[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Nigel T nigel.2048 at gmail.com
Thu Dec 12 21:29:20 UTC 2019


On Thu, Dec 12, 2019 at 3:17 PM VanL <van.lindberg at gmail.com> wrote:

> I think you are complicating the issue. It started out as "no one could
> self-host WordPress." That is false. Self-hosting WordPress is allowed, and
> the compliance is just the same as the AGPL, because in the basic
> self-hosting instance, the operator is not holding any user data.
>

Blogs often have comments.  This isn't hypothetical.


> Then the hypothetical expanded to self-hosted comments, so that there was
> some minimal user data being held. In this case, I agree that the comments
> would need to be provided, should they be requested. But there are
> reasonable, semi-automatic ways by which this data is provided (HTML, RSS
> feeds). I would also note that a SQL dump would also work, and I don't
> think that copy+pasting a SQL select from the internet is beyond the
> capabilities of even a non-technical user (should the comments be
> requested).
>

Here is an example of the steps you have to go through if you can't go
through phpMyAdmin (which isn't always installed).

1) have ssh enabled on your server, with SSH username, password, port
number and hostname.
2) have your Wordpress database username, password and hostname
3) have the right tools to interact with SSH (putty, pscp, etc)
4) run your ssh package with your SSH credentials.
5) at the ssh command line connect to mysql using your username, password,
etc
6) find and select the right database
7) cut and paste the SQL statement you *found on the internet* and hope it
actually works and doesn't do something sinister.

Having the non-technical user do things in a database via SQL statements
from the internet is a recipe for really screwing up the system.  In any
case, many folks not used to the command line would be lost on step 1...and
arguably most WordPress users wouldn't want to do any SQL via phpMyAdmin
either.  If that's the cost of compliance they just wouldn't use WordPress.

Again, if user export is not implemented as part of the original software
then compliance with 4.2 becomes very hard for non-technical users for any
but the most trivial case.

Arguing that users can just do SQL queries is essentially saying that OSS
software need only be designed for developers.

No.


> The hypothetical then expanded again to user accounts, memberships,
> badges, user content, etc - the whole WordPress ecosystem. I can't say that
> the whole WordPress ecosystem would be able to easily comply. But you
> yourself identify that the information is stored in the database or the
> filesystem, and it is accessible, so compliance is possible. I would also
> note plugins like WP-all-export.
>

These specifics were provided to refute Henrik's assertion that WordPress
has been 4.2 compliant for years.  These are not "expanded hypotheticals"
but counter-examples.

> But then the hypothetical expands to a non-admin user - and that's where it
> breaks again. If someone starts a WordPress hosting business, where they
> are hosting other people's blogs, I don't think it is unreasonable to say
> that they are taking upon themselves substantial additional compliance
> requirements, of which the CAL's requirements are usually a subset.
>

Wordpress sites allow visitors to register to gain different levels of
access.  This isn't a "Wordpress hosting business"...it's just letting
folks do things on your site...like make comments, set avatars, contribute
posts, moderate other visitor comments, view premium content, etc.

At no point have I ever brought up someone starting a Wordpress hosting
business.  Folks host their own site and let visitors contribute to the
site in various ways to build up their community...they aren't starting a
"hosting business".  The scenario breaks down because your license terms
are broken, not because they are a SaaS hosting provider.


> Thanks,
> Van
>
> On Thu, Dec 12, 2019 at 1:17 PM Nigel T <nigel.2048 at gmail.com> wrote:
>
>> If the users do not have admin privs they don't get to see wp_usermeta
>> data unless it's explicitly exposed in some form.  Given that plugins and
>> forms can store user input in wp_usermeta or in other areas of the database
>> (like wp_commentmeta) it is easy to show that Wordpress is not fully 4.2
>> compliant.
>>
>> To argue that Wordpress is CAL 4.2 compliant because you can see your
>> comments ignores that there are many other interactions possible with
>> Wordpress like upvoting, voting in polls, answering questions on forms,
>> internal storage of data generated for the user, file uploads, badges,
>> memberships, payment data, comment tags, guest posts, etc.
>>
>> And to say that because a user can copy/paste from HTML pages generated
>> by Wordpress that compliance with 4.2 is trivially achievable makes a
>> mockery of the desire for user data accessibility.
>>
>> Wordpress is great because the user of the software can export their site
>> and import it into another Wordpress server....that's the desired goal for
>> access to your own content.  It, however, doesn't do that for individual
>> viewers of the site that interact with and respond to the content
>> provided.  So it isn't CAL 4.2 compliant for the non-technical user.
>>
>> On Thu, Dec 12, 2019 at 3:06 AM Henrik Ingo <henrik.ingo at avoinelama.fi>
>> wrote:
>>
>>> If there was a request from a user to get their user data, then the
>>> clueless operator could also easily publish or approve the queued comments,
>>> and they would be in compliance. This is a first class feature in the
>>> Wordpress GUI, and requires zero coding skills from the operator.
>>>
>>> For those who are not intimately familiar with Wordpress... It has been
>>> CAL compliant 13 years ago:
>>> https://en.blog.wordpress.com/2006/08/14/my-comments/
>>>
>>> Admittedly the CAL maybe implies data should be exported in some other
>>> format than a HTML page, such as a mysqldump, json, or xml file. But it
>>> doesn't explicitly mandate a specific data format. In the case of the
>>> clueless Wordpress operator presumably administering a fairly low volume
>>> site, it could be argued that a HTML page from where a user can easily
>>> copypaste all of their user data is in fact a good alternative to provide
>>> this data.
>>>
>>> IMO the Wordpress example rather strengthens Van's argument that for
>>> realistic scenarios the CAL requirements are not unreasonable. I agree that
>>> there's a discussion worth having about licensors with bad intent, but I
>>> don't support the idea that a license should be rejected based on rather
>>> theoretical corner cases. Especially when - as I illustrated in my previous
>>> email - same corner cases can be constructed for existing licenses like GPL.
>>>
>>> henrik
>>>
>>> On Thu, Dec 12, 2019 at 7:26 AM Bruce Perens via License-review <
>>> license-review at lists.opensource.org> wrote:
>>>
>>>> If they hosted comments on their WordPress blog, and did not approve
>>>> some comments but kept them in the approval queue, this would be sufficient
>>>> to activate the data terms.
>>>>
>>>> I agree with Nigel.
>>>>
>>>> On Wed, Dec 11, 2019, 8:53 PM VanL <van.lindberg at gmail.com> wrote:
>>>>
>>>>> On Wed, Dec 11, 2019, 9:18 PM Nigel T <nigel.2048 at gmail.com> wrote:
>>>>>
>>>>>> A SaaS license is intended to be applied to software that is seen and
>>>>>> used by third parties.
>>>>>>
>>>>>> It is disingenuous for you to imply otherwise.
>>>>>>
>>>>>> Many non-developers have set up their own content management system
>>>>>> like Wordpress on their own servers.  If Wordpress was CAL instead of GPL
>>>>>> none of those users would be able to use WordPress because it’s unlikely
>>>>>> that WordPress is fully compliant under the terms of 4.2.
>>>>>>
>>>>>
>>>>>
>>>>> This is an illuminating example. If WordPress was CAL licensed, then
>>>>> all those people hosting their own blogs on WordPress would have to provide
>>>>> a link to or copy of the source code they were using, but that is it. Why?
>>>>> Because they would not be hosting the user data of random readers. The
>>>>> outcome would be essentially the same as the AGPL.
>>>>>
>>>>> Someone would only need to provide additional user data if they did
>>>>> more than host their own blog, but instead moved into the blog hosting
>>>>> business.
>>>>>
>>>>> Thanks,
>>>>> Van
>>>>>
>>>>>
>>>>>> _______________________________________________
>>>>> License-review mailing list
>>>>> License-review at lists.opensource.org
>>>>>
>>>>> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org
>>>>>
>>>
>>>
>>> --
>>> henrik.ingo at avoinelama.fi
>>> +358-40-5697354        skype: henrik.ingo            irc: hingo
>>> www.openlife.cc
>>>
>>> My LinkedIn profile: http://fi.linkedin.com/pub/henrik-ingo/3/232/8a7