Wrt to the legal concerns with AGPL, they're not actually that it wouldn't provide any protection, but rather that it might offer the originally distributing entity too much power: legal power to declare all software used in the stack to produce a network request MUST be made source available. Basically, a ""contagious"" or copyleft license as GPLv3 intended, but even more viral than intended in the AGPL variant since it extends well beyond the source software. I have not seen any lawyer concerned with how Amazon would be able to bypass its protections, *because they're otherwise the same as GPLv3 and have already been tested.*
I think this poster created the legal theory themselves because they were aware of other legal concerns with the AGPL affecting the above scenario. I've read a lot of legalblogging about AGPL, and none bring up this as even a remote possibility, because unless you think GPLv3 case law is somehow irrelevant then you don't think AGPL will be simply bypassed.
One last thing: I'm surprised the poster was concerned about AGPL being untested, despite it using GPLv3, and not that FSL has only existed for 2 years and has 0 case law surrounding.
> legal power to declare all software used in the stack to produce a network request MUST be made source available
If I understand correctly what you say, this is one of the main concerns with the SSPL because of the following [1]:
> The SSPL is based on the GNU Affero General Public License (AGPL), with a modified Section 13 that requires that those making SSPL-licensed software available to third-parties (modified or not) as part of a "service" must release the source code for the entirety of the service, including without limitation all "management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available", under the SSPL.
I'm not familiar with this concern for the AGPL itself.
Yes, that's the MongoDB variant which codifies it directly, and SF Conservancy and other legal entities promotion FOSS licenses states that the network stack contagion concern does not actually apply for the AGPL. But because AGPL doesn’t dig into the definition of "access", simply defining it as “users interacting with it remotely through a computer network”, nor define clear boundaries for how the "contagious" part of GPLv3 interacts with the rest of the network stack of this clause, it has meant that some lawyers think that a court may overly broadly interpret the definition.
So far this contagion concern hasn't actually played out, and big corporations/hyperscalers are often using AGPL software somewhere in their stack if they're using common Linux distros - and nothing thus far has been compelled to be open sourced that isn't AGPL software.
> But because AGPL doesn’t dig into the definition of "access", simply defining it as “users interacting with it remotely through a computer network”, nor define clear boundaries for how the "contagious" part of GPLv3 interacts with the rest of the network stack of this clause, it has meant that some lawyers think that a court may overly broadly interpret the definition.
Oh yeah, I have encountered this argument before, indeed. Thanks for the pointers btw. I do agree with Drew (your last link) here. I think it's part of the FUD from Google & Co I mentioned in my first comment in this thread. To me, it's even an evidence that the AGPL actually works as intended: it's not convenient for the Big Tech companies who can't reuse the AGPL without having to release their code that's targeted to end users, which they don't want to do.
> big corporations/hyperscalers are often using AGPL software somewhere in their stack if they're using common Linux distros
Do you have specific software in mind? What's AGPL in a common Linux distro? I'm asking because this surprises me. AGPL isn't usually used for something that's not a internet service, I wouldn't expect to find it in Linux distros' basic blocks.
Is Amazon Linux a common Linux distro? If so, it's often distributed with AGPL licensed code, I can think of a few pieces of software it has that are AGPL. They haven't been able to do internal forks of Ghostscript, if they were ever to do so, because of AGPL.
Debian is also the other more common one distros with AGPL software included with it.
Other things like forks of BerkleyDB by hyperscalers have all ended up as FOSS because of AGPL. Presumably this is a better example of where non-AGPL code would have not actually seen the light of day.
These distros package AGPL software, but are these AGPL packages part of the base install (I don't think so), and does Amazon use this software on production?
Okay, I believe you, I'm not familiar with this. I'd still be interested in knowing which specific AGPL software Amazon would use themselves (note, I'm sure they distribute AGPL software through their distro, that doesn't mean they use it themselves).
> For Debian, the software are in the main archive, actually.
I mentioned the base install. Whatever you get by running deboostrap without parameters, or with a base debian docker container. Of course there's AGPL software in main. main is huge.
So for Amazon, I used to work there and not sure I can talk about specifics, but there was AGPL software used outside of the AMIs but they were approved on a case by case basis. Ghostscript is public and used in the AMIs that are shipped standard, and ofc is used sometimes by Amazon. And if any modifications went out, it was of course gladly republished, but I don't think any forks of AGPL software were being maintained to the best of my knowledge.
>I mentioned the base install. Whatever you get by running deboostrap without parameters, or with a base debian docker container. Of course there's AGPL software in main. main is huge.
No, afaik, unfortunately. That might drastically change how you distribute its base. I was a little unclear but I had meant "No but at least the most common distro ships it in their archive" with my first comment.
AGPL isn't viral or contagious, it's copyleft. You need permission from the author to copy. If you violate the license terms you're copying something you're not allowed to copy. That's a copyright violation like illegally downloading music and the rights holder is allowed to tell you to stop doing it.
Oh I agree! And I think it's straightforward to comply with.
I was just explaining the common legal concerns that pop up with the license, and that too much 'contagion' has historically been a gripe about its lack of case law.
Sorry, I'll put that in air quotes, I don't believe free software is disease causing :) just speaking about the common concern is whether or not AGPL copyleft applies to everything involved in responding to a network request (it does not).
FSL is a much simpler court case. “You weren’t allowed to compete with us. You did. Here are the actual damages incurred. Pay us.”
An AGPL enforcement would require the court to interpret its virality which is an open question before even deciding whether a violation occurred.
The potentially overreaching nature of AGPL is one reason it maybe unenforceable. On the other hand if courts lean towards the less viral interpretation Google could get around these issues by modding an AGPL project to run on their proprietary hardware that no one has access to and then simply releasing the modified source code.
>An AGPL enforcement would require the court to interpret its virality which is an open question before even deciding whether a violation occurred.
In US courts, the case law shows that the "virality" is not really an open question because of GPLv3 case law, and has never been interpreted that way. I'm not sure why you're commenting about this scenario when you're unaware that this has been actually tried in courts.
In fact, we saw that in infamous Neo4j AGPL case, actually. AGPL worked as intended and protected the AGPL software in a similar way to LGPL. The court went on to protect non-GPL compliant additions that Neo4j made as being considered contagious, even, going even further to protect the original licensee than intended with the original unmodified license.
So, just recapping, you've gone from stating that Amazon could firewall off AGPL because it has no case law, and after learning it does has its case law includes GPLv3 that it simply may not be 'viral' enough because that hasn't been tested in court, to now learning it has been tested in court and successfully enforced.
>The extent of virality added by the additional clauses is not clear.
The Neo4J case was one piece of a longstanding part of GPLv3 caselaw where the virality is clear.
>My point is that it doesn’t matter. If it is “viral” to the extent some people are concerned about, Amazon can find ways to firewall it.
Just a recap of your responses so far:
So AGPL has no case law and might even be unenforceable, so therefore it you should use non-free source available licenses. Oh, it does have case law and hyperscalers have been forced to open source their forks like of BDB?
Well, the virality hasn't been tested and FSL would be an easier case. Oh, it has been tested, multiple times and licensees have had to work out an agreement like in the Neo4j case - such that judges would actually be able to rely on prior art unlike FSL?
Okay, well, even if that's all true - Amazon could just firewall it anyways. How? Well they would simply use vast resources to create proprietary hardware, create a fork for proprietary hardware despite that making it impossible to receive patches from the main fork, and then sell that as a service.
Based on the above, I think you've done what you can to convince me.
> Google could get around these issues by modding an AGPL project to run on their proprietary hardware that no one has access to and then simply releasing the modified source code.
Well I guess they could today, I don't see the AGPL preventing them to. As long as the modified source is available under the AGPL I suppose they'd be good to go.
A license that forces someone to release software for specific hardware would be non-free I suppose.
I don't see this being practical though. Running proprietary hardware just for this reason would likely be costly, and not really efficient: someone could restore support for general hardware from upstream / only keep the interesting changes.
If I'm not mistaken, Apple would rather avoid touching anything GPLv3 with a ten foot pole. They are among the biggest tech companies in my mind.
Anybody seems fine with GPLv2 though. But GPL is less convenient than permissive licenses.
Of course, you can still indeed build services with GPL software without redistributing the modifications, which is the point of the AGPL.
> It’s not beyond someone like Amazon to setup a new company just firewall off AGPL software.
I suppose so. However, this would work as intended: the Amazon firewall company would need to redistribute the improvements.
Also, do you have examples of this happening? (not arguing, actually genuinely curious)