From: intrigeri To: Isis! Subject: AGPL library, really? Date: Thu, 04 Jul 2013 17:38:46 +0000 Hi isis, I see on https://pypi.python.org/pypi/gnupg that you released this library under AGPLv3. Is this correct? If it is, then you might be interested to have a look to this long ongoing thread on debian-devel mailing-list where I've seen explained (by people I trust on this topic) that AGPLv3 is really not well suited for libraries -- to start with, quite some of its terms are ambiguous when one tries to apply them to a library: https://lists.debian.org/debian-devel/2013/07/msg00031.html Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc From: isis agora lovecruft To: intrigeri Subject: Re: AGPL library, really? Date: Sun, 07 Jul 2013 04:20:13 +0000 Hi intrigeri! intrigeri transcribed 2.3K bytes: > I see on https://pypi.python.org/pypi/gnupg that you released this > library under AGPLv3. Is this correct? Yes, that it correct. > If it is, then you might be interested to have a look to this long > ongoing thread on debian-devel mailing-list where I've seen explained > (by people I trust on this topic) that AGPLv3 is really not well > suited for libraries -- to start with, quite some of its terms are > ambiguous when one tries to apply them to a library: > https://lists.debian.org/debian-devel/2013/07/msg00031.html Okay, thanks! /me reads… I think this message better describes why AGPL is bad for libraries: https://lists.debian.org/debian-devel/2013/07/msg00041.html or, at least, I understood that one better than the first. I certainly do not want to make problems for Debian, and now that a bunch of Tor, LEAP, CryptoParty, and Freebox projects, and perhaps soon Pip too, will be depending on this, I *really* don't want to make anyone else's license hell worse. Attached is an email from leap@lists.riseup.net where we had fisticuffs over licensing opinions, wherein I explained my preference for AGPL for everything. Essentially, I do not want people/corporations/etc. to use my work in a closed source application and then potentially make changes to patch found vulnerabilities without contributing those patches back to the main codebase. Though, you're correct, this doesn't make sense for a library, as a closed-source web-service frontend to this Python module likely isn't going to get anyone exploited except the person running the service. So it doesn't make as much sense. Do you know if it is okay for me to re-license it as regular GPL? Do you have any advice on which of GPLv(2|3)(\+)* that I should use? Thanks for pointing this out so quickly before it caused trouble, by the way. :) -- ♥Ⓐisis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt --Attachment 1-- Date: Tue, 28 May 2013 04:13:56 +0000 From: isis agora lovecruft To: micah Cc: leap@lists.riseup.net X-GPG-Public-Key-URL: https://blog.patternsinthevoid.net/isis.txt X-Louis-Lingg: In this hope do I say to you I despise you. I despise your order, your laws, your force-propped authority. Hang me for it! Subject: Re: [leap] license micah transcribed 1.3K bytes: > Tomas Touceda writes: > > > On 05/13/2013 05:32 PM, elijah wrote: > >> if you have any wisdom or opinions regarding the ever joyful and > >> uncontroversial topic of free software licenses, then please deposit > >> said wisdom or opinions in this wiki: > >> > >> https://we.riseup.net/leap/license > >> > >> in a nutshell, we need to decide on a license for the client. > > > > Does anybody have license knowledge a priori? Or should I get started > > reading licenses? > > I'm supposed to have a more than zero knowledge of what constitutes free > licenses due to my debian training, and debian is world-renknowned for > having a particularly nasty debian-legal mailing list where licenses are > chewed up and spit out... but I personally hate the topic and tend to > avoid it as much as possible. > > So basically my opinons are: > > 1. no license that is incompatible with the DFSG[0] (debian free > software guidelines) - it seems like we are probably in agreement about > this? ACK > 2. BSD multi-claused licenses and MIT are confusing and annoying, so I > tend to think they should be avoided due to this > ACK > 3. openssl derived works require granting an exception with GPL licenses > (an exception is trivial), so I prefer gnutls code where possible > ACK > 4. it seems weird to make things AGPL that aren't webapps > I started release everything I could AGPLv3 three years ago, after a conversation with some other activist free-software devs: Me: "I want a license which says 'If you are part of any governing body or corporation which contracts to any private or public military entity, then you should go fuck youself. And no, you cannot use my software -- I will sue your pants off.'" Them: "Isis, that is silly, and even na=C3=AFve. Universities are libraries are often 'part of governing bodies', you don't want to exclude them, do you? And also, you're like not going to see the blobs your code is included in...it will get privately installed on custom military and law enforcement hardware, and when they're done with it it'll go and rot outside on a base or in a police confiscation parking lot somewhere." Me: "Hum. I hate talking about licenses anyway." Them: "Yeah, it sucks. But it's important for us to take this seriously, because the tools we're working on have the potential for helping us better organise at protests, as well as better help the cops kettle us into paddy wagons." [one of the tools was a crisis mapping thing] Different one of them: "Perhaps you both should read AGPL, and see if that helps. I don't think using law against them is going to work, because we can't assume they will play by the rules, but if we're arguing licenses anyway..." AGPL also seems useful when it seems possible that shady closed-source startups are going to add a fancier UI or other feature to your code, and then market it. This is especially worrying, not because they are "stealing users", but because it's never clear if vulns discovered in your own code have been fixed in theirs and vice versa. Or, it could get used in way that is dangerous, or that it wasn't meant for. (For example, there is currently a concern that a certain shell company is going to use OONI's code on these little android-system-on-a-USB dongly thingies...and there are certain dangers with Tor on Android that these people either don't understand or have no intention of warning users about.) Anyway. There is my argument for AGPL. Though I also hate these discussions, don't care about laws, think reformism is bunk, WTFPL is the only sane LICENSE, and all that jazz, so I'm going to go stand over there -----------------------------------------------------------> and watch everybody else duke it out. :) -- ♥Ⓐ isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt --End Attachment 1-- From: intrigeri To: Isis! Subject: Re: AGPL library, really? Date: Tue, 09 Jul 2013 18:30:46 +0000 Hi isis, isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) : > I think this message better describes why AGPL is bad for libraries: > https://lists.debian.org/debian-devel/2013/07/msg00041.html > or, at least, I understood that one better than the first. TBH, I've pointed you at the beginning of the thread because I was too lazy to go fetch the best email in there. I'm glad it helps anyway. > Do you know if it is okay for me to re-license it as regular GPL? I've just re-read a bit to confirm, and my conclusion is that: yeah, as the sole copyright holder (is this the case?) you can freely re-licence to whatever you want. > Do you have any advice on which of GPLv(2|3)(\+)* that I should use? I usually do GPL-3+, but I would not be able to defend it seriously against v2 or v2+. > Thanks for pointing this out so quickly before it caused trouble, by the > way. :) Np. Cheers! -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc From: isis agora lovecruft To: intrigeri Subject: Re: AGPL library, really? Date: Thu, 11 Jul 2013 09:24:12 +0000 intrigeri transcribed 2.6K bytes: > isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) : > > Do you know if it is okay for me to re-license it as regular GPL? > > I've just re-read a bit to confirm, and my conclusion is that: yeah, > as the sole copyright holder (is this the case?) you can freely > re-licence to whatever you want. Hey intrigeri, I've decided to re-license with your recommendation of GPL3+. Is it okay to credit you and/or publicly point to these emails as the basis for the rationale for the switch? -- ♥Ⓐ isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt From: intrigeri To: Isis! Subject: Re: AGPL library, really? Date: Sun, 14 Jul 2013 22:33:35 +0000 Hi isis, > Is it okay to credit you and/or publicly point to these emails as > the basis for the rationale for the switch? Feel free to credit me if you wish, but I certainly don't feel it's necessary. I feel a bit lazy to read this thread again to check if it's fine to publish stuff from there, so if you don't mind, I'd rather skip this part ;) Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc