Infrastructure Licensing

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(Correct meeting log link)
(AGPL placeholder)
 
(5 intermediate revisions by one user not shown)
Line 29: Line 29:
 
* Authors of applications can be asked to shift code into modules which requires relicensing to  LGPLv2+.  In general we want to do this even though it might take code to a more permissive license as having it in a library is being done to promote sharing of code.
 
* Authors of applications can be asked to shift code into modules which requires relicensing to  LGPLv2+.  In general we want to do this even though it might take code to a more permissive license as having it in a library is being done to promote sharing of code.
 
* Except in exceptional cases, we will not relicense if the author disagrees with the change in license.
 
* Except in exceptional cases, we will not relicense if the author disagrees with the change in license.
 +
 +
  
 
== Third Party Apps under AGPLv3+ ==
 
== Third Party Apps under AGPLv3+ ==
Line 46: Line 48:
  
 
=== publictest ===
 
=== publictest ===
At present, AGPLv3+ applications cannot be run on publictest machines.  publictest machines are menat for developing code and by their nature do not track changes to the code being run in the way that production doesIn the future we may change this so a specific publictest machine can be used privately or we can allow people to run "demos only" with the same rules as production.
+
For publictest machines we've currently adopted a "demo-only" policyWhat this means is that for AGPL apps we do not do development directly on the publictest boxes.  It's only for deploying demos of something new that you've done that's currently inappropriate for stagingThe rules are very similar to the rules for staging.
 +
 
 +
* The applications must be installed from rpm.
 +
* RPM and SRPM for the app is served via http from the publictest box (This prevents mismatch with external hosting, for instance, if it was hosted on fedorapeople and you cleaned out your home directory there but the publictest was still running your modified app)
 +
* The link to source in the app is adjusted to point to the directory with the srpm on the publictest machine.
 +
* '''No hotfixes or local patches''' of the AGPL apps are allowed on the publictest machines.
 +
 
 +
If we need publictest machines for development purposes in the future, we can look into adding to this policy on how to do that in a compliant manner.
  
 
== FAQ ==
 
== FAQ ==
Line 58: Line 67:
 
*** Per Infrastructure Policy, all of Fedora Infrastructure is built on Free Software.  Fedora Infrastructure will not ask to relicense your code to a proprietary license.
 
*** Per Infrastructure Policy, all of Fedora Infrastructure is built on Free Software.  Fedora Infrastructure will not ask to relicense your code to a proprietary license.
 
* GPLv2 and AGPLv3/GPLv3 are incompatible for combining and linking in compiled languages.  How does that work in dynamic languages?
 
* GPLv2 and AGPLv3/GPLv3 are incompatible for combining and linking in compiled languages.  How does that work in dynamic languages?
** The answer to this is a bit complex.  If you're comfortable, the simple guidance is "It shouldn't be a problem unless you're copying code."  If you need more information, please talk to spot with a specific example.
+
** The answer to this is a bit complex.  If you're comfortable, the simple guidance is "It shouldn't be a problem unless you're copying code."  If you need more information, please talk to spot with a specific example.  Here's some guidance of the default approach from spot:
 +
*** If the code is bundled together in the same tarball, and it is compiled together, then we worry about license compatibilities.
 +
**** If the code is not bundled together, we worry about it if there is an incompatibility across shared library linking (e.g. GPL incompatible library cannot be used by GPL code)
 +
*** For interpreted languages (Python, Java), if its inside of the same tarball we have a problem that must be resolved.
 +
**** If it's in separate tarballs we try to get upstream to relicense -- either by the GPL incompatible code relicensing to something GPL compatible or the GPL implementation adding an exception to use the GPL incompatible library/license of that library.
 +
**** If the upstreams won't relicense, have legal evaluate it on a case-by-case basis to decide if it's okay.
 
* With code licensed under the AGPLv3, do we need to link/be able to distribute to people the exact code that is part of the applications?  ie: if we hotfix something on the server, do we need to distribute the hotfix as well?
 
* With code licensed under the AGPLv3, do we need to link/be able to distribute to people the exact code that is part of the applications?  ie: if we hotfix something on the server, do we need to distribute the hotfix as well?
 
** Yes.  This means that we need to work out a policy for distributing the code that we are running on Fedora Infrastructure even when we want to hotfix something.
 
** Yes.  This means that we need to work out a policy for distributing the code that we are running on Fedora Infrastructure even when we want to hotfix something.
 
* Does distributing hotfixes to AGPL apps extend to libraries that the app depends on?
 
* Does distributing hotfixes to AGPL apps extend to libraries that the app depends on?
 
** No.
 
** No.
 +
* What methods are okay for pointing to the "corresponding source" under the AGPL?
 +
** Thus far, Red Hat legal feels that the following are sufficient:
 +
*** tarball of precisely what we're running
 +
*** srpm that matches what's running
 +
*** actual links to base tarball and to all of the patches
 +
*** Pointing exactly to source repository branch or tag of the exact version we're running
 +
*** A page specifically linking to the sources and all of the patches we've applied
 +
*** links to base srpm and page listing patches
 +
*** links to base srpm and tickets in trac that have patches attached
 +
*** A page linking to the sources and a page linking to any hotfixes we've applied to any of our apps (ie, a query in infrastructure's trac that gets all hotfixes for all of our apps).
 +
** The following have been specifically stated to be insufficient (note, these are only examples of things that are insufficient.  If the method you're advocating is not on the "sufficient" list, above, we need to pass it by Red Hat legal first.):
 +
*** Source repository at no particular version (assuming all of our patches are applied to trunk -- and trunk might contain other changes as well, including full or partial reversions of those changes in a later revision)
 +
*** Source repository at no particular version (assuming all of our patches are applied to a branch that mirrors production)
 +
*** Home page of the project (example: http://fedorahosted.org/moksha)
 +
*** links to base srpm and tickets in trac that point to commits in SCM that are applied against different versions (HEAD vs the last release, for instance)
 +
 +
== AGPL Discussion Item ==
 +
 +
We talked about using the AGPL and making it acceptable for us to not be shooting ourselves in the foot.  We arrived at the following additional permission:
 +
 +
    If you modify the Program, and your modified version becomes subject
 +
    to the requirement stated in AGPLv3, section 13, you may satisfy
 +
    this requirement by providing access to the Corresponding Source of
 +
    your modified version to each user that explicitly requests such
 +
    Corresponding Source, no later than 15 days following the date on
 +
    which such request was received.
 +
 +
We need to figure out a few things about this:
 +
 +
# How to integrate this into our policies.  Do we want to standardize on this instead of GPLv2+ for web apps?  In addition to?
 +
# How to deal with relicensing.
 +
## packages [http://lists.fedoraproject.org/pipermail/relicensing/2012-October/thread.html was waiting] on J5 Palmieri in order to complete relicensing.  it's been long enough that someone should verify that there haven't been other committers to the code base since then (and we should update any documentation to say that new contributions are accepted under the AGPL with additional permission; not vanilla agplv3).
 +
## rube is the only other app I know we write ourselves that is licensed agplv3.  We should relicense that right now while there's still only a few contributors that we can get a hold of.  (Ralph Bean, Luke Macken, and Remy DeCausemaker)
 +
 +
== References ==
 +
This is a space for specific links to mailing list or other resources that informed the information on this page.
 +
 +
* http://lists.fedoraproject.org/pipermail/infrastructure/2009-July/007257.html
 +
* http://lists.fedoraproject.org/pipermail/infrastructure/2009-July/007261.html
  
 
[[Category:Documentation]]
 
[[Category:Documentation]]
 +
[[Category: Infrastructure]]

Latest revision as of 21:35, 10 April 2013

All software used in Fedora Infrastructure is Free Software. When we develop applications for Fedora Infrastructure, we have to license them under a free software license to continue to meet this goal. However, with each application, we have to choose one particular license and that means we need to think about how our choices will influence our ability to share code with each other. This page gives guidance on making licensing choices that will expand the amount of free software while causing us the least pain when we want to share code with each other.

Contents

[edit] Goals

  • Be able to share code among the various pieces we write.
  • Not have our libraries force a specific license on the apps that we write.
  • Not have conflicting licenses between our apps and our libraries
  • Have a clear understanding of the steps we must take whenever we want to move code from an application under one license to a library under a different one.
  • Protect the code we write from being taken proprietary (note, this is not the same for every author. Mirrormanager, for instance, is under the MIT/X11 License).
  • Be able to stay compliant with licenses within our production, staging, and publictest environments

[edit] Preferred Licenses

In general, Fedora Infrastructure has chosen to use the family of GNU Public Licenses in order to keep the software free. The particular licenses chosen aim to make the software compatible with as much software as possible while still keeping this goal.

The preferred license for anything that we write is GPLv2+. This lets our code be used in both GPLv2 and GPLv3 code bases.

The preferred license for python modules and other libraries is LGPLv2+. This lets us use the library with applications with different licenses like MIT and not force the application as a whole to fall under the GPL.

Note that working with upstreams that have their own licenses or needs of the community that will be using the software can lead to different licensing choices on a case-by-case basis. This guidance is meant to make life easier for us as we develop code while supporting the expansion of free software.

Note.png
Historical Note
A draft version of this policy proposed to use AGPLv3+ for web applications but discussion decided that the effort needed for infrastructure to comply would not outweigh the protection afforded to the code bases. At this time we're not going to use AGPLv3+. Meeting log

[edit] Implementation

  • All web apps written for Fedora Infrastructure should be GPLv2+ unless there's a compelling reason not to.
  • All python modules written for fedora Infrastructure should be LGPLv2+ unless there's a compelling reason not to.
  • Apps written for Infrastructure but not falling under the GPLv2+ must be code-sharable with this but do not need to be the same license (ie: MIT, BSD(no advertising), Public Domain, are okay)
  • Authors of applications can be asked to shift code into modules which requires relicensing to LGPLv2+. In general we want to do this even though it might take code to a more permissive license as having it in a library is being done to promote sharing of code.
  • Except in exceptional cases, we will not relicense if the author disagrees with the change in license.


[edit] Third Party Apps under AGPLv3+

Sometimes we will run third party applications under the AGPLv3+. This section sums up how we need to proceed in order to run those apps on our servers.

Warning (medium size).png
Draft Documents
This portion of the document is in a draft state. Infrastructure needs to evaluate how to satisfy the AGPLv3+ with the least intrusiveness to system admins.

[edit] Production

[edit] Staging

At this time, we require that staging follow the same proceedure as Production. In the future, we may choose to limit who can hit certain web apps on staging instead of enforcing patches in trac for any deviations from upstream source. Doing that can be done by changing the proxy servers to use mod_auth_pgsql and Apache Basic Auth on those services licensed under the AGPLv3+.

[edit] publictest

For publictest machines we've currently adopted a "demo-only" policy. What this means is that for AGPL apps we do not do development directly on the publictest boxes. It's only for deploying demos of something new that you've done that's currently inappropriate for staging. The rules are very similar to the rules for staging.

  • The applications must be installed from rpm.
  • RPM and SRPM for the app is served via http from the publictest box (This prevents mismatch with external hosting, for instance, if it was hosted on fedorapeople and you cleaned out your home directory there but the publictest was still running your modified app)
  • The link to source in the app is adjusted to point to the directory with the srpm on the publictest machine.
  • No hotfixes or local patches of the AGPL apps are allowed on the publictest machines.

If we need publictest machines for development purposes in the future, we can look into adding to this policy on how to do that in a compliant manner.

[edit] FAQ

  • Can the authors of a work relicense their code at will?
    • For Red Hat employees, the answer is "Within reason." For instance, moving code you've written from an application under the AGPLv3 to a library under the LGPLv2 is allowed as it keeps similar protections for the code itself and is necessary for the adoption of the library. For others, your terms of employment may differ. However, do note that as a Fedora contributor you've signed the CLA which says that when making contributions you have the right to grant a very broad license to your work so if your employer doesn't let you change the license on your work, be sure they allow you to sign the CLA!
  • Can Fedora relicense code under the CLA?
    • Yes, if you did not explicitly put your submission under a license when you contributed it to us, the present version of the CLA allows the Fedora Project to release the code under a different license at a later date. This allows for things such as relicensing code from GPLv2 to AGPLv3+ for web applications or GPLv2 to LGPVv2+ for libraries if the original contributor disappears. It can allow us to relicense the code without your consent but please note the following:
      • The Fedora Project does not own the copyright to your code, only a license to it. If you wish to take your code and do things with that copy that is not a contribution to Fedora, you are free to do so as the Copyright remains yours.
      • Per this policy, Fedora Infrastructure is not going to relicense your code against your wishes unless there's a compelling reason. At the least, this means the reasons for and against would be discussed publically in Fedora Infrastructure meetings and/or mailing lists.
      • Per Infrastructure Policy, all of Fedora Infrastructure is built on Free Software. Fedora Infrastructure will not ask to relicense your code to a proprietary license.
  • GPLv2 and AGPLv3/GPLv3 are incompatible for combining and linking in compiled languages. How does that work in dynamic languages?
    • The answer to this is a bit complex. If you're comfortable, the simple guidance is "It shouldn't be a problem unless you're copying code." If you need more information, please talk to spot with a specific example. Here's some guidance of the default approach from spot:
      • If the code is bundled together in the same tarball, and it is compiled together, then we worry about license compatibilities.
        • If the code is not bundled together, we worry about it if there is an incompatibility across shared library linking (e.g. GPL incompatible library cannot be used by GPL code)
      • For interpreted languages (Python, Java), if its inside of the same tarball we have a problem that must be resolved.
        • If it's in separate tarballs we try to get upstream to relicense -- either by the GPL incompatible code relicensing to something GPL compatible or the GPL implementation adding an exception to use the GPL incompatible library/license of that library.
        • If the upstreams won't relicense, have legal evaluate it on a case-by-case basis to decide if it's okay.
  • With code licensed under the AGPLv3, do we need to link/be able to distribute to people the exact code that is part of the applications? ie: if we hotfix something on the server, do we need to distribute the hotfix as well?
    • Yes. This means that we need to work out a policy for distributing the code that we are running on Fedora Infrastructure even when we want to hotfix something.
  • Does distributing hotfixes to AGPL apps extend to libraries that the app depends on?
    • No.
  • What methods are okay for pointing to the "corresponding source" under the AGPL?
    • Thus far, Red Hat legal feels that the following are sufficient:
      • tarball of precisely what we're running
      • srpm that matches what's running
      • actual links to base tarball and to all of the patches
      • Pointing exactly to source repository branch or tag of the exact version we're running
      • A page specifically linking to the sources and all of the patches we've applied
      • links to base srpm and page listing patches
      • links to base srpm and tickets in trac that have patches attached
      • A page linking to the sources and a page linking to any hotfixes we've applied to any of our apps (ie, a query in infrastructure's trac that gets all hotfixes for all of our apps).
    • The following have been specifically stated to be insufficient (note, these are only examples of things that are insufficient. If the method you're advocating is not on the "sufficient" list, above, we need to pass it by Red Hat legal first.):
      • Source repository at no particular version (assuming all of our patches are applied to trunk -- and trunk might contain other changes as well, including full or partial reversions of those changes in a later revision)
      • Source repository at no particular version (assuming all of our patches are applied to a branch that mirrors production)
      • Home page of the project (example: http://fedorahosted.org/moksha)
      • links to base srpm and tickets in trac that point to commits in SCM that are applied against different versions (HEAD vs the last release, for instance)

[edit] AGPL Discussion Item

We talked about using the AGPL and making it acceptable for us to not be shooting ourselves in the foot. We arrived at the following additional permission:

   If you modify the Program, and your modified version becomes subject
   to the requirement stated in AGPLv3, section 13, you may satisfy
   this requirement by providing access to the Corresponding Source of
   your modified version to each user that explicitly requests such
   Corresponding Source, no later than 15 days following the date on
   which such request was received.

We need to figure out a few things about this:

  1. How to integrate this into our policies. Do we want to standardize on this instead of GPLv2+ for web apps? In addition to?
  2. How to deal with relicensing.
    1. packages was waiting on J5 Palmieri in order to complete relicensing. it's been long enough that someone should verify that there haven't been other committers to the code base since then (and we should update any documentation to say that new contributions are accepted under the AGPL with additional permission; not vanilla agplv3).
    2. rube is the only other app I know we write ourselves that is licensed agplv3. We should relicense that right now while there's still only a few contributors that we can get a hold of. (Ralph Bean, Luke Macken, and Remy DeCausemaker)

[edit] References

This is a space for specific links to mailing list or other resources that informed the information on this page.