[License-discuss] Protection of Academic Medical Center Patent Portfolio via MGBopensource Proposed License

Lukas Atkinson opensource at lukasatkinson.de
Thu Nov 21 11:45:34 UTC 2024


I fail to understand how this MGB license is supposed to be more
patent-friendly than Apache-2.0. I'm not a legal professional, but licenses
would ideally be both legally sound *and* comprehensible by lay people.

The relevant clauses of Apache-2.0 are:

> each Contributor hereby grants to You a … patent license to make, have
> made, use, offer to sell, sell, import, and otherwise transfer the Work,
> where such license applies only to those patent claims licensable by such
> Contributor that are necessarily infringed by their Contribution(s) alone
> or by combination of their Contribution(s) with the Work to which such
> Contribution(s) was submitted.


The corresponding parts of this MGB license:

> each Contributor hereby grants to You a … license to use, reproduce,
> prepare Derivative Works of, publicly display, publicly perform,
> sublicense, and to distribute the Work, and Derivative Works …
> This License does not include any express or implied license to any
> [patent] that is not necessary to exploit the rights granted in Section 2.


You explain as the rationale:

> The thought is, if it's necessary to exploit the patent rights to use the
> licensed works, Licensees possess the rights, but this is a more
> appropriate standard than “if it infringes on a patent, you have rights to
> that patent.”


But these two approaches largely seem to end up with the exact same rights
being licensed.

* Apache: for those patents that are necessary for this Contribution,
Contributor grants a patent license to use.
* MGB: Contributor grants a right to use, including any implied patent
licenses necessary for that use.

It seems that the word "infringed" in the Apache license is causing some
unease, but both approaches seem to license the same rights: those patents
that would be infringed by use of the contribution, were it not for this
license. *What would be an example scenario where there is a difference*,
where the Apache-2.0 would grant a patent license beyond what is necessary
to use the Work?

As a lay person, I don't care about whether the patent license triggers on
"necessarily infringed by their Contribution" or "necessary to exploit the
rights granted in Section 2", as long as a patent license ends up being
granted to protect me from infringement claims by the Contributors. The MGB
license could make this much, much clearer, e.g. by removing the double
negation and explicitly granting a patent license.

A probably more important distinction is that the Apache-2.0 license
clearly scopes the patent license to a Contribution, whereas the MGB
license also seems to grant a patent license for any preparation of
Derivative Works. This seems unintentionally broad, but this permissiveness
is of course very welcome from a Software Freedom perspective…

Another difference is the absence of an explicit license to "sell" or
"import" the Work. If this is an Open Source license then those would be
allowed, so for the avoidance of doubt it could be worth keeping those two
verbs.

Taken together, the MGB approach is more complicated and less clear than
most other licenses. It is likely that this approach still provides
Software Freedom, but it casts a shadow of FUD over downstream users of the
Work. The rationale talks about the Apache license's "chilling effect on …
patent portfolio owners", but I see the MGB license causing a chilling effect on
downstream users of the software – which would miss the entire point of
Open Source. Compare also the discussions surrounding the problematic
patent clause in the React license between 2014–2017.

*Some notes about other clauses:*

* The advertising clause in 5(b) is likely to be a problem. Note that the
similar 4-clause (original) BSD license is not OSI-approved. The effect of
such advertising clauses also goes against the intent of section 10 "no
trademark or name license", as it would require the Contributors to be
mentioned in promotional material for objectionable downstream
modifications.

* I feel uneasy about the combination of the somewhat implicit patent
license in sections 2+3 in connection with section 8 "no implied rights".
Someone might interpret this as explicitly withholding any patent license,
in which case the license would fail to provide Software Freedom.

* I understand the intention of section 7 "personal information", but find
it confusing. Some data is said to be part of the Work, but then gets a
separate usage license. It uses the term "protected health information"
without defining it. The definition of "personal information" would seem to
include some attribution notices per section 5, then requiring their
removal. Section 7 also includes a requirement to "inform Licensor", which
might go against the traditional "desert island test" for Software Freedom.

All in all, the license is similar to Apache-2.0 and close to something
that looks OSD-compliant. But in every point where it deviates from
Apache-2.0, I'm increasingly unsure whether and how I would be allowed to
use Works under this license. It seems less like a license than like a
labyrinth of contradictions.

If this license were submitted to license-review as-is, I would ask OSI to
_not approve_ this license (or to at least withhold approval), for the
following reasons:

* license proliferation, close proximity to Apache-2.0
* not obvious whether an (implied) patent license is granted, thus possibly
failing to ensure Software Freedom
* presence of traditionally non-free clauses like advertising clauses,
notification requirements