| GPL's source disclosure requirements trigger on distribution. AGPL's trigger on distribution or on allowing remote user interaction over a computer network. > I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself You aren't distributing either of them. When you run code on your server and people interact with it over the network that's not a distribution. If it was a distribution there would be no need for AGPL. GPL would be sufficient. > It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count. It's not a derivative work because it doesn't incorporate copyrighted elements of MongoDB (assuming you didn't actually copy code from MongoDB). > For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work. AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant. |
I think you’re misreading this part of my comment: MongoDB is (or at least, was) AGPL, and AGPL defines network access as distribution. So I would have to justify whether offering my proxy service to network access counts as distributing MongoDB, or if laundering it through a proxy works around this. Remember that in my example, I did modify mongoDB. But I’m not technically offering this modified mongoDB as a service, I’m offering my proxy as a service, and hoping that it doesn’t count as “distribution” of my modified mongoDB. (i.e. I’m not distributing mongo, I’m distributing my proxy, and my proxy is not AGPL.)
> AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant.
Well, that’s the thought experiment that my example is intended to provoke… it seems obvious that my dumb proxy is a way to work around the AGPL, but what if we tweak the example? What if I make a web UI where you type mongo commands and it gives you the result? (Still pretty obvious, no?) What if I make a simple dumb CRUD app that happens to use MongoDB? (Less obvious…) what if the CRUD app is itself an extremely thin wrapper, and although it doesn’t implement any MongoDB protocols, it leverages built-in mongoDB functionality for 99% of the logic?
The point is, it’s not hard to imagine a legal theory that says “if network access equals distribution, then network access equals a derived/combined work”. It’s the theory that the legal departments of several companies I’ve worked for have taken. And I’d argue that if you have a proprietary product that uses an AGPL service as part of the backend, you have a rather large reason to be worried.