2019-10-18

Why are these 3 open source licenses best?

I've already said that these 3 licenses are best for open source nowadays for me:
  1. Apache License 2.0 --- Apache-2.0 @ SPDX, ChooseALicense
  2. Mozilla Public License 2.0 --- MPL-2.0 @ SPDX, ChooseALicense
  3. GNU General Public License 3.0 or later --- GPL @ SPDX, ChooseALicense
But WHY??

The open source community has basically settled on 4 styles of sharing, and with it 4 genres of open source licenses.  The list above is my pick of what I think is best in each of the first 3 genres.  Let's talk about each one in turn:

1. Software developers are free to do whatever they want with my code in building their software.

These licenses are about the freedom of the developers of the software.

Look for MIT, BSD, Apache licenses, etc.

But I think Apache License 2.0 is the best because

2. Users are free to do whatever they want with my code and any modifications to my code in the software they received, even if they can't with the software's other proprietary code.

These licenses are all about the freedom of the end users who have the software, in a piecemeal fashion.

Look for MPL, EPL, LGPL licenses, etc.

But I think MPL 2.0 is best because
  • compared to MPL and EPL, the LGPL basically makes the distinction that static linking of code equals modifications to that code, but dynamic linking is not.  That just seems like a needless distinction for a license to make, and MPL and EPL doesn't make that distinction.  And I like static linking.
  • EPL 2.0 is basically a very new update to EPL 1.0 that makes the EPL even more complicated than it already was.  The main purpose was to (1) change the boundary of what counts as "my code" from a module based distinction to a file based distinction, which is what the community has standardized on, (2) make it more internationally usable, and (3) add in GPL compatibility as an opt-in.

    Unfortunately, GPL compatibility is opt-in and not default making it even more complicated when mixing EPL 2.0 with/without GPL secondary license, and EPL 1.0 code which was never GPL compatible.

    So if your community has settled on EPL (like many in Java or Clojure), then maybe sticking with what the community is using is easiest.  Otherwise, it's hard to make an informed use of the EPL as an individual, unless you've got lawyers on retainer... which is maybe why the EPL is very well regarded by businesses?
  • It is compatible with Apache 2.0.
MPL 2.0 on the other hand has GPL compatibility by default, unless opted-out of.  It's much older so it's better known and understood, still very well regarded, and used by large projects like Mozilla for Firefox, Adobe for Flex, LibreOffice, etc.  And it's relatively short and easy to understand, so MPL 2.0 it is! 


3. Users are free to do whatever they want with all of the code in the software they got from the software developers.

These licenses are all about the freedom of the end users who have the software, not about the developers'.

Look for GPL.

This is the classic "viral copyleft" thing, although talking about strong/viral copyleft is kind of more confusing than helpful (see Weak or Strong is Wrong) because, philosophical discussions aside, it's really just about what kind of code sharing you want to take place with your code you authored.

Having said that, if you incorporate MPL 2.0 or Apache 2.0 code into a GPL code base, the whole code base has to be distributed as GPL moving forward.


4. Users are free to do whatever they want with all of the code in the software they use from the software developers.

These licenses are all about the freedom of the end users using the software over a network.

Look for AGPL, SSPL, etc.

GPL had a SaaS loophole / ASP loophole:  what happens if the end users never got the software, because they only used it running in the "cloud" (i.e. on computers they don't own)?

AGPL is supposed to close that loophole so that if an organization modifies AGPL software, any end user using that AGPL software in the cloud must be able to do anything they want with its' code.

More recently, AGPL was found to have a no-modification loophole: what happens if an organization just uses and doesn't modify AGPL software?  The AGPL doesn't compel code sharing in that case!

So companies could containerize AGPL software, build an API around it to use it internally, etc., and as long as they never modify the actual AGPL software, then they could use without ever sharing any code.

Some patched that loophole with the Commons Clause.  MongoDB took a different path by creating the SSPL.

I don't know enough about this genre of sharing to suggest any license as best.  Reading SSPL Was Not Commons Clause, it's clear this is still cutting edge licensing legal stuff.  If you're looking for a license for this genre of sharing for any serious work, you'd probably have your own lawyers anyway.

And I'm definitely not a lawyer, so let's just agree to take this as entertainment.  :)

No comments: