You are reading content from Scuttlebutt
@mix.exe %4SexIxPRp9RVEGlu2i70F45eI+GnRZTqTLscZSVrKbM=.sha256

smell of the rain - djamilaknopf.jpg

Scuttlebutt Licensing

On a recent call with @arj they pointed out that a lot of the ssb code that has been contributed through #ahau work (e.g. ssb-tribes) has been licensed AGPL-3.0, while a lot of the #ngi-pointer work has gone for a more permissive (not copy-left?) license.

This raised questions like:

  • how can these code bases interact
  • what is the most strategic long term strategy
    • what enables more people to use our work
    • what best supports and the values with which we work

We agreed I'd open a thread to explore these topics

Purpose of this thread

Aims:

  • surface assumptions + requirements we are each carrying around licensing
  • learn and sharpen our opinions
  • hopefully reach some shared strategy about licensing

Who:

  • primarily people writing ssb code (now or in the future)
  • people with expertise in this area
  • unwelcome: foss zealots who are unprepared to listen/ accept difference/ be kind

:art: Smell of Rain by djamilaknopf

@mix.exe %CxkgwT39Cu6c76FpZMmg4G0FBBv+jEYtgxMri+zoJIw=.sha256

Where are we now

might be nice to start with a survey of where we're each currently standing:

  1. what licenses do you publish with for SSB work?
  2. why have you chosen what you've chosen?
  3. what experiences have you had as a result of license choices?

I'm going to dump a bunch of mentions here, please feel free to extend:
@arj @staltz / @andrestaltz📱 @cryptix / @cryPhone📱 @SoapDog / @SoapDog (Macbook Air) @happy0 @cblgh @Christian Bundy @mikey @piet @notplants @glyph @moid @Rabble @regular @Powersource (phone) @sami @Luandro Pàtwy
... jeez, I'm sure I've missed people, help me out

@mix.exe %igJYvyudhN0lX2b0CSxT5AkFZzfKuj9JJ9XxdWsNV8k=.sha256

Mix

1. what licenses do you publish with for SSB work?
I've been using AGPL-3.0 for everything new for years

2. why have you chosen what you’ve chosen?
I like the idea of copy-left and making it hard for companies to steal work and not contribute back
I admit that I haven't done deep learning or conversation on this topic before.

Working with #ahau has brought a new perspective to open source. I don't think MIT is all that chill if you're an indigenous group - it's an invitation for more stealing, as opposed to an invitation to partnership and growing each others mana.
For me copy-left feels like at least a stop-gap which forces a conversation if some company wants to take code (though I've not advertised anywhere about dual licensing, might be open to it)

3. what experiences have you had as a result of license choices?
Did a government project where we had to report on the licenses in our dependency tree. Highly recommend that exercise.
I haven't had any troubles with licenses to date, probably because no-one proprietary has wanted to use my code

@Rabble %MLaXYLovsO1JpOUuWXvuCJ97kfPXKU21v/Ta7bXuBw0=.sha256

With @Planetary we chose MPL 2.0 because it's a free software license which is compatible with appstores. While you can put AGPL/GPL code in the appstore, anybody who wants to can complain to google / apple and they'll remove any AGPL/GPL apps. I believe this is also why @andrestaltz chose MPL 2.0 for manyverse.

Personally I tend to prefer an MIT/BSD style license because it values the practice and culture of free software over restrictions based on copyright law. I've considered re-licensing Planetary MIT because of this.

I think many free software / open source projects benefit from and are sustained by companies using and contributing to the codebases. The more permissive the license the more likely they're going to do it. Software that is AGPL and to some extent GPL, has the effect of preventing companies from using the software. That in turn keeps them from contributing. There are prolific contributions from developers who don't live in a capitalist economic system, but that's not most people.

Maybe this will upset people but i feel AGPL and proprietary code are two sides of the same coin. Sure you can see the code, but in a practical sense neither contribute to the commons.

User has chosen not to be hosted publicly
@cel %cl6GKWm/W1q3siSO5+qd+AA54v8ybHug3GXInUyHHKo=.sha256

what licenses do you publish with for SSB work?

Mostly varying between AGPL-3.0+, MIT, ISC, Fair License, or FSFAP.

why have you chosen what you've chosen?

For software that presents a user-interface over HTTP I typically use AGPL, to try to ensure users' rights, and discourage the software from being made proprietary.

For libraries and small pieces of software I often use a more permissive license, because the long text and requirements of AGPL seems excessive in those cases.

what experiences have you had as a result of license choices?

Not much experience.

User has not chosen to be hosted publicly
@mix.exe %PMCle9NgeyRfYKDwgBdotUAsQkOxAGAkVQX7F/hP1R0=.sha256
Voted cc @cel
@mix.exe %sRbHUiDZ1Swfpx+b76DHHBMsSdy0XI30HJlXGTNburo=.sha256
Voted With [@Planetary](@oeNoy1RIArVdMdk8ndeoKbAKuU8b56VgxlYP5y8b9Ic=.ed25519) we
@mix.exe %Rp9kYLNN2di5pC9juSfFLouTgc3ew+K66UETXAL5xtg=.sha256
Voted > what licenses do you publish with for SSB work? Mostly varying between A
@mix.exe %uXUvWBa9VbP/WmiYV6EG6K3aR03RXu94+Ht1xEHiLtM=.sha256
Voted [@mix.desktop](@DIoOBMaI1f0mJg+5tUzZ7vgzCeeHh8+zGta4pOjc+k0=.ed25519) I
@Anders %nRO42tTu2Cov2Fkyl3eCvcvlDOkEbzaE0geJfdFSW8o=.sha256

Thanks for starting this thread @mix.desktop

  1. what licenses do you publish with for SSB work?

I have mainly been using Beerware license and LGPL.

  1. why have you chosen what you’ve chosen?

The first FOSS software I did was only GPL. Over time I have seen that it matters more what relationship you have with users of you code than the actual license. Because of this I like Beerware because it at least tries to communicate that hey there is another person at the other end, not a corporation with minions churning out code. For the #ngipointer work everything has been LGPL because that seems like a good fit for libraries and is FOSS complient which was a requirement from the EU.

  1. what experiences have you had as a result of license choices?

Recently I have run into a few situations where AGPL requires me or @Kyle Maas's Development Thoughts to change license or remove packages: rusty validate in db2, ssb-blob-files, gatherings. I have never really taken that seriously but sooner or later one has to.

I think for the software we are building here where there is a high degree of autonomy of peers built into the very design of the protocol makes it less likely that an extractive company would come along and built something on top of this.

What I value the most is that people working on this will be compensated fairly for the work they do so we don't end up in a extractive open source consumerism model. I think that has more to do with consistently delivering high quality that people or organisations value enough to support. The work you have been doing as well as manyverse are good examples of this.

User has not chosen to be hosted publicly
@andrestaltz %OvnLYWbU8tPjztMhNkbCdbGNDcv5TXFdrdI9X4LG6V0=.sha256
  1. what licenses do you publish with for SSB work?

MIT, LGPL, AGPL, MPL.
MIT for the most part.

  1. why have you chosen what you’ve chosen?

MIT for libraries because that's what most core SSB libraries already chose.

LGPL for ssb-ngi-pointer work, for the reasons arj already explained. It's a bit like MIT, but it basically says "virally spread this license when forking the library, but no need to virally spread when using the library in an app"

AGPL for ssb-room (1.0) because it's server infrastructure and the A in AGPL seemed suitable.

MPL for Manyverse because I wanted something copyleft that makes it difficult for companies to fork, slap some ads on it, and publish and profit. I originally went with GPL-3.0, as @Rabble said, but that's a license that makes it hard to be App Store compliant.

  1. what experiences have you had as a result of license choices?

AGPL-3.0 is really problematic for P2P. @memo is the only one who brought up the issue: basically in P2P we have peers acting as both client and server, so whenever Bob is providing new updates for Alice to replicate, Bob is providing a service over the network, and in that instance Bob needs to disclose the source code and the changes made to the source code. So, as memo said, any time modification and you basically should legally disclose that. I think none of us are complying with that part of AGPL. Curiously, in the Manyverse roadmap we have the feature "View source for remote peers" coming up precisely for this. I'm not excited to build it.

Which brings up the topic: how do we even enforce this stuff when someone breaks the terms of the license? How many of us know exactly how to proceed if someone breaks the license? Which lawyer do we contact? What country do we use for the suing? I literally have no idea how I would go about it. Currently the best recourse we have is public shaming, also known as Twitter shitstorms. I think that was actually the case, that some company forked Patchwork but forgot to disclose the changes to the source code. We didn't sue them, we just tweeted about it. There has to be a better recourse than that. Really, means of enforcing compliance are important, otherwise we're just discussing for nothing.

I'm ambivalent about copyleft. On the one hand, YES, I do not want companies forking our stuff to add closed source modifications and profit. On the other hand, to make FOSS effective, I don't want to lean on the (often USian) legal system that in turn depends on vultures and violence.

Honestly, I think FOSS doesn't give good enough tools to protect us from companies. The compliance enforcement is one reason, but the other reason is that companies could still choose to keep the source code open and still profit. Here's a hypothetical: some dirty company forks Manyverse, puts a bunch of ads in it, adds a few more features (say, Stories), and puts it on the app store. All the while, they keep the source code open, just not "obviously open", it's just somewhere there on their website. And then they dump huge amounts of money into internet marketing to pump up their growth hacking of the user base. I said this in other threads: attention is truly the most valuable resource type on the internet, and marketing is a way they could steal a lot of attention for their fork of Manyverse with ads. This could be sufficient to drown Manyverse out of sufficient attention to compete with the fork. And there you go, an AGPL-compliant fork that extracts profit.

For this and other reasons, I've been fond of public domain licenses, although I haven't yet tried them out fully (I don't know how it works for source code). Ever since @xj9 mentioned it, it's been on my mind. For an abundant resource such as information, public domain seems to me like the most commons-friendly and non-violent anarchist solution there is. It's also cybercommunist and lets go of the "property" in intellectual property.

Back to pragmatic terms, I would highly recommend that SSB libraries use permissive libraries like the classical MIT (used for muxrpc, secret-handshake, and all sorts of critical things) or midly copyleft like LGPL.

User has not chosen to be hosted publicly
@SoapDog (Macbook Air M1) %cOV634lUccn/QoAyBUL6r0sXerHve2gES0z6P2aSk/0=.sha256

what licenses do you publish with for SSB work?

All work I develop on my own is MIT.

why have you chosen what you’ve chosen?

In my experience, most licenses are unenforceable unless you're a large project with money or visibility. Having pretty words on a contract signify very little if there is no way to enforce it. Companies that just want to use your stuff without contributing back, will do so even with the GPL. There are a ton of violators of the GPL out there, and some who comply but in a way that doesn't actually help. Apple for example was famous for throwing unorganised source code in a zip file across the wall, that was enough to comply with the GPL and didn't really helped any of the projects.

These days companies can be built on top of FOSS source code, extract a profit, be essentially proprietary by tying the FOSS code to proprietary backends, and be done with it. Just look at Safari and Chrome, both have the same grandad: KHTML. Now, look where the KDE Browser and KHTML are right now. Nowhere.

Also, I have been bullied by FOSS activists in Brazil multiple times, and that has biased my own personal choices away from GPL, FSF, and adjacent activism groups. I still like KDE people though.

So, I spent some time reflecting, do I care if a company uses my stuff in a proprietary package? And I don't. They wouldn't be contributing back anyway. I'd rather use a permissive license, and let each block fall on it's own little container. Those who want to contribute will do so, because they want to, not because they're forced to throw a source-bomb across the wall. The project will advance slower, and maybe proprietary forks or versions will be better, I don't care about any of that.

what experiences have you had as a result of license choices?

MIT is quite stress free to be honest. Just a couple times I had people barking at me, forking, and relicensing my stuff GPL because bulling warms their heart. I rather have these people fork and move away than deal with their belief system.

@mix.exe %yhf41iDJkK7niwgBvmavJIPvS66YGpmRMZt0VprJue0=.sha256
Voted Thanks for starting this thread [@mix.desktop](@DIoOBMaI1f0mJg+5tUzZ7vgzCee
@mix.exe %1iROy9Xw/tWP8k8TrAVmgvp3rfuDtDzXwo9F0AE85Yo=.sha256

@arj you reference things having the be removed because AGPL, but there's nothing there about why. Would you mind giving us a window into the (presumably) offline / meat space processing which happened which compelled you to take those actions? (at the moment all I can feel is "we cannot use AGPL" from which I only learn that you and kyle feel constrained)

@mix.exe %Fv12yBkWsDHWTZLGaBija5JZ8wwZm28hMDvYojATPhU=.sha256
Voted > 1. what licenses do you publish with for SSB work? MIT, LGPL, AGPL, MPL.
@mix.exe %pDGhi+8TSlPWemtfTW36A223UZIZ0veS/oah2w8O8Sk=.sha256
Voted I prefer MIT/BSD and GPLv2, which I use. I think AGPLv3 and GPLv3 are too r
@mix.exe %R2YjujEMmGHfIlS5jqdT21V0JxQTXr8yvOPcBKVeyXg=.sha256
Voted > what licenses do you publish with for SSB work? All work I develop on my
User has not chosen to be hosted publicly
@mix.exe %P2+8SNJYDv8HyIWFtVXDDpMQ5aFGbz/YCcCXsbhxIdI=.sha256

@Grey 🜨 I found it via https://www.reddit.com/r/ImaginaryBestOf/top/?t=all (I highly recommend exploring laterally into adjacent Imaginary Network subreddits)

User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
@mix.exe %oMZCYXdPw2UZi93vBullE1iPz09q2M5CeRPeTKQO7lI=.sha256
Voted hey Mix thanks for starting this conversation! 😺 this is relevant because
@mix.exe %m6Gqfq1MoQWxwAmyqH09nJDjxgmcZI4DoDN0DpWIDCM=.sha256
Voted I don't have any expertise, so consider this a /sub. I'm interested in the
@mix.exe %9PA93ah2XS4pApczg/m1r8VleZvty7SIVHqsdUJ1+fk=.sha256

that's a really interesting story @bob. I found myself chuckling feeling smug that the snake didn't win. But then I stopped when I asked myself "did the project win?". From what you said it sounds like the team didn't turn it into something which was able to financially sustain them? Was the project itself a success do you think? (I mean this in the broadest sense. e.g. sometimes if all a project did was bring people together and collaborate this can be fertile foundations for the future, which make it a net success). Sometimes it's a new positive for a project to not develop if it would have been helmed by people with greedy motives.//

@The System %oDe1iqNZKN5wuD7L6eY7s2hvAHK2QBVTN30bMLfomnc=.sha256
Voted ![smell of the rain - djamilaknopf.jpg](&D3MKcjV6lwUQyL8UXCl3nRc1vakL4wjrfS
@The System %GyAK4bJWSz4Efv3In0VXtq7Q6cJHW0utIqyFfSvPb2k=.sha256
Voted ## Mix **1. what licenses do you publish with for SSB work?** I've been us
User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
@mix.exe %5ywebyhaltqf0/TGMub4H/trhJwcc0yDXgPIIw9BnmU=.sha256

backup: Sensorica spring 2014 Crisis - summary.pdf

@mix.exe %KAaF8/jPqcxah2lNVSJXgJlW/FtmITTFOohKb3a4RgE=.sha256
Voted [@mix.desktop](@DIoOBMaI1f0mJg+5tUzZ7vgzCeeHh8+zGta4pOjc+k0=.ed25519) > I
@mix.exe %TyTnHT+m+S5jIQg+6dg9e+Pe4mQIi602gPFTuhZXyS0=.sha256
Voted [@mix.desktop](@DIoOBMaI1f0mJg+5tUzZ7vgzCeeHh8+zGta4pOjc+k0=.ed25519) P.S.
User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
User has not chosen to be hosted publicly
Join Scuttlebutt now