1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
|
From: intrigeri <intrigeri@boum.org>
To: Isis! <isis@patternsinthevoid.net>
Subject: AGPL library, really?
Date: Thu, 04 Jul 2013 17:38:46 +0000
Hi isis,
I see on https://pypi.python.org/pypi/gnupg that you released this
library under AGPLv3. Is this correct?
If it is, then you might be interested to have a look to this long
ongoing thread on debian-devel mailing-list where I've seen explained
(by people I trust on this topic) that AGPLv3 is really not well
suited for libraries -- to start with, quite some of its terms are
ambiguous when one tries to apply them to a library:
https://lists.debian.org/debian-devel/2013/07/msg00031.html
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
From: isis agora lovecruft <isis@patternsinthevoid.net>
To: intrigeri <intrigeri@boum.org>
Subject: Re: AGPL library, really?
Date: Sun, 07 Jul 2013 04:20:13 +0000
Hi intrigeri!
intrigeri transcribed 2.3K bytes:
> I see on https://pypi.python.org/pypi/gnupg that you released this
> library under AGPLv3. Is this correct?
Yes, that it correct.
> If it is, then you might be interested to have a look to this long
> ongoing thread on debian-devel mailing-list where I've seen explained
> (by people I trust on this topic) that AGPLv3 is really not well
> suited for libraries -- to start with, quite some of its terms are
> ambiguous when one tries to apply them to a library:
> https://lists.debian.org/debian-devel/2013/07/msg00031.html
Okay, thanks!
/me reads…
I think this message better describes why AGPL is bad for libraries:
https://lists.debian.org/debian-devel/2013/07/msg00041.html or, at least, I
understood that one better than the first.
I certainly do not want to make problems for Debian, and now that a bunch of
Tor, LEAP, CryptoParty, and Freebox projects, and perhaps soon Pip too, will
be depending on this, I *really* don't want to make anyone else's license hell
worse.
Attached is an email from leap@lists.riseup.net where we had fisticuffs over
licensing opinions, wherein I explained my preference for AGPL for
everything. Essentially, I do not want people/corporations/etc. to use my work
in a closed source application and then potentially make changes to patch
found vulnerabilities without contributing those patches back to the main
codebase.
Though, you're correct, this doesn't make sense for a library, as a
closed-source web-service frontend to this Python module likely isn't going to
get anyone exploited except the person running the service. So it doesn't make
as much sense.
Do you know if it is okay for me to re-license it as regular GPL?
Do you have any advice on which of GPLv(2|3)(\+)* that I should use?
Thanks for pointing this out so quickly before it caused trouble, by the
way. :)
--
♥Ⓐisis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
--Attachment 1--
Date: Tue, 28 May 2013 04:13:56 +0000
From: isis agora lovecruft <isis@patternsinthevoid.net>
To: micah <micah@riseup.net>
Cc: leap@lists.riseup.net
X-GPG-Public-Key-URL: https://blog.patternsinthevoid.net/isis.txt
X-Louis-Lingg: In this hope do I say to you I despise you. I despise your
order, your laws, your force-propped authority. Hang me for it!
Subject: Re: [leap] license
micah transcribed 1.3K bytes:
> Tomas Touceda <chiiph@riseup.net> writes:
>
> > On 05/13/2013 05:32 PM, elijah wrote:
> >> if you have any wisdom or opinions regarding the ever joyful and
> >> uncontroversial topic of free software licenses, then please deposit
> >> said wisdom or opinions in this wiki:
> >>
> >> https://we.riseup.net/leap/license
> >>
> >> in a nutshell, we need to decide on a license for the client.
> >
> > Does anybody have license knowledge a priori? Or should I get started
> > reading licenses?
>
> I'm supposed to have a more than zero knowledge of what constitutes free
> licenses due to my debian training, and debian is world-renknowned for
> having a particularly nasty debian-legal mailing list where licenses are
> chewed up and spit out... but I personally hate the topic and tend to
> avoid it as much as possible.
>
> So basically my opinons are:
>
> 1. no license that is incompatible with the DFSG[0] (debian free
> software guidelines) - it seems like we are probably in agreement about
> this?
ACK
> 2. BSD multi-claused licenses and MIT are confusing and annoying, so I
> tend to think they should be avoided due to this
>
ACK
> 3. openssl derived works require granting an exception with GPL licenses
> (an exception is trivial), so I prefer gnutls code where possible
>
ACK
> 4. it seems weird to make things AGPL that aren't webapps
>
I started release everything I could AGPLv3 three years ago, after a
conversation with some other activist free-software devs:
Me: "I want a license which says 'If you are part of any governing body or
corporation which contracts to any private or public military entity, then
you should go fuck youself. And no, you cannot use my software -- I will
sue your pants off.'"
Them: "Isis, that is silly, and even na=C3=AFve. Universities are libraries are
often 'part of governing bodies', you don't want to exclude them, do you?
And also, you're like not going to see the blobs your code is included
in...it will get privately installed on custom military and law
enforcement hardware, and when they're done with it it'll go and rot
outside on a base or in a police confiscation parking lot somewhere."
Me: "Hum. I hate talking about licenses anyway."
Them: "Yeah, it sucks. But it's important for us to take this seriously,
because the tools we're working on have the potential for helping us
better organise at protests, as well as better help the cops kettle us
into paddy wagons." [one of the tools was a crisis mapping thing]
Different one of them: "Perhaps you both should read AGPL, and see if that
helps. I don't think using law against them is going to work, because we
can't assume they will play by the rules, but if we're arguing licenses
anyway..."
AGPL also seems useful when it seems possible that shady closed-source
startups are going to add a fancier UI or other feature to your code, and then
market it. This is especially worrying, not because they are "stealing users",
but because it's never clear if vulns discovered in your own code have been
fixed in theirs and vice versa. Or, it could get used in way that is
dangerous, or that it wasn't meant for. (For example, there is currently a
concern that a certain shell company is going to use OONI's code on these
little android-system-on-a-USB dongly thingies...and there are certain dangers
with Tor on Android that these people either don't understand or have no
intention of warning users about.)
Anyway. There is my argument for AGPL.
Though I also hate these discussions, don't care about laws, think reformism
is bunk, WTFPL is the only sane LICENSE, and all that jazz, so I'm going to go
stand over there ----------------------------------------------------------->
and watch everybody else duke it out. :)
--
♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
--End Attachment 1--
From: intrigeri <intrigeri@boum.org>
To: Isis! <isis@patternsinthevoid.net>
Subject: Re: AGPL library, really?
Date: Tue, 09 Jul 2013 18:30:46 +0000
Hi isis,
isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) :
> I think this message better describes why AGPL is bad for libraries:
> https://lists.debian.org/debian-devel/2013/07/msg00041.html
> or, at least, I understood that one better than the first.
TBH, I've pointed you at the beginning of the thread because I was too
lazy to go fetch the best email in there. I'm glad it helps anyway.
> Do you know if it is okay for me to re-license it as regular GPL?
I've just re-read a bit to confirm, and my conclusion is that: yeah,
as the sole copyright holder (is this the case?) you can freely
re-licence to whatever you want.
> Do you have any advice on which of GPLv(2|3)(\+)* that I should use?
I usually do GPL-3+, but I would not be able to defend it seriously
against v2 or v2+.
> Thanks for pointing this out so quickly before it caused trouble, by the
> way. :)
Np.
Cheers!
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
From: isis agora lovecruft <isis@patternsinthevoid.net>
To: intrigeri <intrigeri@boum.org>
Subject: Re: AGPL library, really?
Date: Thu, 11 Jul 2013 09:24:12 +0000
intrigeri transcribed 2.6K bytes:
> isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) :
> > Do you know if it is okay for me to re-license it as regular GPL?
>
> I've just re-read a bit to confirm, and my conclusion is that: yeah,
> as the sole copyright holder (is this the case?) you can freely
> re-licence to whatever you want.
Hey intrigeri,
I've decided to re-license with your recommendation of GPL3+. Is it okay to
credit you and/or publicly point to these emails as the basis for the
rationale for the switch?
--
♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
From: intrigeri <intrigeri@boum.org>
To: Isis! <isis@patternsinthevoid.net>
Subject: Re: AGPL library, really?
Date: Sun, 14 Jul 2013 22:33:35 +0000
Hi isis,
> Is it okay to credit you and/or publicly point to these emails as
> the basis for the rationale for the switch?
Feel free to credit me if you wish, but I certainly don't feel it's
necessary.
I feel a bit lazy to read this thread again to check if it's fine to
publish stuff from there, so if you don't mind, I'd rather skip this
part ;)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
|