[License-discuss] open source licenses addressing malicious derivatives

Charles Swiger cswiger at mac.com
Thu Jun 23 17:26:27 UTC 2016

Hi, Sean--

On Jun 22, 2016, at 4:40 PM, Christopher Sean Morrison <brlcad at mac.com> wrote:
> Is there any OSI-approved license that provides injunctive relief to an original author in the situation of a bad actor creating a damaging derivative?

At least for the US, injunctive relief is a decision which is made by a judge:


Judges are likely to support reasonable contractual terms, but they will evaluate the specific circumstances at hand and have no obligation to blindly agree that something-or-other causes irreparable harm just because a contract says that it does:


> To figure this out, I’ve been researching and trying to sort out:
> 1) which existing OSI-approved licenses impose derivative requirements (e.g., such that others must rename, that changes must be itemized, etc) and,

The old BSD license and the zlib license also have mandatory attribution clauses.

> 2) whether such a requirement makes the license de facto GPL/LGPL-incompatible?

Yes, it would be (L)GPL incompatible.

> For #1, I know CDDL has a required notice of authorship of modifications but didn’t see anything else at least amongst the popular licenses.  I know that license+trademark protection is the primary method for several notable open source products (e.g., Firefox), but getting an injunction solely on failing to announce modifications seems weak. 

Indeed.  Beyond that, requiring modified versions to have changes be clearly identified is reasonable and compatible with the OSD.  Requiring changes to be announced or made available to the original authors would violate the OSD.

One of the goals is to allow people to modify software to suit themselves.  Unless they redistribute the changed versions to external parties, people should have the right to make private changes.

> I think the answer to #2 is “probably”, as anything that would hold up in court would likely be an additional requirement, forbidden by the GNUs, but would appreciate any insights.
> The backdrop for this is an author reasonably going to court and obtaining injunctive relief should some bad actor distribute a derivative that was specifically designed to cause some surreptitious harm to the original author.  Not just a hypothetical case.

Releasing software under an Open Source license means that the original author cannot prevent someone from changing that software, even in ways that the original author does not like.  This is intentional.

Now, if a bad actor does something against the law-- anything from harassment, wrongful removal of copyright statements, or explicit violations of the Computer Fraud and Abuse Act-- then the author would have valid grounds for requesting damages and/or injunctive relief against the wrongful conduct.

> Consider governmental actors where the outcome is political or newsworthy in nature.  State Agency embraces open source, releases “State Agency's Super Something Yellow”.  Bad actor modifies and gets a bad SASSY into the marketplace.  Is there anything outside of trademark registration that would help State Agency save face and/or get injunctive relief more easily?

Can you be more specific about what you mean by "bad SASSY"...?

