[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

VanL van.lindberg at gmail.com
Thu Dec 12 20:16:47 UTC 2019


I think you are complicating the issue. It started out as "no one could
self-host WordPress." That is false. Self-hosting WordPress is allowed, and
the compliance is just the same as the AGPL, because in the basic
self-hosting instance, the operator is not holding any user data.

Then the hypothetical expanded to self-hosted comments, so that there was
some minimal user data being held. In this case, I agree that the comments
would need to be provided, should they be requested. But there are
reasonable, semi-automatic ways by which this data is provided (HTML, RSS
feeds). I would also note that a SQL dump would also work, and I don't
think that copy+pasting a SQL select from the internet is beyond the
capabilities of even a non-technical user (should the comments be
requested).

The hypothetical then expanded again to user accounts, memberships, badges,
user content, etc - the whole WordPress ecosystem. I can't say that the
whole WordPress ecosystem would be able to easily comply. But you yourself
identify that the information is stored in the database or the filesystem,
and it is accessible, so compliance is possible. I would also note plugins
like WP-all-export.

But then the hypothetical expands to a non-admin user - and that's where it
breaks again. If someone starts a WordPress hosting business, where they
are hosting other people's blogs, I don't think it is unreasonable to say
that they are taking upon themselves substantial additional compliance
requirements, of which the CAL's requirements are usually a subset.

Thanks,
Van

On Thu, Dec 12, 2019 at 1:17 PM Nigel T <nigel.2048 at gmail.com> wrote:

> If the users do not have admin privs they don't get to see wp_usermeta
> data unless it's explicitly exposed in some form.  Given that plugins and
> forms can store user input in wp_usermeta or in other areas of the database
> (like wp_commentmeta) it is easy to show that Wordpress is not fully 4.2
> compliant.
>
> To argue that Wordpress is CAL 4.2 compliant because you can see your
> comments ignores that there are many other interactions possible with
> Wordpress like upvoting, voting in polls, answering questions on forms,
> internal storage of data generated for the user, file uploads, badges,
> memberships, payment data, comment tags, guest posts, etc.
>
> And to say that because a user can copy/paste from HTML pages generated by
> Wordpress that compliance with 4.2 is trivially achievable makes a mockery
> of the desire for user data accessibility.
>
> Wordpress is great because the user of the software can export their site
> and import it into another Wordpress server....that's the desired goal for
> access to your own content.  It, however, doesn't do that for individual
> viewers of the site that interact with and respond to the content
> provided.  So it isn't CAL 4.2 compliant for the non-technical user.
>
> On Thu, Dec 12, 2019 at 3:06 AM Henrik Ingo <henrik.ingo at avoinelama.fi>
> wrote:
>
>> If there was a request from a user to get their user data, then the
>> clueless operator could also easily publish or approve the queued comments,
>> and they would be in compliance. This is a first class feature in the
>> Wordpress GUI, and requires zero coding skills from the operator.
>>
>> For those who are not intimately familiar with Wordpress... It has been
>> CAL compliant 13 years ago:
>> https://en.blog.wordpress.com/2006/08/14/my-comments/
>>
>> Admittedly the CAL maybe implies data should be exported in some other
>> format than a HTML page, such as a mysqldump, json, or xml file. But it
>> doesn't explicitly mandate a specific data format. In the case of the
>> clueless Wordpress operator presumably administering a fairly low volume
>> site, it could be argued that a HTML page from where a user can easily
>> copypaste all of their user data is in fact a good alternative to provide
>> this data.
>>
>> IMO the Wordpress example rather strengthens Van's argument that for
>> realistic scenarios the CAL requirements are not unreasonable. I agree that
>> there's a discussion worth having about licensors with bad intent, but I
>> don't support the idea that a license should be rejected based on rather
>> theoretical corner cases. Especially when - as I illustrated in my previous
>> email - the same corner cases can be constructed for existing licenses like GPL.
>>
>> henrik
>>
>> On Thu, Dec 12, 2019 at 7:26 AM Bruce Perens via License-review <
>> license-review at lists.opensource.org> wrote:
>>
>>> If they hosted comments on their WordPress blog, and did not approve
>>> some comments but kept them in the approval queue, this would be sufficient
>>> to activate the data terms.
>>>
>>> I agree with Nigel.
>>>
>>> On Wed, Dec 11, 2019, 8:53 PM VanL <van.lindberg at gmail.com> wrote:
>>>
>>>> On Wed, Dec 11, 2019, 9:18 PM Nigel T <nigel.2048 at gmail.com> wrote:
>>>>
>>>>> A SaaS license is intended to be applied to software that is seen and
>>>>> used by third parties.
>>>>>
>>>>> It is disingenuous for you to imply otherwise.
>>>>>
>>>>> Many non-developers have set up their own content management system
>>>>> like Wordpress on their own servers.  If Wordpress was CAL instead of GPL
>>>>> none of those users would be able to use WordPress because it’s unlikely
>>>>> that WordPress is fully compliant under the terms of 4.2.
>>>>>
>>>>
>>>>
>>>> This is an illuminating example. If WordPress was CAL licensed, then
>>>> all those people hosting their own blogs on WordPress would have to provide
>>>> a link to or copy of the source code they were using, but that is it. Why?
>>>> Because they would not be hosting the user data of random readers. The
>>>> outcome would be essentially the same as the AGPL.
>>>>
>>>> Someone would only need to provide additional user data if they did
>>>> more than host their own blog, but instead moved into the blog hosting
>>>> business.
>>>>
>>>> Thanks,
>>>> Van
>>>>
>>>>
>>>>> _______________________________________________
>>>> License-review mailing list
>>>> License-review at lists.opensource.org
>>>>
>>>> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org
>>>>
>>
>>
>> --
>> henrik.ingo at avoinelama.fi
>> +358-40-5697354        skype: henrik.ingo            irc: hingo
>> www.openlife.cc
>>
>> My LinkedIn profile: http://fi.linkedin.com/pub/henrik-ingo/3/232/8a7