Bug #20827
open
Relicense install templates & code samples
Description
The install templates are intended to be copied into a customer's own repository and then modified as needed. However, they are currently mostly labeled as AGPL-3.0 (a few are labeled Apache-2.0):
# Copyright (C) The Arvados Authors. All rights reserved. # # SPDX-License-Identifier: AGPL-3.0
These were added by Javier when he originally wrote the installer, presumably copy-pasted from somewhere else to get the license checker to stop complaining. It was not thought through at the time.
Since the intention is for people to be able to copy and modify these files and not have to reveal the changes to others (since it can contain all kinds of secrets and proprietary information) the use of AGPL is not appropriate.
(My understanding is that the AGPL, like the GPL, doesn't require disclosure for changes distributed within an organization, and we're certainly not going to ask anyone to hand over their configuration files, but there's no benefit in any uncertainty).
The other licenses we use are Apache-2.0 (for SDKs intended for end users to use in their own code, without GPL restrictions) and CC-BY-SA-3.0 (for documentation).
We should either pick one of these, or we should discuss whether we need to adopt a 4th license for these kinds of code examples (the code cookbook is another one) that are intended for unlimited use with no restrictions (except limitation of liability).
In particular, Apache 2.0 and CC 3.0 have requirements that you redistribute the license itself, that is onerous for code snippets that are specifically intended to be incorporated into the user's own software.
On brief research, something like BSD-0 or MIT-0 ?
Updated by Peter Amstutz 9 months ago
- Subject changed from Relicense install templates to Relicense install templates & code samples
Updated by Brett Smith 9 months ago
Peter Amstutz wrote:
In particular, Apache 2.0 and CC 3.0 have requirements that you redistribute the license itself, that is onerous for code snippets that are specifically intended to be incorporated into the user's own software.
On brief research, something like BSD-0 or MIT-0 ?
My highly opinionated opinion is that having a patent license is table stakes for a FOSS license in the 21st century. CC recommends against using their licenses for software and this is one of the reasons. This also rules out all the cutesy minimalist "zero" licenses.
I understand why the license distribution requirement is awkward but it seems like a solvable problem to me. Couldn't the license itself be one of the files added to the user's installer repository?
If we expanded our license boilerplate to include the text suggested in the license itself, including the link to the full text, that would even strengthen the case that everybody was trying to do the right thing even if the license file gets detached from everything else. It's just three wrapped lines of text plus one for a URL.
Updated by Brett Smith 9 months ago
The cookbook examples might as well be under the ASF license anyway: they all use the SDK, which is under the same license, so any code that incorporates them would already be subject to all those requirements.
Updated by Peter Amstutz 9 months ago
Brett Smith wrote in #note-7:
Peter Amstutz wrote:
In particular, Apache 2.0 and CC 3.0 have requirements that you redistribute the license itself, that is onerous for code snippets that are specifically intended to be incorporated into the user's own software.
On brief research, something like BSD-0 or MIT-0 ?
My highly opinionated opinion is that having a patent license is table stakes for a FOSS license in the 21st century. CC recommends against using their licenses for software and this is one of the reasons. This also rules out all the cutesy minimalist "zero" licenses.
Do you mean the license including a patent grant, or that the license states that someone who uses your software won't use patents against you?
Just to confuse things even more, the two files that are definitely code, installer.sh and provision.sh, have SPDX-License-Identifier: CC-BY-SA-3.0 at the top.
I understand why the license distribution requirement is awkward but it seems like a solvable problem to me. Couldn't the license itself be one of the files added to the user's installer repository?
Yea, it could be, it copies a bunch of stuff already.
If we expanded our license boilerplate to include the text suggested in the license itself, including the link to the full text, that would even strengthen the case that everybody was trying to do the right thing even if the license file gets detached from everything else. It's just three wrapped lines of text plus one for a URL.
Could you give an example of how this would look?
For the code cookbook example, if you refer a customer to the cookbook, and they take a section and stick into their program, with changes, what is a reasonable expectation that they'll attribute the code or license? It seems counterproductive to set up obligations that nobody will respect in practice, we just want to make sure we protect ourselves.
Updated by Peter Amstutz 9 months ago
It feels like there ought to be a "right" answer here. I did some brief research and it seems that Stack Overflow (for example) requires everything be licensed CC-BY-SA 4.0, and obviously that gets copied without attribution all the time. Although as you note, CC itself recommends against that.
Updated by Brett Smith 9 months ago
Peter Amstutz wrote in #note-9:
Do you mean the license including a patent grant, or that the license states that someone who uses your software won't use patents against you?
The former.
Could you give an example of how this would look?
# Copyright (C) The Arvados Authors. All rights reserved. # # SPDX-License-Identifier: Apache-2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0
For the code cookbook example, if you refer a customer to the cookbook, and they take a section and stick into their program, with changes, what is a reasonable expectation that they'll attribute the code or license?
If they don't, then they're breaking the license on the SDK already.
Updated by Peter Amstutz 9 months ago
Thoughts on BSD+patent?
https://opensource.org/license/bsdpluspatent/
This still has the attribution clauses, we could drop those, although I don't know if we'd effectively be creating our own non-standand license at that point.
We want people to feel free to copy our samples and templates into their own code, without any concerns about attribution or infringement. That's what is happening anyway, I don't want the license to put people in a position of technically infringing.
Updated by Peter Amstutz 9 months ago
- Target version changed from Development 2023-08-16 to Development 2023-08-30
Updated by Peter Amstutz 9 months ago
- Target version changed from Development 2023-08-30 to Development 2023-09-13 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from Development 2023-09-13 sprint to Development 2023-09-27 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from Development 2023-09-27 sprint to Development 2023-09-13 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from Development 2023-09-13 sprint to Development 2023-09-27 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from Development 2023-09-27 sprint to To be scheduled
Updated by Peter Amstutz about 2 months ago
- Target version changed from To be scheduled to Future