[License-review] For Approval: License Zero Reciprocal Public License

Josh berkus josh at postgresql.org
Tue Oct 24 20:41:46 UTC 2017


On 10/23/2017 05:15 PM, Kyle Mitchell wrote:
> On 2017-10-23 16:10, Josh berkus wrote:
>> On 10/23/2017 03:55 PM, Kyle Mitchell wrote:
>>> Josh,
>>>
>>> I've been busy working out variations, trying to cover all
>>> the concerns we raised, plus a few from Richard and McCoy,
>>> without doubling the length of the license or veering into
>>> heavy-duty contract structure.
>>>
>>> The frontrunner:
>>>
>>>   3.  Use with any software patch must be accompanied by
>>>       release of that patch as Open Source Software per the
>>>       Open Source Definition published by the Open Source
>>>       Initiative.
>>
>> [...]
>>
>> My first question, in the above, is "what if the user doesn't have the
>> ability to relicense the patch?"  The clause above imposes an obligation
>> that the *user* may be unable to fulfill -- or for that matter even
>> unaware of -- while the *distributor*, who is the jerk who bundled ZRPL
>> code with a proprietary patch in the first place, gets off scot-free.
>> Is that how you intended this paragraph to be interpreted?
> 
> Yes.  The originator of the non-Open Source patch will be in
> breach, as would any follow-on user to whom they provide a
> copy.  The originator of the patch can't give more
> permission than they themselves received from owners of
> rights in the original L0-R code.  If the one who made the
> patch made any kind of warranty---express or implied---to
> the end user, the end user might be able to bring a claim
> against the infringing modifier-distributor, to answer for
> any liability of their own.

Not according to the wording in that clause; according to it, only "use"
triggers the restriction, not redistribution.  Granted that it's
difficult to modify software without using it (at least for testing
purposes), but the license seems worded to put the onus on the user, not
on the modifier.

> The situation you describe is unfortunate, but not peculiar
> to L0-R.  Any copyleft license that triggers a requirement
> to provide all source, not just source for your own
> modifications, has the same potential.  Otherwise, the
> freedom to hack software you obtain wouldn't get much
> protection.  Any first infringer could open the door for
> subsequent recipients to dodge the copyleft requirement, on
> the grounds that it's conveniently impossible to do so.

You're missing the distinction between the user and the modifier of code
here.  The GPL puts its emphasis on *distribution*, not use; in fact, I
can use GPLv2 code all I want in combination with any other licenses and
not violate anything.  The violation only happens when I give a copy of
that code to someone else.

The distinction here is important.  Theoretically, someone who is going
to modify code should understand the licensing of the code they are
modifying.  But I don't feel like we can expect the same of someone who
is just executing a binary;  they don't *know* that it was modified with
incompatibly licensed code unless they dig into the code history.

What I don't get is why you even bother with this emphasis on use
instead of distribution.  Explain?

--Josh Berkus


