What software license should we use?

Before we start development, we need to pick a software license. We will also need at some point to pick a content license, but as that can be implemented as a configurable item in the software, we don’t need to pick it yet.

Please vote for your choice of license here. You may vote for up to two choices. This poll is not binding, it’s just to get a sense of general opinion. See below for details of each license.

Options are listed from most to least restrictive. Condition summaries sourced from choosealicense.com.

Update: (@Marc.2377) - clarified misconceptions about copyleft over public APIs for the GPL family of licenses.

Actually I think the best would be AGPL with the special exception that use of publicly exposed web APIs does not cause the using code cause to be covered. With publicly exposed I mean that every user of the site may use it, as opposed to internal use by the site only (the exact formulation would probably have to be looked at by someone with law expertise).

Note that the implementation of additional APIs would not be covered by that exception, nor would be the use of APIs for server-internal use only (that is, you couldn’t write internal APIs to circumvent the AGPL).

Is that even a required exception, though? My understanding of the AGPLv3 is that this is covered by default.

If so, great. But again, someone with expertise should look through this.

Maybe it would make most sense to first decide on what should/should not be allowed, and only then evaluate which licenses provide that, and whether any exception clauses are needed.

We had long discussions on this topic, over the (now archived) #legal channel. I believe you were probably following our conversation at that time. Here are some of the most relevant, recent transcripts, for everyone’s benefit:

(Marc.2377, 2019-10-25)

So, folks,

I was hoping for a license that:

1. Guarantees that we get changes back as long as someone is distributing the software or hosting it as a “service”, unless for private/internal use. I.e. someone launches a competing website using our software, I want to see and be able to use their modifications to the code.
2. Is not so viral so as to require that every other piece of their software is released under the same license.
   So far I want your input. Is that sensible on my part?
   I was previously suggesting the GPLv2, but it does not fully cover 1).

After looking for an existing alternative (that is, not involving changing or adapting any existing license, to make it either more permissive or more restrictive), up until now what I have found is the AGPL (GNU Affero GPL), but it does not satisfy 2) in full.

Thus, at this point I’m considering something like this:

• Licensing the web application itself, which will be an “ASP.NET Core Web Application”, as AGPL;

• Licensing the core parts that will service the web application also as AGPL;

• Licensing the WEB API parts, as well as any other non-core “library”, with a more permissive license (could be the MIT, or Apache).

(…)
Anyway, just want to share one link.

https://softwareengineering.stackexchange.com/questions/263063/how-viral-is-the-affero-gpl

Top highlights:

MongoDB is licensed under the AGPL, and interestingly, its licensing page says the following:

“To make the above practical, we promise that your client application which uses the database is a separate work. To facilitate this, the mongodb.org supported drivers (the part you link with your application) are released under Apache license, which is copyleft free.”
– OP

AGPL says others cannot improve MongoDB privately, then offer services based on their “enhanced versions,” without at least making those improvements available to MongoDB, Inc. (among others).

The AGPL is a response to criticism in the open source community that many cloud operators, Internet service providers, and some HPC and financal industry shops devote enormous resources to tuning, tweaking, and improving their open source deployments, yet because they never “distribute” products based on the code, are effectively immune to copyleft.

Distribution is the triggering event for when you have to share your improvements under GPL, yet many large, technically- and economically-important organizations are exempt from that. “Not fair!” thought the open source community. “You’re taking advantage of our work, yet making limited or marginal contributions back to the community!”
– Jonathan Eunice

Just to be clear, the parts that I would like to have a stronger copy-left over would be those I circled in red (free-hand of course)

image806×555 54.3 KB

p.s. This is just an architectural DRAFT .

Note: An updated version of the diagram (still not final) is available here!

One important thing to keep in mind: It might be generally better to get started using a more restrictive license, that can be replaced with a more permissive one later (with the reasonable assumption that the contributors would consent), than to start off with a permissive license and decide to change it later to a less permissive one.

The reason is that, if we change to a more restrictive license, all of the code that was made available up to that point will remain available under the previous permissive license. (technically, they will be subject to dual licensing, until modified).

(Marc.2377, 2019-10-27)

So, @ArtOfCode, most (but not all) of our preliminary discussions regarding the license for our software happened here on this channel. I would appreciate if you’d be willing to read over the most recent bits of the discussion, starting from here: https://discordapp.com/channels/634104110131445811/634477326553579580/637167654469369893, and offer your commentary about it.

Considering the architecture draft proposal, from my part I woud like that at least the Business Logic layer and the Web Application layer are released under a license that offers a strong guarantee that we, and the rest of the community, can get the source code even in case of hosting-but-not-distributing (with the exception of personal or internal use).

That would be achieved by choosing the AGPL license (afaik) or some sort of similar, custom license (don’t know if there exists a similar alternative already).With some sort of provision for the developers to be able to change the license later to a more permissive one.

(ArtOfCode, 2019-10-31)

coming back to licenses… some thoughts
I’m personally always partial to MIT, because I like being permissive, but that’s often at odds with good business
I’ve used AGPL for similar kinds of projects before, though - when we wrote an emergency dispatch system for Irma, we licensed that as AGPL because we wanted to be sure we’d get changes back.
Now, IANAL, but my understanding is that we could use AGPL for the whole application and be fine - no need to use a split license as @Marc.2377 suggested above.
Correct me if I’m wrong, @Marc.2377 - it seems like you were thinking we license the API as something permissive so that folks using the API don’t have to AGPL-license their own software? My understanding is that we can avoid that even if we do use AGPL - it can be argued that API users are not creating a derivative work of the software because they’re using the data it contains not the software itself - and further, we can shore up that position by explicitly stating (probably in the API docs or in the README) that we do not consider such use to create a derivative work.
That statement would effectively serve to say “you can use the API and we won’t sue you if you don’t use the AGPL”.

(Marc.2377, 2019-10-31)

Actually, no, @ArtOfCode. The reason I suggested a more permissive license for the API parts is that I was facing strong opposition from other members in the discussion, in that people in the community would refrain from using the software at all (and contributing to it) if the license was too restrictive.

So my approach would be to strong-copyleft-license the parts that I care most about getting changes back, but not all of the components.

I mean, I’m totally fine with someone making improvements to the public API and not sharing them if they prefer.
(for some reason)

Having looked more into it, I’m positive. Consumers of the public API are not bound by the licensing terms in the same way as someone serving the API is.

Here’s one of the many references for that: Does accessing the REST interface of a AGPL-licensed server make the client a derivative work? - Open Source Stack Exchange

(edit) Another one: If I use a public API endpoint that has its source code licensed under AGPL in my app, do I need to disclose my source? - Open Source Stack Exchange

Please keep in mind that there are a lot of people, including in the open-source community, who find the GPL (including the AGPL) and the ideology it was built to try to push offensive, and if we end up deciding to license under such a model, it will drive away contributors.

@MasonWheeler For those of who us who are relatively confused about the differences between the licenses, can you provide a very brief (i.e., no more than 3 sentences) synopsis of the key difference from other licenses and the (extremely basic) concerns involved?

@manassehkatz Richard Stallman (creator of the GPL) believes that proprietary software is Inherently Evil, and he created the GPL to oppose it. The GPL is a viral license, meaning that it “infects” your codebase: if you use it anywhere in your code, the entire rest of your project out to the process boundary must also be GPL or compatible, in order to ensure that you cannot mix “free” and “non-free” code. For obvious reasons, many developers find these restrictions burdensome and find the sanctimonious ideology underlying them offensive.

(Heck, that’s actually where the term “Open Source” came from: a bunch of developers who liked the basic idea of free code sharing and peer review, but not all the ideological baggage that was attached to it, came up with this term to mean “we’re into the pragmatic parts of this idea, without needing to be as crazy as Stallman and his FSF cultists over there.”)

The GPL and AGPL are very good at what they do, which is ensuring that any modifications of your software remain free software. If that’s your main concern, then [A]GPL is a good choice, and it means you can integrate changes from other people’s adaptations into your own project.

On the other hand, some people may want to use your software but be unable to because it’s GPL-licensed: either they’re working in an environment that prevents the use of copyleft-licensed works, or because they’re fundamentally opposed to the GPL and its background.

It’s a tradeoff between ensuring changes come back to you, and ensuring your software has the widest reach possible. Of course, a more permissive license doesn’t preclude improvements being made available back to you.

That’s a side effect. If that’s what you actually want, use the Mozilla Public License. It’s designed for exactly that purpose, and is very good at that specifically, without the ideological baggage.

@MasonWheeler Thank you for the additional information. Now I want to change my original vote, but it doesn’t appear that I can do that.

Can an Admin remove my vote so I can vote again? I was able to change my vote after all.

It’s a bit unintuitive, but you can change your votes with the “hide results” button.

Thank you. That worked. Let’s make sure that all features of Codidact are more intuitive that that!

My understanding of the MPL is that it is ‘file-based’; as such, any modifications to the software in new files can be licensed under a proprietary license; based on my lay reading of the MPL, the summary above and Mozilla’s FAQ. This seems to me to be a large loophole, and as such isn’t very good at keeping subsequent modifications Free.

This is the first time I’ve heard of the GPL being referred to as an offensive license. It is strong copyleft. Would we be happy with someone taking the code, changing features and keeping them private? Some folks might not mind, others might.

@manassehkatz, and in fact @Contributor (this is important), here is a very succint description of what might happen if we use anything other than the AGPL (from the options in the poll list, that is):

Anyone can take our software - and that includes Stack Exchange, make improvements to it and publish it to a live website without sharing any of their improvements with us. As long as they don’t actually redistribute the source code, instead hosting the application online, they can get away with it.

The MIT, Apache and MPL licenses are very fine licenses if you are developing library code or general free software. Heck, take a look at my repos - I’ve licensed most of my own projects under the MPL, following @MasonWheeler’s suggestion.

However, for Codidact specifically, I would prefer to have some guarantees, in the form of a license, to make sure our competition can’t just take all of our hard work and launch a similar product that can turn up to be the end of us simply because they have more resource$$. The AGPL is the only one in the list that gives us that guarantee. Let’s not turn away from it due to prejudice reasons.

It is a large loophole - in the context of this project. We discussed this in the now-archived #legal channel over a month ago.

Lucky you! Unfortunately, you’ll find there exists much hate against the GPL family of licenses: prejudice, misunderstandings, myths.

Do I agree with the Free Software movement a 100%? Not quite.
Have I had to turn away from software before because of a GPL license? Yes, I have.

Do I completely abhor the GPL licenses and refrain from considering them entirely? Absolutely not. That would be naive.

The only differences between the MPLv2 and GPLv2 is that the former:

• grants patent rights from contributors (2.1)
• explicitly does not grant trademark rights (2.3)
• does not require that improvements and modifications to the software are distributed in source code form and under the same license as long as these modifications are implemented in new files containing all-new code. (1.4, 1.7, 1.10).

So, is the MPL is less “viral” than GPLv2? Yes… due to a specific clause that is laudable in some contexts, but counter-productive in others, such as our own.

Hmm. So I guess the problem with MPL would be that someone could bypass it by:

• Comment out the functions they want to rewrite
• Add a reference/link to bring in a new file of replacement functions

And then submit the changed file even though it won’t compile/link without the new file of effectively proprietary code and be compliant with the letter of the license while totally violating the spirit of the license.

Whereas AGPL would not allow that loophole.

Does that sum it up?

I can probably make it easier.

Consider my diagram draft. At the core level (services, infrastructure, data access), there are classes and methods. At the Web Application level, there are web pages.

Under the MPL, if someone adds a new class file to the former, or a new webpage to the latter, they won’t be required to be made open-source.

And of course, at the DB level there are tables (assuming an RDBMS engine). A new stored procedure would also not be open-source-enforceable, nor would a new table or schema definition.

But the major problem with the MPL here (and, as I said, every other license but the AGPL) is this: it doesn’t require source code to be made available unless someone is distributing the software. Distribution means: release. Hosting the application in a SAAS fashion - like Codidact is supposed to be run - is not considered distribution, not even by the GPLv3.

The AGPL is the only one that requires the source code to be made available if the software is made available to the general public through a web server.

Edit: Here’s another example. Suppose our data persistence code is actually terrible, and someone throws it away and writes a much better one. Under the MPL, they wouldn’t be required to make it open-source at all.

If someone wants a less viral GPL, the GPL with GCC runtime exception that allows for static linking can in fact end up being an even more sound alternative to the MPL.
(fun note: GCC is, of course, the *GNU* compiler collection.)