Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider re-licensing to AL v2.0, as RocksDB has just done #10191

Closed
wohali opened this issue Jul 15, 2017 · 128 comments
Closed

Consider re-licensing to AL v2.0, as RocksDB has just done #10191

wohali opened this issue Jul 15, 2017 · 128 comments

Comments

@wohali
Copy link

wohali commented Jul 15, 2017

Hi there,

The Apache Software Foundation Legal Affairs Committee has announced that the so-called 'Facebook BSD+Patents License' is no longer allowed to be used as a direct dependency in Apache projects.

This has lead to a lot of upset and frustration in the Apache community, especially from projects requiring similarly-licensed code as direct dependencies - the chief of these being RocksDB.

However, we (the Apache Software Foundation) have just received word that RocksDB will be re-licensing their code under the dual Apache License v2.0 and GPL 2 licenses.

As a user of React.JS in an ASF top-level project (Apache CouchDB), please consider re-licensing React.JS under similar terms. Otherwise, many ASF projects such as our own will have to stop relying on and building with React.

A previous bug (#9760) suggested I mention @lacker in this issue when asking licensing questions, so I'm doing so.

Thank you kindly for your consideration.

@tdunning
Copy link

From what I have heard, FB is not interested in pursuing the more draconian possibilities of the BSD+patents license. If that is true, there is actually very little difference between BSD+patents and the Apache license. As such, relicensing should make little if any pragmatic difference to Facebook.

Such a change, however, would make it much easier for license-cautious downstreamers. Please do consider making the change.

@gaearon
Copy link
Collaborator

gaearon commented Jul 15, 2017

@lacker no longer works at Facebook. I'm having a little trouble figuring out who would be best to route this to, but I'll look again on Monday. Thanks for raising this!

@rmccue
Copy link

rmccue commented Jul 16, 2017

RocksDB is now dual Apache 2.0 and GPL v2 licensed as of facebook/rocksdb#2589

@rakibtg
Copy link

rakibtg commented Jul 16, 2017

@dchest
Copy link

dchest commented Jul 16, 2017

Instead of switching license to Apache License 2.0 (ALv2), which is not liked by many people, is incompatible with GPLv2) and/or dual-licensing ALv2 + GPL mess, would Facebook consider changing a PATENT license once again to make termination clause look more like the patent license grant in ALv2:

If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

Would this satisfy ASF people?

Just to voice an opinion, in my and my company's software projects, I avoid dependencies that use ALv2, and I'm against relicensing away from the BSD-like license. I'd prefer that ASF would rewrite their software to not use dependencies that their lawyers say the can't use instead of persuading every project that they can't use to change license.

@rnewson
Copy link

rnewson commented Jul 16, 2017

We're only asking if the project would consider changing license. Apache CouchDB and others will switch away from react if we have to. We'd rather not, it's a lot of work for no real gain, but we don't have a choice. Changing license can be simple (RocksDB completed that change in a day).

@dchest
Copy link

dchest commented Jul 16, 2017

We're only asking if the project would consider changing license.

I understood that. My point is that instead of changing the license, would ASF and Facebook work to arrive at the acceptable PATENTS file?

(BTW, I'm not in any way related to the React project or Facebook Inc. apart from being the user.)

@rnewson
Copy link

rnewson commented Jul 16, 2017

great question, will need a bod from ASF Legal to answer it. I'll point them here if I can.

@nevetS
Copy link

nevetS commented Jul 16, 2017

@dchest What is it specifically that your company finds necessary to avoid in ALv2 that is not already present in the react license?

The existing PATENTS file is a point of consternation for many, not just ASF. I think the point of this request is to alleviate licensing concerns that cause unnecessary roadblocks to adoption.

@dchest
Copy link

dchest commented Jul 16, 2017

@nevetS due to Oracle America, Inc. v. Google, Inc. I avoid discussing any specifics about any licensing decisions in public or by email, so I'll leave it to other brave souls and/or lawyers. I only decided to voice my opinion here because I saw no opposing opinions posted, while in fact there are such.

The issue concerns changing the status quo to satisfy one organization's needs (but I'm sure there are others too) by re-licensing with the license written by this organization (sure, it's OSI-approved and widely used), with a history of alienating other open source (and "free software") projects. I don't want this to happen to React, so I'm trying to see if there's a middle ground by changing the PATENTS file is such a way that will satisfy both Facebook and ASF.

@j127
Copy link

j127 commented Jul 16, 2017

Many people don't use React (and Immutable, etc.) because of the PATENTS file. The simplest solution would be to delete it from all of the Facebook repos.

@erkinalp
Copy link

Modified GPL-like with share-alike patents clause?

@clarkevans
Copy link

clarkevans commented Jul 16, 2017

There has been recent, renewed awareness in medical research institutes about open source license compliance. Legal review of open source software compliance often expressly asks for Apache 2.0 license precisely because it is a competently constructed and includes equitable patent grants. Since U.S. based universities rely upon patent licensing as part of their legislatively mandated technology transfer initiatives, they are growing far more cautious in their due diligence. For this reason, at some universities, software written with React may be shunned. Existing projects using React software may be asked to remove the React software software dependency. Please strongly consider this proposal, since our RexDB work is used at major universities, we do not wish to rework to use a React alternative.

@dchest
Copy link

dchest commented Jul 16, 2017

@clarkevans thanks for your contribution to the discussion! As you said, the purpose of the review was ensuring compliance, that is protecting themselves from lawsuits. It's a worthy goal for any organization, but I doubt the effect of licenses on open source ecosystem was considered, and I think this effect is very important. Simple BSD-like licenses are known to cause less friction for open source projects. If the fact that Facebook granting additional patent rights (separately from copyright license) causes problems for some organizations, I think it's worth considering fixing the problem with patent grant instead of switching to the license that incorporates it.

Here's an example of a patent license which I think might work for everyone: https://github.com/golang/go/blob/master/PATENTS

@clarkevans
Copy link

clarkevans commented Jul 16, 2017

@dchest I'm not a lawyer, but I'm not sure you can consider the BSD license independent of the additional patent grant, it's about intent, and patents file changes the intent. Even Facebook's blog [1] refers to their license as BSD+Patents, "We use a standard BSD license paired with an additional patent grant for most of our open source projects. For brevity, we call this combination the Facebook BSD+Patents license." This is further complicated by the recent revelation that the GPL is enforceable as a contract [2]. Please note that there is sufficient dissent at the Open Source Initiative that CC0 is not approved as an open source license [3]. Hence, I don't think that you can view BSD independently once the additional patent license is added since you can no longer assume there is implicit patent grant.

While the Apache 2.0 license may not be perfect, in the interest of unifying licenses, it's far better than adding yet another license. Surely the OSI would reject Facebook's BSD+patent license if it were proposed. So, in reality, you might want to instead consider React as "non-free" expressly because of this addition. Lots of people add additional non-free clauses to the BSD license and propose it to the OSI each year, and in almost every case the license is rejected as not complying with open source standards.

[1] https://code.facebook.com/pages/850928938376556
[2] https://perens.com/blog/2017/05/28/understanding-the-gpl-is-a-contract-court-case/
[3] https://opensource.org/faq#cc-zero

@clarkevans
Copy link

clarkevans commented Jul 16, 2017

As a further note, Google's gRPC was relicensed to Apache-2.0 as part of joining CNCF. They explained their reasoning here: https://www.cncf.io/blog/2017/02/01/cncf-recommends-aslv2/

@webmink
Copy link

webmink commented Jul 16, 2017

OSI-approved alternatives to Facebook's license+grant combo also include UPL[1] and BSD+Patent[2], both of which are likely to be compatible with Apache's license. Where possible I suggest avoiding inventing yet more legal language.

[1] https://opensource.org/licenses/UPL
[2] https://opensource.org/licenses/BSDplusPatent

@tdunning
Copy link

Regarding the vague fear by unnamed people that @dchest was talking about, establishing clear compatibility with the current Apache license is precisely one of the main reasons for GPL v3.

More concretely, writing yet another license for people to have to keep track of and analyze is simply silly. This is especially so if you write one that incorporates patent language "just like" the Apache language on top of the BSD model that is also "just like" the Apache language, except that the Apache license was updated based on feedback from competent legal counsel.

@tdunning
Copy link

@nevetS

I don't think that @dchest ever said that his company found anything problematic with the Apache license. He just said that he tries to avoid it in his work. That is completely different.

My (uninformed) guess is that his company has no problem with Apache apart from that sourced from Dmitriy himself.

@harshavardhana
Copy link

From Minio team here we would like to see this change happen. Our object storage browser UI is based on react and we are Apache 2.0 licensed.

It would be unfortunate and time consuming to migrate but we will have to do that in lieu of new information regarding Apache incompatibility. Please consider re-licensing React.

Thank you for your consideration.

@dchest
Copy link

dchest commented Jul 17, 2017

@harshavardhana I think you misunderstood the situation. The current license is not incompatible with ALv2. The situation is that Apache Software Foundation's lawyers (correction: policy makers) declared that their projects will not use any dependencies licensed with BSD+Facebook's patent license, so their people filed this issue to convince Facebook to relicense it under ALv2. Many other people consider the current license and patent grant problematic, some companies also ban React for this reason. However, React is used by many more companies that don't have problems with it. See also omcljs/om#882 (comment)

@gstein
Copy link

gstein commented Jul 17, 2017

Close, @dchest. It was not our lawyers that made this choice, but our policy decision to disallow the FB/BSD+Patent license to be mixed into the software the Foundation releases to users. And I don't think anybody expected a relicensing; this change was promulgated as an "internal" change in policy around this particular license.

@nevetS
Copy link

nevetS commented Jul 17, 2017

The current license is not incompatible with ALv2.

From the apache discussion:

Roy T. Fielding added a comment - 12/Jun/17 13:50
I have discussed that license with Facebook's legal counsel. It is not BSD (which relies on implied patent grants) and is intentionally incompatible with the Apache License.

@wohali
Copy link
Author

wohali commented Jul 17, 2017

The request to re-license was made politely, and was met with similar politeness by @gaearon (Thank you Dan for your understanding!)

There is no expectation of change on Apache CouchDB's part, but there is certainly a lot of hope for re-licensing to be achieved. And I'm hoping Dan can connect with people like @daveman692 to understand Facebook's internal reasoning and process for the expeditious change-of-heart around RocksDB's licensing.

@dchest
Copy link

dchest commented Jul 17, 2017

@wohali sure, and I hope my comments are not considered impolite, if so — sorry, that wasn't my intention. It's important to note that ASF opinion is highly valued in the open source community, so while you opening the issue is a simple and polite request for the license change, the fact that the request is caused by ASF policy position — relicense or we'll stop using it — has an side effect of making other people fear the current license.

I hope that Facebook and ASF arrive at the mutually acceptable terms, however I would like to see the compromise in the form of the current BSD license plus a changed PATENTS file, rather than ALv2. I also hope that ASF itself proposes this as an option.

(That's pretty much all I had to say, so I'm unsubscribing from this thread.)

@gaearon
Copy link
Collaborator

gaearon commented Jul 17, 2017

To give you a small update, there are going to be more internal discussions about this for about a week. This is about as much as I can say. I wouldn't be too optimistic about this changing for React but we'll see. @daveman692 has kindly agreed to provide an update when these discussions are over.

@nevetS
Copy link

nevetS commented Jul 27, 2017

The lawyers from Apache have made their decision - the licenses are incompatible. Facebook lawyers have said as much, too, according to the public discusion on the apache mailing list. (linked above in one of my previous comments).

This is a request to change the license.

There is always a lot of speculation as to what the license means. There are many differing opinions. Facebook has an FAQ about the license. They made a clarification post when it was last updated.

This request, per comments above, is being discussed internally at Facebook. They will decide what to do soon enough.

Individuals, projects, and companies can decide whether it's a good decision to use software with this or any other license. There are many online discussions on this topic in more appropriate forums than a github issue.

If you are similarly having difficulty leveraging React for legal reasons pertaining to the license, that would be great information to add to the issue comments.

If you are looking to change people's minds about how to interpret the license, this isn't the place to do it.

I would caution anyone from leveraging a legal opinion from this issue discussion. Most of the participants are not Facebook employees, and nobody has made an official statement clarifying the parameters of the license in this thread.

Besides, not very many lawyers have github accounts.

@gstein
Copy link

gstein commented Jul 27, 2017

@nevetS to clarify: the Foundation did not say the licenses were incompatible. ... The Foundation said that its projects could not depend upon components using the FB/BSD+Patents license because it would introduce requirements over/above those of the ALv2.

Over the course of this discussion (here/elsewhere) several lawyers have stated the licenses are not incompatible. It is just that incorporating both into a larger Work means that you have two sets of requirements (ALv2 and FB/BSD+Patents). That larger set of requirements can be perfectly acceptable to some developers and the software they release.

By policy, that combination is not acceptable to the Foundation. Simple as that.

@k0105
Copy link

k0105 commented Jul 28, 2017

Open source should not rely on a patron's sympathy that can be revoked at any hint of conflict. Either open source a project and openly collaborate or keep it closed source. Softening this up with a Frankenstein license is counterproductive and extremely dangerous - if this sets a precedent and you have to accept additional clauses for every open source project you use, we will all suffer tremendously. The suggestion is a much cleaner solution for everyone. If this clause is only a paper tiger like some claim, it should not exist and if it is not, then this project is not open and has to be approached with extreme caution in most scenarios. In short: While I apologize for adding another opinion, the suggestion to relicense seems very well-founded. We recently had to decide against React for this reason and that's a shame.

@mistercrunch
Copy link

mistercrunch commented Jul 29, 2017

Active committer on Apache Superset (incubating) here https://github.com/apache/incubator-superset, and ex Facebooker. Like CouchDB we're caught in the Facebook/ASF crossfire and would just like to use React to build and share [truly unlimited, surprise-free] open source software.

Regardless of the legitimacy, true meaning and applicability of the patent clause, we'd like for Facebook to play by the same rule as everyone else in the open source space and produce a standard, condition-free BSD license for React.

I was largely unaware of this issue when the team chose React for Superset, and for us to backtrack on either on the ASF or React side would be extremely counterproductive. Or worse, another option might be to tip-toe around by not distributing React in our releases and have the users build the software on their own to defer liability [not an option].

Personally (and based on my limited understanding of the legal implications) I think it's unethical for Facebook to buy itself some sort of patent lawsuit immunity through its popular open source software.

[Also related] If Facebook sticks with the current patent clause, I'd like to see the npm license metadata changed to reflect Conditional BSD or something that makes it clear that it isn't good old BSD, so that when we use package managers to import libs, and recurse through dependencies to understand the tree of licensing implications, that somehow this would bubble up as something important to understand, research and validate with our lawyers and software foundations.

@johnament
Copy link

@gstein not sure what you mean, Facebook has been told that it's not compatible by foundation members

@tdunning
Copy link

@johnament I think that Greg is referring to a definition compatibility which says that two licenses are incompatible if there is no logical way to combine software components under the two licenses. For instance, CDDL and GPL are classic in this case since they both put limits on how the derived work must be licensed and the limits have no intersection.

There is another definition of compatibility and that is upstream policy compatibility. That is the problem at Apache. We don't (as you know better than I) allow dependencies that inhibit field of use or other aspects of use. As such, the patents rider on BSD+Patents is incompatible with Apache's policy.

There is nothing, however, that says that I can't use an Apache licensed component together with react if I am happy about that. I would just wind up with a derived work that imposes the same patent behavior on my users. I can't bring the combination back to Apache and suggest it be a project. But I can use it outside of Apache's policy confines.

In sum, I agree with both of you. :-)

@johnament
Copy link

@tdunning Could be. I'll let Greg comment on what his intentions were, but my reading of Roy's comment is that the licenses themselves are not compatible with one another (e.g. you couldn't dual license code under both of them). Speculatively, this is because ALv2 includes an irrevocable claim while the FBPL includes an explicit revocation clause. This is also probably why we can't include it, at the roots of it, because there is partial code that is potentially revocable.

@gstein
Copy link

gstein commented Jul 29, 2017

Very simple, @johnament ... I said that @nevetS was incorrect when he asserted "The lawyers from Apache have made their decision - the licenses are incompatible." ... Our lawyers have made no such declaration. And the referenced ASF Member is not a lawyer, let alone one representing the Foundation.

The Foundation has said it will not allow FB/BSD+Patents for policy reasons (I'd have to look, but I don't even think our lawyers weighed in, at all). It has nothing to do with compatibility, and the Foundation has made no assertions or declarations about compatibility.

@nevetS
Copy link

nevetS commented Jul 29, 2017

Apologies for stirring the pot on that @gstein - I myself had the wrong impression and shouldn't have made that statement without verifying.

It would be nice if those with legal team resources like the ASF would somehow publicly weigh in on the topic.

@gstein
Copy link

gstein commented Jul 29, 2017

No worries, @nevetS ... easy enough to clarify.

Unfortunately, the ASF cannot provide legal advice. The crazy thing about the legal profession is that no lawyer will provide such advice either, unless and until you are their client covered under a retainer agreement. That's why you'll see commentary [from lawyers] marked as opinion, and in their second breath tell you to retain your own lawyer for advice :-)

@mistercrunch
Copy link

+cc top contributors @zpao, @spicyj, @sebmarkbage, @gaearon

Multiple projects at the ASF (CouchDB, Cordova, and Superset) are in limbo and many of us would like for Facebook to communicate and clarify whether:

  • the stance on the patents clause is firm and will not change
  • people are debating internally at FB and will come up with clarification (an ETA would be great!)
  • things are moving in the direction of a standard, ASF approved license (?!)

Personally I ❤️ React, ❤️ the ASF, and ❤️ open source software. Please allow us to share things built on top of React!

@cisen
Copy link

cisen commented Aug 2, 2017

I have been waiting for more than two weeks and felt very disappointed now. We can change nothing but just go away. Goodbye react && Hello angular.

@OlegLustenko
Copy link

OlegLustenko commented Aug 2, 2017

I'm pretty sure there will be no public decision until ~31 August because of corporation-enterprise etiquette

@SEAPUNK
Copy link

SEAPUNK commented Aug 2, 2017

Calm down. At least the Facebook legal team (!!!) is looking into it. That by itself should be considered almost nothing short of divine intervention. Past that, it's going to be a waiting game, and that should be expected of anything related to legal work. Not much anyone of us can do here right now, but sit, and wait. If you can't sit and wait, go learn Vue, or something in the meantime. It's not going to kill you.

Your complaining is only going to make things worse at this point. They already know that we don't like how things are right now. They get it. I'm sure they're sick of listening to this thread. If there are more pointless comments in this thread, you bet your ass this thread will be locked down and shoved in the attic to collect dust.

@bjankord
Copy link

bjankord commented Aug 2, 2017

I too share @mistercrunch's and @OlegLustenko's thoughts/concerns. We'll likely need to wait until August 31st to hear something on this from Facebook.

@huang-x-h
Copy link

Any progress?

@sophiebits
Copy link
Collaborator

Hi all – thanks for waiting patiently. We still don't have anything to announce right now but will update here when we do.

@alanzhaonys
Copy link

Come on Facebook, do the right thing!

1 similar comment
@zenjava
Copy link

zenjava commented Aug 16, 2017

Come on Facebook, do the right thing!

@sophiebits
Copy link
Collaborator

Please stop.

@blling
Copy link

blling commented Aug 16, 2017

If you can't sit and wait, go learn Vue, or something in the meantime. It's not going to kill you.

@coding102
Copy link

Sure some people can sit and wait but when you have production code, time is money. And for a company it could become very expensive to rewrite code simply because you have to change your framework. Imagine you hired React JS developers, do you keep them and hope they could learn another framework, or do you look for other staff.

@cesarandreu
Copy link

cesarandreu commented Aug 16, 2017

@coding102 You can use use preact, with preact-compat it should be fully compatible with react.

@k0105
Copy link

k0105 commented Aug 16, 2017

I agree with spicyj: Please stop. Those discussions certainly have a place (e.g. a forum), but are misplaced in a Github issue which only deals with a very specific request. Furthermore, we have reached a point where we are waiting for a specific response. Your comments are well-intentioned (and I'm impatiently awaiting the result myself), but this should be discussed somewhere else, e.g. here, here or here. We also had preact mentioned twice before - repetitions do not contribute anything.

@sebmarkbage
Copy link
Collaborator

As Adam mentioned today, we want to be able to open source technology that is part of our most successful products. That's why we had to rethink how we could approach our licensing practice without further opening ourselves up to frivolous lawsuits and why it will remain in place. I'm sorry that this has caused so much churn in the community. Some even feel like they have to stop using UI frameworks because of it.

I understand that some organizations may choose to have policies against this type of license on principle. I like that we clearly include a patent license in our repo. IMO it would be nice if more companies would choose this route too. I was surprised by the ASF's decision since our license hasn't changed in years now. I think that's unfortunate because it works against companies trying to open up while protecting their business. It also creates a lot of churn for people building and combining great technologies. I wish this was normalized.

I'd like to keep working on giving more protection to ideas with many diverse implementations. Let's create an environment for that to happen. I'll close this out for now but let's keep the broader discussion going.

@facebook facebook locked and limited conversation to collaborators Aug 19, 2017
@gaearon
Copy link
Collaborator

gaearon commented Sep 22, 2017

We’re relicensing React, Jest, Flow, and Immutable.js under the MIT license.
I hope that this addresses your concerns.

https://code.facebook.com/posts/300798627056246/relicensing-react-jest-flow-and-immutable-js/

@gaearon
Copy link
Collaborator

gaearon commented Feb 17, 2018

React Native (including Metro, Fresco, and Yoga) has also been relicensed as MIT.

facebook/react-native@26684cf

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests