by shp0ngle 921 days ago
"As a result, Canonical cannot release LXD under the AGPLv3 license and likely never will be able to. LXD is now under a weird mix of Apache2 and AGPLv3 with no clear metadata indicating what file or what part of each file is under one license or the other."

IANAL but that's not true? You can take Apache2 and relicense it under AGPL? You can take "less copyleft" license and make it "more copyleft".

https://www.gnu.org/licenses/license-list.en.html#apache2

It's entirely kosher in my opinion, and the entire thing agpl, with no "weird mix" or whatever

5 comments

Lawyer here

"IANAL but that's not true? You can take Apache2 and relicense it under AGPL? You can take "less copyleft" license and make it "more copyleft"."

No you can't. That's also not really what is happening here in the link you list.

This gets complicated very quickly (and 90% of HN comments in this thread are already sort of wrong), but the short version is:

When you aggregate existing works into a larger work, you can license the larger work in any way that is compatible with the existing works.

Apache2 is compatible in that sense - I can include an Apache work in a larger aggregate work licensed a different way.

However, that does not relicense the original works that you are aggregating. For the Apache2 portion of that work - even when part of a larger work, I can still exercise whatever rights Apache2 gives me for the Apache2 version of that work.

The aggregate work itself would also have very little copyright protection, even if you AGPLv3 it.

The only copyright you newly get in the aggregate work is selection, arrangement, etc.

Which means the degree to which you are licensing anything at all is ... quite small.

The easy way to think about it is: even if you release a larger AGPLv3 work containing Apache2 pieces, you could not sue people for taking the Apache2 piece of it, and using it under Apache2. Even if they explicitly use your copy of it, etc.

More than that, people could take all of your aggregate work pieces and use them under their licenses, and you could not stop them.

This already happens - RHEL et al.

You can legally say "this whole code is AGPLv3, based on works by these people under Apache". You cannot be legally obliged to say which parts are Apache and which parts are not.

That makes no sense; that would make releasing the binaries and putting them under copyright illegal too as there is no source code.

Someone can still come and cherry-pick the old Apache code, yes. But you (Canonical in this case) don't have to say which parts are which, and as the project goes on and new work is added it will be pretty hard to do.

That's basically what LibreOffice did with OpenOffice.org code...

Your point is why I've always said that the "you can't relicense" people are playing a smoke and mirrors sideshow, and trying to skate by on technicalities.

No you can't literally make it the case that the code that used to be licensed as Apache is now licensed GPL. On the other hand you are free to convey that code under the terms of the GPL, without clearly specifying to others exactly which lines of code are Apache, except insofar as that license requires you to do so. And you're free to create a combined work that the GPL (or another compatible license) applies to, and require a CLA for contributions to that combined work. In fact the Apache 2.0 license says you're free to "provide additional or different license terms ... for any such Derivative Works as a whole" (my emphasis).

But nobody ever thought you can "change the license" in that overly-literal sense, so far as I know. It's not what people who say "relicensing" mean in the software world, and the lawyers who talk as if we did completely miss the point.

> You cannot be legally obliged to say which parts are Apache and which parts are not.

This is not strictly accurate, in that you can't remove existing copyright statements from the source form of the work, under Apache 2.0:

> You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works

That would presumably include copyright statements placed on the original source files, if those exist. But you aren't obligated to do the work of explaining to others exactly which source lines have which copyright, as Apache does not obligate you to do so.

I've long wondered if it might make sense if I ever write something substantial that I want to open source to license most of the individual functions under a permissive license such as BSD, but license the program as a whole as a collective work or compilation under something more restrictive like GPL.

The idea is that if someone finds that I've got a nice sort function or a nifty argument parser that they would find useful I'm happy for them to copy it no strings attached, but I don't want someone just taking my whole program and making a closed fork of it.

> However, that does not relicense the original works that you are aggregating.

What does this claim even mean? I don't think that anybody thinks including Apache code in their GPL project would retroactively relicense the code of the Apache-licensed project that they probably had nothing to do with, written by someone they may have ever met. Is this what you're confirming?

> The aggregate work itself would also have very little copyright protection, even if you AGPLv3 it.

> The only copyright you newly get in the aggregate work is selection, arrangement, etc.

That's not really how code works. The old code is mixed with the new code, and the combination (I've always thought) is going to have all of the restrictions of both (all) licenses involved.

If I take a public domain book containing un-trademarked characters, write 20 additional chapters for it, and do a 20% rewrite on the original chapters, are you saying that my book wouldn't be copyrightable? Sounds like the GPL.

"What does this claim even mean? I don't think that anybody thinks including Apache code in their GPL project would retroactively relicense the code of the Apache-licensed project that they probably had nothing to do with, written by someone they may have ever met. Is this what you're confirming?"

The comment I replied to literally said that - that you can always relicense things less permissively. Which is wrong. Sure, maybe they meant it in the colloquial sense, but you simply can't have meaningful discussions about any of this without being precise.

"That's not really how code works. The old code is mixed with the new code, and the combination (I've always thought) is going to have all of the restrictions of both (all) licenses involved."

You certainly realize how arrogant it sounds to tell someone "that's not how code works"?

I'm quite aware of how code works. No, it will not have the restrictions of all the licenses involved, just because you mix it, because it can't. It may be hard to figure out what the restrictions are, but just because you mixed it all together doesn't change a darn thing. You still have no meaningful separate copyright in the mix, and the licensing is controlled by the pieces.

Read again what you claimed is obvious above, and you will see why.

The only restrictions come into place to the degree you create derivatives of existing works or code. What degree that happens varies widely. What is protectable there, varies widely.

It is totally irrelevant how much chaos you create through mixing - it does not change licensing, just makes it harder to figure it out.

Court cases that involve open source with lots of differently-licensed code often spend amazing amounts of time trying to actually separate the pieces and figure out what rights people have to them.

If Canonical took code from Incus, wouldn't they also need to include their NOTICE file if they have one as required by the Apache license? Would not including that file constitute removal of copyright management information?

I'm curious as to what qualifies as "taking code". If you copy some code and change variable names, do some minor refactoring or reformatting, is that considered the same code?

It'd be considered a derivative work.

They can freely include Apache2 licensed code in an AGPLv3 project without having to re-license the entire project under Apache2 as it's not a copyleft license. However this doesn't make the code they included AGPLv3, that code remains Apache2 and must be declared as such.

Licenses don't typically allow licensees to re-license code. You can use Apache v2 code in a proprietary or AGPL product and redistribute binaries or other source code derived from it under any other license, but you can't change the license of the original code: anyone can still use it under the Apache license.

Conversely, a copyright holder may re-license code. Depending on the exact terms of the old license, this may mean that you are no longer allowed to use it under the old license (at least, not unless you got it from someone who legally obtained it back when it had the old license).

So, if the code is not relicensed, you can theoretically download a bundle that claims it's AGPLv3, select the portions that are licensed under Apache, and incorporate those into your proprietary product without providing any access to your sources, and be legally in the clear.

> Licenses don't typically allow licensees to re-license code.

This still doesn't make any sense. Permissive licenses are designed to allow code to be relicensed freely, hence the term "permissive." There may be a few catches, like having to include attribution or a copy of the old license, but if those were significant, the code wouldn't be open source.

How could that interpretation be compatible with the fact that if the author and copyright holder relicenses the code, you can ignore them if "you got it from someone who legally obtained it back when it had the old license." LGPL projects are "someone."

> So, if the code is not relicensed, you can theoretically download a bundle that claims it's AGPLv3, select the portions that are licensed under Apache, and incorporate those into your proprietary product without providing any access to your sources, and be legally in the clear.

Very theoretically. It's very unlikely that the Apache code will sit in the AGPL project forever unmixed with new, AGPL'd, code. Since the new code is not under a permissive license, it can't be relicensed to Apache.

Think about it like this. If I redistribute a BSD licensed piece of code released by the OpenBSD project, I have to include a note saying that "this product includes code from the OpenBSD project". If I allow others to redistribute my code, I still have to require those others to include this notice. I can't take the OpenBSD project's code and redistribute it under a license that says "you don't have to give any attribution".

However, as the copyright holder, the OpenBSD project can decide to relicense their code under a new license that says "no attribution is required". They can even do so selectively: they can sell you code under this license, but keep distributing the one with attribution required to others. The provenance of a copy of code becomes important in these cases, since different copies may have different license terms attached.

The MySQL project was doing exactly this before the Oracle acquisition, this is not a theoretical idea. You could get the code for free under the terms of the GPLv2 (or 3?), or you could buy a commercial license from them that allowed you to redistribute the binary with any modifications without sharing source code.

Does it not?

> 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

Is sublicensing something different from relicensing?

As far as I understand, it means you should use the same license for the reused parts of that code

> You can take "less copyleft" license and make it "more copyleft".

Only if licenses are compatible. But Apache 2 is AGPL-compatible so

> It's entirely kosher in my opinion

Yes, I think so too.

However, they need to make it clear which parts are under Apache 2.

It is if you own copyright for that code, then you can re-license. It seems Canonical didn't ask the permission of contributors that haven't signed their CLA, so Canonical have no right to change the license for that code

> However, they need to make it clear which parts are under Apache 2.

The only thing they needed to do is to add the statement that parts of the code that were written before LXD 5.20 remain Apache 2.0

what IS weird though is the go ecosystem thing.

in go ecosystem, copyleft is very much not the norm.

People might not realise that by just adding copyleft dependency to go.mod, the entire project becomes effectively agpl as it has the code built-in.

If you add a dependency without understanding the license that dependency is released under, you should stop doing that. That counts for every license, and particularly if there is no license.

It goes transitively though.

Some popular go packages grab tens (sometimes over hundreds, but not as much as in node world) of dependencies.

NOBODY checks the license of all the transitive dependencies in go world.

What should or should not happen is one thing, this is the reality

edit: oh but that led me to google this

neat

https://github.com/google/go-licenses

Yes, that's why (apart from the Cyber Resilience Act) license scanners and SBOMs are a thing.
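
The transitive-dependency point raised above, as an added example that is not part of the thread and is not how go-licenses works: it parses output in the `go mod graph` format, walks it from the main module, and reports the import chain to every reachable module whose license is in the GPL family or unknown. The module names, the license map and the `needsReview` rule are constructed assumptions; in practice the license data would come from a scanner or an SBOM.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format ("<module> <requirement>" per line).
const sampleGraph = `example.com/app example.com/web@v1.2.0
example.com/app example.com/log@v0.4.1
example.com/web@v1.2.0 example.com/router@v2.0.0
example.com/router@v2.0.0 example.com/containerlib@v5.20.0`

// Constructed SPDX ids standing in for a license scanner's output; log has none.
var sampleLicenses = map[string]string{
	"example.com/web@v1.2.0": "MIT", "example.com/router@v2.0.0": "BSD-3-Clause",
	"example.com/containerlib@v5.20.0": "AGPL-3.0-only",
}

func needsReview(spdx string) bool { return spdx == "" || strings.Contains(spdx, "GPL") } // unknown, GPL, LGPL, AGPL

// FindFlagged maps each flagged module reachable from root to the shortest chain that pulls it in.
func FindFlagged(graph, root string, lic map[string]string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(graph), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	paths := map[string][]string{root: {root}}
	flagged := map[string][]string{}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] { // breadth-first walk
		for _, dep := range edges[queue[0]] {
			if _, seen := paths[dep]; !seen {
				paths[dep] = append(append([]string{}, paths[queue[0]]...), dep)
				queue = append(queue, dep)
				if needsReview(lic[dep]) {
					flagged[dep] = paths[dep]
				}
			}
		}
	}
	return flagged
}

func main() {
	for mod, path := range FindFlagged(sampleGraph, "example.com/app", sampleLicenses) {
		fmt.Printf("%s (%q): %s\n", mod, sampleLicenses[mod], strings.Join(path, " -> "))
	}
}
```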