Re: [legal-discuss] [openstack-dev] [Marconi] Why is marconi a queue implementation vs a provisioning API?
Ianal, but I know there are some lawyers out there who are concerned that the mechanism of attachment is vague. If there is an issue (I'm not saying there is) I don't think mongodb's view is relevant, as they are quite likely to be bought by someone, say Oracle, who might not share and would not be bound by that opinion. That said, I don't think a mongo driver is an issue, as long as it's not the only driver... That way deployers can make an agpl call on their own. We've had mongo driver for ceilometer for a while. On Mar 20, 2014 7:28 AM, Richard Fontana <rfontana@redhat.com> wrote:
Why not contact MongoDB to understand its viewpoint, if there's concern?
On Wed, Mar 19, 2014 at 09:38:53PM +0000, Fox, Kevin M wrote:
Its my understanding that the only case the A in the AGPL would kick in is if the cloud provider made a change to MongoDB and exposed the MongoDB instance to users. Then the users would have to be able to download the changed code. Since Marconi's in front, the user is Marconi, and wouldn't ever want to download the source. As far as I can tell, in this use case, the AGPL'ed MongoDB is not really any different then the GPL'ed MySQL in footprint here. MySQL is acceptable, so why isn't MongoDB?
It would be good to get legal's official take on this. It would be a shame to make major architectural decisions based on license assumptions that turn out not to be true. I'm cc-ing them.
Thanks, Kevin ________________________________________ From: Chris Friesen [chris.friesen@windriver.com] Sent: Wednesday, March 19, 2014 2:24 PM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [Marconi] Why is marconi a queue implementation vs a provisioning API?
On 03/19/2014 02:24 PM, Fox, Kevin M wrote:
Can someone please give more detail into why MongoDB being AGPL is a problem? The drivers that Marconi uses are Apache2 licensed, MongoDB is separated by the network stack and MongoDB is not exposed to the Marconi users so I don't think the 'A' part of the GPL really kicks in at all since the MongoDB "user" is the cloud provider, not the cloud end user?
Even if MongoDB was exposed to end-users, would that be a problem?
Obviously the source to MongoDB would need to be made available (presumably it already is) but does the AGPL licence "contaminate" the Marconi stuff? I would have thought that would fall under "mere aggregation".
Chris
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
_______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss
On Thu, 2014-03-20 at 07:37 +0400, Monty Taylor wrote:
Ianal, but I know there are some lawyers out there who are concerned that the mechanism of attachment is vague.
AFAICT, you're proxying some concerns from others at HP here? At least, that's the way I've understood the issue each time it has been raised since it came up with Ceilometer and MongoDB - "some people at HP have some concerns about AGPLv3 and we'd never deploy MongoDB". I'm no fan (personally) of AGPLv3, but taking a stance that there must be a way of deploying OpenStack in production without requiring any AGPLv3 code to be deployed is a significant policy decision for the project and I don't think we've ever articulated the reasons clearly for it. I've added a stub entry to the legal issues FAQ: https://wiki.openstack.org/wiki/LegalIssuesFAQ#Licensing_of_non-library_depe... Can we get it fleshed out with more specifics? Thanks, Mark.
On Thu, 2014-03-20 at 08:22 +0000, Mark McLoughlin wrote:
On Thu, 2014-03-20 at 07:37 +0400, Monty Taylor wrote:
Ianal, but I know there are some lawyers out there who are concerned that the mechanism of attachment is vague.
AFAICT, you're proxying some concerns from others at HP here? At least, that's the way I've understood the issue each time it has been raised since it came up with Ceilometer and MongoDB - "some people at HP have some concerns about AGPLv3 and we'd never deploy MongoDB".
I'm no fan (personally) of AGPLv3, but taking a stance that there must be a way of deploying OpenStack in production without requiring any AGPLv3 code to be deployed is a significant policy decision for the project and I don't think we've ever articulated the reasons clearly for it.
I've added a stub entry to the legal issues FAQ:
https://wiki.openstack.org/wiki/LegalIssuesFAQ#Licensing_of_non-library_depe...
Can we get it fleshed out with more specifics?
Great, some specifics from Yahoo!'s Open Source Director, Gil Yehudo: http://lists.openstack.org/pipermail/openstack-dev/2014-March/030510.html The issue is that the "intimate data communication" language is read by some as meaning applications which use an Apache licensed client library (aka driver) may not actually be considered a separate work and are then subject to the terms of the AGPLv3. Also, that while MongoDB, Inc. themselves say: http://www.mongodb.org/about/licensing/ http://blog.mongodb.org/post/103832439/the-agpl "we promise that your client application which uses the database is a separate work" the license is what's important, particularly when you think about what could happen in the future if MongoDB is acquired by a company with different objectives. IANAL, and I've spent 10 seconds thinking about this ... but the stance that Marconi or Ceilometer is a "dynamically linked subprogram" that MongoDB is "specifically designed to require" (by any means), seems highly questionable. (To repeat my intent here - we need to dig into the details of these concerns because, if OpenStack makes important policy decisions based on these concerns, we are least lending some credence to the concerns. If they are completely indefensible, I don't think we should do it.) Mark.
On Thu, Mar 20, 2014 at 08:44:39AM +0000, Mark McLoughlin wrote:
Great, some specifics from Yahoo!'s Open Source Director, Gil Yehudo:
http://lists.openstack.org/pipermail/openstack-dev/2014-March/030510.html
The issue is that the "intimate data communication" language is read by some as meaning applications which use an Apache licensed client library (aka driver) may not actually be considered a separate work and are then subject to the terms of the AGPLv3.
I do not understand this part of Gil Yehuda's argument -- an Apache-licensed driver is per se engaged in "intimate data communication" with MongoDB?
Also, that while MongoDB, Inc. themselves say:
http://www.mongodb.org/about/licensing/ http://blog.mongodb.org/post/103832439/the-agpl
"we promise that your client application which uses the database is a separate work"
the license is what's important, particularly when you think about what could happen in the future if MongoDB is acquired by a company with different objectives.
But that statement is part of the license as to the code that exists now, and if the issue is concern about future versions, well, the upstreams of other library and non-library dependencies might someday alter their licensing too. Experience if anything suggests that present-day AGPL code tends to later on become Apache-licensed.
IANAL, and I've spent 10 seconds thinking about this ... but the stance that Marconi or Ceilometer is a "dynamically linked subprogram" that MongoDB is "specifically designed to require" (by any means), seems highly questionable.
I have to say "highly questionable" is an understatement to me; it is preposterous to suppose that MongoDB, the thing that is AGPL-licensed, is "specifically designed to require" Marconi or Ceilometer or any part of them. By all means I encourage Gil to come up with a different theory of AGPL interpretation to explain why there is a problem here, but this one won't fly.
(To repeat my intent here - we need to dig into the details of these concerns because, if OpenStack makes important policy decisions based on these concerns, we are least lending some credence to the concerns. If they are completely indefensible, I don't think we should do it.)
I entirely agree. - RF
On 03/20/2014 10:27 AM, Richard Fontana wrote:
On Thu, Mar 20, 2014 at 08:44:39AM +0000, Mark McLoughlin wrote:
Great, some specifics from Yahoo!'s Open Source Director, Gil Yehudo:
http://lists.openstack.org/pipermail/openstack-dev/2014-March/030510.html
The issue is that the "intimate data communication" language is read by some as meaning applications which use an Apache licensed client library (aka driver) may not actually be considered a separate work and are then subject to the terms of the AGPLv3.
I do not understand this part of Gil Yehuda's argument -- an Apache-licensed driver is per se engaged in "intimate data communication" with MongoDB?
Also, that while MongoDB, Inc. themselves say:
http://www.mongodb.org/about/licensing/ http://blog.mongodb.org/post/103832439/the-agpl
"we promise that your client application which uses the database is a separate work"
the license is what's important, particularly when you think about what could happen in the future if MongoDB is acquired by a company with different objectives.
But that statement is part of the license as to the code that exists now, and if the issue is concern about future versions, well, the upstreams of other library and non-library dependencies might someday alter their licensing too. Experience if anything suggests that present-day AGPL code tends to later on become Apache-licensed.
IANAL, and I've spent 10 seconds thinking about this ... but the stance that Marconi or Ceilometer is a "dynamically linked subprogram" that MongoDB is "specifically designed to require" (by any means), seems highly questionable.
I have to say "highly questionable" is an understatement to me; it is preposterous to suppose that MongoDB, the thing that is AGPL-licensed, is "specifically designed to require" Marconi or Ceilometer or any part of them. By all means I encourage Gil to come up with a different theory of AGPL interpretation to explain why there is a problem here, but this one won't fly.
(To repeat my intent here - we need to dig into the details of these concerns because, if OpenStack makes important policy decisions based on these concerns, we are least lending some credence to the concerns. If they are completely indefensible, I don't think we should do it.)
I entirely agree.
++
On Thu, Mar 20, 2014 at 08:22:12AM +0000, Mark McLoughlin wrote:
I'm no fan (personally) of AGPLv3, but taking a stance that there must be a way of deploying OpenStack in production without requiring any AGPLv3 code to be deployed is a significant policy decision for the project and I don't think we've ever articulated the reasons clearly for it.
Such a policy would be unprecedented for any Apache License 2.0 project as far as I am aware. For comparisons look at the legal policies of the Apache Software Foundation, which don't go this far. I don't really care about the answer (as long as it doesn't create technical problems for OpenStack development and deployment -- unclear to me here) but I do care about the stated rationale. If the rationale is limited to something like 'the reality is that some users and Foundation members are sufficiently risk averse about AGPL that we feel we need to adopt this policy', so be it. - RF
On 3/20/14, 8:22 AM, Richard Fontana wrote:
I'm no fan (personally) of AGPLv3, but taking a stance that there must be a way of deploying OpenStack in production without requiring any AGPLv3 code to be deployed is a significant policy decision for the project and I don't think we've ever articulated the reasons clearly for it. Such a policy would be unprecedented for any Apache License 2.0
On Thu, Mar 20, 2014 at 08:22:12AM +0000, Mark McLoughlin wrote: project as far as I am aware. For comparisons look at the legal policies of the Apache Software Foundation, which don't go this far.
Such a policy needs to be made on a project-by-project basis, as well, especially w/r/t AGPL code. MongoDB/10Gen has communicated very clearly where they consider their copyright boundary to exist, and I believe that legally that functions as a waiver/license if they would ever end up being wrong (which I don't think they would, as I believe a network communication creates a copyright boundary). Thanks, Van
On Thu, Mar 20, 2014 at 08:31:51AM -0500, Van Lindberg wrote:
Such a policy needs to be made on a project-by-project basis, as well, especially w/r/t AGPL code. MongoDB/10Gen has communicated very clearly where they consider their copyright boundary to exist, and I believe that legally that functions as a waiver/license if they would ever end up being wrong (which I don't think they would, as I believe a network communication creates a copyright boundary).
I agree with this. There really isn't enough AGPL code in existence to necessitate a non-case-specific policy (apart from a policy that calls for case-specific treatment). - RF
We need to carefully consider the scope of the waiver, its enforceability and whether it could be modified in the future. -----Original Message----- From: Richard Fontana [mailto:rfontana@redhat.com] Sent: Thursday, March 20, 2014 6:46 AM To: Van Lindberg Cc: legal-discuss@lists.openstack.org Subject: Re: [legal-discuss] [openstack-dev] [Marconi] Why is marconi a queue implementation vs a provisioning API? On Thu, Mar 20, 2014 at 08:31:51AM -0500, Van Lindberg wrote:
Such a policy needs to be made on a project-by-project basis, as well, especially w/r/t AGPL code. MongoDB/10Gen has communicated very clearly where they consider their copyright boundary to exist, and I believe that legally that functions as a waiver/license if they would ever end up being wrong (which I don't think they would, as I believe a network communication creates a copyright boundary).
I agree with this. There really isn't enough AGPL code in existence to necessitate a non-case-specific policy (apart from a policy that calls for case-specific treatment). - RF _______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss Please consider the environment before printing this email. The information contained in this email may be confidential and/or legally privileged. It has been sent for the sole use of the intended recipient(s). If the reader of this message is not an intended recipient, you are hereby notified that any unauthorized review, use, disclosure, dissemination, distribution, or copying of this communication, or any of its contents, is strictly prohibited. If you have received this communication in error, please reply to the sender and destroy all copies of the message. To contact us directly, send to postmaster@dlapiper.com. Thank you.
I agree with Richard that we should clarity on the policy and rationale. However, OpenStack Foundation has a fundamentally different strategy to ASF so I don't think that their approach has much relevance. -----Original Message----- From: Richard Fontana [mailto:rfontana@redhat.com] Sent: Thursday, March 20, 2014 6:23 AM To: Mark McLoughlin Cc: legal-discuss@lists.openstack.org Subject: Re: [legal-discuss] [openstack-dev] [Marconi] Why is marconi a queue implementation vs a provisioning API? On Thu, Mar 20, 2014 at 08:22:12AM +0000, Mark McLoughlin wrote:
I'm no fan (personally) of AGPLv3, but taking a stance that there must be a way of deploying OpenStack in production without requiring any AGPLv3 code to be deployed is a significant policy decision for the project and I don't think we've ever articulated the reasons clearly for it.
Such a policy would be unprecedented for any Apache License 2.0 project as far as I am aware. For comparisons look at the legal policies of the Apache Software Foundation, which don't go this far. I don't really care about the answer (as long as it doesn't create technical problems for OpenStack development and deployment -- unclear to me here) but I do care about the stated rationale. If the rationale is limited to something like 'the reality is that some users and Foundation members are sufficiently risk averse about AGPL that we feel we need to adopt this policy', so be it. - RF _______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss Please consider the environment before printing this email. The information contained in this email may be confidential and/or legally privileged. It has been sent for the sole use of the intended recipient(s). If the reader of this message is not an intended recipient, you are hereby notified that any unauthorized review, use, disclosure, dissemination, distribution, or copying of this communication, or any of its contents, is strictly prohibited. If you have received this communication in error, please reply to the sender and destroy all copies of the message. To contact us directly, send to postmaster@dlapiper.com. Thank you.
To be clear - any potential policy in this area we're talking about would be an addition to the TC's requirements for new projects: https://github.com/openstack/governance/blob/master/reference/incubation-int... My hope is that members of this list can help inform whether catering for this "AGPL fear" is a reasonable thing for the TC to do - i.e. whether this legal risk aversion is in any way reasonable. Mark. On Thu, 2014-03-20 at 14:15 +0000, Radcliffe, Mark wrote:
I agree with Richard that we should clarity on the policy and rationale. However, OpenStack Foundation has a fundamentally different strategy to ASF so I don't think that their approach has much relevance.
-----Original Message----- From: Richard Fontana [mailto:rfontana@redhat.com] Sent: Thursday, March 20, 2014 6:23 AM To: Mark McLoughlin Cc: legal-discuss@lists.openstack.org Subject: Re: [legal-discuss] [openstack-dev] [Marconi] Why is marconi a queue implementation vs a provisioning API?
On Thu, Mar 20, 2014 at 08:22:12AM +0000, Mark McLoughlin wrote:
I'm no fan (personally) of AGPLv3, but taking a stance that there must be a way of deploying OpenStack in production without requiring any AGPLv3 code to be deployed is a significant policy decision for the project and I don't think we've ever articulated the reasons clearly for it.
Such a policy would be unprecedented for any Apache License 2.0 project as far as I am aware. For comparisons look at the legal policies of the Apache Software Foundation, which don't go this far.
I don't really care about the answer (as long as it doesn't create technical problems for OpenStack development and deployment -- unclear to me here) but I do care about the stated rationale. If the rationale is limited to something like 'the reality is that some users and Foundation members are sufficiently risk averse about AGPL that we feel we need to adopt this policy', so be it.
- RF
_______________________________________________ legal-discuss mailing list legal-discuss@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/legal-discuss Please consider the environment before printing this email.
The information contained in this email may be confidential and/or legally privileged. It has been sent for the sole use of the intended recipient(s). If the reader of this message is not an intended recipient, you are hereby notified that any unauthorized review, use, disclosure, dissemination, distribution, or copying of this communication, or any of its contents, is strictly prohibited. If you have received this communication in error, please reply to the sender and destroy all copies of the message. To contact us directly, send to postmaster@dlapiper.com. Thank you.
participants (5)
-
Mark McLoughlin
-
Monty Taylor
-
Radcliffe, Mark
-
Richard Fontana
-
Van Lindberg