The future of F/OSS continues to be AGPL

34 points by hardwaresofton ↗ HN
Just came across this post by ParadeDB:

https://blog.paradedb.com/pages/agpl

Just taking time for a victory lap:

https://vadosware.io/post/the-future-of-free-and-open-source-is-agpl

17 comments

[ 3.2 ms ] story [ 40.9 ms ] thread
I've seen posts around AGPL and how it protects OSS vendors from their cloud cousins ever launching a competitive service and I'd just point people to

https://katedowninglaw.com/2019/09/08/the-great-open-source-...

as a really great read from a lawyer on the various factors and motivations, and which in particular touches on AGPLs lack of ability to protect what many of these companies are worried about most. Specifically:

> That understanding was the genesis for the GNU Affero General Public License 3 (AGPL 3) published in 2007: it was meant to solve for this exact problem by adding language to the GPL 3 which required companies to provide source code for software that users interacted with via a computer network if the software was modified AGPL 3 code (or a derivative work of such modified AGPL 3 code). But even the AGPL’s obligations can be avoided by simply not modifying the AGPL 3 code, which there is often no reason to do, or by building layers between the AGPL 3 code and proprietary code. That’s why a lot of these middleware companies didn’t choose to relicense to AGPL 3 and why MongoDB, who was already using AGPL 3, chose to revise the AGPL 3 to expand the circumstances under which services running on AGPL’ed code must open source the previously proprietary parts of those services.

Well, if there are no modifications to share, then there is no contribution to the community to share. This seems in line with intention to me.
My statement here is less that the AGPL doesn't set out to do what it says on the tin (it does) but more that many people launching SaaS companies don't understand what the tin says. Many at least consider AGPL because they believe it "protects" them in some fashion from other cloud providers monetizing their IP.

The OP paradedb blog states for example:

> Future-Proof: Thanks to the copyleft provision, cloud vendors cannot easily resell our project without our consent. This gives us confidence in our ability to monetize without fear of predatory competition.

IANAL but my understanding of reading the various legal analyses of AGPL (which I've read several) is this part is not true: cloud vendors absolutely could resell their project without their consent, provided those cloud vendors don't modify the code. From an end user perspective and for an OSI OSS advocate those attributes are likely in your best short-term interest: they promote competition. But in the long-term, if the company launching an AGPL product believes it protects them from this, they're going to eventually find out what Mongo did: that it doesn't. And the result of that is that they'll either need to accept that there will be cloud vendors competing with them on the IP they created or relicense. Commercial interests/shareholders being as they are and many of these companies being VC-backed startups, the latter is frankly a more likely scenario.

I suspect that is yet another case of "TL;DR", people just grab on to something they heard about or read the first sentence of?

The AGPL information page clearly states:

"if you run a modified program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the modified version running there."

I'm not the sharpest tool, but I interpret that as all about the code. The license is not a tool I can use to prevent competition.

It's definitely a case of people not reading, but honestly: who does read the full terms of a license? Most people just don't know which have requirements to attribute the work or redistribute license files or which provide the company they work for with certain advantages/disadvantages. They just "heard about" MIT or Apache 2 or whatever are safe to use and there are some license types that are unsafe to use.

I've led several product management teams in my career and many engineers, executives, and customers I've talked to have this impression that if they put some bit of software under AGPL, then its nature is such that it's super viral: that potentially the entire product would necessitate becoming AGPL if the AGPL code is used in any fashion in the product. This has been primarily perpetuated from Google's statement on it: https://opensource.google/documentation/reference/using/agpl... and engineers that now there's a lot of lore around AGPL generally causing so much fear in any of big-tech company potentially needing to open source their entire service that it's treated as "companies wouldn't dare include our AGPL software in a competitive offering because then they'd have to open source their entire hosting stack, and nobody is going to be willing to do that."

My understanding that I heard through the grapevine is that this fear was what MongoDB was relying on for so many years and they found out that one of the big tech companies was about to offer a competitive MongoDB-as-a-service, which caused them to make their shift away from AGPL. Other (mostly database) OSS vendors caught wind of it as well through their networks, and that's why various OSS database products didn't go to AGPL but instead to proprietary licenses.

Blog author here -- You're right, they can. We're aware of this. But, for most cloud vendors, they do need to modify the code in order to make that possible (if only to integrate it within their stack).

It then becomes a game of can you design your software in such a way that it will never be possible for cloud vendors to host it without modification, for example by keeping some required features closed-source (say a control plane, etc.).

For now, we feel this is good-enough protection and we hope that by doing our work right, we can give as much as possible to the community while still keeping guarded just enough to prevent cloud vendors from eating our lunch.

This assumes that both they are unwilling to provide users with access to whatever changes they make, and also that they are definitely going to comply with your license without being sued multiple times.
Even if they modify the code it's no issue, the simply need to provide their modifications to any users. GPL and AGPL are explicitly not intended to ever harm commercial interests, only to prevent certain ways of harming end users (by denying them source).
Harming end users is often a commercial interest.
You’re absolutely right.

I think what will really set this in people’s minds is when a company forks and maintains an AGPL clone.

AGPL only works right now because companies are supposedly scared of it (and have blanket policies) but it does not do what some often think it does, in actuality.

Needed but not sufficient: FLOSS demand an active development community, who demand active DESKTOP developers. Currently young generations born on modern commercial software/services do not understand desktop model, they just try to mimicking commercial cloud+mobile model, there is no FLOSS future possible with such paradigms.

Desktop development in the past was locked by widget based GUIs and their limits, they are not classic editable DocUIs, modern WebUIs are the commercially needed answer since they are DocUIs BUT not under user control. Most modern devs simply use WebUIs, even locally, because they can't even imaging an editable DocUI. When some colleagues see rare presentations from me (I talk a lot, but hate slides) in Emacs/EXWM/org-mode/dslide can't even understand what their see. Live rendering of an active markup witch is indeed free form text eventually with executable code (elisp: links or C-x C-e full displayed sexps) is something they can barely understand, having the same language, functions available everywhere is totally alien for most.

Even if we have the code, if the coded software is something unsuitable for personal, SME usage being just a copy of some big tech walled garden, the code alone does not suffice. Having the entire Alphabet infra under AGPL does not fit much any FLOSS purpose. It just allow big tech interoperability witch is their biggest Achilles's heel since having no walled gardens, an OS as a single application in user programmable hands interconnected with other desktops as well, is the strongest FLOSS point no one company can aspire to match no matter their size.

FLOSS need a FLOSS IT paradigm BEFORE the code, we have more than enough code not to care about "OSS Enterprise" models, we miss instead the knowledgeable user base and desktop paradigm.

What is an editable DocUI?
An Emacs buffer for instance, Plan 9 ACME GUI for another, Pharo environment for another more. Essentially a "2D/3D/4D (3D animated) CLI", an example https://youtu.be/B6jfrrwR10k or a historical 4D one https://youtu.be/RQKlgza_HgE essentially an UI where you can type "active" text, data and code together and see results in the same place.

NotebookUI like Jupyter are modern limited and limiting versions.

I'm surprised ParadeDB didn't evaluate the SSPL which is very much the spiritual successor to the AGPL; or maybe the AGPL should evolve to take on aspects of the SSPL (in other words keeping copy left thriving in a hyperscaler world)
I'd very much like a license like the LGPL that didn't require releasing object files. Just "if you modify any of the source files and/or scripts, you must provide those modifications under this license". I want something that isn't just donating code to for-profit corporations, that is easy to comply with (only release modifications to the code, no risk of covering code that depends on it, no need to release non-code files), and preserves this for other end-users of the software. A sort of LGPL-like license.

I also want an AGPL-ish version of that. If I release a library, I don't need the source to your application that uses it, but I want to get access to modifications you may have made even if you're only using it in a cloud-computing service. I want an ALGPL!

ParadeDB hasn't apparently read the AGPL and is spreading misinformation about it in that blog. I'd be happy with an AGPL future, but that's not how it arrives.

For example, they wrote, "Thanks to the copyleft provision, cloud vendors cannot easily resell our project without our consent", which is nonsense. AGPL blocks proprietary modifications that Amazon tends to make, but it is entirely trivial to "resell their product" without their consent.