GPL upgrades via section 14 proxy delegation
runxiyu.org87 points by weinzierl 7 hours ago
87 points by weinzierl 7 hours ago
We do that in KDE too, where the decision to update to a possible gpl4 is decided by a vote of the KDE e.v. (the legal non profit organization behind the project) membership.
https://invent.kde.org/office/marknote/-/blob/master/LICENSE...
> I find neither approach to be ideal. It is often impossible to gain consensus of all copyright holders since some may be unreachable.
Well, licences are not universal wonder tools. They have restrictions about their use cases. But, narrowing this down solely to "GPL xyz" versus "GPL xyz - or later fancypants", I always found the variant WITHOUT the "or later" to be better. It simply adds more complexity when a licence can willy-nilly be changed, at a later time, when a change happens. I understand the use case for the "or later" part, as the GPL is very strict as well as an ideological tool against abuse from corporations (let's be honest here; and I think the GPL is a good licence, despite this too), but even then I find it better to stick to the simpler variants. It is one reason why I may use GPLv2. I also use MIT/BSD when I essentially don't care much. I don't think I have had a use case for GPLv3; and not for "or later" either. LGPL is also fine.
> It’s patently clear that the license allows this, and it surprises me that this is rarely brought up in debates about GPL-3.0-only and GPL-3.0-or-later.
I was unaware that a proxy can be designated upfront; so that's another complexity with regards to the "or later" part. What can proxies do? I dislike the "or later" clause; it really just makes this way more complicated than it should be.
"It is often impossible to gain consensus of all copyright holders since some may be unreachable."
How one feels about that is a matter of where one stands. The GPL first and foremost protects the interests of software users. Not developers. Not companies.
In that regard, the above should be seen as a feature, not a bug. I believe it is the most effective way to protect the user from being locked-in.
With the "or later" version it's a concern that in the future someone nefarious could gain control of the FSF, and publish a GPL removing most of the copyleft provisions.
On the other hand, if Linux had used the "or later" version it could have helped prevent TiVoization.
According to Conservancy; Tivo didn't do "Tivoization", the GPLv3 doesn't prevent what Tivo actually did, and both GPLv2/GPLv3 prevent "Tivoization".
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...
No because tivo could take it under the gpl2. It's not an auto upgrade. The new version is optional.
Linus now has come to support Tivoization. I presume this has something to do with where his salary comes from.
> if Linux had used the "or later" version it could have helped prevent TiVoization
Only if the hardware manufacturer used a combined work of Linux and some GPLv3-only code, no? Otherwise, if Linux was GPLv2-or-later, they could just use it under GPLv2 terms and tivoize.
It seems that "or later" would be putting an upper bound on the GPL restrictions? If additional restrictions are added, then users can still choose 3. If any restrictions are removed, the users can choose the later version.
Can I (pedantically) raise an epistemic issue with:
> Pursuant to Section 14 of the GNU Affero General Public License, Version 3.0, [Runxi Yu] is hereby designated as the proxy who is authorized to issue a public statement accepting any future version of the GNU Affero General Public License for use with this Program.
Notice that [Runxi Yu] is an external reference, pointing to runxiyu.org.
Wouldn't this mean that the designated proxy is (any?) future entity claiming to be Runxi Yu and substantiating that claim by demonstrating control over DNS entry for runxiyu.org could effectively upgrade the GPL licence? Or practically, if the domain registration lapses, a hacker takes control or Runxi Yu looses interest — what might happen to the license? And how would this affect any contributers?
Remember that law is not technical. This is a declaration to be interpreted. The Interpretation that a specific person with the legal name Runxi Yu is designated here is very clear, the link just a helper to identify the correct person at the time of writing.
Thank you for pointing out this mistake. Of course, there also is nothing technically preventing anyone to ignore the GPL; the license itself is "just" some legalese.
I do believe, though, that these kind of references (from paper into the real world) often introduce surprising gotchas. Especially when they are intended to address some future (mostly unknown) issue.
The designated anchor point (person, technological artifact, legal entity) is itself often more likely subject to change than the thing it's trying to govern. Persons may be hit by a car, registries may expire, companies may go bankrupt. Governing laws may change. Countries may cease to exist...
The LAW® has literally millennia of dealing with these kinds of things - especially with regards to physical property, the definitions of which may refer to a king of a country that hasn't existed for five hundred years. You can find all sorts of examples, look to the US southwest or Europe or any country that has been controlled by another for a time, and then stopped.
If you are an individual developer, please don’t do this. I think proxy delegation is best suited to an organisation (ideally to a non-profit) whose lifespan is longer than of a solo developer and more likely to have “checks and balances” that protect all maintainers’ rights vs just you and yours.
If you don’t want to hand FSF a carte blanche regarding your project—perfectly understandable—then pick a “version X only” variant and move on.
A risk of putting in a literal person is that you might stop maintaining the project, and changing the maintainer is now effectively a license change. It may be better to say "consensus among whoever is currently maintaining the project, as specified by the file MAINTAINERS".
I think it's not the best, considering the chardet debacle. It would make sense though to have clauses indicating what happens or who gains the proxy role in the event the original author is gone.
Isn't that effectively the same as or-later? I can always fork your project, change the MAINTAINERS file, and relicense without your consent.
Uh yes of course, I thought of that and thought "isn't that neat" but of course it goes against exactly what the author wants. I don't find this fear very natural I suppose! A different trusted third party could be nominated, I guess (KDE project nominate KDE e.V. for instance).
Indeed, it would need to be more specific, and say this list of people in this repo.
> It’s patently clear2 that the license allows this, and it surprises me that this is rarely brought up in debates about GPL-3.0-only and GPL-3.0-or-later.
It's an interesting avenue, but the ultimate problem is that people die and/or lose interest in projects. What happens to this particular project if Runxi dies, or decides to make furniture out of wood instead? That basically becomes "GPL-3.0-only" again.
Every project becomes public domain if the copyright holder stops being able to sue you btw
You enter an "unclear title" scenario which may mean that individuals are fine using it, but no company wants to get involved because of the risks.
Similar things happen with physical property, where a title cannot be cleared and either people just live with it or they go to court to get it "reset".
I wonder if one can leave written what to do in such cases in their will.
(Similarly to what the author of the article wrote: i’m not a lawyer and this is not legal advice)
So it's basically GPLv3-or-later but with veto power of the "-or-later" part by the maintainer (but not the contributor). That's pretty clever. And, since you're asking someone to maintain your contribution, it also seems pretty fair.
> It’s patently clear2 that the license allows this, and it surprises me that this is rarely brought up in debates about GPL-3.0-only and GPL-3.0-or-later.
There is nothing surprising about it as the contentious issue about GPL3.0 is the patent claim one (which did cause multiple companies go "HELL NO we're not touching GPL with 100m pole"), not this.
[dead]
This still gives too much power to the FSF. It is better to use a CLA and have the proxy be able to switch over to any license when the need arises.
Except that such a license will most likely be a proprietary one and will make all the other contributors angry at you.
How about create a company/corporation and hold all sources under it. So directors of that company can change to later versions