[ninkendo]

So, thought experiment: say I do want to take AGPL MongoDB, alter its source code, and host my modifications as a SAAS without releasing my modifications, and get away with it.

One way I could do this is by completely implementing its wire-format API of MongoDB as a proxy server to my derived MongoDB, and offer that up as my SAAS.

I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself. It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count.

For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work. I think this is at least how the lawyers I’ve talked to described it.

GPL has already established that runtime linking counts as a derived work. If what you’re saying is true about “not a derived work under copyright law requiring a license”, then I don’t understand why the LGPL exists.

[tzs]

GPL's source disclosure requirements trigger on distribution.

AGPL's trigger on distribution or on allowing remote user interaction over a computer network.

> I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself

You aren't distributing either of them. When you run code on your server and people interact with it over the network that's not a distribution. If it was a distribution there would be no need for AGPL. GPL would be sufficient.

> It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count.

It's not a derivative work because it doesn't incorporate copyrighted elements of MongoDB (assuming you didn't actually copy code from MongoDB).

> For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work.

AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant.

[ninkendo]

> You aren't distributing either of them. When you run code on your server and people interact with it over the network that's not a distribution. If it was a distribution there would be no need for AGPL. GPL would be sufficient.

I think you’re misreading this part of my comment: MongoDB is (or at least, was) AGPL, and AGPL defines network access as distribution. So I would have to justify whether offering my proxy service to network access counts as distributing MongoDB, or if laundering it through a proxy works around this. Remember that in my example, I did modify mongoDB. But I’m not technically offering this modified mongoDB as a service, I’m offering my proxy as a service, and hoping that it doesn’t count as “distribution” of my modified mongoDB. (i.e. I’m not distributing mongo, I’m distributing my proxy, and my proxy is not AGPL.)

> AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant.

Well, that’s the thought experiment that my example is intended to provoke… it seems obvious that my dumb proxy is a way to work around the AGPL, but what if we tweak the example? What if I make a web UI where you type mongo commands and it gives you the result? (Still pretty obvious, no?) What if I make a simple dumb CRUD app that happens to use MongoDB? (Less obvious…) what if the CRUD app is itself an extremely thin wrapper, and although it doesn’t implement any MongoDB protocols, it leverages built-in mongoDB functionality for 99% of the logic?

The point is, it’s not hard to imagine a legal theory that says “if network access equals distribution, then network access equals a derived/combined work”. It’s the theory that the legal departments of several companies I’ve worked for have taken. And I’d argue that if you have a proprietary product that uses an AGPL service as part of the backend, you have a rather large reason to be worried.

[assbuttbuttass]

By my reading, the AGPL doesn't define "distribution" at all. It defines "conveying":

    To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying

This definition specifically excludes networked API access.

Here's what the AGPL says about network access:

    Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.

It only applies if you "modify" the program. Does creating a proxy service count as modifying the original program? I think it could count as a derived work, but I would be very surprised if that counts as a modification.

[taway1237]

Doesn't it prove GP's point? If you use MongoDB in your commercial software it gets infected with AGPL, because people interact with it over the internet - just like linking does with GPL.

[dragonwriter]

> GPL has already established that runtime linking counts as a derived work

No, whether runtime/dynamic linking (or even static linking) creates a derivative work under copyright (as is when, to the extent it does, such a use would nonetheless be fair use and still not require a license) is still a contentious topic, and AFAIK there are no cases strongly suggesting a general answer.

A license offering permission cannot itself resolve when the law requires such permission. Arguing that it can is like saying my offering terms of permission to use my home and claiming that they apply to use of the public street out front establishes that I own the street.

[ninkendo]

If your argument is that AGPL can’t restrict me from using mongo in a proprietary product because copyright law itself does not restrict this, then you may or may not be right, I don’t think any of us know for sure until this is tested in court. I will say that the AGPL is written with the assumption that this is restricted by copyright law, so I don’t think your interpretation is the common one.

[kiratp]

> One way I could do this is by completely implementing its wire-format API of MongoDB as a proxy server to my derived MongoDB, and offer that up as my SAAS

This is what Cosmos DB for Mongo DB is (wire format endpoint that talks to Msft’s own DB backend.)

https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/in...