<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
You haven't answered my last question, which is whether you believe
this is not an open source license or simply that it a license that
will be difficult to comply with in some use cases. If you believe
it is not an open source license, what would be your explanation of
the rationale for refusing it?<br>
<br>
Pam<br>
<br>
<div class="moz-signature">Pamela S. Chestek<br>
Chestek Legal<br>
PO Box 2492<br>
Raleigh, NC 27602<br>
919-800-8033<br>
<a class="moz-txt-link-abbreviated" href="mailto:pamela@chesteklegal.com">pamela@chesteklegal.com</a><br>
<a class="moz-txt-link-abbreviated" href="http://www.chesteklegal.com">www.chesteklegal.com</a><br>
<br>
</div>
<div class="moz-cite-prefix">On 12/10/2019 11:48 AM, Nigel T wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CADaGzk5OEczmsFXO8iD0PVRGb_hma2DUpiFU=ktUGZ+VuyenEA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Pam,
<div><br>
</div>
<div>My concern is that most software that takes in user
data isn't very well equipped to export that user data
back out. </div>
<div><br>
</div>
<div>If the <b>code</b> you received from upstream (not
user data) can not comply with the user data export
requirements of 4.2...whatever those may be...then the
downstream user of that code is automatically not in
compliance with the license on day 1.</div>
<div><br>
</div>
<div>A simple scenario is I open source a system that lets
my clients make appointments with me, see their billing
statements, communicate with me, etc under the CAL
license. You see this and like it because of open data
and transparency and get a copy of my software and begin
to use it for your own clients. It's really easy to do as
I provided you (or whomever sets up your web site for you)
step by step instructions on how to set it up on your own
host. </div>
<div><br>
</div>
<div>No need to compile anything, just run my installer,
pick a password, fill in some preferences, add your logo
and you're ready to go. </div>
<div><br>
</div>
<div>For any other open source license if you provide the
source code of my software to your clients you are, as far
as I can tell, always in compliance.</div>
<div><br>
</div>
<div>But say I had neglected to provide a way to export some
data fields that the client gives me when interacting with
the system. You are in breach of the license as is
everyone else who used my open source software to serve
their own clients.</div>
<div><br>
</div>
<div>All the client user data is certainly available to you
as the downstream provider of the software to your
clients...it may just a simple SQL statement away or it
may require a lot of code changes to make available but
either way you DO have it.</div>
<div><br>
</div>
<div>As a potential downstream user looking at my software
web page, running on my demo site, etc, how do you know
you are actually in compliance without more careful
analysis of the system inputs and outputs? Do you not
have to remake this assessment every time you upgrade to
my latest version? </div>
<div><br>
</div>
<div>I also do not believe that we can assume that the
required data is easily ascertainable nor do I believe
that you could provide a simple criteria like "received in
plain text" given that often the most valuable user inputs
are the relationships between data and data groupings they
create.<br>
</div>
<div><br>
</div>
<div>Also the requirement to export <i
style="font-family:arial,sans-serif">"</i><i style="font-family:arial,sans-serif;white-space:pre-wrap">data has been generated by, for, or has been assigned to the Recipient"</i><span style="font-family:arial,sans-serif;white-space:pre-wrap"> makes the required export data not easily ascertainable.</span></div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Nigel</div>
<div><br>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Dec 10, 2019 at 10:12
AM Pamela Chestek <<a href="mailto:pamela@chesteklegal.com"
moz-do-not-send="true">pamela@chesteklegal.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> <br>
<div>On 12/10/2019 9:41 AM, Nigel T wrote:<br>
</div>
<blockquote type="cite">
<div><font face="arial, sans-serif">The <b>software is
not a safety deposit box</b> because of the
requirement that you must also return <i>"</i><span
style="background-color:transparent"><i style="color:rgb(0,0,0);white-space:pre-wrap">data has been generated by, for, or has been assigned to the Recipient". </i><font
color="#000000"><span style="white-space:pre-wrap">Safety deposit boxes don't generate new content for users. Software often does. </span></font></span></font></div>
<div><span style="color:rgb(0,0,0);font-family:arial,sans-serif;white-space:pre-wrap;background-color:transparent">
</span></div>
<div><span style="background-color:transparent"><font
face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">Even ignoring generated data that you'd have go though each and every UI screen and make sure all inputs provided by user are correctly mapped to an export field...and you have to do this every time you update from upstream.</span></font></span></div>
<div><font face="arial, sans-serif"><span
style="background-color:transparent"><font
color="#000000"><span style="white-space:pre-wrap">
</span></font></span></font></div>
<div><font face="arial, sans-serif"><span
style="background-color:transparent"><font
color="#000000"><span style="white-space:pre-wrap"><b>If the original software cannot export all of the data required to meet the requirements of 4.2 then all subsequent users of the software are in breach of the license.</b> </span></font></span></font><span
style="color:rgb(0,0,0)"><font face="arial,
sans-serif"><b>This is a point that you continue to
dance around. </b></font></span><span
style="background-color:transparent"><font
face="Calibri, sans-serif"><font color="#000000"><span style="white-space:pre-wrap">You are handwaving significant legal and technical burden you are placing on users of CAL licensed software because you want to extend licensing requirements beyond open </span><b style="white-space:pre-wrap">source</b><span style="white-space:pre-wrap"> into open </span><b style="white-space:pre-wrap">data </b></font></font></span><span
style="background-color:transparent"><font
face="Calibri, sans-serif"><font color="#000000"><span style="white-space:pre-wrap">and non-technical users who just use the software out of the box don't control that at all. There are no exceptions for non-compliance of the original code in this license so it's <b>a compliance nightmare</b></span></font></font></span><font
face="Calibri, sans-serif" color="#000000"><span style="white-space:pre-wrap"><b> for every downstream user whether they change the code or not</b>.</span></font></div>
<div><span style="background-color:transparent"><font
face="Calibri, sans-serif"><font color="#000000"><span style="white-space:pre-wrap">
</span></font></font></span></div>
</blockquote>
Hi Nigel,<br>
<br>
Can you help me understand your point better? Section 4.2.1
says "Throughout any period in which You exercise any of the
permissions granted to You under this License, You must also
provide to any Recipient <i>to whom you provide services
via the Work</i>, ... the Recipient's User Data in your
possession, <i>to the extent that such User Data is
available to You</i> for use in conjunction with the
Work." <br>
<br>
I acknowledge your dislike of the ambiguity of "to the
extent that such User Data is available to You," but I'd
like to put that point aside. For the purposes of argument
let's assume that it is an easily ascertainable set of data,
something like "any User Data you received in plain text."
The scenario is that I have received data about a Recipient
from upstream, and now I am providing services to that same
Recipient, which is the only situation in which I would have
to provide User Data. Is your point that the program
architecture may make it too difficult to extract and
provide the plain text that upstream provided to me? Is your
argument that there is something that is not open source
about this arrangement, or is it that the license will be
used in situations for which it is poorly suited?<br>
<br>
Pam<br>
<br>
Pamela S. Chestek<br>
Chestek Legal<br>
PO Box 2492<br>
Raleigh, NC 27602<br>
919-800-8033<br>
<a href="mailto:pamela@chesteklegal.com" target="_blank"
moz-do-not-send="true">pamela@chesteklegal.com</a><br>
<a href="http://www.chesteklegal.com" target="_blank"
moz-do-not-send="true">www.chesteklegal.com</a><br>
</div>
_______________________________________________<br>
License-review mailing list<br>
<a href="mailto:License-review@lists.opensource.org"
target="_blank" moz-do-not-send="true">License-review@lists.opensource.org</a><br>
<a
href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a><br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
License-review mailing list
<a class="moz-txt-link-abbreviated" href="mailto:License-review@lists.opensource.org">License-review@lists.opensource.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org">http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org</a>
</pre>
</blockquote>
<br>
</body>
</html>