Envelope-to: isis@patternsinthevoid.net
Delivery-date: Thu, 04 Jul 2013 11:38:58 -0600
Message-Id: <85ehbep6mx.fsf@boum.org>
From: intrigeri <intrigeri@boum.org>
To: Isis! <isis@patternsinthevoid.net>
Subject: AGPL library, really?
Date: Thu, 04 Jul 2013 19:38:46 +0200
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="=-=-=";
	protocol="application/pgp-encrypted"

--=-=-=
Content-Type: application/pgp-encrypted

Version: 1

--=-=-=
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQIMA1DJjYe0ARAPARAArgElYh6OQGZF7I5iJkKuseLEWy0C4wZ+K36Drm4mEoIN
N/3Tp08wf2czaYPYkXH2n5z9eCuCX8Ec0hAozmOHeA3pFsus5bRpVyEBnGMP8cFZ
+rpEig1xURd0GoWypWtRQSakf5bpAk9VKiSK9iJpZ3iqtkl/zWEyj13MfD6KEN34
pnDf1m6JZLjUrFa8k2dy8lohubTzl32HiFKcdP04fV+ZhlWNAYoiriDEKzpY4Aoy
XFx3HnM5vp3KkqOZM7seFZhXLupCn2F87JMzbEILOwbsJlLkKf/y/Cba+MQSPkSx
7ZE1NVyMQIckRFSrsrZuAR7nZToblQ0/TpcqCYSUUalGF8simW026rFma9c7l6vL
p0fKzMzHd0jUucMUpeAbdVkLFeZq3mBcLiyrNZVO2KLMZDnHyipTU6DkelTD+SS4
v6GbUPuELGFRV+CJvc/bPz6SGkmqaANmVXuhSHJEEb2feCliXduxBJsycM+2mxp6
U9W8YmfyCDIb7rJ2Y1HVPGjbRHWmAE+TrXS/7YVtCtWiNQCa13ccbT0Wkc8INjkQ
iRZQEI0CxfqMFaLpb33jVKVzUvU5OEERO4DTTDHDnXxAGnNlVAUQGKk6ES7pc4NY
aolhj7BkkttLElVZMeL6InhxNTi3oFE4sCTABN2CCqqvVh77IqJmAo9tGUlKxfSF
AgwDT1xlSpP5dskBD/oC8Bhvki4E8s/Q1CggPbwfCrHCDzFTjTXxipp8WkReaXE4
lZTNymG0JWrcmVbuhDy3NQH+GgpYk2PkVq1771FJtNqrfzEZN2IPtyK1GxeAYLEi
pRBInrej05EH96dhM1xMMlXWEe6svIkm3d05ETdeGuvOByXBuDHg60dgGXsjsrV1
/Duwu1Q90Yhz3XMeRVTNsOUGKZAdsz20REs7yZSiqwrm71Q0cf8RUOF4F/u2jsle
kkL6jrLhEt/jhukR9VlpYegxAbluuCM5PslfoNYY/jLagif4akJ0cyGAmNrROtWt
g0n/gdc56TFvutci1/f1zkPlqGgZWANOFVnDsv9Em9Ew3dJ2GDMk4ERFKCBV5X/C
/tuble7M2GR6gFnJstH+uTsyX+2R+LlI+6HdrTfkEm4+S4buqV62XZg6EHMraE7a
QRsgKSa9a9Kd/D0pAo7njvuev7TH9JFvJO1fXG1DARsQYBdxDwJtOHfGnsr4Kc5U
4IKdHKwytwcGC9ulKIBPZ7NN+LJxYFaKwjTfXbS7PARJ35AvN3XL/YJQCk/JKt63
LDQyT+LxeExq+uwUQxRrZQHJm07TqCMgIctLCz/VQrBOe3QMbHCooe+2D8rAR48f
bsdShnh7UuuqV7eKVeYf9lWcaeKQSmg4FxrxApnW6bHglF4d2/sMPsT8ZdxItNLB
KgE3MIRxtV2C2aWIjhAgiJh/0lBVjls0PaMQhMRYOk1CytiuLQ5ixAme4ptba+qv
fGz/pnD0lQd51ZtdDWVXNJM/AagJc+hUNHiDC3DIZw8jEqZqBUke5agHSmzNh+2C
8xQ4jg92p8jnYBkT+AA6oXvudoRpi2Nx+q8jX8fsxpFmgzWAPXyyEDHRmLNLrMhR
CIpHWpPkqH+c0/vz0lVV04LJfP2kGrIUupn2AhVDYRFjbHCOL62cNJJpu9WLCkdR
auurGi78EqVBqea58a0aE+FwGQH47UaMdDUl/eQOooCpzVb9O83HbWWkqm8buJgj
PHSf9AEa+FhnZsrUWwngiiH40ifHfwDQWSzNS2zs5OYG0DbHrESuc+bjOGZ6IOB+
ywIR7z2v4x+XN8bN74eEMK4uIqxv7Thv1BGgGGumqrMDgkrOw1yojUQTC8wRnoiB
uZQspyeVbs5iNOdWiiGzscFXW1+QqHfxtdDLqjJdyvPHhVj2JUxG6w/FggXj8nUJ
trco39vZKaLfp/Dcimok1INr2IEvzUdhV6vrtrO7w+4waNBY7d/uJtT2DLl80Y4R
MIyDeMKhw9q//u1mMOG7Ce7n9iwzX2Bf2t8TSRmM5fqwXtjxcDBl5fceCilIyfCL
fMT2Dws+/n9Y2YQ=
=jcmz
-----END PGP MESSAGE-----
--=-=-=--
Content-Type: text/plain

Hi,

I see on https://pypi.python.org/pypi/gnupg that you released this
library under AGPLv3. Is this correct?

If it is, then you might be interested to have a look to this long
ongoing thread on debian-devel mailing-list where I've seen explained
(by people I trust on this topic) that AGPLv3 is really not well
suited for libraries -- to start with, quite some of its terms are
ambiguous when one tries to apply them to a library:
https://lists.debian.org/debian-devel/2013/07/msg00031.html

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Content-Type: text/plain

Hi isis,

isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) :
> I think this message better describes why AGPL is bad for libraries:
> https://lists.debian.org/debian-devel/2013/07/msg00041.html
> or, at least, I understood that one better than the first.

TBH, I've pointed you at the beginning of the thread because I was too
lazy to go fetch the best email in there. I'm glad it helps anyway.

> Do you know if it is okay for me to re-license it as regular GPL?

I've just re-read a bit to confirm, and my conclusion is that: yeah,
as the sole copyright holder (is this the case?) you can freely
re-licence to whatever you want.

> Do you have any advice on which of GPLv(2|3)(\+)* that I should use?

I usually do GPL-3+, but I would not be able to defend it seriously
against v2 or v2+.

> Thanks for pointing this out so quickly before it caused trouble, by the
> way. :)

Np.

Cheers!
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Content-Type: text/plain

Hi isis,

> Is it okay to credit you and/or publicly point to these emails as
> the basis for the rationale for the switch?

Feel free to credit me if you wish, but I certainly don't feel it's
necessary.

I feel a bit lazy to read this thread again to check if it's fine to
publish stuff from there, so if you don't mind, I'd rather skip this
part ;)

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Content-Type: multipart/mixed; boundary="LwW0XdcUbUexiWVK"
Content-Disposition: inline


--LwW0XdcUbUexiWVK
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

intrigeri transcribed 2.3K bytes:
> I see on https://pypi.python.org/pypi/gnupg that you released this
> library under AGPLv3. Is this correct?

Yes, that it correct.

> If it is, then you might be interested to have a look to this long
> ongoing thread on debian-devel mailing-list where I've seen explained
> (by people I trust on this topic) that AGPLv3 is really not well
> suited for libraries -- to start with, quite some of its terms are
> ambiguous when one tries to apply them to a library:
> https://lists.debian.org/debian-devel/2013/07/msg00031.html

Okay, thanks!

/me reads=E2=80=A6

I think this message better describes why AGPL is bad for libraries:
https://lists.debian.org/debian-devel/2013/07/msg00041.html
or, at least, I understood that one better than the first.

I certainly do not want to make problems for Debian, and now that a bunch of
Tor, LEAP, CryptoParty, and Freebox projects, and perhaps soon Pip too, will
be depending on this, I *really* don't want to make anyone else's license h=
ell
worse.

Attached is an email from leap@lists.riseup.net where we had fisticuffs over
licensing opinions, wherein I explained my preference for AGPL for
everything. Essentially, I do not want people/corporations/etc. to use my w=
ork
in a closed source application and then potentially make changes to patch
found vulnerabilities without contributing those patches back to the main
codebase.

Though, you're correct, this doesn't make sense for a library, as a
closed-source web-service frontend to this Python module likely isn't going=
 to
get anyone exploited except the person running the service. So it doesn't m=
ake
as much sense.

Do you know if it is okay for me to re-license it as regular GPL?

Do you have any advice on which of GPLv(2|3)(\+)* that I should use?

Thanks for pointing this out so quickly before it caused trouble, by the
way. :)

--=20
 =E2=99=A5=E2=92=B6 isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt

--LwW0XdcUbUexiWVK
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename=to-intrigeri
Content-Transfer-Encoding: quoted-printable

=46rom leap-owner@lists.riseup.net Tue May 28 04:14:29 2013
Date: Tue, 28 May 2013 04:13:56 +0000
=46rom: isis agora lovecruft <isis@patternsinthevoid.net>
To: micah <micah@riseup.net>
Cc: Tomas Touceda <chiiph@riseup.net>, leap@lists.riseup.net
Message-ID: <20130528041356.GL14793@patternsinthevoid.net>
Reply-To: isis@patternsinthevoid.net
References: <51914DF8.2020507@riseup.net>
 <51A38709.5050408@riseup.net>
 <87a9ng74wn.fsf@muck.riseup.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=3Dutf-8; x-action=3Dpgp-signed
Content-Transfer-Encoding: 8bit
In-Reply-To: <87a9ng74wn.fsf@muck.riseup.net>
X-GPG-Public-Key-URL: https://blog.patternsinthevoid.net/isis.txt
X-Louis-Lingg: In this hope do I say to you I despise you. I despise your
 order, your laws, your force-propped authority. Hang me for it!
X-Virus-Scanned: clamav-milter 0.97.8 at willet
X-Virus-Status: Clean
Subject: Re: [leap] license
X-Loop: leap@lists.riseup.net
X-Sequence: 404
Errors-to: leap-owner@lists.riseup.net
Precedence: list
Precedence: bulk
X-no-archive: yes
List-Id: <leap.lists.riseup.net>
List-Help: <mailto:sympa@lists.riseup.net?subject=3Dhelp>
List-Subscribe: <mailto:sympa@lists.riseup.net?subject=3Dsubscribe%20leap>
List-Unsubscribe: <mailto:sympa@lists.riseup.net?subject=3Dunsubscribe%20le=
ap>
List-Post: <mailto:leap@lists.riseup.net>
List-Owner: <mailto:leap-request@lists.riseup.net>
List-Archive: <https://lists.riseup.net/www/arc/leap>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

micah transcribed 1.3K bytes:
> Tomas Touceda <chiiph@riseup.net> writes:
>=20
> > On 05/13/2013 05:32 PM, elijah wrote:
> >> if you have any wisdom or opinions regarding the ever joyful and
> >> uncontroversial topic of free software licenses, then please deposit
> >> said wisdom or opinions in this wiki:
> >>=20
> >> https://we.riseup.net/leap/license
> >>=20
> >> in a nutshell, we need to decide on a license for the client.
> >>=20
> >
> > Does anybody have license knowledge a priori? Or should I get started
> > reading licenses?
>=20
> I'm supposed to have a more than zero knowledge of what constitutes free
> licenses due to my debian training, and debian is world-renknowned for
> having a particularly nasty debian-legal mailing list where licenses are
> chewed up and spit out... but I personally hate the topic and tend to
> avoid it as much as possible.
>=20
> So basically my opinons are:=20
>=20
> 1. no license that is incompatible with the DFSG[0] (debian free
> software guidelines) - it seems like we are probably in agreement about
> this?
>=20

ACK

> 2. BSD multi-claused licenses and MIT are confusing and annoying, so I
> tend to think they should be avoided due to this
>=20

ACK

> 3. openssl derived works require granting an exception with GPL licenses
> (an exception is trivial), so I prefer gnutls code where possible
>=20

ACK

> 4. it seems weird to make things AGPL that aren't webapps
>=20

I started release everything I could AGPLv3 three years ago, after a
conversation with some other activist free-software devs:

    Me: "I want a license which says 'If you are part of any governing body=
 or
    corporation which contracts to any private or public military entity, t=
hen
    you should go fuck youself. And no, you cannot use my software -- I will
    sue your pants off.'"

    Them: "Isis, that is silly, and even na=C3=AFve. Universities are libra=
ries are
    often 'part of governing bodies', you don't want to exclude them, do yo=
u?
    And also, you're like not going to see the blobs your code is included
    in...it will get privately installed on custom military and law
    enforcement hardware, and when they're done with it it'll go and rot
    outside on a base or in a police confiscation parking lot somewhere."

    Me: "Hum. I hate talking about licenses anyway."

    Them: "Yeah, it sucks. But it's important for us to take this seriously,
    because the tools we're working on have the potential for helping us
    better organise at protests, as well as better help the cops kettle us
    into paddy wagons." [one of the tools was a crisis mapping thing]

    Different one of them: "Perhaps you both should read AGPL, and see if t=
hat
    helps. I don't think using law against them is going to work, because we
    can't assume they will play by the rules, but if we're arguing licenses
    anyway..."

AGPL also seems useful when it seems possible that shady closed-source
startups are going to add a fancier UI or other feature to your code, and t=
hen
market it. This is especially worrying, not because they are "stealing user=
s",
but because it's never clear if vulns discovered in your own code have been
fixed in theirs and vice versa. Or, it could get used in way that is
dangerous, or that it wasn't meant for. (For example, there is currently a
concern that a certain shell company is going to use OONI's code on these
little android-system-on-a-USB dongly thingies...and there are certain dang=
ers
with Tor on Android that these people either don't understand or have no
intention of warning users about.)

Anyway. There is my argument for AGPL.

Though I also hate these discussions, don't care about laws, think reformism
is bunk, WTFPL is the only sane LICENSE, and all that jazz, so I'm going to=
 go
stand over there ----------------------------------------------------------=
->
and watch everybody else duke it out. :)

<(A)3
isis agora lovecruft

- --=20
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-----BEGIN PGP SIGNATURE-----

iQJuBAEBCgBYBQJRpC8DBYMB4TOASxSAAAAAABoAKGlzaXNAcGF0dGVybnNpbnRo
ZXZvaWQubmV0MEE2QTU4QTE0QjU5NDZBQkRFMThFMjA3QTNBREI2N0EyQ0RCOEIz
NQAKCRCjrbZ6LNuLNVkVD/9NVDCeFvMbAeGSCbXt/gMlyZ/OJfQcS2WwuegaRR8B
BtfujOIKEA/D9zywCTJYpk9gVQo1TqG7EiTdG25FU9cVnlf4/E0Dp/6vKS4q4T9j
Bba+lxMjoZ0ivC+nVIf2pQS1YK0PtiGZDLj4cVh5UuYcSZA0kxCh4KamqrEq/WdE
iYyd1WWvNFDYaWhsB5+DlqRi7PNs7IF7mxegGOpkqVR31NrFu9WxThFpiFKmT7m+
cEHzdGmVfa8iz2yTDrh8D01rw54GHIam8OdLp/SuyBsaaSD6UZsYXEc8L6ePR8Xa
QkO/n9PZAo2vm5Ph+ASIOKwRX5DdiiTawJ7sBb9/e0QIwsiQ0Q9nrB7Qbbv053ko
S7Bqu37hZiCjO2aPDCAF2r4UMGJw1Qy/FJme3TYEav1qL61sOYKCVwhfF2/IWzA+
kO8+4Ei4AKcoLkc6cQUDrQBgwRqEd9qzDSL5/JLJOW7Gkc5rBAADVJcPbFKuMpPr
evqdtjFXdej3KsrqdvnNRA6Q8t1XDv2CUxoK8/YK3CzPa8GbqjwS5J1pIDgA2tl9
RRYoPgfgXcYf3sQJSJUoPGUOQAqduu0WeLJFHi/kXRqzQf4nGFCUg/mi6lsGswcF
pBguGmO8deoRi59ddhek2Pgpi9hUE2cjasAgZb1B54XmjYYkDqe+owfvWDOKXOZa
AQ=3D=3D
=3DUxwA
-----END PGP SIGNATURE-----

--LwW0XdcUbUexiWVK--
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

intrigeri transcribed 2.6K bytes:
> isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) :
> > Do you know if it is okay for me to re-license it as regular GPL?
>=20
> I've just re-read a bit to confirm, and my conclusion is that: yeah,
> as the sole copyright holder (is this the case?) you can freely
> re-licence to whatever you want.

Hey intrigeri,

I've decided to relicence with your recommendation of GPL3+. Is it okay to
credit you and/or publicly point to these emails as the basis for the
rationale for the switch?

--=20
 =E2=99=A5=E2=92=B6 isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

intrigeri transcribed 2.6K bytes:
> isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) :
> > Do you know if it is okay for me to re-license it as regular GPL?
>=20
> I've just re-read a bit to confirm, and my conclusion is that: yeah,
> as the sole copyright holder (is this the case?) you can freely
> re-licence to whatever you want.

Hey intrigeri,

I've decided to relicence with your recommendation of GPL3+. Is it okay to
credit you and/or publicly point to these emails as the basis for the
rationale for the switch?

--=20
 =E2=99=A5=E2=92=B6 isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt