
Pitfalls checklist for software using AGPL
Closed, Resolved · Public

Description

In a recent conversation on the ops list, @LuisVilla cautioned against using AGPL-licensed software:

Short version is that I'm not certain we comply with the requirements of AGPL out of the box—what we do with source availability is great, but arguably not sufficient. But I have been talking with Rob, and will soon talk with ops/ @mark., to get us all on the same page about this.

@RobLa added:

Yup, what he said ^ No problem in spirit with AGPL, but the requirements of the license are such that compliance is not as simple as it is with just about every other license we have. I don't remember what it was that Nik was looking at the last time AGPL came up, but I believe it was a relatively small and unimportant feature and so it was easier for him to just avoid it rather than forcing a conversation about AGPL compliance. This is large and important, so if we need to force a discussion about AGPL, that's fine. We need to have that conversation sooner or later, and this would be a perfectly reasonable trigger.

It would be great if we could clarify what the issues are, given that basically all our code is available from our git repositories / source debs. I'm especially interested in these scenarios:

  • private security patches that are only released to the public on the next release
  • use of AGPL modules -- any issues beyond 'program needs to be AGPL too'?
  • shelling out to AGPL-licensed executables
  • mixing of GPL and AGPL network services, which communicate exclusively over the network

Not relevant:

  • hyperlinking a webservice based on AGPL software

Premises:

  • All our code is published and under some sort of OSI-approved license, but:
  • since 2009, our code embeds proprietary data (especially CentralNotice for geolocation);
  • starting in 2015, proprietary and closed-source software services may be embedded over the network by some of our code.

Event Timeline

GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description.
GWicke added a project: WMF-Legal.
GWicke changed Security from none to None.
GWicke added subscribers: RobLa, mark, MarkTraceur.
GWicke added a subscriber: GWicke.
GWicke updated the task description. · Nov 27 2014, 7:32 PM
GWicke updated the task description. · Nov 27 2014, 7:37 PM
GWicke updated the task description.
GWicke updated the task description.

I think an explanatory page on mediawiki.org, meta.wikimedia.org, wikitech.wikimedia.org, or wikimediafoundation.org (least preferred) would probably be sufficient here.

greg added a subscriber: greg. · Nov 28 2014, 9:22 PM
revi added a subscriber: revi. · Nov 29 2014, 10:51 AM

Just to check in here - I'm talking with outside counsel about this issue, and I think we have resolution on most of my concerns. That will lead to a checklist we can follow whenever we need to comply with AGPL. Hopefully that will be ready soon.

greg added a comment. · Dec 11 2014, 4:54 PM

Boy do I love checklists! (sarcastic sounding but not!)

Parent5446 added a subscriber: Parent5446.

Adding Security since the whole security patch issue is related.

Nemo_bis updated the task description. · Feb 17 2015, 8:10 AM
Nemo_bis added a subscriber: LuisVilla.
Nemo_bis updated the task description. · Feb 17 2015, 8:17 AM
Nemo_bis updated the task description.
Nemo_bis added a project: MediaWiki-General.
Nemo_bis removed a subscriber: LuisVilla.
Nemo_bis added a subscriber: LuisVilla.
LuisV_WMF edited subscribers, added: LuisVilla; removed: LuisV_WMF.
dpatrick triaged this task as Low priority. · Aug 11 2015, 9:48 PM
dpatrick edited projects, added Security-Team; removed Security.
dpatrick added a subscriber: LuisVilla.
Restricted Application added a subscriber: Aklapper. · Aug 11 2015, 9:48 PM
ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board. · Apr 14 2016, 1:31 AM
Restricted Application added a subscriber: JEumerus. · Apr 14 2016, 1:31 AM

Given that we already have AGPL software deployed on the cluster and at least I would like to deploy some more, it would be nice if someone (@Slaporte ?) could finally make a statement about AGPL usage, otherwise it seems like this ticket is just FUD.

@Legoktm please send @ZhouZ or me an email for guidance on deploying or contributing to AGPL code. We're currently looking at it on a case-by-case basis.

greg added a comment. · Sep 23 2016, 10:22 PM

So is this ticket then declined or....?

I'm not a huge fan of it being a "behind closed doors only" discussion for very long. We did that for a couple years now (not consistently, very sporadically when it was relevant).

We can put together some short guidance so it's not only "behind closed doors", but in the meantime you can get advice if you need it for a specific situation via email. We have the checklist that Luis mentioned above for internal use.

Nemo_bis closed this task as Resolved. · Sep 23 2016, 11:04 PM

Let's make the task summary more accurate then.

Nemo_bis renamed this task from Clarify concerns about AGPL use to Pitfalls checklist for software using AGPL. · Sep 23 2016, 11:05 PM

> We can put together some short guidance so it's not only "behind closed doors", but in the meantime you can get advice if you need it for a specific situation via email. We have the checklist that Luis mentioned above for internal use.

Umm, so does that mean that an official part of the process of deploying AGPL software is "Email Legal to see if it's ok"? If so that should be publicly stated somewhere (e.g. On the deployment checklist), otherwise people will probably just deploy AGPL software the same way any other software is deployed.

Legoktm reopened this task as Open. · Sep 24 2016, 12:14 AM

> @Legoktm please send @ZhouZ or me an email for guidance on deploying or contributing to AGPL code. We're currently looking at it on a case-by-case basis.

Stephen, this doesn't really help me because I'm still waiting for a response from you or another legal team member about a different software/copyright related matter since August 8th (and resent on September 6th). If email is the recommended communication medium, how long should I expect to wait to get a response about AGPL software?

>> @Legoktm please send @ZhouZ or me an email for guidance on deploying or contributing to AGPL code. We're currently looking at it on a case-by-case basis.
>
> Stephen, this doesn't really help me because I'm still waiting for a response from you or another legal team member about a different software/copyright related matter since August 8th (and resent on September 6th). If email is the recommended communication medium, how long should I expect to wait to get a response about AGPL software?

I'll look up your email question and get back to you there. Email or IM is usually the best way to reach us for legal questions. You shouldn't have to wait too long!

> I'll look up your email question and get back to you there. Email or IM is usually the best way to reach us for legal questions.

@Slaporte: Did this happen?

JBennett closed this task as Resolved. · Sep 4 2018, 2:27 PM
JBennett removed a project: Security-Team.