By Artyom Kazak aka @availablegreen
December 28, 2020
🧱 This post is written in Brick — a platform for writing pretty public notes, which I co-founded. If you try it out, I'd love to hear feedback on Twitter or at artyom@brick.do.
Many people don't understand:
This leads to discussions like this one:
— We want to opensource a library we use internally. Should we choose GPL?
— Wait, but if we depend on this library ourselves, won't we have to make our whole product GPL?
Or questions like this one:
— Can I license my code under AGPL with an extra clause that prohibits people from using it for commercial purposes? If they want to use it for commercial purposes, they should buy a license from me.
The answers are "no" and "no-ish". This post will explain why, and give you an intuition that you can use to answer such questions.
GPL is first and foremost a permission to use your code. This permission comes with a bunch of conditions, but without GPL or other license, nobody can use your code at all, except for a few cases ("fair use" etc).
The situation is the same with other licenses.
From this, we can already deduce the first non-obvious truth: you, the copyright holder, can always do whatever you want with your code. GPL is a license from you to other people. It does not restrict you.
For example, you can license your code under GPL and then ship closed-source binaries and not give anyone source code. GPL prohibits other people to do so, but it does not prohibit you to do so.
Because almost all countries a) have copyright law and b) have signed the Berne Convention.
"Copyright" means that only the work's owner can distribute the work or create copies of it, unless they license this right to other parties.
Copyright laws are different from country to country — but thanks to the Berne Convention, works belonging to you are protected in all countries that signed the convention, not just in your home country. The protections might still be more strict or less strict depending on the country, but the Berne Convention demands that the protections are strict enough that most of the time you don't care about this.
Among other things, copyright prohibits everyone (but the work owner) from:
In many countries, there are exceptions to copyright. There is the first-sale doctrine — if you buy a copy of the work, the copyright holder can't stop you from reselling the work, although you are still not allowed to make copies. There are provisions for personal use (e.g. recording a TV program to watch later, or making a compilation of songs). There are provisions for educational use, for parodying/commenting ("fair use"), and more, depending on the country.
However, for most practical purposes, if you don't provide a license for your code, it's unusable.
GPL gives the user the right to "run, study, share, and modify" the code. The exact list is long and you should read the GPL (v3) itself if you want the details.
Now this is the interesting bit.
In essence, GPL prevents the licensee ("the user") from being a baddie.
This is probably a good moment to say that I don't like GPL. So whenever I say "baddie", this is from GPL's point of view, not mine.
Specifically:
This leads to another non-obvious truth: the user is not obligated to share all modifications of your code with the world — they only have to share the source code when they distribute the binary. This is why I can use GPL libraries in my backend, and since I don't give anyone the binary of my backend, I can keep my code secret.
AGPL was created to patch this "bug". If you are writing backends and want to release parts of your software under a GPL-like license, you should probably use AGPL and not GPL.
If you have a codebase on GitHub and you accept pull requests — gotcha! You are no longer the copyright holder of the whole codebase. You don't automatically get full copyright for others' contributions. You get the rights given to you by GPL, but not more than that.
This has interesting implications. One implication is that, for instance, you can no longer change the license of the codebase.
Another, more damning, implication is that you can't impose extra restrictions on your code. Say, you have an open-source GPL-licensed library that you wrote. You use it in your commercial product. Somebody sends a PR to the library and you accept it. From now on, you are obligated to give source code of your entire product to your customers, as long as it uses the new version of the library with outside contributions in it.
This is why companies with GPL-licensed products or libraries often make people sign contributor license agreements. Here's an excerpt from the one SAP uses:
You hereby grant, and agree to grant, to SAP a non-exclusive, perpetual, irrevocable, worldwide, fully-paid, royalty-free, transferable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute your Contributions and such derivative works, with the right to sublicense the foregoing rights through multiple tiers of sublicensees.
This means that SAP can do whatever you want with your contributed code, and not just "whatever GPL permits them".
If you want to set this up for your own code, something like CLA-assistant should work.
This lets those companies offer the code to the world under GPL, while still being free to sell their customers commercial licenses with fewer/different obligations.
No, because at least in the US copyright transfer has to be done in writing. See Copyright Basics, p. 3:
Any or all of the copyright owner’s exclusive rights, or parts of those rights, can be transferred. The transfer, however, generally must be made in writing and signed by the owner of the rights conveyed or the owner’s authorized agent. Transferring a right on a nonexclusive basis does not require a written agreement.
It does say transferring a right on a nonexclusive basis is fine, but I suspect it could still be problematic, if not in the US then in other jurisdictions. If you do want to have copyright to all modifications, setting up a CLA bot is better.
Unfortunately, in this situation GPL considers you, and not the user, a baddie.
You can write "my code is licensed under a license that is very similar to GPL, but there's an extra restriction that you can't make money with it". However, this makes your license incompatible with GPL. This means that you can no longer use GPL-licensed dependencies in your code.
Furthermore, it is hard to say how the court will interpret this augmented license, because GPL includes an entire section about how adding restrictions is not allowed. So at the very least you'll have to word it a bit more carefully than "GPL but blah blah".
An example of a product licensed under such a license is MongoDB. Look for "What specifically is the difference between the GPL and the SSPL?" in their license FAQ. And even then there's an argument that their license is unenforceable — see MongoDB's Server Side Public License is likely unenforceable.
Yeah! This is exactly what happened with GPLv2. They added an extra clause in GPLv3 that made it compatible with AGPL, but GPLv2 is not compatible with AGPL.a
Tweet at me: @availablegreen.