[License-review] [new license] Blue Oak Model License 1.0.0

Luis (lu.is) luis at lu.is
Wed Dec 27 20:44:57 UTC 2023

Hi! Thanks for all the comments. As a service to the l-r community, I am editing and condensing the three comments on Blue Oak in one place.

As a prefatory matter, I note, again, that this process would be better handled in an issue tracking system or wiki; pretty much anything other than a mailing list. That said, I appreciate the efforts of the current l-r community, especially Pam but I'm sure many others, to improve the process since I last engaged in it.

Important part first, approval:

• Lucas Atkinson: “The license is evidently OSD-compliant and should probably be approved.”
• Carlo Piana: “I ... do not spot any reasons why it should not be approved.” “[I]f a license is sufficiently marking all checkboxes in OSD, it has been submitted according to the policy, it is not up to OSI to question the merit of the license, IMHO or to raise ‘recommendations’.”
• Pam Chestek: “I don't see that it could be construed in a way that violates the OSD nor does it fail to meet the non-OSD requirements.”

On substantive feedback, two prefatory points:

• The license is fairly widely used, so this feedback is appreciated and might inform the FAQ or a future version of the license but obviously can’t impact the submitted (and used) 1.0.0 text.
• I speak here only for myself. The other authors of the license have not been consulted on these answers.

The actual substance:

• Lucas: “While attempting to be maximally permissive in as few words as possible, the copyright license does not consider potentially non-licenseable aspects of copyright such as moral rights.” This is a fair point, though as a practical matter I’ve never seen moral rights come up in the software context (and Carlo’s response suggests they may not even be applicable).
    • Side note: OSI would benefit from a discussion of how to handle the interaction of restrictive statutes and pro-sharing OSI licensing; e.g., moral rights; automatic termination; indemnification.
• Lucas: “Unusually, the license does not even expect the preservation of copyright notices.” As a practical matter, I think preservation of notices is not a useful requirement for a modern license. For small packages, removal of notices rarely happens, and for complex amalgamations of packages, like our phones, the multi-hundred-page notice files serve no one except the tool vendors who get paid to put them together. I will consider whether the FAQ should more clearly signpost that authors should look to other mechanisms for attribution.
• Lucas: “The "strong patent grant" looks so broad that it would be completely unsafe for anyone who might come into contact with patents to contribute to Blue Oak covered software.” I appreciate the argument for a more limited grant, but I think the change here is (1) extremely minor in practice, especially relative to modern licenses like GPLv3 (as pointed out also by Carlo) and (2) it is appropriate at this economic juncture for open source projects to desire and demand broader patent grants.
• Pam makes several points about the line between concision and vagueness. I take Pam’s general point; in particular, I think Pam is right that “rules”/license conditions could be more explicit, following MPL 2.0 §2.7 and CAL 1.0 §4 (though I believe that’s the entire list of open licenses that get this particular issue right, despite it being a live problem in the caselaw (see Microsoft v. Sun)). But I think the Blue Oak approach, of straightforward definitions that fall back on common sense and the industry’s multi-decade course of dealing, is better than most older licenses, and arguably more robust in the long run than most over-specified/inflexible licenses.

Hope that is helpful!
On Nov 7, 2023 at 6:14 PM -0800, Luis Villa <luis at lu.is>, wrote:
> I hereby submit the Blue Oak Model License 1.0.0 for OSI’s consideration as a new license. It is just under five years old, so not exactly “new”, but I have been asked by a number of people in the Javascript community to submit it, as it is used by a critical dependency and their policy requires OSI-approved licenses.
> # Describe what gap not filled by currently existing licenses that the new license will fill.
> While preparing the first version of the Blue Oak Council permissive license list, council members (including myself and other attorneys specialized in open source) ended up trading notes about the features of a good permissive license. No existing license boasted all of those features, particularly including plain language drafting and a strong patent grant, so we wrote this one.
> We wrote at more length about the license’s benefits in the initial announcement, which I will avoid duplicating here:
> https://blueoakcouncil.org/2019/03/06/model.html
> # Compare it to and contrast it with the most similar OSI-approved license(s).
> We feel that the license is:
> - easier to read, and more legally explicit with regards to patents and cure provisions, than the traditional “academic” permissives like MIT, BSD, or ISC
> - shorter (~ 1/5th as long) and more permissive than Apache 2.0
> # Describe any legal review the license has been through, including whether it was drafted by a lawyer.
> The license was drafted by me and other experienced open source attorneys. It did not otherwise undergo a public vetting prior to publication.
> # Affirmatively state that the license complies with the Open Source Definition, including specifically affirming it meets OSD 3, 5, 6 and 9.
> I believe that the license complies with the OSD, including 3, 5, 6, and 9.
> # Identify what projects are already using the license.
> This submission was prompted because the license is used in:
> https://www.npmjs.com/package/path-scurry (downloaded 10 million times a week)
> https://www.npmjs.com/package/jackspeak (downloaded 9 million times a week)
> Both of these are dependencies of the https://www.npmjs.com/package/glob project (downloaded 126 million times a week)
> In turn, three of the top five packages in the OpenJS “Impact” list (Appium, Electron, and Node.js) depend on glob. As a result, OpenJS Foundation approached me and asked me to submit the license to OSI. (I am doing this as a favor, and am not being compensated for my time.)
> GitHub search additionally identifies about 2,000 files containing the license string (which may or may not map to packages using the license).
> # Provide the identity and contact details of the license steward, if known, and of the submitter. The OSI will try to get in touch with the license steward if the license submitter is not the steward.
> Blue Oak Council (https://blueoakcouncil.org/about) is the steward. I, Luis Villa, am on the board and drafting team of the Blue Oak Council, and am serving as the contact for this submission.
> # Provide any additional information that the submitter believes would be helpful for license review. For example, approval of the license by Debian, the FSF or the Fedora Project would be relevant to the review process.
> The license is allowed by Fedora:
> https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
> # Provide a unique name for the license, preferably including the version number.
> Blue Oak Model License 1.0.0
> # If any exist, provide the unique identifier by other projects, like SPDX or ScanCode.
> The SPDX license identifier is Blue-Oak-1.0.0.
> https://spdx.org/licenses/preview/BlueOak-1.0.0.html
> # Identify any proposed tags for the license (when available; see below regarding tagging).
> As far as I know these are not yet available.