Category Archives: legal

Thu, 11 Dec 2008

Licensing Suckage

I just got an email from a developer who works on the nifty cairo-dock application, pointing me to a thread about licensing issues.

A bunch of months ago, he’d emailed me asking about how to best use code from my Xfce Mailwatch Plugin in cairo-dock to add mail-checking capabilities. At the time, I was pretty stoked that someone else had actually found my code useful enough to incorporate into their program, and offered my encouragement.

Sadly, though, licensing ugliness has reared its… well… ugly… head.

When licensing code under the terms of the GNU GPL or LGPL, the FSF suggests (and most people follow) that you license under “or (at your option) any later version” terms, which means that, while you initially license the code under the version of the GPL or LGPL of your choice, someone can later take your code and relicense it under the terms of a later version of the same license. This also makes the code automatically compatible with future versions of the license.

You might think this sounds pretty good for convenience and licensing compatibility, and you’d probably be right.

However, this isn’t so great from a philosophical perspective, at least from my philosophical perspective. The problem I have is this:

Licensing a work under “GPL version 2 or later” terms means that I am implicitly agreeing with any new restrictions that the FSF dreams up (or any existing restrictions the FSF wants to drop), forever. I’d basically be saying that I agree with something that doesn’t exist yet, and could take any shape or form imaginable.

Don’t get me wrong: in general, I think the FSF is good people, and I agree with their message for the most part.

But I don’t know them, personally, and I don’t agree with them 100%. And I don’t know who’s going to be running the FSF next year, or in five years, or in 20 years. So how can I know, or even have reasonable belief, that their philosophies and values will align with mine such that I’ll agree with future versions of their licenses? There are already parts of version 3 of the GPL and LGPL that I don’t completely understand or agree with, so why should I expect that versions 4, 5, or 10 will be completely to my liking?

The short answer is: I can’t.

And so, for the most part, I release my software under “GPL version 2 only” terms. (Because I’m a bit lazy and don’t want to make a big stink, I’ll release code under “or any later version” terms if I’m contributing to an existing code base that uses those terms.)

it really pained me to have to answer that email saying that my code’s licensing (GPLv2-only) wasn’t compatible with theirs (GPLv3-or-later), but it’s the truth, and there’s not much I can (or want to) do about it.

The only solution I can think of (I’m not a lawyer, of course) that allows them to use my code is that they relicense their code under GPLv2-or-later terms. Of course, then they lose any restrictions that the GPLv3 has over the GPLv2, which I assume they’d prefer to have, since that’s how they’ve licensed their code.

(Before anyone says it, another possible solution would be for me to relicense under LGPLv2.1. The problem with that is one I’ve discussed before: section 3 of the LGPLv2.1 explicitly allows a recipient of the code to relicense the code under regular GPLv#-or-later terms, regardless of the only/or-later status of the original LGPL licensing. This of course completely defeats the intent of my rationale above.)

And so, the OSS licensing mess has caused yet more pain to people who just want to share code and avoid duplicating effort. I love the GPL. I really do. But I also hate it.

14 Comments

Filed under frustrations, legal, software, xfce

Sat, 10 Nov 2007

More LGPLv2.1/GPLv3 Crap

Someone calling himself “textshell” left a comment on my previous post that made me think about a few things.

If I release something under “GPL version 2 ONLY” (which is what I usually do), I expect it to stay released under that license.

If I release something under “LGPL version 2.1 ONLY,” I expect it to either stay as the LGPL or be converted to GPL version 2 — and ONLY GPL version 2.

I’m not sure I understand textshell’s rationale here: “If you used LGPL before you seem to have been ok with the code used in commercial software, so why do you want to make sure it’s not usable in GPLv3 software?” Those are two very different things. LGPL allows proprietary software vendors to link with my code, which — for any software I release under the LGPL — I have no problem with. But allowing people to re-release my code under a license I do not fully understand and do not fully agree with (GPLv3) is not ok.

“Compatibility with other licenses” is not the main criterion by which I choose a license for my code. I choose a license that has terms with which I feel comfortable. At this time, I do not feel comfortable with the GPLv3. That may change, but for now, that’s just how it is.

The merits of the various additions in the GPLv3 can be (and have been) debated quite a bit, but I think it’s safe to say that the GPLv3 as a license is more restrictive than the GPLv2. Say I release something under LGPLv2.1, and in my license header, I say “version 2.1 of the license ONLY.” This means that — weirdly enough — no one can relicense my code as LGPLv3 (or even use it with LGPLv3 code as-is), BUT, they can “convert” (aka relicense) the code to GPLv3, and, presumably, they’re allowed to add the “or, at your option, any later version” clause. Now, the GPL is of course more restrictive than the LGPL. The GPLv3 is more restrictive than the GPLv2. I’m not currently comfortable with the restrictions imposed by the GPLv3, and I have no idea if I’ll be comfortable with GPLv4, GPLv5, etc., but the LGPLv2.1 unfortunately appears to have terms that directly contradict my wishes that the code stay as LGPLv2.1/GPLv2.

We don’t know what the GPLv4 will look like. Say through some unlikely twist of fate, Microsoft buys the FSF (currently the only organisation “allowed” to release new versions of the LGPL/GPL). Microsoft then goes and releases GPLv4, which adds a clause that basically says “if you receive GPLv4 code, you may relicense it under a proprietary software license.” In this instance, anyone who has released code under “GPLv2 or later” or “GPLv3 or later” has granted MS (or any other company) the right to make a proprietary fork of their code. It’s this thinking that leads me to release all my code under a license that says “GPL, version 2 ONLY.”

Now, do I really expect MS to somehow acquire the FSF and release an “evil” GPLv4? No, I don’t. But the fact remains that I have no idea what will happen in the future. Trusting an organisation full of people I don’t know to produce future versions of a license that I’m happy with doesn’t sound like a good idea. Indeed, they’ve already released a new version of my license of choice that I don’t fully agree with, so why should I trust them to do so in the future?

If and when I feel comfortable with the GPLv3, I’ll probably re-release all my software under a “GPLv3 ONLY” license. But that’s it for the LGPL — I have no intention of releasing any new code using the LGPL, with the exception of stuff contributed to LGPL libraries (like libxfce4util and libxfcegui4) that are mainly “LGPLv2.1 or later” and are ‘owned’ by other people.

2 Comments

Filed under everything, legal, rants, ruminations

Fri, 9 Nov 2007

If you don’t like GPLv3…

… then it’s best not to use LGPLv2.1 either. According to this footnote of the GPLv3 draft FAQ:

Every version of the LGPL gives you permission to relicense the code under the corresponding version, or any later version, of the GPL.

This is a bit disturbing to me. According to this, if I release software under a license which states “LGPL version 2.1 ONLY,” someone can go and re-release this software as GPLv3. And indeed, section 3 of the LGPLv2.1 states:

You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. [...] (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.)

That’s ridiculous. The license explicitly ignores whether you release under “LGPL version 2.1 or any later version” or “LGPL version 2.1 ONLY.” Amusingly, it looks like, under these terms, if you release LGPL-2.1-only, someone can’t go and re-release as LGPLv3, even though they can re-release as GPLv3. To illustrate the retardedness, here’s my interpretation:

Release under: Can be converted to:
GPLv2 or later GPLv3 or later; GPLv3 only
GPLv2 only nothing else
LGPLv2.1 or later LGPLv3 or later; LGPLv3 only; GPLv2 or later; GPLv2 only; GPLv3 or later; GPLv3 only
LGPLv2.1 only GPLv2 or later; GPLv2 only; GPLv3 or later; GPLv3 only

Is this correct? It seems so horribly wrong.

I need to go through my stuff and make sure I’m not using LGPL for anything, though I suppose I’ll have to leave libxfce4util and libxfcegui4 alone since most of the parts I don’t own are LGPLv2.1-or-later, so it’s probably not worth the effort. And, I’d better be more careful about understanding the licenses I use.

2 Comments

Filed under everything, legal, rants, ruminations

Mon, 13 Nov 2006

Misc GPL Stuff

Auke was ruminating on how the GPL relates to a source distro (specifically, the one he runs, Lunar Linux). It raises some interesting questions. Is Lunar, as an entity, distributing binaries? Not in the literal sense: they just distribute sources, and some amount of patches, as well as a generic automated build system. All binaries are built on the user’s target machine (well, with the exception of the install CD, which I’ll get to in a minute). But does that “count” as anything more than source distribution? I would say no, but then, consider this (contrived) scenario (applicable to most source distros, not just Lunar):

Lunar user uses the Lunar package manager to install a piece of software named Foo. Say that when he does this, it’s version 1.0. Due to some quirks, the Lunar package manager has to patch the sources to get it to build properly (or perhaps to fix some icky bug, or whatever). So Lunar user happily uses Foo for a while, and decides he wants to give it to some friends. However, when he tries to find the sources to his binary (note that he’s required by the GPL to offer source in addition to the binary), he finds that Lunar has upgraded their version of Foo to 1.5, which is (for some reason) very different from 1.0.

So, where does he get the sources? And the patches applied by Lunar? What if the sources were modified by ‘sed’ scripts inlined into the build instructions, which are no longer available. Now, I suppose he could dig through Lunar’s Subversion repository, but is that kosher with the GPL?

I suppose it’s all moot, though: the GPL says that if you distribute binaries, you must make an offer to have the source available for three years. But what if you only distribute source? Does that change if you distribute source, plus patches? Do you have any future obligations at all?

Anyway, Auke also mentions this:

We only distribute binaries in lunar-linux through the ISO images (the installer cd). All the binaries on that image are created using the unmodified sources from the original websites. For the few packages that have patches, we use the patches from our own patch website URL. That’s according to the letter of the GPL and actually the *only* thing we’re required to provide.

I suggest you take a look at this FAQ entry. As an extension to that, regarding distributing only diffs from the original version with the binaries, see this one. So in other words, if you distribute binaries, you must also make available the full source used to create those binaries. The fact that it’s (currently) on the original author’s website is not enough.

And we wonder why most software development companies are so afraid of the GPL that they refuse to touch software “tainted” with it. Most of the people in our own community (including myself, on occasion) don’t even understand the license fully.

Leave a Comment

Filed under everything, legal, software