Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why reciprocal license restrictions in "Guide for Using Open Source Software"? #62

Open
kfogel opened this issue May 6, 2019 · 10 comments

Comments

@kfogel
Copy link
Contributor

kfogel commented May 6, 2019

In the Guide for Using Open Source Software, in the section Verify Open Source Software License, it says that applications that are going to be modified can't use a "strong reciprocal" license if they're web apps nor any reciprocal license if they're going to be distributed externally.

This raises several questions/issues:

  • In general, one can never predict with certainty whether one will have to make modifications to an open source software application one is deploying. One may start out intending to make no modifications, and discover one year down the road that modifications are necessary (furthermore, one cannot predict whether those modifications would be of the sort that should be submitted upstream, rather than merely published, and whether upstream would accept them if they were submitted).

  • Since the Guide for Publishing Open Source Code says that work should happen in the open by default, in principle all modifications are intended for external distribution anyway (except for those which meet one of the rare exception conditions stated, but those do not concern us here).

What this all adds up to is that the Guide for Using Open Source Software effectively prohibits GC from using any reciprocally-licensed (i.e., copyleft / GPL'd) software at all.

Presumably this was not the intent?

What is the purpose of discouraging contact with reciprocal licenses, as specified in points 3 and 4 of the section "Verify Open Source Software Licence", anyway? Or am I just misreading the text somehow?

FWIW, the publication guide (a separate document) does not similarly discourage use of reciprocal licenses -- it just lists them as an option along with other types of licenses. Unless I've misunderstood something, the interaction between those two policies means that GC could easily end up publishing open source software that GC itself cannot re-use.

@smellems
Copy link
Contributor

smellems commented May 7, 2019

It's supposed to represent a decision tree. So you only get to points 3 and 4 if you answer Yes to 2. Are there any reasons that would prevent the release of the modified source code?. In most cases you should be able to answer No and use any OSI approved licence or FSF free software licence.

Would the current situation or your department policies prevent publication of source code of modified OSS? If yes, and it's a Web application, don't use strong reciprocal (AGPL). If yes, and your going to be "distributing" the resulting software, use only permissive licences.

@gcharest
Copy link
Contributor

gcharest commented May 7, 2019 via email

@gcharest
Copy link
Contributor

gcharest commented May 7, 2019

We probably should add some nuance as well to help teams realize what would constitute a reason that the source code could not be published, linking to the conditions we mentioned in the white paper and publishing OSS.

There's really little reason why we should modify existing OSS and introduce code that shouldn't be released itself.

It may sound overkill, but we may need to add some additional disambiguation around difference of source code and software deployed. I still have to explain the difference to people I should not... (That's not just government by the way - it's a bit scary at times)

@kfogel
Copy link
Contributor Author

kfogel commented May 10, 2019

Ah, I see now how it represents a decision tree, but that wasn't clear to me when I first read it through, FWIW. A diagram, or maybe just some more clarifications in the wording, would be great. (For example, what @gcharest said here was immensely clarifying.)

@gcharest
Copy link
Contributor

Absolutely! Yes, definitely need graphics... Also, clearer introduction might help in the meantime!

@ShadeWyrm
Copy link
Contributor

Reciprocal vs Permissive Licenses in GC

@gcharest / @kfogel / @smellems - hi all! Can I get your feedback on the above, and if you feel it more clearly explains the thought process/flow?

@smellems
Copy link
Contributor

smellems commented Oct 7, 2019

This is nice, but its not about reciprocal vs permissive, I think.

Its about what OSS licences are acceptable for use by the GC. Not releasing or even contributing back. For example but we recommend permissive. We can't recommend in this case because we're not picking the license of OSS projects being used only saying if it can be used.

I think it should start with

When using OSS without modifications, all software licensed under an OSI approved license or a FSF free software licence is considered OSS and can be used.

Same for when you will make modifications and can share them.

If you can't share modifications the follow the questions..

For the yellow boxes I propose the following changes to be less about permissive vs reciprocal (from the top)

  1. Source code should be shared if it does not include the things it should not include.
  2. Consider contributing back to upstream communities.
  3. Strong reciprocal licences consider access through a network (like the Internet) distribution and the modified source code must be made available.
  4. When distributing modified versions of OSS using reciprocal licences, the modified source code must be made available.

@gcharest
Copy link
Contributor

gcharest commented Oct 9, 2019

Ah yes, the decision tree was more about the software used inbound. A decision tree should probably be done for licences applied to GC projects 🤔

For example, see this graphic from Heather Meeker's book Open (Source) for Business:
image

@gcharest
Copy link
Contributor

gcharest commented Oct 9, 2019

In other words, if you use without modifications (or any derivative work), you shouldn't be worried about from the OSS licence perspective in most cases as long as it is a recognized OSS licence.

However, if you do modify it, you have additional considerations to keep in mind, mainly that:

Inbound rights must not exceed outbound rights.

@ShadeWyrm
Copy link
Contributor

UOSS

How is this in comparison?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants