-
Notifications
You must be signed in to change notification settings - Fork 175
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to a widely-recognized OSI and FSF approved license. #301
Comments
From https://www.gnu.org/licenses/license-list.en.html
|
Thanks for the link @sergeyklay! I considered Apache 2.0 but was surprised by its length compared to Expat/MIT. The latter I can at least force myself to read. I think this is how the https://www.gnu.org/licenses page classifies the current re2c license:
Although it has an entry for public domain as well, but this seems to mean the absence of license:
In any case, it argues for having a formal license. |
@skvadrik I am not a lawyer or any specialist in this matter. However, as far as I see (from my own experience), Apache 2.0 license is most suitable for use both in the corporate sector and for individuals. There is no restriction for "making money" using your own derivative and you can safely include parts licensed under Apache 2.0 into your paid (and closed) project. My own experience tells me that companies are usually wary of products licensed on GNU GPL. And in my personal opinion, this is a major obstacle for a project (its future and distribution) if it is licensed in such a way that it can be used exclusively in purely free and open source projects. P.S. Also I would like share you Bison Conditions just for reference: https://www.gnu.org/software/bison/manual/html_node/Conditions.html |
Sure, I'm not considering a copyleft license (GPL). Re2c has been in the public domain since the beginning, and it will remain there. I don't want to change the way the project is used --- only to clarify the status by using a well-known license ("public domain" is not generally recognized as a license). I did not know that Bison disallowed using the generated parsers in non-free software. Thinking about it, re2c would not have the same problem, because it does not use a fixed program template: the interface code is written by the programmer, and the lexer code is compiled from the regular expressions, so the resulting generated program does not contain re2c code. However, I think some users bundle re2c itself in their non-free software. Thanks for the advice about Apache 2.0. I need to read it more carefully. |
Just discovered a tool for comparing 51 different free/open source licenses, created by the EU: https://joinup.ec.europa.eu/solution/joinup-licensing-assistant/joinup-licensing-assistant-jla |
@sergeyklay Cool! it is a bit disappointing that so few licenses pass the Anyway, setting I was leaning towards Apache-2.0 after our previous discussion, but then got discouraged by OpenBSD attitude, http://www.openbsd.org/policy.html (here is also some discussion):
|
@skvadrik Good to know! Well, MIT is the winner then? |
@sergeyklay Seems so! There is still time to change our minds until the next major release. |
I know I'm just a nobody on this project (I've submitted a pair of bugs) but might I suggest that you dual-license the project? Keep the public domain dedication but also license it under the MIT license? That seems "nicer" to the people who committed to a public domain project, since the project stays available in the public domain, but it also makes it easier for organizations where public domain is not legally recognized to use the project under the well-established MIT license. The reason the public domain is special to me as a developer is because it is the only way to share code the way code was FOSS was meant to be shared: with no legal repercussions possible for either party. Have you ever maintained a project in a statically-compiled language like golang? I work on such a project at my job. Every library you import in the whole project is legally being redistributed as part of the binaries that you ship. The sheer number of imported dependencies whose licenses and copyright notices need to be distributed with your binary is ridiculous. Thousands of lines of text, which change every time any developer on the project adds or removes a new dependency. The only way to get it right is to write automation, but that's a whole bunch of work that only exists to satisfy laywers. It's a frustrating waste of time as a developer. Public domain code avoids that situation... wherever lawyers for the receiving party will allow it. But that's a step in the right direction. As a side note, IANAL but my understanding of the situation is that since most project that interface with |
@rexroni , thanks for your advice! I didn't think of dual-licensing. That might be a good idea, I'm all for avoiding the bureaucracy. I think people sometimes want to embed re2c in their codebase as a subproject, so for them the license propably matters. |
Great! I love public domain code :) |
I don't know if is possible to "dual-license" with public domain - it's not a license. Licenses are something that have effect under the copyright framework, and making something public domain takes it out of that framework, so any license restrictions have no legal basis. I'm a big fan of public domain software, and it's high on the list of reasons I picked re2c from a comparison table of lexers. Great as it is though it turns out to be more complicated than it should be, from talking to Richard (maintainer of sqlite, which is public domain and is probably the piece of software with the second highest number of running copies, after zlib) it seems like they can't take contributions from at least some of the EU, because those citizens can't put their work in the public domain: https://sqlite.org/copyright.html |
@cyanogilvie Yes, I read something about public domain being not a license. I decided against any change at the moment, since I'm not aware of anyone having a problem with re2c being public domain. At the time when I opened a bug I was afraid that I won't be able to publish a paper about re2c, but it was ok in the end --- just a web page with scary text "you must choose a license" and no real-world consequences. |
I am confused. I thought CC0 is basically public domain. |
Every time I read about licenses, I end up being massively confused. I try to check at least three things:
To me CC0 seems to be almost the same as public domain. FSF says it is ok. But the Open Source Initiative does not approve it. At the same time it approves Unlicense which explicitly states CC0 as its source. Is it confusing? Yes. So I really don't know. It all seems like an empty discussion that goes in circles. At the same time I realized that it's not so important (e.g. the journal publication went well without any changes). I think for now, it is ok to keep status quo. |
I'm surprised that being public domain is really a problem. That said, isn't the Unlicense simply a formalized dedication to the public domain that has an SPDX short identifier? Given that, Unlicense would seem to be essentially the right thing since it isn't actually a change as much as a clarification. |
Have you considered the Boost Software License 1.0? https://www.boost.org/users/license.html
|
If you want re2c to remain in the public domain, why not just license it under CC0? It's a long license, but it lets you (and others) do pretty much whatever you want with the code. |
CC0 has an explicit patent exclusion, which at least Fedora is not okay with. |
Thanks everyone for your input. For the time being, I think it's all right to stick with the public domain. My reasons for changing it were:
Now, this is not true --- despite some scary warnings I was able to go through the publishing process for https://www.softwareimpacts.com/article/S2665-9638(20)30018-X/fulltext and other papers without any problems. As for SPDX, since re2c does not have the convention of adding license text at the top of each source file, this is not really a problem either. |
Let's keep the bug open for discussion, and also as a record of all the licenses that have been considered so far, and their pros and cons. |
Jumping in as a domain expert, in SPDX tagging and as open source license policy wonk. There is no "standard" "public domain declaration", because PD is not defined in all jurisdictions. The SPDX tag that is equivalent to "public domain" is "CC0". Defined by the Creative Commons, it basically says, in tightly written deeply reviewed legalese "if PD is defined in your jurisdiction, this is PD. If it is not, we grant you the rights to do anything you want with this". For your use case, just use CC0. Thank you. |
When I worked on RE2C several years ago for several years this was not a
problem. My goal was to replace Flex use in PHP with RE2C and as Ulya said,
RE2C is generator that is not part of the project or creates a license
header itself. So back then it was not a problem. However, I would never
use the tool in a company unless we finally picked a license.
That said, what actual reasons prevent us from picking something like
Apache-2.0, MIT or any other prominent license? Even GPL could work.
Now I regret that I never had this discussion 10+ years ago. But we should
imho pick a license because more and more companies are working towards a
SBOM and will refuse any non licensed code. Plus going forward more and
more companies will need to adhere to rules governing their open source
usage, even outside SBOM efforts.
My 2p
Cheers
…On Wed, Aug 2, 2023, 17:31 Mark Atwood ***@***.***> wrote:
Jumping in as a domain expert, in SPDX tagging and as open source license
policy wonk. There is no "standard" "public domain declaration", because PD
is not defined in all jurisdictions.
The SPDX tag that is equivalent to "public domain" is "CC0". Defined by
the Creative Commons, it basically says, in tightly written deeply reviewed
legalese "if PD is defined in your jurisdiction, this is PD. If it is not,
we grant you the rights to do anything you want with this".
For your use case, just use CC0.
Thank you.
—
Reply to this email directly, view it on GitHub
<#301 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABQ7NSKN2SSY6HIYAMQ624DXTJXDTANCNFSM4PSWNTMA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
The code is basically CC0. There is a CC0 SPDX. Seems like all you could ask for. (As for why to not to use another license? Because CC0 is already fine.) |
Sure. Better than nothing. But it is an inappropriate license. It pertains
to creative work on general and does not cover aspects of software
development. Using a license that is backed by an software Organisation
that has lawyer resources to make it not a moot text is still superior. In
any event the people who have done the majority of work on the past 20
years should be able to pick and agree on what they deem suitable. My two
choices were started earlier 😉
…On Wed, Aug 2, 2023, 18:38 Perry E. Metzger ***@***.***> wrote:
The code is basically CC0. There is a CC0 SPDX. Seems like all you could
ask for.
(As for why to not to use another license? Because CC0 is already fine.)
—
Reply to this email directly, view it on GitHub
<#301 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABQ7NSMRHNAPJFSRC3LCKJ3XTJ66NANCNFSM4PSWNTMA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I make much of my software public domain (CC0 because of Europe) when I don't feel like it would be useful to restrict its use in any way. It's a totally appropriate license for software development. There's no need to use something more restrictive. |
CC0 explicitly refuses to provide a patent license, which is a problem for Fedora IIUC. |
"CC0 explicitly refuses to provide a patent license, which is a problem for Fedora IIUC." Neither does a public domain declaration. Is there actually anything patent-able in re2c? I'm not your lawyer, but it looks to me like the answer is "no". |
Another issue is, since this project started with a license that was an attempt at a PD declaration, one cannot just slap a modern license onto it. You would have to get the active or passive-with-timeout permission of every contributor in the project's history. You also can't just retroactively apply a modern patent license to the project, because thats a license that was not present when the contributors made their contributions. But starting with an attempt at a PD declaration, you can put a CC0 or MIT-0 or 0BSD license on it, and it will be legally clean, there will be no successful claim of equity, damages, intent, or copyfraud. Just put a CC0 on it. If you dont like the Creative Commons, then put MIT-0 on it. |
All the basic algorithms in the program are decades old. Even if patents existed at one time, which they didn't, they would have long since expired. It is also not possible to impose relicensing without getting the permission of all the contributors. CC0 is not (effectively) a license change, so it's okay, but imposing something like a license that discusses patents assumes consent of all contributors, and you cannot (legally) retroactively assume that all the contributors have given up their patent rights. Just put CC0 on it and be done. Anything else is a legal mess. As for Fedora, that's their problem. However, Fedora is full of MIT and BSD and ISC licensed code, none of which has a patent clause, so presumably you're wrong if you claim it's a problem for them. |
For the record, this is not quite true: re2c is based on TDFA(1) which is a relatively new algorithm. The latest paper which re2c is based on was published in 2022. Not that I ever wanted to patent it (and neither did Laurikari with TDFA(0)). |
The problem with CC0 is that it explicitly states that no patent license is granted. MIT-0 is probably the best option IMO. |
MIT-0 grants no patent license either, so it is of no advantage there. |
Indeed, those refinements are newer than the basic finite automaton regex stuff. So far as I can tell, of course, no one has tried to patent anything there in a very long time. Regardless, this is a detail. |
From the Fedora PoV there is a difference between just not granting a patent license (MIT-0) and explicitly stating that none is granted (CC0). |
One can't help but notice the considerable weight we seem to be placing on Fedora's views on this matter. Reviewing the discourse in this thread, it's apparent that the main resistance to the adoption of the CC0 license comes predominantly from Fedora (as repeatedly articulated by @DemiMarie). However, it's worth questioning whether the crux of these concerns should really be Fedora's cross to bear. |
Anyway, repeating again: CC0 seems to be in the right spirit to me, is the minimum possible change, has an SPDX code, etc. If people insist, something like MIT-0 is probably fine but is unnecessary. Something beyond that is not legally possible without talking to all past contributors. |
People who have dedicated their contributions to the public domain can have those contributions incorporated in a larger work released under a different licence. There's plenty of examples of software that was released under a permissive license being incorporated in GPL code. LibreOffice comes to mind. The licence on the original contribution hasn't changed & anyone disagreeing with the new licence is free to extract the last PD version. I agree that as the original contribution lacked a patent grant, it would be wrong and possibly damaging to future users to use a license that included one, unless all earlier contributors agree. This rules out Apache and anything else that has a patent grant, not that I recall any of those being suggested here. CC0 isn't intended as a software licence. There's plenty of options that are nearly as permissive, 0BSD, MIT no attribution, and the Boost licence I suggested earlier all spring to mind. Among the reasons I like the Boost licence is that the Boost library is very widely used and so it likely to have already been considered by organisations that use enough open source software to need to verify licenses. |
@juliaclement Yes, but we'd still need to get the consent of the past contributors, if I'm not mistaken. (For the record, I wish OSS licensing wasn't so complicated.) |
@ethindp Morally we probably do but I'm not sure we do legally. Mozilla Firefox, LibreOffice, and IBM's TCP/IP stack for OS/2 all relicenced, in IBM's case from BSD to proprietary. I doubt they all obtained permission from 100% of prior contributors. In once famous case, XFREE86 was relicenced resulting in most of the contributors moving to the X.Org project which had been forked from the last version from before the relicencing. I think it's fair to say that many of those developers didn't agree with the license change. The GPL and a few other copy-left licences were specifically written to prevent downstream relicencing but otherwise it seems to be an accepted practice. |
There seems to be a lot of confusion going around about what public domain means (partly because it means different things in different jurisdictions I suspect). But generally it means something very close to what is described on the public domain wikipedia page. Talking about licenses and patents in relation to public domain works is nonsense - licenses are something that grant conditional rights to an owned work (Intellectual Property), public domain is explicitly a work that isn't owned (or is owned by the public) - not IP. Restrictions on derivative works is something you can do within the context of a copyrighted work by limiting the rights granted by a license. Public domain is a state where copyright explicitly doesn't apply (because it has expired, isn't copyrightable to begin with, or has been explicitly placed in the public domain by the authors in countries that recognise that). So, as I understand it: because it isn't owned, no restrictions can be placed on derivative works and so no permission is required from the original authors to do anything at all with the work, any more than permission from a random stranger is required (the authors retain no special rights or ownership to the work). That includes creating closed source derivative works, releasing derivative works where the alterations are copyrighted and distributed under a different license, etc. Whether re2c is actually public domain is a different question, since some jurisdictions don't recognise the explicit disclaiming of authorship and ownership rights (placing a work in the public domain), and I suspect some of the authors live in those jurisdictions. That would be the first thing to figure out before any sensible discussion can be had around potentially relicensing. |
Not for the patent stuff. At all. Just because you've released your copyright doesn't mean you have released your patent rights, and the people who are arguing are arguing about patent rights. Furthermore, on the copyright itself, where public domain exists there is no problem, but in some jurisdictions (like parts of Europe) where public domain doesn't exist, because of rights complications, you can't just relicense more restrictive than the contributor intended. |
You will find that in almost every case where relicensing has occurred, people have indeed gone back and gotten consent from all previous contributors. |
Public domain doesn't exist in all jurisdictions, which is why CC0 exists. Because it doesn't exist in all jurisdictions, you have to be more careful. |
I'd like to see evidence of that assertion. The text is perfectly suitable for the purpose of licensing software in as close to a public domain manner as possible in jurisdictions that make that difficult, and is in no way worse than MIT-0 or other proposed solutions. |
The other CC licenses do not apply to code very well. The CC0 license/declaration is perfectly fine for code. |
CC0 would be, if it did not explicitly exclude a patent licence. I’ve been personally dual-licencing CC0 and MirBSD my “trivial” scripts because Feodora has started actively disallowing CC0 on code. Now this asks for a widely-used code licence as fallback, which The MirOS Licence is not. (I like it because I wrote it and it gives authors from the EU slightly better chances of the disclaimer being valid; it’s also OSI, OKFN, … approved.) But you could dual-licence CC0 and MIT, which is probably the most widely accepted combo at this point in time. You could even additionally add a note that states “Affirmer holds no trademark or patent rights on the Work.” (to extend CC0); you could even triple-licence (CC0, MirBSD, MIT) if you want and are permitted to licence the work. IANAL, but iff the previous PD dedication was valid in your jurisdiction and you have sufficiently creative work in it (passing threshold of originality), then you should be able to licence the entirety for jurisdictions that don’t permit authors to relinquish copyright. (Getting explicit ACK from the still-living coauthors and/or their heirs would still be preferrable.) The “Unlicense” should never have passed OSI: it’s not a licence, it’s a PD dedication with a failed attempt at a fallback licence. OSI decided to hand-wave because you cannot be sued for using a work under Unlicense[sic!] even in e.g. Germany where PD dedications are not valid, totally forgetting that FOSS people will want to redistribute and remix and generally promise to their downstreams to only include stuff under good licences (and, sitting in Germany, I could not consider anything under a mere PD dedication a good licence). Please refrain from even considering it. |
This is a proposal to change re2c license to one of the widely recognized, OSI and FSF approved licenses (most likely MIT). I'm creating the bug as a way to attract attention and possibly gather comments. I realize this won't cover all re2c users, but it's better than nothing (and I will also send an email to the mailing lists).
To clarify, re2c will remain free and open source software, and this change should not affect the users.
What is the current license?
Historically re2c uses a custom "public domain" license, worded as follows:
Why change?
It is getting increasingly difficult to use current license as a proof that re2c is free software. There is no SPDX. Github and journals like Software Impacts do recognize it. Personally I see nothing wrong with public domain, but at the same time I feel that not changing the license to an FSF and OSI approved one is the equivalent of Asimov's "...through inaction, allow a human being to come to harm".
Do I have the right?
I don't know. This is not my own project --- many people have contributed to re2c over the years, and some have spent considerable time on the project. I am the only active author: none of the other authors get in touch (sadly, not all of them are alive by now). I have made by far the most contributions to the project in the number of commits, and I am the only remaining developer with commit access to the source code repositories. I am not worried that someone will sue me (it seems extremely unlikely), but rather that it may alert or create problems for some re2c users.
Change to what?
There are two aspects: 1) what the license says and 2) how it is interpreted. Personally I prefer "public domain" licenses that don't have any requirements, like Unlicense and 0-BSD. However, they are not as widely accepted as MIT, and not always approved by various projects and organizations. Since the only reason to change license is to make re2c easier to use, it makes sense to choose a less appealing, but more default option.
MIT. Pros: it is the most widely recognized OSI and FSF approved license, its text is short and readable, it is technically very close to the current license (unlikely to cause license troubles for any re2c users). Cons: it adds one requirement not present in the current license (copy-pasting the license), it doesn't have the words "public domain" in it, and it requires the year and name.
Unlicense. Pros: it is FSF approved, it is recognized as a "public domain" license, it does not require copy-pasting the license text, and I like the wording, the name and the project goals. Cons: I don't thinks it's OSI approved, and some companies like Google exclude it from the allowed list. I'm afraid it may create more technical problems for re2c uses than the seemingly more restrictive MIT license.
Zero-Clause BSD / Free Public License 1.0.0 (0BSD). Pros: OSI approved, short, recognized as public domain, no requirement to copy license notice. Cons: not FSF approved, less widely used.
Other alternatives were also considered, but seem to be worse than the above: ISC is like MIT but less widely used, CC0 seems more for data than code (and the webcite says not to use it for public domain, "Using CC0").
I'm leaning more towards MIT, although I personally like the Unlicense better.
The text was updated successfully, but these errors were encountered: