9

We use Java libraries for a server application and one of the developers parted ways with us.

Since it was his project he can do whatever he wants with the github repository and he chose to delete it. Now we have no source code of the original work anymore and he states we have to delete the libraries, because as a consumer of the server application he demands a copy of the source code.

Who is the "customer" in this relationship? We, because we're using the libraries or the people consuming the service?

Edit: Is it possible to decompile the libraries - recompile them and offer the decompiled source code as the modified source code of the recompiled libraries?

Zizouz212
  • 6,449
  • 4
  • 36
  • 75
Maximilian Riegler
  • 193
  • 1
  • 7
  • So the libraries and the server application are licensed under AGPL 3.0? And the server application is hosted somewhere, publicly accessible? – unor Feb 19 '16 at 15:35
  • 3
    It's a Minecraft server (Bukkit) and licensed under GPL 3.0. The libraries are plugins for the server and licensed under AGPL 3.0. So it's somehow publicly accessible since you can play on the server and use the functionality of the plugins ingame. – Maximilian Riegler Feb 19 '16 at 15:39
  • Is it possible to decompile the libraries - recompile them and offer the decompiled source code as the modified source code of the recompiled libraries? – Maximilian Riegler Feb 19 '16 at 16:17
  • 4
    If this was a publicly accessible repo, you may be able to find it on archive.org or in the Google cache (if recently deleted). – apsillers Feb 19 '16 at 17:20
  • 1
    Assuming that your server doesn’t have to be licensed under AGPL 3.0 because of using the libraries (I don’t know enough about this topic), and assuming that you didn’t modify the libraries, I guess you wouldn’t have to provide the source (see Do I have to offer the source of an AGPL (v3.0) licensed Web app even if I didn’t modify it?). – unor Feb 19 '16 at 17:50
  • 4
    Whatever answers you get here, remember that users of this websites are not lawyers, and that answers do not constitute attorney-client relationships. If you need real legal advice, contact a lawyer. – ArtOfCode Feb 19 '16 at 17:51
  • 2
    You had permission to use the libraries, with source? That can't just be taken away, as far as I understand. – vonbrand Feb 20 '16 at 02:28
  • Could you try to find someone else who has the source code? Like other users of the library or other contributors to it (if there are any). – svick Feb 26 '16 at 16:09
  • 1
    Moral of the story: When you hire someone to write open source for you, insist on having a copy of the sourcecode. – Philipp Feb 29 '16 at 15:40
  • @Philipp - Stronger than that. You should insist that they assign copyright to you! (If you paid them to write the software, it is not morally theirs to own / control.) – Stephen C Dec 18 '18 at 04:37

1 Answers1

10

I'm not a lawyer, but let's talk about what the AGPL requires, and how it forms derivative works.

If your server uses the AGPL libraries in a way that creates a new work, then your entire work that uses the libraries is covered under the AGPL. Since, in that case, your server is a modified version of AGPL software, you must offer the source code for the entire collective work when you make the software accessible via a network.

Unfortunately for you, you don't have the source to offer. After you complete the initial physical transfer of the software, you can't compel the author to surrender the source code to you purely based on your position as a licensee of the software under the AGPL. The AGPLv3 is irrevocable, which means the licencor can't take away your right to use/modify/distribute the code, but the licencor isn't under a continuous long-term obligation to supply the source to you again if you lose it or declined to receive it in the first place.1

This is addressed, in part, in the GPL FAQ's advice to authors for making the source available:

How can I make sure each user who downloads the binaries also gets the source?

You don't have to make sure of this. As long as you make the source and binaries available so that the users can see what's available and take what they want, you have done what is required of you. It is up to the user whether to download the source.

Our requirements for redistributors are intended to make sure the users can get the source code, not to force users to download the source code even if they don't want it.

When you received the binaries, the licencor satisfied their responsibility to offer you the source by advertising the source code's availability in the Github repository. Unfortunately, you elected not to receive the source code (or did receive it and later lost it). Now, the author has chosen to stop offering the program, and you can't get it anymore. Since they no longer offer the binaries, they no longer have an obligation to offer you the source. (This is true as long as there is no written offer involved; see the footnote for an uncommon special case.)

Since you don't have a copy of the source from when it was available, you can't fulfill the requirements necessary to offer the combined AGPL work as a network service. That does not mean you must delete the AGPL binaries, but it does mean that you can no longer publicly run a network service using a program that includes AGPL components for which you cannot offer the source. You are free to continue doing things that do not require you to offer the source, such as modification, running locally for private use, etc.

This is likely your case. Any further consideration gets a bit murky; see below the bar.

Finally, offering decompiled source does not seem sufficient to satisfy the GPL's definition of "source code" as "preferred form of the work for making modifications to it." It's certainly better than the binary, but it's certainly worse than the actual code that the original author wrote.

1 As a special exception, this is not true in the rare case that the licencor gave you a formal written offer of source code under distribution option 6(b) or 6(c). In that case, the person who issued the offer of source code must honor it for at least three years from the date of issue. Since your case deals with a Github repository, it's vastly more likely that distribution was done under option 6(d), or else was not subject to the GPL at all because it was done by the original author, who is not bound by the license.

If your server's use of the AGPL libraries does not create a combined work, then your server and the plugin are separate works. In that case, you might possibly be in the clear but it's a subjective decision at what level of interaction two pieces of software combine into a single work. See the relevant GPL FAQ entry, but replace "non-free" with "GPL" and replace "GPL" with "AGPL":

Can I release a non-free program that's designed to load a GPL-covered plug-in?

It depends on how the program invokes its plug-ins. For instance, if the program uses only simple fork and exec to invoke and communicate with plug-ins, then the plug-ins are separate programs, so the license of the plug-in makes no requirements about the main program.

If the program dynamically links plug-ins, and they make function calls to each other and share data structures, we believe they form a single program, which must be treated as an extension of both the main program and the plug-ins. In order to use the GPL-covered plug-ins, the main program must be released under the GPL or a GPL-compatible free software license, and that the terms of the GPL must be followed when the main program is distributed for use with these plug-ins.

...

Since the AGPL would not apply to your entire server if it doesn't form a combined work with the AGPL library, your server does not need to share its source code. For example, this is exactly what happens with MongoDB, which is AGPL-licensed but positively asserts that a program which interacts with a MongoDB database does not form a combined work with the database, so the AGPL does not apply to any program that uses it.

Community
  • 1
apsillers
  • 35,995
  • 4
  • 94
  • 131
  • Okay, but what about the answer of FSF unor linked: http://opensource.stackexchange.com/a/791/4296 – Maximilian Riegler Feb 19 '16 at 18:56
  • @rinukkusu That deals that an unmodified AGPL program. My answer here assumes (at least above the bar) that your combination with the server creates a modified work that is covered under the AGPL as a whole, and therefore carries the source-sharing responsibilities of a modified AGPL work. – apsillers Feb 19 '16 at 19:43
  • 2
    If you got the libraries under AGPL, you certainly are entitled to the full source. And that permission can't be taken away. – vonbrand Feb 20 '16 at 02:29
  • 5
    @vonbrand I'm not a lawyer, but my intuition is that there's a difference between being allowed to make a copy (and modify it and redistribute it, etc.) and demanding that the author surrender a copy to you. The author previously licensed it to OP; that permission indeed can't be taken away (the GPLv3 is irrevocable). However, my intuition here is the OP has permission to use something that he doesn't actually have. I may be wrong, but I think the original licensor is under no obligation to fix the OP's physical lack of source. – apsillers Feb 22 '16 at 13:49
  • 1
    @vonbrand However, I appreciate that this is a pretty nuanced area of law, and I might be wrong. If you can find any case law or relevant passages of the GPL, or generally papers on licensing law, I would actually love to be proven wrong here! :) – apsillers Feb 22 '16 at 13:50
  • @apsillers, I think you are right, as long as who gave the code to OP is the original owner. The owner is (obviously) not bound by the license. – vonbrand Feb 22 '16 at 13:53
  • @vonbrand Right, I could see a reading of 6(d) that might compel a downstream redistributor to surrender a copy of the source to a further downstream recipient of the binaries, but I'm not totally convinced. I think if a downstream redistributor stops offering their binaries (as happened here), then their obligation to offer "equivalent access" to the source also ends, regardless of whether some past recipients freely chose to receive the binaries without collecting the source. This might be a good stand-alone question, though. – apsillers Feb 22 '16 at 14:09
  • @apsillers, the obligation to provide source to whoever got the binary and asks for it ends after 5 years, IIRC. – vonbrand Feb 22 '16 at 14:19
  • 2
    @vonbrand If you opt for distribution option (b) then you have an obligation to honor formal written offers for source code for 3 years. If you're distributing over a network, however, you can instead make use of option (d), which only requires that you clearly offer equivalent access to the source (optionally on a different server) whenever you distribute the binaries. There's no mention of time limits, and it appears that your obligation to offer equivalent access ends when you choose to stop distributing binaries under Section 6. – apsillers Feb 22 '16 at 14:26
  • 1
    @vonbrand Based on your feedback, I've modified the second paragraph and edited in a footnote explaining the difference between distribution options (b) and (d). – apsillers Feb 22 '16 at 16:11