[Koha] Liability risks under AGPL 3

Thomas Dukleth kohalist at agogme.com
Wed Jul 14 06:06:00 NZST 2010


My correspondence with Aaron Williamson at the Software Freedom Law Center
(SFLC) about liability under AGPL 3 is quoted further below.  The
unrelated issue about third party module notices should have been in a
different message.

The messages are reproduced exactly except that I have corrected a mistake
which I had made for the correct date of the #koha IRC meeting about
voting on upgrading the license.  The correct date is 13 July, today.  I
had misremembered the date as 16.

I asked a following question focused on an aspect of the liability issue
on which I had primarily intended to concentrate.  That most recent
message is quoted directly below and I am still awaiting an answer
concentrating on that aspect of the issue.

Overall, libraries are accustomed to having copyright responsibilities. 
Some responsibilities associated with a copyright license for their ILS
software would be merely one more responsibility for which they would need
to do something special.


Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY  10003
USA
http://www.agogme.com
+1 212-674-3783



---------------------------- Original Message ----------------------------
Subject: Re: AGPL 3 liability and unrelated question for 3rd party module
notices
From:    "Thomas Dukleth" <koha at agogme.com>
Date:    Tue, July 13, 2010 15:10
To:      "Aaron Williamson" <aaronw at softwarefreedom.org>
--------------------------------------------------------------------------


Aaron,

Thank you for your clear answer about an obviously old question of
inadvertent license violation liability and cutting the scary straw man I
could imagine down to size.

There is one particular aspect on which I want to focus.

If a copyright holder would ever have reason to contact a party whom the
copyright holder considers an inadvertent violator of GPL 3 or AGPL 3 to
help the violator understand how to comply with the license, is there any
formal legal way for the copyright holder to set the clock back on the
first time cure protection in section 8?

Any means which could be exercised to repeatedly undo a first violation
notice as long as the belief persists that the violating party is acting
in good faith would be reassuring to well meaning parties.


Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY  10003
USA
http://www.agogme.com
+1 212-674-3783



---------------------------- Original Message ----------------------------
Subject: Re: AGPL 3 liability and unrelated question for 3rd party module
notices
From:    "Aaron Williamson" <aaronw at softwarefreedom.org>
Date:    Tue, July 13, 2010 14:38
To:      koha at agogme.com
--------------------------------------------------------------------------

On 07/07/2010 02:45 PM, Thomas Dukleth wrote:
> 1.  LIABILITY FOR AGPL 3 VIOLATIONS.
>
> Q.1.  If the Koha license would be upgraded to AGPL 3, what can the Koha
> community or individual copyright holders do to reassure those running the
> software that the license would not be enforced unreasonably or
> over-zealously against parties acting in good faith?

This question is as old as the GPL, and while the novelty of the AGPL might
draw it into somewhat sharper relief until people become comfortable with
that license, the issues are the same.  It is true that inadvertent
violations may be somewhat easier if someone else is hosting your source
code, but in the end every flavor of the GPL allows a single developer in a
project with distributed ownership to enforce his/her copyrights.  It is
community norms and a general prevailing reasonableness among contributors
that prevents this.

As for the question of source-hosting server downtime, I don't know that
anyone's brought the issue up before, but I think reasonable people would
probably agree that "equivalent access" can be interpreted to mean something
like "roughly the same bandwidth and uptime."  Certainly equivalent doesn't
mean *exactly* the same bandwidth at every microsecond, and reasonable server
outages are to be expected.  Does that mean a rogue developer couldn't
attempt to pounce on someone for a brief outage?  No, but I wouldn't
represent him, and I don't know who would.

> 1.1.  TAKING SOFTWARE OFFLINE.
>
> Q.1.A.  If the server providing access to the Corresponding Source under
> AGPL 3 goes offline, should the AGPL 3 software be taken offline?

For the reasons above, I think not.

> 2.  UPGRADING THE LICENSE FOR UNMODIFIED THIRD PARTY MODULES.
>
> Q.2.  What is the best possibility for noting that unmodified third party
> GPL 2 modules, with an or later version option, are also available under
> GPL 3 or AGPL 3, with an or later version option?

I'd be inclined to put this in your top-level licensing file for Koha, or in
another top-level file describing AGPL compliance.  I would definitely *not*
modify license headers -- people feel very strongly about changing license
headers on code you haven't modified, even if the license itself allows you
to distribute under another license.  But I'm not sure it's necessary to do
anything at all.  The license of those modules is still GPLv2+ -- you're
using them in a way that causes your license to be AGPLv3+, but others are
free to use them independently under GPLv2.

Aaron



---------------------------- Original Message ----------------------------
Subject: AGPL 3 liability and unrelated question for 3rd party module notices
From:    "Thomas Dukleth" <koha at agogme.com>
Date:    Wed, July 7, 2010 18:45
To:      "Aaron Williamson" <aaronw at softwarefreedom.org>
--------------------------------------------------------------------------

Aaron,

Some questions arise for AGPL 3 responsibility or liability, and an
implementation detail.

The vote on whether to upgrade the license for Koha is coming 13 July. 
There is a general Koha IRC meeting 7 July.

I have some simple answers of my own for liability in questions Q.1 and
Q.1.A.  However, answers which I have thought for those questions do not
necessarily satisfy others and I do not know if some answers which I might
give would be correct.

I have some scenarios for supplying automated notices for question Q.2 but
need direction about which is better or what other alternative might be
better.


1.  LIABILITY FOR AGPL 3 VIOLATIONS.

Q.1.  If the Koha license would be upgraded to AGPL 3, what can the Koha
community or individual copyright holders do to reassure those running the
software that the license would not be enforced unreasonably or
over-zealously against parties acting in good faith?

Participating in Koha development is open to everyone.  Copyright is held
by contributors; there is no assignment of copyrights for Koha.

Koha incorporates the copyrighted work of people outside the Koha
community for some modules which Koha uses.

I am aware of the protections for innocent violators of the license in
section 8.  Those protections include a first time cure provision but few
people have only one mishap or make only one mistake.

Servers, switches, routers, power, etc. are all vulnerable to failing. 
Even the most reliable services suffer from an occasional outage.

People running libraries are generally very cautious about potential
liability for violation of copyright law and tend to avoid risks which
others might think trivial.  Even when libraries are part of institutions
with significant resources, libraries tend to be poorly funded relative to
their responsibilities with no provision for expenditure outside their
normal course of business.

I know of one important library automation systems developer and now
library journalist who thinks that libraries would never use AGPL
software.

I can imagine that there are people who attempt to enforce their
copyrights unreasonably.

I can even imagine that there may be a programmer opposing AGPL and intent
upon scaring people away from running AGPL software with a maniacal zeal. 
I do not know of any such actual person but I can imagine the possibility.
Such a person might seek out AGPL projects to which he could contribute.
He might then attempt to identify and pounce upon the smallest inadvertent
violation of the license.

Perhaps in the last fanciful concern I raise a straw man.  However, those
opposed to AGPL would raise many arguments about why AGPL software should
not be used.  We would need to be prepared to have an answer for any fear
which might be effective in scaring away a large portion of potential
adopters of the software.


1.1.  TAKING SOFTWARE OFFLINE.

Q.1.A.  If the server providing access to the Corresponding Source under
AGPL 3 goes offline, should the AGPL 3 software be taken offline?

As explained above, people running libraries have heightened concerns
about legal liability.  At the same time, libraries would find the risk of
needing to take the software which runs the library offline as a means of
controlling legal liability to be unacceptable.  Faced with the
possibility of needing to take such a choice those running libraries might
be generally inclined to avoid AGPL software.


2.  UPGRADING THE LICENSE FOR UNMODIFIED THIRD PARTY MODULES.

Q.2.  What is the best possibility for noting that unmodified third party
GPL 2 modules, with an or later version option, are also available under
GPL 3 or AGPL 3, with an or later version option?

We would seek to avoid unnecessary maintenance of license statements for
projects which the Koha community are not maintaining ourselves but which
are incorporated into Koha as part of the Corresponding Source under AGPL
3 specific obligations.  We may want to update unmodified third party
modules under GPL 2, with an or later version option, using an automated
script to download the source code for new versions of the modules from 
upstream sites.  We would then need a good means of including license
terms invoking GPL 3 or AGPL 3, with an or later version option as an
alternative to GPL 2, with an or later version option.

We could create a script which adds an additional header to all source
code files.  However, the source code in actual Koha installations would
be unlikely to be altered with additional headers.  Almost all
installations of Koha use Debian packages with some additional packages
from CPAN.  There is also a recently introduced Koha Debian packages
repository which includes modules which formerly had only been available
from CPAN or elsewhere.

We could have a single copyright file for Koha which identified the
additional GPL 3 or AGPL 3 invocation, with an or later version option,
for unmodified third party modules otherwise available under GPL 2, with
an or later version option, which have been incorporated into Koha.  Under
such a scenario, the unmodified third party modules would not have their
headers modified.

Alternatively, we could add an additional copyright file to each of the
unmodified GPL 2, with an or later option, third party modules.  The
unmodified third party modules would also not have their headers modified.

The question implies the possibility of some other scenario which had not
occurred to me.


Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY  10003
USA
http://www.agogme.com
+1 212-674-3783



