Kord-Extensions/kord-extensions

Licensing change: MPL

gdude2002 opened this issue · 49 comments

The MIT licence used for KordEx is very permissive - it essentially allows anyone to do anything with projects licensed under it, as long as the same licence notice is included with all derivatives.

This is fine for some projects, but given how the software landscape has been changing over time, I would be more comfortable with something a bit less permissive. Having looked over things, I think the MPL might be a good match.

The main thing I'm concerned about when it comes to KordEx's licensing is that, under the MIT, anyone can take KordEx, create a new version of it, and keep their changes to themselves. To me, this goes against the spirit of the open-source community - but on the other hand, I'm not willing to use a viral (or Stallman-based) licence like the GPL. Additionally, most open-source licences allow for private use without disclosure, and don't consider network use to be a form of distribution.

While the MPL is no different, I feel it strikes a good balance - requiring modifications to files that are part of KordEx to remain open source when modified, while still allowing bots and other modifications to be distributed (or not) under whatever licence the author feels meets their purposes.


Obviously, as an open-source project, everyone who has contributed to KordEx would need to give their permission for a licence change going forward. For that reason, I'd like to request that permission from the following list of people:

The above list includes known translators, at least as far as I was able to dig up. Obviously, anonymous contributions can't be provably tied to any particular person, so it's not going to be possible to get permission from those that didn't create an account to contribute translations - but since they're anonymous, I doubt that's going to be an issue here.

To give your permission, please respond to this issue with an explicit declaration that you're OK with this licensing change. If you're not, let's chat - I'd be happy to consider alternative licences as well!

Approvals must be placed below this comment, unless a previous comment explicitly provides approval for the change to the MPL.

Old version of this issue

The following text is provided for historical purposes, from an earlier version of this discussion.


We're currently discussing other licences, as the EUPL turned out to likely require bots to be licenced under it. The current candidate is the EPL (Eclipse Public Licence) 2.0.


The MIT licence used for KordEx is very permissive - it essentially allows anyone to do anything with projects licensed under it, as long as the same licence notice is included with all derivatives.

This is fine for some projects, but given how the software landscape has been changing over time, I would be more comfortable with something a bit less permissive. Having looked over things, I think the EUPL might be a good match.

The main thing I'm concerned about when it comes to KordEx's licensing is that, under the MIT, anyone can take KordEx, create a new version of it, and keep their changes to themselves. To me, this goes against the spirit of the open-source community - but on the other hand, I'm not willing to use a viral (or Stallman-based) licence like the GPL. The EUPL seems to strike the right balance to me, as it requires disclosure of source changes in all situations where it makes sense to modify KordEx:

  • When distributing compiled versions
  • When distributing source code
  • When using it to provide a SaaS solution (a Discord bot in our case)

The EUPL does not require projects that link with KordEx to be licensed under the EUPL. From my reading of it (and I'm not a lawyer), it seems that exceptions are made for interfaces and data models, or generally anything needed for an implementation to happen. By including a copy of the licence in the final KordEx JARs, this should cover pretty much any case that could come up - allowing bots that use KordEx to use whatever licence they wish.


Obviously, as an open-source project, everyone who has contributed to KordEx would need to give their permission for a licence change going forward. For that reason, I'd like to request that permission from the following list of people:

The above list includes known translators, at least as far as I was able to dig up. Obviously, anonymous contributions can't be provably tied to any particular person, so it's not going to be possible to get permission from those that didn't create an account to contribute translations - but since they're anonymous, I doubt that's going to be an issue here.

To give your permission, please respond to this issue with an explicit declaration that you're OK with this licensing change. If you're not, let's chat - I'd be happy to consider alternative licences as well!

I'm OK with the licensing change

🚀

If it isn't clear, I approve of this change haha

ok for me !

wait shouldn't i also be required to allow since i basically partially redid mapping extension

oh well, I approve anyway

For some reason, you weren't in the contrib graph? Odd stuff

Yeah, looks like I'm also missing out on @Galarzaa90 according to the PR list, I'll add them

I am happy with the license change 👍

I'm good with the license change 👍🏼

For some reason, you weren't in the contrib graph? Odd stuff

I'm guessing it's because it's not in the main branch right now?

Ah right, that's probably it, yeah

Sounds good 👍

lgtm

I'm fine with whatever you decide gdude

I'm okay with the license change

ks129 commented

👍 from me!

👍 all good

LGTM 👍

I don't think the EUPL allows what you think it does. A derivative must be EUPL-licensed except when a) it is combined into a work licensed under a compatible license as listed in the Addendum or b) the derivative work is, as defined by EU directive 2009/24/EC, using the EUPL-licensed work in a way that is "indispensable to obtain the information necessary to achieve the interoperability of an independently created program with other programs" (emphasis mine)
The latter case applies for literally every license and is intended for the case where you want to replace a component in a system that communicates via proprietary protocols.
Including the license text in bots is not sufficient, they must be open source and compatible.

See also: https://op.europa.eu/en/publication-detail/-/publication/c15c9e93-27e1-11ec-bd8e-01aa75ed71a1
https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:111:0016:0022:EN:PDF

The EUPL is an open source software licence created by the European Commission. It is available in 23 languages and it can be used by all public and private software licensors. The EUPL enables public administrations, businesses and individuals to embrace the free/open source model to maximise their software development potential. The latest version of the licence – the EUPL v.1.2 – was published in 2017. It provides for wider compatibility with other open source licences compared to the previous version – EUPL v.1.1.

I've tried to read up stuff on EUPL, and I wonder why you chose such a niche license. This will either lead to people who don't even care about licensing OR people who drop it because they don't understand the license.

I'm not a lawyer. I only check for TL;DRs

Reading this I understand as if everything which is using "kordex" needs to disclose source -> Reason for me to drop work on this library entirely.
I do many customer projects and I'm not allowed to share or distribute code, so a EUPL licensed library cannot be considered.

Please consider using a commonly known license.

I'm on phone and don't have a ton of time right now, but I think I can respond to some of these concerns.

It's too niche

The EUPL is OSI-approved. As far as I'm concerned, if the OSI is happy to certify a license, I don't think it's all that niche. I also don't think the EU is a particularly niche org.

I'll have to disclose bot source

At the top of the license, the following definition is provided:

‘Derivative Works’: the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15.

Additionally, the introduction page for the EUPL states the following:

Interoperable means that the EUPL is applied according to the European Law (Directive 91/250/EEC, re-codified 2009/24/EC), making clear that the covered interfaces, APIs and data structures may be freely copied and reused for implementing static or dynamic linking with any other independent component, without impacting the licence of this component;

These statements together read to me as an extension of European copyright law, which any code I write already comes under - and the specific interoperable mention above reads to me like linking is okay and wouldn't impact your ability to license (or not) your bots.

My only real concern with this relates to the compiled KordEx JARs. The question for me here is whether shading KordEx into your bot's JAR (as you'll have no other choice but to do in most cases) causes the entire bot to become a Derivative Work. If this is the case, then we'll need to keep looking - but discussions like this are one of the reasons to open an issue!

See also: op.europa.eu/en/publication-detail/-/publication/c15c9e93-27e1-11ec-bd8e-01aa75ed71a1

Here's a screenshot from that page, since I can't seem to copy text from it

eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:111:0016:0022:EN:PDF

On this page, we have:

The unauthorised reproduction, translation, adaptation or
transformation of the form of the code in which a copy
of a computer program has been made available
constitutes an infringement of the exclusive rights of
the author. Nevertheless, circumstances may exist when
such a reproduction of the code and translation of its
form are indispensable to obtain the necessary information
to achieve the interoperability of an independently
created program with other programs. It has
therefore to be considered that, in these limited circumstances
only, performance of the acts of reproduction
and translation by or on behalf of a person having a
right to use a copy of the program is legitimate and
compatible with fair practice and must therefore be
deemed not to require the authorisation of the rightholder.

This paragraph (that was partially quoted) seems to only apply to reproduction, modification and distribution in an unauthorized manner. It doesn't cover licensed uses, which we seem to be OK with given the earlier screenshot?

The EUPL refers to the laws of EU countries and is therefore
interoperable. This means that all the interfaces of the
covered software (the APIs, formats, data structures) can
be freely copied and reproduced in other independent works
in order to build interoperability, e.g. combining software
distributed under the EUPL with any other software
licensed differently, even under a proprietary licence. In
such a combination or statically linked aggregation, every
linked component will keep its primary licence, without
any ‘viral effect’

(quoted from guidelines)
"interfaces of the covered software" meaning not the covered software in its entirety
"can be freely copied and reproduced in other independent works" independent works is the opposite of derived
"without any ‘viral effect’" because a copyright license can't apply to you if the thing you're doing does not require you to adhere to copyright law in the first place

Regardless of the specifics, the EUPL is a copyleft license, and not a library-friendly one. How about the Mozilla Public License?

I had looked at the MPL, but it has a loophole whereby it only applies to individual files rather than the project - meaning you could stub out files or otherwise call out to your custom code without having to disclose it, even if it was an objective improvement to the project

I forgot to respond to the other point, I'm leaning on the "or statically linked aggregation" part of that quote here, but it doesn't seem they define what they mean by that.

Reading the licence itself, it only seems to state that derivative works need to include the licence notices from the original work, and a copy of the EUPL (which we can easily do by adding it into the JAR). It only seems to talk about disclosing the source for modified copies of the original work, from my reading.

It's not super long - anyone else want to take a look?

It does seem that this all hinges on what a derivative is. I can't think of another licence that meets what I've been talking about, though. Where do we go from here?

  1. Obligations of the Licensee
    [...]

Attribution right: [...] The Licensee must cause any Derivative Work to carry prominent
notices stating that the Work has been modified and the date of modification.

Copyleft clause: If the Licensee distributes or communicates copies of the
Original Works or Derivative Works, this Distribution or Communication will be
done under the terms of this Licence [...]. The Licensee
(becoming Licensor) cannot offer or impose any additional terms or conditions on
the Work or Derivative Work that alter or restrict the terms of the Licence.

As for what a derivative work is:

In this Licence, the following terms have the following meaning:
[...]

  • ‘Derivative Works’: the works or software that could be created by the
    Licensee, based upon the Original Work or modifications thereof. This Licence
    does not define the extent of modification or dependence on the Original Work
    required in order to classify a work as a Derivative Work; this extent is
    determined by copyright law applicable in the country mentioned in Article 15.

basically, ask a lawyer. even better, ask a court to rule on this. good luck.

i don't know any other licenses that have a network use clause, but are intended to be used for libraries. could you imagine finding something with that license deep in your dependency tree? that'd be hell

You mean their SaaS-as-usage clause? I really don't need that, tbh

So TL;DR of EUPL is linked bins license is not spreading on the whole project, i.e. linked kordex wouldn't force me to align with EUPL?

That's what I thought, but if @Scotsguy disagrees then I don't think we can rely on that interpretation - so we'll need to keep looking.

Any ideas?

How about the Eclipse Public License?

From the FAQ:

4.22. If I write a module to add to a Program licensed under the EPL and distribute the object code of the module along with the rest of the Program, must I make the source code to my module available in accordance with the terms of the EPL?

No, as long as the module is not a Modified Work of the Program.

Otherwise, it seems to do what I talked about in the initial issue comment.

There's like no TL;DR on EPLv2, aside from that I'm not a lawyer, I'm giving you my OK for any license change that will not make me to have my bot(s) using a linked binary from kordex open source.
I'm okay with having all derivations to KordEx itself open sourced and I don't plan to sell KordEx as my own product, so those topics, can be touched by a license change without further approval from me.

BTW: You eventually want to check out Apache2.0 or MPL, those may fit your use case.

There's like no TL;DR on EPLv2, aside from that I'm not a lawyer, I'm giving you my OK for any license change that will not make me to have my bot(s) using a linked binary from kordex open source. I'm okay with having all derivations to KordEx itself open sourced and I don't plan to sell KordEx as my own product, so those topics, can be touched by a license change without further approval from me.

BTW: You eventually want to check out Apache2.0 or MPL, those may fit your use case.

  • I need to be able to distribute my bot(s) in a commercial matter, so that may not change too. Other than these points, you should be good.

Having looked (again) over numerous licences, I've decided that really we should... just go MPL. It doesn't cover every situation I have concerns about, but it's the closest we're going to get.

An FAQ is available here.

To ratify this change, I'll need to once again ask for permission from each of our contributors. I apologize for the extra notifications here - I've had a hard time figuring out where to go on this issue. The below list includes people who haven't already agreed to this change above:

I've also updated the original issue with a new list.

Sounds good to me!

I am okay with relicensing under the Mozilla Public License.

I've tried to read up stuff on EUPL, and I wonder why you chose such a niche license. This will either lead to people who don't even care about licensing OR people who drop it because they don't understand the license.

I'm not a lawyer. I only check for TL;DRs

Reading this I understand as if everything which is using "kordex" needs to disclose source -> Reason for me to drop work on this library entirely.
I do many customer projects and I'm not allowed to share or distribute code, so a EUPL licensed library cannot be considered.

Please consider using a commonly known license.

I agree

LGTM

👍

Looks fine to me 👍

👍

ks129 commented

👍

👍

MPL also sounds good 👍

Sounds good 👍🏼

Alright folks, it seems we've reached consensus. Thanks for everyone's input - I'll get this done ASAP!

Apparently I forgot to close this - whoops!