My correspondence with Aaron Williamson at the Software Freedom Law Center (SFLC) about liability under AGPL 3 is quoted further below. The unrelated issue about third party module notices should have been in a different message. The messages are reproduced exactly except that I have corrected a mistake which I had made for the correct date of the #koha IRC meeting about voting on upgrading the license. The correct date is 13 July, today. I had misremembered the date as 16. I asked a following question focused on an aspect of the liability issue on which I had primarily intended to concentrate. That most recent message is quoted directly below and I am still awaiting an answer concentrating on that aspect of the issue. Overall, libraries are accustomed to having copyright responsibilities. Some responsibilities associated with a copyright license for there ILS software would be merely one more responsibility for which they would need to do something special. Thomas Dukleth Agogme 109 E 9th Street, 3D New York, NY 10003 USA http://www.agogme.com +1 212-674-3783 ---------------------------- Original Message ---------------------------- Subject: Re: AGPL 3 liability and unrelated question for 3rd party module notices From: "Thomas Dukleth" <koha@agogme.com> Date: Tue, July 13, 2010 15:10 To: "Aaron Williamson" <aaronw@softwarefreedom.org> -------------------------------------------------------------------------- Aaron, Thank you for your clear answer about an obviously old question of inadvertent license violation liability and cutting the scary straw man I could imagine down to size. There is one particular aspect on which I want to focus. If a copyright holder would ever have reason to contact a party whom the copyright holder considers an inadvertent violator of GPL 3 or AGPL 3 to help the violator understand how to comply with the license, is there any formal legal way for the copyright holder to set the clock back on the first time cure protection in section 8? Any means which could be exercised to repeatedly undue a first violation notice as long as the belief persists that the violating party is acting in good faith would be reassuring to well meaning parties. Thomas Dukleth Agogme 109 E 9th Street, 3D New York, NY 10003 USA http://www.agogme.com +1 212-674-3783 ---------------------------- Original Message ---------------------------- Subject: Re: AGPL 3 liability and unrelated question for 3rd party module notices From: "Aaron Williamson" <aaronw@softwarefreedom.org> Date: Tue, July 13, 2010 14:38 To: koha@agogme.com -------------------------------------------------------------------------- On 07/07/2010 02:45 PM, Thomas Dukleth wrote:
1. LIABILITY FOR AGPL 3 VIOLATIONS.
Q.1. If the Koha license would be upgraded to AGPL 3, what can the Koha community or individual copyright holders do to reassure those running the software that the license would not be enforced unreasonably or over-zealously against parties acting in good faith?
This question is as old as the GPL, and while the novelty of the AGPL might draw it into somewhat sharper relief until people become comfortable with that license, the issues are the same. It is true that inadvertent violations may somewhat easier if someone else is hosting your source code, but in the end every flavor of the GPL allows a single developer in a project with distributed ownership to enforce his/her copyrights. It is community norms and a general prevailing reasonableness among contributors that prevents this. As for the question of source-hosting server downtime, I don't know that anyone's brought the issue up before, but I think reasonable people would probably agree that "equivalent access" can be interpreted to mean something like "roughly the same bandwidth and uptime." Certainly equivalent doesn't mean *exactly* the same bandwidth at every microsecond, and reasonable server outages are to be expected. Does that mean a rogue developer couldn't attempt to pounce on someone for a brief outage? No, but I wouldn't represent him, and I don't know who would.
1.1. TAKING SOFTWARE OFFLINE.
Q.1.A. If the server providing access to the Corresponding Source under AGPL 3 goes offline, should the AGPL 3 software be taken offline?
For the reasons above, I think not.
2. UPGRADING THE LICENSE FOR UNMODIFIED THIRD PARTY MODULES.
Q.2. What is the best possibility for noting that unmodified third party GPL 2 modules, with an or later version option, are also available under GPL 3 or AGPL 3, with an or later version option?
I'd be inclined to put this in your top-level licensing file for Koha, or in another top-level file describing AGPL compliance. I would definitely *not* modify license headers -- people feel very strongly about changing license headers on code you haven't modified, even if the license itself allows you to distribute under another license. But I'm not sure it's necessary to do anything at all. The license of those modules is still GPLv2+ -- you're using them in a way that causes your license to be AGPLv3+, but others are free to use them independently under GPLv2. Aaron ---------------------------- Original Message ---------------------------- Subject: AGPL 3 liability and unrelated question for 3rd party module notices From: "Thomas Dukleth" <koha@agogme.com> Date: Wed, July 7, 2010 18:45 To: "Aaron Williamson" <aaronw@softwarefreedom.org> -------------------------------------------------------------------------- Aaron, Some questions arise for AGPL 3 responsibility or liability, and an implementation detail. The vote on whether to upgrade the license for Koha is coming 13 July. There is a general Koha IRC meeting 7 July. I have some simple answers of my own for liability in questions Q.1 and Q.1.A. However, answers which I have thought for those questions do not necessarily satisfy others and I do not know if some answers which I might give would be correct. I have some scenarios for supplying automated notices for question Q.2 but need direction about which is better or what other alternative might be better. 1. LIABILITY FOR AGPL 3 VIOLATIONS. Q.1. If the Koha license would be upgraded to AGPL 3, what can the Koha community or individual copyright holders do to reassure those running the software that the license would not be enforced unreasonably or over-zealously against parties acting in good faith? Participating in Koha development is open to everyone. Copyright is held by contributors; there is no assignment of copyrights for Koha. Koha incorporates the copyrighted work of people outside the Koha community for some modules which Koha uses. I am aware of the protections for innocent violators of the license in section 8. Those protections include a first time cure provision but few people have only one mishap or make only one mistake. Servers, switches, routers, power, etc. are all vulnerable to failing. Even the most reliable services suffer from an occasional outage. People running libraries are generally very cautious about potential liability for violation of copyright law and tend to avoid risks which others might think trivial. Even when libraries are part of institutions with significant resources, libraries tend to be poorly funded relative to their responsibilities with no provision for expenditure outside their normal course of business. I know of one important library automation systems developer and now library journalist who thinks that libraries would never use AGPL software. I can imagine that there are people who attempt to enforce their copyrights unreasonably. I can even imagine that there may be a programmer opposing AGPL and intent upon scaring people away from running AGPL software with a maniacal zeal. I do not know of any such actual person but I can imagine the possibility. Such a person might seek out AGPL projects to which he could contribute. He might then attempt to identify and pounce upon the smallest inadvertent violation of the license. Perhaps in the last fanciful concern I raise a straw man. However, those opposed to AGPL would raise many arguments about why AGPL software should not be used. We would need to be prepared to have answer for any fear which might be effective in scaring away a large portion of potential adopters of the software. 1.1. TAKING SOFTWARE OFFLINE. Q.1.A. If the server providing access to the Corresponding Source under AGPL 3 goes offline, should the AGPL 3 software be taken offline? As explained above, people running libraries have heightened concerns about legal liability. At the same time, libraries would find the risk of needing to take the software which runs the library offline as a means of controlling legal liability to be unacceptable. Faced with the possibility of needing to take such a choice those running libraries might be generally inclined to avoid AGPL software. 2. UPGRADING THE LICENSE FOR UNMODIFIED THIRD PARTY MODULES. Q.2. What is the best possibility for noting that unmodified third party GPL 2 modules, with an or later version option, are also available under GPL 3 or AGPL 3, with an or later version option? We would seek to avoid unnecessary maintenance of license statements for projects which the Koha community are not maintaining ourselves but which are incorporated into Koha as part of the Corresponding Source under AGPL 3 specific obligations. We may want to update unmodified third party modules under GPL 2, with an or later version option, using an automated script to download the source code for new versions of the modules from upstream sites. We would then need a good means of including license terms invoking GPL 3 or AGPL 3, with an or later version option as an alternative to GPL 2, with an or later version option. We could create a script which adds an additional header to all source code files. However, the source code in actual Koha installations would be unlikely to be altered with additional headers. Almost all installations of Koha use Debian packages with some additional packages from CPAN. There is also a recently introduced Koha Debian packages repository which includes modules which formerly had only been available from CPAN or elsewhere. We could have a single copyright file for Koha which identified the additional GPL 3 or AGPL 3 invocation, with an or later version option, for unmodified third party modules otherwise available under GPL 2, with an or later version option, which have been incorporated into Koha. Under such a scenario, the unmodified third party modules would not have their headers modified. Alternatively, we could add an additional copyright file to each of the unmodified GPL 2, with an or later option, third party modules. The unmodified third party modules would also not have their headers modified. The question implies the possibility of some other scenario which had not occured to me. Thomas Dukleth Agogme 109 E 9th Street, 3D New York, NY 10003 USA http://www.agogme.com +1 212-674-3783