7

At my previous job I was responsible for building and maintaining a library in their ecosystem. The project is mature in the sense that no major new features are being implemented. It is still maintained, which means that bugs are fixed and every now and then minor enhancements are made. To give a sense of the maturity: the project has some 30k sloc, and currently about 100 lines are changed per month. These small changes do require relatively much work (a couple of hours a week, even when you have written almost the entire code base).

The company has no expertise to maintain this project, and I see they are now introducing new bugs and failing to fix existing bugs. Because I use this library in other projects I expect to have to continue to maintain it at least in the near future. I don't want my previous employer to benefit commercially from this work, for two reasons: (1) to not provide free labour on principle; (2) to motivate them to train somebody to eventually maintain the library themselves.

The project is licensed under a 2-clause BSD license. My old employer has several projects under such a license, and earns money from (subscriptions to) some closed-source projects. These projects are only available to a few clients, who receive the source code. You can imagine something like the Blackboard educational software business scheme, but on a smaller scale, and clients are responsible for their own instances.

My idea is to fork the project and provide it under a GPL 3.0 license. I understand that all code written before the fork will then also still be available under the original BSD license, but code committed after the fork should only be available under GPL 3.0. The idea is that if the company would want to use my fork, they are making a derivative that also would have to be licensed under GPL 3.0 (at least under the FSF's understanding of derivative works). They will not want to open source their application, so they cannot use my fork. My concerns with this are:

  • If I make my changes of 100 lines a month under GPL 3.0, the company may look at that, and implement the same patches with some minor changes (e.g. replace a for with a while) under their 2-clause BSD license. This is the easy way out, because the major job is to figure out what needs to be changed, not how to write it down. Am I in any way protected from this happening? Do I have some kind of intellectual property on the change that extends beyond the exact implementation to the ideas behind it?

  • The company distributes their software only to selected clients (and I am not one of them). Would they in that situation still be required to open source their application to the general public? And how would one go about proving that they use my fork / requesting their source?

Are these concerns valid? Are there better ways to solve this problem?

MadHatter
  • From what I can tell, they were automatically bound by the license the second they used your code (the GPL 3.0 licensed code, that is.) The license clearly lays out your exact circumstances. Look at the definition of 'convey' and then read section 10. I may be wrong. I am new at this, and most English words have more than one meaning. – Nate T Nov 08 '21 at 13:39
  • 1
    @NateT: Incorrect - "use" does not trigger the GPL3. "convey" (distribute) is the trigger. All versions of the GPL are very clear that no license is needed to use the code, use the binary, or modify either. – MSalters Nov 08 '21 at 16:40
  • @MSalters I didn't say they couldn't use the code. I said that they were bound to the license. Still, I just reread the relevant sections, and there was a sentence that I missed which explicitly excludes downloading from github et al. from conveyance. That makes sense, as otherwise, it would be fair game. They define conveyance as "any kind of propagation that enables other parties to make or receive copies." Propagation means spreading, and there is no form of code distribution more widespread than github. – Nate T Nov 08 '21 at 17:05
  • @NateT: When you're downloading from GitHub, usually GitHub is bound by the OSS license - not you. The special GPL clause is there to make sure that GitHub itself isn't treated as the distributor, but rather the uploader to GitHub. I.e. it makes it clear that GitHub is considered infrastructure, not an active actor. – MSalters Nov 08 '21 at 17:11
  • @MSalters That makes sense. – Nate T Nov 08 '21 at 17:22
  • "If I make my changes of 100 lines a month under GPL 3.0, the company may look at that, and implement the same patches with some minor changes (e.g. replace a for with a while) under their 2-clause BSD license." -- Personally I think this would be a violation of the GPL license. You can't just take a piece of some code under some license (e.g. GPL), change a few words and then relicense it under a different license! Well, if the code is small and trivial enough, maybe. But 100 lines probably is not a trivial patch. – Brandin Nov 10 '21 at 10:49

3 Answers

12

implement the same patches with some minor changes (e.g. replace a for with a while) under their 2-clause BSD license

While copyright is based on the implementation of an idea, it is broader than the exact implementation of an idea. Anything which "starts" from your code is a derivative work of your implementation and would therefore be covered by your copyright and hence the GPL - the technical term here is "derivative work". While there is no exact threshold for a derivative work (and it will vary by jurisdiction), taking someone else's code and just making trivial changes to it is clearly a derivative work.

Would they in that situation still be required to open source their application to the general public?

No. Any GPL obligations to supply the source code to a work apply only to entities who have legally obtained a copy of the binaries. You do not have a copy of the binary so have no right to the source.

Philip Kendall
  • 1
    Thanks, this is very helpful. Do you know of other licenses that really would forbid the use in closed-source applications? After all it's not really the source of their application that I'm interested in; I only want to make sure that they don't use my work in it. This seems like a not entirely infrequent use case, but maybe I'm mistaken. –  Nov 07 '21 at 16:39
  • I agree with Philip's answer. GPL v3 does not talk about 'derivative works', in the license language it is called 'modified version', but it essentially means the same. I would like to add that it is very difficult to prove that some code change which is not directly copied is a derivative work. Without access to your former employer's source code it will be very difficult to prove that they copied from your project. The only thing you could do is warning them that inappropriate use of your code might cause their software to have a 'mimemagic issue'. – Martin_in_AUT Nov 07 '21 at 17:50
  • 1
    I have looked around a bit more and it seems the NPOSL and/or RPL are useful. From what I understand both are copyleft. NPOSL disallows the use of the software for commercial purposes. RPL requires any copy to be published, so that you cannot use the software internally / only share with a limited number of clients. For my purposes NPOSL seems better, but I wanted to mention both for completeness. –  Nov 07 '21 at 18:15
  • @Martin_in_AUT I realize that now, thanks. If they would incorporate the changes into their project with the BSD license, I would be able to see that since that project is open (and will probably remain open). But even so I understand that it would be hard to prove that they are looking at my code. I found a related question here. I imagine that if a pattern emerges where my changes are always first, and theirs don't differ much, a case can be made. But for now I am hopeful that a copyleft license (or even stronger, NPOSL/RPL) is scary enough. –  Nov 07 '21 at 18:22
  • Oh, I see I have misread the NPOSL. It does not actually prevent that for-profit companies make derivatives, since the license reverts to OSL in that case. –  Nov 07 '21 at 18:32
  • 2
    @user25536 I personally would not go away from 'mainstream' licenses. You are not doing your software a favor with an 'exotic' license, because others will then not understand the implications for them and discard it. For what you are intending to do, a strong copyleft license and the awareness of the mimemagic issue should be sufficient. – Martin_in_AUT Nov 08 '21 at 08:35
  • @Martin_in_AUT yes, I'm aware of that, thank you. I am still considering whether RPL would be better, but don't want to discourage others from contributing with a non-mainstream license. Also, I have read that the GPL does not allow distributing under an NDA, which makes it unusable for the company which does not allow its clients to redistribute the software. So, probably, in the end GPL is enough after all. –  Nov 08 '21 at 09:01
  • 3
    @user25536: This answer may not make it bleeding obvious, but the definition of "derived work" comes from law and jurisprudence, and not from the GPL. Hence, it doesn't matter what license you choose. Any copy of your code, even if that's a transformed copy (s/for/while), is still legally a derived work. The specific license tells the other company if and how they can distribute such derived works. – MSalters Nov 08 '21 at 16:38
2

The company distributes their software only to selected clients (and I am not one of them). Would they in that situation still be required to open source their application to the general public?

No, and this seems to be one of the most commonly misunderstood things about the GPL. The GPL only requires that source be available to users of the binary.

And you're not providing "free labor." You contribute to open source projects because it benefits you; in this case pretty directly because you're using the library in your own project. Whether it benefits others is incidental and irrelevant. If it's easier to fork it than keep up with the new bugs they're introducing, then by all means fork it. Let them do the work of merging your changes if they want to. But don't try to deny them the use of it out of spite. Remember, you're only able to use it at all because they put it under an open source license. They're placing no demands on how you use or maintain your version, and you can't expect to place any demands on how they maintain theirs.

  • You just seem to disagree with the premise of the question. I don’t really mind whether you want to call it free labor or not. It’s just a situation I want to avoid. Whether that is out of spite is irrelevant. –  Nov 08 '21 at 19:04
  • @user25536 It's a situation that doesn't exist. From your description of the situation, unless you had a contract that specified otherwise, your former employer owns the code and generously licenses it to you under the terms of the BSD license. If you want to improve the library, do it. If you want to keep your improvements to yourself, do it. But if you want to share your improvements, you're legally obligated to do so under terms compatible with the existing license. – Tech Inquisitor Nov 08 '21 at 20:15
  • That does not seem to be correct. BSD is not copyleft, so I can perfectly share my modifications under a different license, and ask a question to figure out whether GPL would suit my needs. –  Nov 08 '21 at 20:17
  • @user25536 That's encompassed by "terms compatible with the existing license." But the answer to your question is still no; licensing your changes under the GPL will probably not accomplish what you want. You're quite right that I'm making a value judgment about what you're trying to do. But the same value judgment is embodied in most open source licenses. – Tech Inquisitor Nov 08 '21 at 20:22
  • It renders the last paragraph of your answer out of place on this site, in my opinion. And the first paragraph was already covered in the accepted answer. But thanks anyway. –  Nov 08 '21 at 20:25
  • @user25536 You're right that I'm making a value judgment about what you're trying to do. The point is that most open source licenses embody the same value judgment. – Tech Inquisitor Nov 08 '21 at 20:51
-1

Given your preference to restrict certain purposes, the GPL family of licenses will not help you achieve your aims. Comparing the GPL with other FOSS licenses is not more worrying than using other FOSS licenses, but then no FOSS license can help you with your goals. Compared to other licensing regimes, like the ones on the list I have curated, your choices will be in more alignment with your preferences and goals.

To reduce anxieties about being exploited, you will need to fix your work to a license that (at a minimum) explicitly disallows the purposes that concern you most - eg. commercial use.

As side notes: if there is only one way of doing something - like writing (pseudocode) var A = a++ for an increment then writing var B = b++ is not copyright infringement. Also, the way of doing something is more about software patents, while copyright protects how ideas are expressed.

Your concerns are valid but if I am reading your goals correctly then I think the best way to solve this problem is to find a license that explicitly states the restrictions you want, and then fix your work to whatever license offers you that.

  • Thanks for your answer. Could you clarify on what way GPL should exacerbate worries? –  Nov 08 '21 at 06:41
  • I think this does it? – Mat K. Witts Nov 08 '21 at 11:28
  • 1
    Not really, sorry. This is not concrete enough for me. I can see how GPL might not do what I want. I do not see why I should be more worried when I license under GPL. But maybe that's not what you're saying, or we're comparing the GPL scenario with different things. GPL clearly allows more commercial exploitation than "all rights reserved", but it is not more worrying when compared to a permissive license. –  Nov 08 '21 at 15:34
  • 7
    This answer would be greatly improved if it would disclose that its author is also the person behind the novel “social domain license” concept, and that this concept does not currently have any relevant mindshare in the community. But it reminds me of the https://EthicalSource.dev/ concept. In a recent answer on a similar question, I outlined the issues of such usage-restricting licenses. – amon Nov 08 '21 at 16:07
  • I have given a more concise answer and made it clearer that the list of social domain licenses is a list I have curated. The link to the recent answer on a similar question is opinionated and contains contentious assumptions, for example - the idea that FOSS is both libertarian and practical is a giveaway as to the author's own political preferences and thus is less reliable than it might be. – Mat K. Witts Nov 09 '21 at 09:12
  • @Mat I don't think I can be faulted on this site for being pro-Open Source and pro-Software Freedom :) Beyond that, there are little politics in my answer. That I use the word “libertarian” is a critical reflection on the values expressed by FLOSS licensing, in particular permissive licenses. My point is that all licenses express values, but some value systems enable network effects that foster the commons while others do not. Of course, I could have used the same argument to bet against the copyleft concept, if I had been alive back then. – amon Nov 10 '21 at 12:44
  • @amon I have not commented about your attitudes to FOSS. I have kept my comment to what you said in the comment you linked to. To say permissive licensing regimes are libertarian is not accurate. Permissive licenses also do not give rise to a commons rights system but a government backed free market system. Commons governance is far more complex than the authoritative tenor of your response implies and if you would like an extended discussion of the many inaccuracies then I would be happy to do that in a cordial fashion. Thanks. – Mat K. Witts Nov 11 '21 at 15:03