[personal profile] mjg59
MongoDB just announced that they were relicensing under their new Server Side Public License. This is basically the Affero GPL except with section 13 largely replaced with new text, as follows:

If you make the functionality of the Program or a modified version available to third parties as a service, you must make the Service Source Code available via network download to everyone at no charge, under the terms of this License. Making the functionality of the Program or modified version available to third parties as a service includes, without limitation, enabling third parties to interact with the functionality of the Program or modified version remotely through a computer network, offering a service the value of which entirely or primarily derives from the value of the Program or modified version, or offering a service that accomplishes for users the primary purpose of the Software or modified version.

“Service Source Code” means the Corresponding Source for the Program or the modified version, and the Corresponding Source for all programs that you use to make the Program or modified version available as a service, including, without limitation, management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available.


MongoDB admit that this license is not currently open source in the sense of being approved by the Open Source Initiative, but say:

We believe that the SSPL meets the standards for an open source license and are working to have it approved by the OSI.

At the broadest level, AGPL requires you to distribute the source code to the AGPLed work[1] while the SSPL requires you to distribute the source code to everything involved in providing the service. Having a license place requirements around things that aren't derived works of the covered code is unusual but not entirely unheard of - the GPL requires you to provide build scripts even if they're not strictly derived works, and you could probably make an argument that the anti-Tivoisation provisions of GPL3 fall into this category.

A stranger point is that you're required to provide all of this under the terms of the SSPL. If you have any code in your stack that can't be released under those terms then it's literally impossible for you to comply with this license. I'm not a lawyer, so I'll leave it up to them to figure out whether this means you're now only allowed to deploy MongoDB on BSD because the license would require you to relicense Linux away from the GPL. This feels sloppy rather than deliberate, but if it is deliberate then it's a massively greater reach than any existing copyleft license.

You can definitely make arguments that this is just a maximalist copyleft license, the AGPL taken to extreme, and therefore it fits the open source criteria. But there's a point where something is so far from the previously accepted scenarios that it's actually something different, and should be examined as a new category rather than already approved categories. I suspect that this license has been written to conform to a strict reading of the Open Source Definition, and that any attempt by OSI to declare it as not being open source will receive pushback. But definitions don't exist to be weaponised against the communities that they seek to protect, and a license that has overly onerous terms should be rejected even if that means changing the definition.

In general I am strongly in favour of licenses ensuring that users have the freedom to take advantage of modifications that people have made to free software, and I'm a fan of the AGPL. But my initial feeling is that this license is a deliberate attempt to make it practically impossible to take advantage of the freedoms that the license nominally grants, and this impression is strengthened by it being something that's been announced with immediate effect rather than something that's been developed with community input. I think there's a bunch of worthwhile discussion to have about whether the AGPL is strong and clear enough to achieve its goals, but I don't think that this SSPL is the answer to that - and I lean towards thinking that it's not a good faith attempt to produce a usable open source license.

(It should go without saying that this is my personal opinion as a member of the free software community, and not that of my employer)

[1] There are some complexities around GPL3 code that's incorporated into the AGPLed work, but if it's not part of the AGPLed work then it's not covered.

OSI Section 9

Date: 2018-10-17 12:00 am (UTC)
From: (Anonymous)
I would be quite saddened if the OSI decides that Section 9 of the OSD ("License Must Not Restrict Other Software") does not apply because this is not related to "distribution". Given the rationale of Section 9:

> Distributors of open-source software have the right to make their own choices about their own software.

And if you replace "Distributors" with "Users" (which I think most people would agree makes the statement no less true), the problem with this license from an is-this-OSI-compliant perspective is pretty clear. (Purely out of curiosity, I wonder what RMS and the FSF think of this license.)

What does "primarily" mean here? (and more)

Date: 2018-10-17 05:02 am (UTC)
From: (Anonymous)
> offering a service the value of which entirely or primarily
> derives from the value of the Program or modified version

Who decides what "primarily" means? 51%? 75%? How would you even measure that anyway?

Do I have to give them my source code if I run my web frontend on a separate machine and only interact with their DB over the network using their standard API? How about if I spin off the part of my company that runs the frontend?

Literally unapplicable

Date: 2018-10-17 05:57 am (UTC)
From: (Anonymous)
"and the Corresponding Source for all programs that you use to make the Program or modified version available as a service, including, without limitation, management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available"

So... taken quite literally, this means if you provision your mongoDB on AWS, well, you can't because you don't have the source for the hosting software used on AWS. Running on Windows? You're out. Running under Docker? Now you have to distribute the source to Docker and the docker image. Also, of the host OS. And that's not even considering the fact that those are not under the SSPL.

Also, does that include configuration too?

From: (Anonymous)
While I agree with mjg59's comments in the post, I am much more concerned about the meta-issues that MongoDB's actions today raise. I've written a more complete blog post about those issues at:

https://sfconservancy.org/blog/2018/oct/16/mongodb-copyleft-drafting/

--bkuhn

interpretation too extreme

Date: 2018-10-19 05:26 pm (UTC)
From: (Anonymous)
TL;DR: I believe it's just the AGPL in more clarified wording.

Read the SSPL yesterday, re-reading it today after your blog post.

Personally, I believe the intent of the SSPL is to clarify that you just cannot have a proprietary web service make use of a SSPL licensed work and not providing any sources for the web service. I believe that's exactly what the AGPL is about, just formulated in a different way.

Hence I don't think that we have an extreme copyleft license here, but just something that actually tries to clarify the AGPL.

Reading your blog post leaves me some doubt, whether the SSPL goes far beyond of what to my perceived intention can be enforced in court. I think without the opinion of a lawyer, and/or court decision I can't come up with a good argument for or against this license. IANAL either ;).

Cheers,
Stefan.



Uhm…

Date: 2018-10-25 05:10 pm (UTC)
From: (Anonymous)
“copyleft license […] and therefore it fits the open source criteria”

That’s a non-sequitur. The GPL as interpreted by the FSF is barely skirting being considered Open Source and mostly nobody is considering speaking out against it for historic and political reasons.

Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.