It might be important to you that users of software you write are able
to modify it, in which case you might release it with a copyleft license
like the
GPL. For
example, imagine someone’s making a device that will run Linux. They
need to tweak Linux so it will work on this particular device, and
they do that and sell you a copy. Because Linux is under the GPL,
however, they also need to publish the source code for their tweaks.
Then along comes the web, and people no longer send out copies of their
programs. Instead, the programs live on their server, and you talk to
them with your browser:
This means that even if a program is under the GPL, the people
interacting with it have no right to the source code. This was called
the “application service provider loophole”, and the AGPL was
created to fix it. Mastodon
is an example of AGPL software, and if you visit an instance you’ll
see a little “view source code” link. This isn’t just something your
instance is doing to be nice—it’s required by the AGPL.
Or is it? A few months ago I read an interesting
argument that you can easily bypass the AGPL: stick a “proxy”
between the AGPL code and the user, which removes the source code
offer:
How is this compliant with the license? The AGPL tells you that when
you modify the program you must preserve its “offer the source to
anyone who asks” behavior:
if you modify the Program, your modified version must prominently
offer all users interacting with it remotely through a computer
network (if your version supports such interaction) an opportunity to
receive the Corresponding Source of your version by providing access
to the Corresponding Source from a network server at no charge,
through some standard or customary means of facilitating copying of
software.
The modified software still offers everyone the option to download the
source, but then a different piece of software that isn’t covered by
the license runs a sub_filter 'source_url' '' and the
user doesn’t actually receive the offer.
Courts do care about intent and this is, of course, not what the AGPL
authors intended, but it’s not clear to me that what they intended is
coherent? They mechanism they chose, a license that controls what
you’re allowed to do when making changes to the AGPL-covered software,
doesn’t seem like it would be able to prevent someone from making
user-hostile changes to other systems between this software and the
user.
Even if you think courts would see this differently, consider a case
where modification and proxying are separated:
Company A makes modified versions of Mastodon, BitWarden, or
other AGPL software.
Company A sends these to Company B, who hosts them behind a
proxy that removes the source offer.
It looks to me like each company is compliant with the AGPL. Company A
modified the software, but left intact the portion that ensures all
users interacting with it receive an offer for the source. Company B
wouldn’t be affected by a requirement that if you modify the program
you must offer the source, because they aren’t modifying it.
(Not a lawyer, just an engineer interested in this sort of thing. Over
time I’ve moved to non-copyleft
licenses, including for server-side software.)
Does the AGPL Work?
Link post
It might be important to you that users of software you write are able to modify it, in which case you might release it with a copyleft license like the GPL. For example, imagine someone’s making a device that will run Linux. They need to tweak Linux so it will work on this particular device, and they do that and sell you a copy. Because Linux is under the GPL, however, they also need to publish the source code for their tweaks.
Then along comes the web, and people no longer send out copies of their programs. Instead, the programs live on their server, and you talk to them with your browser:
This means that even if a program is under the GPL, the people interacting with it have no right to the source code. This was called the “application service provider loophole”, and the AGPL was created to fix it. Mastodon is an example of AGPL software, and if you visit an instance you’ll see a little “view source code” link. This isn’t just something your instance is doing to be nice—it’s required by the AGPL.
Or is it? A few months ago I read an interesting argument that you can easily bypass the AGPL: stick a “proxy” between the AGPL code and the user, which removes the source code offer:
How is this compliant with the license? The AGPL tells you that when you modify the program you must preserve its “offer the source to anyone who asks” behavior:
The modified software still offers everyone the option to download the source, but then a different piece of software that isn’t covered by the license runs a
sub_filter 'source_url' ''and the user doesn’t actually receive the offer.Courts do care about intent and this is, of course, not what the AGPL authors intended, but it’s not clear to me that what they intended is coherent? They mechanism they chose, a license that controls what you’re allowed to do when making changes to the AGPL-covered software, doesn’t seem like it would be able to prevent someone from making user-hostile changes to other systems between this software and the user.
Even if you think courts would see this differently, consider a case where modification and proxying are separated:
Company A makes modified versions of Mastodon, BitWarden, or other AGPL software.
Company A sends these to Company B, who hosts them behind a proxy that removes the source offer.
It looks to me like each company is compliant with the AGPL. Company A modified the software, but left intact the portion that ensures all users interacting with it receive an offer for the source. Company B wouldn’t be affected by a requirement that if you modify the program you must offer the source, because they aren’t modifying it.
(Not a lawyer, just an engineer interested in this sort of thing. Over time I’ve moved to non-copyleft licenses, including for server-side software.)
Comment via: facebook, mastodon