<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <div class="moz-signature"><br>
    </div>
    <div class="moz-cite-prefix">On 12/10/2019 1:04 PM, Nigel T wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CADaGzk4Mp4x+cNv=7T6uWabu70m08rGO_nEKmr5W0o-Jh7DSOw@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">Pam,
            <div><br>
            </div>
            <div>It may or may not be an open source license according
              to the OSD but I will quote Van here because he said it
              well:</div>
            <div><br>
            </div>
          </div>
        </div>
        <blockquote style="margin:0 0 0 40px;border:none;padding:0px">
          <div dir="ltr">
            <div dir="ltr">
              <div><i>"<span style="color:rgb(0,0,0);white-space:pre-wrap">Regardless, I don't think that the Vaccine License is an appropriate OSS </span><span style="color:rgb(0,0,0);white-space:pre-wrap">license. My primary objection to the vaccine license is that it imposes </span><span style="color:rgb(0,0,0);white-space:pre-wrap">conditions that are logically separate from and wholly unrelated to the </span><span style="color:rgb(0,0,0);white-space:pre-wrap">scope of the intellectual property rights that are licensed."</span></i></div>
            </div>
          </div>
        </blockquote>
        <div dir="ltr">
          <div dir="ltr">
            <div><span style="color:rgb(0,0,0);white-space:pre-wrap">
</span></div>
            <div><font color="#000000"><span style="white-space:pre-wrap">Replace vaccinations with open data.  While I support both open data and vaccinations, I am disinclined to mix requirements for those with the terms of an OSI approved software license.  Open data is arguably more related to open source than vaccinations but I would argue they are still separate.</span></font></div>
          </div>
        </div>
      </div>
    </blockquote>
    This isn't an apt comparison, the CAL is not a data license. The CAL
    was amended specifically to ensure that the data requirement only
    goes as far as necessary to allow operation of the software. It is
    therefore tightly tied to the ability to use the software. <br>
    <br>
    If I were to try to describe the difference, the Vaccine License
    uses restrictions to accomplish a goal different than ensuring that
    the software can be used. The CAL's restrictions are designed only
    to ensure the software can be used.<br>
    <blockquote type="cite"
cite="mid:CADaGzk4Mp4x+cNv=7T6uWabu70m08rGO_nEKmr5W0o-Jh7DSOw@mail.gmail.com">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div><span style="color:rgb(0,0,0);white-space:pre-wrap">
</span></div>
            <div><font color="#000000"><span style="white-space:pre-wrap">And yes, I believe there are cases where it would be very difficult to comply with CAL and is a significant departure from prior licenses in terms of obligations to the user of OSS software for both being compliant and determining if you are in compliance.  
</span></font></div>
          </div>
        </div>
      </div>
    </blockquote>
    I appreciate the comment, which is a line of questioning I followed
    too many months ago (there was this red square ....). The difficulty
    of claiming "ease of compliance" as a criterion for approval is that
    it's product-specific, plus the line between "ok" and "too hard" is
    going to be different for every user. <br>
    <br>
    <blockquote type="cite"
cite="mid:CADaGzk4Mp4x+cNv=7T6uWabu70m08rGO_nEKmr5W0o-Jh7DSOw@mail.gmail.com">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr"><br>
            <div><font color="#000000"><span style="white-space:pre-wrap">I also do not believe that we can rely on a more forgiving reading of license terms but a stricter one...part of the review process here is hopefully to figure out possible failure modes from both benign and malevolent actors.</span></font></div>
            <div><font color="#000000"><span style="white-space:pre-wrap">
</span></font></div>
          </div>
        </div>
      </div>
    </blockquote>
    It's a balance for sure, trying to figure out whether someone is
    trying to game the system in pursuit of goals that do nothing for
    software freedom or whether instead the license has a legitimate
    application that advances software freedom but that may allow misuse
    as a side effect. <br>
    <br>
    Comments are all my own and not made on behalf of OSI.<br>
    <br>
    Pam<br>
    <blockquote type="cite"
cite="mid:CADaGzk4Mp4x+cNv=7T6uWabu70m08rGO_nEKmr5W0o-Jh7DSOw@mail.gmail.com">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div><span style="color:rgb(0,0,0);white-space:pre-wrap">Regards,</span></div>
            <div><span style="color:rgb(0,0,0);white-space:pre-wrap">
</span></div>
            <div><span style="color:rgb(0,0,0);white-space:pre-wrap">Nigel</span></div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Tue, Dec 10, 2019 at
              12:26 PM Pamela Chestek <<a
                href="mailto:pamela@chesteklegal.com"
                moz-do-not-send="true">pamela@chesteklegal.com</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF"> You haven't answered my last
                question, which is whether you believe this is not an
                open source license or simply that it a license that
                will be difficult to comply with in some use cases. If
                you believe it is not an open source license, what would
                be your explanation of the rationale for refusing it?<br>
                <br>
                Pam<br>
                <br>
                <div>Pamela S. Chestek<br>
                  Chestek Legal<br>
                  PO Box 2492<br>
                  Raleigh, NC 27602<br>
                  919-800-8033<br>
                  <a href="mailto:pamela@chesteklegal.com"
                    target="_blank" moz-do-not-send="true">pamela@chesteklegal.com</a><br>
                  <a href="http://www.chesteklegal.com" target="_blank"
                    moz-do-not-send="true">www.chesteklegal.com</a><br>
                  <br>
                </div>
                <div>On 12/10/2019 11:48 AM, Nigel T wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">Pam,
                        <div><br>
                        </div>
                        <div>My concern is that most software that takes
                          in user data isn't very well equipped to
                          export that user data back out.  </div>
                        <div><br>
                        </div>
                        <div>If the <b>code</b> you received from
                          upstream (not user data) can not comply with
                          the user data export requirements of
                          4.2...whatever those may be...then the
                          downstream user of that code is automatically
                          not in compliance with the license on day 1.</div>
                        <div><br>
                        </div>
                        <div>A simple scenario is I open source a system
                          that lets my clients make appointments with
                          me, see their billing statements, communicate
                          with me, etc under the CAL license.  You see
                          this and like it because of open data and
                          transparency and get a copy of my software and
                          begin to use it for your own clients.  It's
                          really easy to do as I provided you (or
                          whomever sets up your web site for you) step
                          by step instructions on how to set it up on
                          your own host.  </div>
                        <div><br>
                        </div>
                        <div>No need to compile anything, just run my
                          installer, pick a password, fill in some
                          preferences, add your logo and you're ready to
                          go.  </div>
                        <div><br>
                        </div>
                        <div>For any other open source license if you
                          provide the source code of my software to your
                          clients you are, as far as I can tell, always
                          in compliance.</div>
                        <div><br>
                        </div>
                        <div>But say I had neglected to provide a way to
                          export some data fields that the client gives
                          me when interacting with the system.  You are
                          in breach of the license as is everyone else
                          who used my open source software to serve
                          their own clients.</div>
                        <div><br>
                        </div>
                        <div>All the client user data is certainly
                          available to you as the downstream provider of
                          the software to your clients...it may just a
                          simple SQL statement away or it may require a
                          lot of code changes to make available but
                          either way you DO have it.</div>
                        <div><br>
                        </div>
                        <div>As a potential downstream user looking at
                          my software web page, running on my demo site,
                          etc, how do you know you are actually in
                          compliance without more careful analysis of
                          the system inputs and outputs?  Do you not
                          have to remake this assessment every time you
                          upgrade to my latest version? </div>
                        <div><br>
                        </div>
                        <div>I also do not believe that we can assume
                          that the required data is easily ascertainable
                          nor do I believe that you could provide a
                          simple criteria like "received in plain text"
                          given that often the most valuable user inputs
                          are the relationships between data and data
                          groupings they create.<br>
                        </div>
                        <div><br>
                        </div>
                        <div>Also the requirement to export <i
                            style="font-family:arial,sans-serif">"</i><i style="font-family:arial,sans-serif;white-space:pre-wrap">data has been generated by, for, or has been assigned to the Recipient"</i><span style="font-family:arial,sans-serif;white-space:pre-wrap"> makes the required export data not easily ascertainable.</span></div>
                        <div><br>
                        </div>
                        <div>Regards,</div>
                        <div><br>
                        </div>
                        <div>Nigel</div>
                        <div><br>
                        </div>
                      </div>
                    </div>
                  </div>
                  <br>
                  <div class="gmail_quote">
                    <div dir="ltr" class="gmail_attr">On Tue, Dec 10,
                      2019 at 10:12 AM Pamela Chestek <<a
                        href="mailto:pamela@chesteklegal.com"
                        target="_blank" moz-do-not-send="true">pamela@chesteklegal.com</a>>
                      wrote:<br>
                    </div>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
                      <div bgcolor="#FFFFFF"> <br>
                        <div>On 12/10/2019 9:41 AM, Nigel T wrote:<br>
                        </div>
                        <blockquote type="cite">
                          <div><font face="arial, sans-serif">The <b>software
                                is not a safety deposit box</b> because
                              of the requirement that you must also
                              return <i>"</i><span
                                style="background-color:transparent"><i style="color:rgb(0,0,0);white-space:pre-wrap">data has been generated by, for, or has been assigned to the Recipient". </i><font
                                  color="#000000"><span style="white-space:pre-wrap">Safety deposit boxes don't generate new content for users.  Software often does.  </span></font></span></font></div>
                          <div><span style="color:rgb(0,0,0);font-family:arial,sans-serif;white-space:pre-wrap;background-color:transparent">
</span></div>
                          <div><span
                              style="background-color:transparent"><font
                                face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">Even ignoring generated data that you'd have go though each and every UI screen and make sure all inputs provided by user are correctly mapped to an export field...and you have to do this every time you update from upstream.</span></font></span></div>
                          <div><font face="arial, sans-serif"><span
                                style="background-color:transparent"><font
                                  color="#000000"><span style="white-space:pre-wrap">
</span></font></span></font></div>
                          <div><font face="arial, sans-serif"><span
                                style="background-color:transparent"><font
                                  color="#000000"><span style="white-space:pre-wrap"><b>If the original software cannot export all of the data required to meet the requirements of 4.2 then all subsequent users of the software are in breach of the license.</b>  </span></font></span></font><span
                              style="color:rgb(0,0,0)"><font
                                face="arial, sans-serif"><b>This is a
                                  point that you continue to dance
                                  around. </b></font></span><span
                              style="background-color:transparent"><font
                                face="Calibri, sans-serif"><font
                                  color="#000000"><span style="white-space:pre-wrap">You are handwaving significant legal and technical burden you are placing on users of CAL licensed software because you want to extend licensing requirements beyond open </span><b style="white-space:pre-wrap">source</b><span style="white-space:pre-wrap"> into open </span><b style="white-space:pre-wrap">data </b></font></font></span><span
                              style="background-color:transparent"><font
                                face="Calibri, sans-serif"><font
                                  color="#000000"><span style="white-space:pre-wrap">and non-technical users who just use the software out of the box don't control that at all.  There are no exceptions for non-compliance of the original code in this license so it's <b>a compliance nightmare</b></span></font></font></span><font
                              face="Calibri, sans-serif" color="#000000"><span style="white-space:pre-wrap"><b> for every downstream user whether they change the code or not</b>.</span></font></div>
                          <div><span
                              style="background-color:transparent"><font
                                face="Calibri, sans-serif"><font
                                  color="#000000"><span style="white-space:pre-wrap">
</span></font></font></span></div>
                        </blockquote>
                        Hi Nigel,<br>
                        <br>
                        Can you help me understand your point better?
                        Section 4.2.1 says "Throughout any period in
                        which You exercise any of the permissions
                        granted to You under this License, You must also
                        provide to any Recipient <i>to whom you provide
                          services via the Work</i>, ... the Recipient's
                        User Data in your possession, <i>to the extent
                          that such User Data is available to You</i>
                        for use in conjunction with the Work." <br>
                        <br>
                        I acknowledge your dislike of the ambiguity of
                        "to the extent that such User Data is available
                        to You," but I'd like to put that point aside.
                        For the purposes of argument let's assume that
                        it is an easily ascertainable set of data,
                        something like "any User Data you received in
                        plain text." The scenario is that I have
                        received data about a Recipient from upstream,
                        and now I am providing services to that same
                        Recipient, which is the only situation in which
                        I would have to provide User Data. Is your point
                        that the program architecture may make it too
                        difficult to extract and provide the plain text
                        that upstream provided to me? Is your argument
                        that there is something that is not open source
                        about this arrangement, or is it that the
                        license will be used in situations for which it
                        is poorly suited?<br>
                        <br>
                        Pam<br>
                        <br>
                        Pamela S. Chestek<br>
                        Chestek Legal<br>
                        PO Box 2492<br>
                        Raleigh, NC 27602<br>
                        919-800-8033<br>
                        <a href="mailto:pamela@chesteklegal.com"
                          target="_blank" moz-do-not-send="true">pamela@chesteklegal.com</a><br>
                        <a href="http://www.chesteklegal.com"
                          target="_blank" moz-do-not-send="true">www.chesteklegal.com</a><br>
                      </div>
                      _______________________________________________<br>
                      License-review mailing list<br>
                      <a
                        href="mailto:License-review@lists.opensource.org"
                        target="_blank" moz-do-not-send="true">License-review@lists.opensource.org</a><br>
                      <a
href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org"
                        rel="noreferrer" target="_blank"
                        moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a><br>
                    </blockquote>
                  </div>
                  <br>
                  <fieldset></fieldset>
                  <pre>_______________________________________________
License-review mailing list
<a href="mailto:License-review@lists.opensource.org" target="_blank" moz-do-not-send="true">License-review@lists.opensource.org</a>
<a href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org" target="_blank" moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
</pre>
                </blockquote>
                <br>
              </div>
              _______________________________________________<br>
              License-review mailing list<br>
              <a href="mailto:License-review@lists.opensource.org"
                target="_blank" moz-do-not-send="true">License-review@lists.opensource.org</a><br>
              <a
href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org"
                rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a><br>
            </blockquote>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
License-review mailing list
<a class="moz-txt-link-abbreviated" href="mailto:License-review@lists.opensource.org">License-review@lists.opensource.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>