 Hello everybody I'm John Sullivan. I'm the executive director. It's a free software foundation. I Want to start by saying that I am not a lawyer and I am definitely not anybody here's lawyer And that will become readily apparent anyway as I address the topics in this talk I'm going to talk about the AGPL primarily from a policy Perspective I think licenses obviously are very important in the way that they actually function in court and in the law But they also serve as important statements of mutual purpose set ground rules for cooperation and that's one reason I've always really appreciated this dev room is because it's the licensing licensing and legal and policy dev room that acknowledges those two purposes together I'm also feeling a little bit guilty Slash embarrassed about kind of pulling a buzzfeed title for the presentation here. At least it's not Five things you'll be shocked to learn about the AGPL or something like that. I will try it's a to deliver it here And I want to thank you to say thanks to Tom Bradley Karen and Fontana for putting this together year after year I really appreciate the chance to speak here on behalf of the free software foundation And I also hope to see everybody on Monday at copy left cops. I'll be talking about a Different network freedom related issue, which is proprietary JavaScript and copy left JavaScript Which Karen and Bradley also talked about the keynote this morning so Partly because of my own inadequacies and partly because of events that have happened since I submitted this proposal Back in November. I can't actually cover everything that I put in the abstract in 25 minutes I am here most importantly to talk about why people should use the AGPL who out there is saying otherwise and Why I think many of the criticisms that we're hearing lately are are basically off the mark And that's some of the efforts that we're seeing to start drafting new licenses To address similar problem areas is what the AGPL seeks to tackle our premature That being said I also think the FSEF should take some responsibility For the current state of affairs and these things happening because I don't think that we've been out there advocating enough for this license or building up the materials to help people use it and That's something that I Intend to try and change. I think we have been working on that already And I'm hoping that some of you will help us do that the resources that you see that are on your network for the GPL Grew up over many years and were informed by many of the questions that we were sent by the public many of the lawyers We've worked with over the years and we want to put more focus along those lines on the AGPL And I hope by doing that we'll actually come to understand where some legitimate issues might be how we might want to fix them whether they can be fixed through Publications about the intention behind particular wordings or whether we do need to draft new licenses or new versions of licenses It's also kind of a pet topic of mine as I'm very concerned about sort of self-fulfilling prophecies in our community When people say things like copy left is declining. Nobody's using the GPL or nobody's using the AGPL Those things can actually become the factor that drives people away from using those things those statements are acts and a lot of people out there make their decisions based on Wanting to go with the flow and be a good collaborator and I think that can cause Negative effects and I think that's happening to some extent with the AGPL So that's why you know part of this I saw Karen give a great keynote years ago called stand up for the GPL And I'm hoping that those of you who support the AGPL and use it for your projects or enjoy using AGPL software We'll stand up for the AGPL and help push back against this claim that people aren't using it or that it's not a license That helps protect freedom on the network So and that's the short statement of how the AGPL differs from the GPL It's not only triggered by distribution but by running a service with modified program over the network. This is the Full legal code for that a clause like this was originally part of early drafts of GPL v3 Well at the very early part and it was dropped in order to build consensus around GPL v3 and be able to move forward with that We kept the AGPL and the afero clause as a separate license And obviously from the title of this talk I'm saying that there are people out there claiming that nobody is using the AGPL. But in fact Everyone in their dependencies are using the AGPL I Won't give the source till you're done reading but This article says that thirteen point five percent of code bases contained AGPL like license components and that's the Use of the AGPL has ramped by almost an order of magnitude So these numbers come from black duck who We can't put too much confidence in and I've I've criticized their publications about the use of copy left because their Data is not published the software they use to count licenses is not published And nobody can verify the results because you can't reproduce the experiment essentially But people quote black duck numbers that us all the time about how copy left in GPL are Declining so the AGPL according to black duck is increasing. I Am also going to walk through a few of my favorite AGPL projects just to back that up a little bit more One of my favorites was when the Department of Defense chose the AGPL for one of their projects as part of their big push into free software and They chose AGPL three or later for this web-based Service that helps manage legal proceedings within the military so court marshals and things like that And what's cool about that is not only that it's AGPL and then it's free software But their reason for doing it is because this is software that's used within a court proceeding where people's lives you know careers are at stake and they said that Everybody in that process needs to have a right to see how the data is being handled by the software and the only license That could guarantee that for a network service or help that the network services the AGPL Lots of other projects use the AGPL CRM which is the donor database system used by the FSF Wikimedia EFF lots of other people around the world Poll that is I just learned about recently as a very cool piece of software for organizing conversations about contentious issues Used by governments like Canada, Taiwan universities like Columbia Mail pile Webmail client aiming at user-friendly fast interface with encryption Mastodon people might have heard of that recently right can your social which is kind of a predecessor to mastodon and still on its own right Player in the decentralized social networking space getting a media goblin and pixel-fed both for your software and media sharing platforms Berkeley TV Pelican static site generator and I wanted to highlight that One thing I'm going to touch on is the way debates about license choices are happening within projects and pelican as a Bug an issue open where people are trying to persuade them to switch away from the AGPL other people are arguing against that That's an example of conversations. I'm going to talk more about in a few minutes next cloud calendar ring notes Contact management you can sync with their phone pretty much a full replacement for Google cloud or iCloud F droid server So if you have an Android phone you can get only free software applications the server side is AGPL Anki does a pet favorite project of mine for flashcards. It's responsible for my terrible German But the software is great Get annex distributed file synchronization So there's there's so many more and then there's a new net there's which recently changed AGPL There's dev sources, which has been an incredibly important tool for analyzing and searching all the source code in Debian The web UI for the software heritage project that was mentioned on this panel with AGPL Sorry wait, oh, that's terrible Sorry, I've just received news that MongoDB is no longer under the AGPL. Thanks Richard I Also need to highlight that I did not Do my due diligence and diving into these projects. There are other factors in their governance and Structures which may matter so some of these projects may have CLA's Which may undermine the usefulness of the AGPL and could be objectionable on their own right the fact remains that they do all Publish AGPL versions that are affordable under that license so Also forgot to mention the searching for repositories on github that are licensed under the AGPL Returns seventy thousand and three results Excluding known forks. So why and when to use the AGPL People often write free software take a copy of that software because they want the code to be shared right so it was a rude awakening when technology developed such that companies were able to take that code and Run services including modified versions of that software without providing the source code as copy left would normally require you to do Many businesses were also bothered by this and not just individual developers Because it's sort of a betrayal of the copy left bargain and undermine that sense of shared purpose that I talked about at the very beginning You can see that this is a very moderate recommendation of the AGPL. It says We recommend using the new affair of GPL as a license for programs often used on servers The reason this is a very mild Recommendation for a specific situation is because we want to be very careful not to over promise what the AGPL can achieve Because there are so many freedom and ethical issues involved in network services and computing on the network That are about more than the license of the software So we want to be careful about that, but I would still you know personally argue for a very expansive definition of Programs often used on servers because a program that today doesn't seem to be useful on a server Can very easily turn out next year to be a part of someone's server offering and that that happened in the past He would have thought that you knew units was a program that would be used on a server But now most search engines if you type something into the search bar about a conversion will return a result you know inches to centimeters and Likely that many of those are using a program like units on the back end So but to understand this a little bit better. I like to start with what the AGPL does not help with I mentioned that basket of issues that relate to network freedom So even if the software is AGPL if it's on someone else's server and you don't have access to that You don't have the ability to add your own to make your own modifications on that server You still don't have freedom right the server operator has freedom. You don't have Freedom it doesn't solve the problem of service as a software substitute or sorry So yeah service as a software substitute if you're using somebody else's server to edit your photos make your documents You still don't have control over the software that you're using to do those things similarly the AGPL does not ensure that the Server operator will do a good job keeping up with security patches Does not ensure that the server operator will not do other sorts of bad things like run a program that logs all the traffic on the server totally separate from the AGPL work And do something bad with your data So this license is not going to help with with those things And it's not going to stop big companies from running your software because like any free software license which restricts freedom zero And allows commercial activity Part of the bargain it allows other people to use that work commercially The benefit is it's reciprocal And the potential is always there for other people to do the same thing What the AGPL does help with Portability and decentralization So a lot of the problems that we face in the current network world have to do with monopolies and silos, you know the facebook's Of the world AGPL is part of the solution for addressing this because it allows multiple operators To run the same platform users can move from one to the other when they don't like particular bits of bad behavior in each place The night has put this on the doesn't help with this But I think the AGPL Can help with these things It can help with security because if we believe that free software is a precondition to Genuine security Then a server operator that publishes their source code and invites people to inspect it and accepts patches That applies them should be in a better security position than a server operator that does not do that Likewise other kinds of bad behavior bad privacy policies Can be checked by the decentralization and silo effect because if users Don't like facebook's new privacy policy and they have the option to move to another Facebook like thing with all of their data They would be able to do that and just like free software In the traditional sense checks distribution of malware Or inclusion of malware the same thing can happen on the network So it does help with those things We just need to be very careful not to over promise that it solves for them because other steps are required Security patches have to be applied You know and there has to be options to get the data out not just the software, etc and Don't forget that using hvl means you're you're contributing free software back to the community and and step away from assessing That one service and remember that free software can be repurposed And other ways beyond what it was originally written for So anybody who is publishing their code under the hvl is already doing a positive thing Even if they're not providing the best data portability or something like that because they're making an active contribution to the free software community They're respecting their users And that helps advance free software as a whole So Critics of the hvl who might disagree with some of these things. Well, uh, some argue that the hvl is too strong How many people have seen this policy before cat Well, it doesn't get much clearer Google's policy it says Warning code licensed under the canoe frail general public license may not be used At google may not in capitals The reason seems to be because They are worried that the hvl is so potentially strong or expansive that it could force them to accidentally have to publish unpublished software or Publish proprietary software under a free license But it goes so far as to say do not install hvl license programs on your workstation Google issue of laptop or a google issued phone without explicit authorization So don't even think about next cloud, you know, don't even think about any of those programs that we listed before But it goes a little bit deeper than this. So in fact, uh, google employees have Directly asked authors of hvl programs to re-license their work. This is a quote from joey hess Somebody that I look up to you Quite a bit in free software. He's done a lot of amazing work Saying that he's been approached several times By google employees who would like to use the software asking him to change the license This doesn't mean that this is an official google policy or that these people were acting with uh, you know under the direction of somebody But google employees apparently asked him to use Also to google's credit and these employees credit They were asking him to switch to the gpl which is still a copy of that license Rather than to a lax permissive license, but Still it's pressure against A clause which accomplishes important things for user freedom. So I also read this policy as a challenge to software developers out there That's part of why google google's policy says there risks outweigh the benefits So I take this as a challenge for everybody to write more and better software under the agpl Make those benefits greater and make these policies have to be reconsidered On the other side we have the agpl is too weak So a little moggo tb joke moggo tb Has come around, you know, they're they're feeling they've been a very important and popular agpl project for quite a while And they've recently decided that they think they need a new license the server side public license Because they Think that enforcement of the agpl against people they think are violating it would be too expensive and difficult And if you look at the wording of the new license, they seem to want more Of the software related to the application to have to be released I'll talk more about that in a second But fundamentally this seems to be an argument throughout the agpl is too weak too too weak because it's difficult to enforce Or too weak because it doesn't have a strong enough copy left clause to require publication of more of the key elements So they feel that some competitors or people are taking away their business by offering a moggo tb in a service setting without Having to contribute back So that gives us a few It's not just moggo tb. There's been a couple others That are publishing new licenses or new license clauses In order to try to address competition from what they call, you know cloud offerings The server side public license still wants to be a free license It's been submitted to osi for approval osi except for still Discussing the license But their goal seems to be to still have a free and open license Uh ubos and redis took a different approach. They are very upfront in saying that their versions are to address some similar issues are not free They're both essentially non-commercial clauses so In ubos's case the personal public license says that you need to ask for permission as an organization to use the software as an individual You can continue to use it under the gpl And redis as chris talked about earlier uses the commons clause plus the patchy to essentially make a Uh non-commercial requirement so You know, we can see that one of the main reasons that some some people out there don't want you to use the hpl for your software is because They might want to use your software And using your hpl software might require them to release some of their proprietary or unreleased software, which is often Uh services software substitute Another reason is that the hpl isn't working well enough for helping them make money So, you know besides the fact that I think some of these criticisms are Um questionable on face. There's also the issue of having different goals And so, you know, this is our goal, right? We're trying to make a world where all software is free software You just can do everything they need to do with free software And at the same time we're working on on developing, you know, what are the standards for Freedom on the network Just like we have the four freedoms for free software I think there are successful business models under the hpl and I enjoy discussing them but Those business models need to be framed within the ground rules That respect this uh larger goal They also on the other side need to respect freedom zero and this is Um why I think the afero clause didn't go Further to begin with is because the freedom to run software on your own server Um without being forced to publish things Uh is part of freedom zero and we have to find, you know, that balance that intersection where it's uh makes sense to Ask server operators to contribute code back when they are actually They're not distributing but they are offering a public service or service to customers And the, you know, dystopian opposite of Forcing you to publish your thoughts or to, you know, publish your software Just because you wrote it and have it on your hard drive like that's that's not right either Right, so we have to to navigate between those two things On the enforcement topic all I want to say is that uh, you know, any license With a copy of the clause is going to require enforcement in order to make it effective We hope that all enforcement will be done in accordance with the Principles of community oriented gpl enforcement, which I think work just as well for the agpl And You know, I'm not sure that adding more requirements to a license is a way to address enforcement concerns Um, I think companies should be first of all funding the enforcement efforts done by nonprofits Uh, the enforcement done by conservancy by the fsf helps create a norm and a culture Where people follow the licenses and that will benefit, you know, other copy left holders as well And I think companies should consider Working with nonprofits or reconsider the model of whether they have to be the copyright owners of the software Just because they're generating a business around it. Those two things don't necessarily have to be To go together and I think there's companies out there that uh That have viable business models around software. They don't hold the copyright to you. That's free software. That's part of the point, right? So I'm gonna ask you to help um and several ways here, you know, first of all freedom first money second Like I said, you know Thanks We got to you we got three we have a movement, right? Yeah, uh, we want commercial activity to be welcome in the free software community. It's important In fact, you know attempts to prohibit commercial activity is against the principles of software freedom But the ground rules for respecting freedom are just that they're the ground rules Money comes after that challenge is to find ways to have viable businesses within those parameters And don't forget that it's those ground rules that created all the software to begin with And so it gets suspicious when people try to kick the ladder away Take what was created and then follow different rules going forward Use the hpl v3 for your software or any later version if you don't trust the fsf You can specify a proxy option who can make the decision But as I was alluding to earlier if there are issues and we do need to release new issues of license It's helpful if you have already given permission to go along with that Or given an organization permission to make the decision about whether a new version of license published is good for the project Use the snazzy logo Be visible like I said if you're out there using the hpl using hpl software or even better writing it Talk about that Participate in some of the comment threads that are out there arguing about licensing choices and please if your employer Has a licensing policy or a product that's licensed in a way that's inconsistent where the copy left license are with the agpl Please don't go to projects and ask the projects to change their license so that you can use them at work Um, I know it's awesome to use free software at work And we want everybody to be able to do that and I have deep empathy for that But try to change your employer's licensing policy Rather than asking every free software project to become a permissible licensed project so that it can be used in the product that you're working on And fork when necessary And thanks to chris for being part of the effort chris lamb for being part of the effort on that with The commons clause redis labs modules Here's a pipe dream of mine choose a license.com. Can we get agpl on the front page? Here's my first stab it suggests a text that fits in with the other licenses that are listed there It is a qualitatively different license That addresses different concerns that are currently addressed by any of the offerings that are there now Also, I just noticed today that apache is no longer on the front page I don't know when that happened Uh, but this one talked about self fulfilling prophecies earlier Um, choose a license.com Is really, you know, has a big influence on what licenses people choose for their project one of the first things they see We're here to help you I admitted at the beginning that we haven't done as much as we could have But we are here to help and if you have questions about the agpl Uh, please write to us licensing at fsf.org Thank you I think I want them at time, right? We got a couple minutes for questions Way in the back So it's an opportunity for me to work out Hey, uh, thanks for the talk. What's your opinion on lesser a cheap ale or la cheap ale? I mean, it's not like official license, but I see pretty often Yeah, I um, I think that uh, that's uh I'm I personally think it's a good idea and I would like to see us Um, get some of the people who have also told me that they think it's a good idea I would like to get some of the people together And start talking about how to move forward with With it And what kind of drafting process might be appropriate? Hi, thanks for your talk Are there measures in agpl to force or at least encourage network operators to be transparent about the changes they made They make on the the software that they are serving to the customers like as a software user As a like a mastodon user, how can I know that? That's the network operator has changed the software in the server Can agpl help me in that with this? um, so Not just by being a license There may be some sort of technical things you can build in if you're the author of an agpl Program some technical things you may be able to build in to help you recognize What software has been altered, but that kind of gets back to that list of things the agpl doesn't Solve you're still trusting the software operator um, but you know, that's not that different to me than gpl compliance in general because How many of us get a binary and then get what a company claims to be source code and sort of assume they're the same thing We and without reproducible builds you can't 100 percent verify That either so it's kind of a similar dynamic I know as if you were able to get a legal process to start then there would be legal tools available to You know find out what was actually running on the Server so at some point that information would would become known But yeah up front No, whatever the server they have total control of the software. So you put some hash there. They could just change the hash Okay, two questions Recently saw That program that was proprietary for a long time became realized under the agpl So there are still people Who are used the license? Yeah, that's a very do you remember the project? Awesome Good news is always nice really quick question because they promise one last one one second Thank you. Uh, when I've tried to use the agpl The legal counsel I've received is that the redistribution clause the copy left clause Is too vague and it's hard to figure out the parameters around when it applies and in reading it looks like that was Some people see that as one of the goals of the license is to keep that really vague and and potentially expansive to the point where the micro blog Or the static page generator you mentioned it was the content that's that's written in that system under the agpl How how can we describe Where the limits are so that we can reduce that fud and help people feel comfortable using it feeling like it's That they can understand the consequences Yeah, I I understand where that's coming from and I think that one of the things that we need is a better So right now we have a few questions about the agpl in the gpl f aq And I think we need to build out a more developed list of questions about the agpl specifically Um, again, some of these questions are very similar to the questions about what what makes a derivative work When you're distributing something covered under the gpl that you've modified and the fsf does want to help people Does want to help people get a clear understanding about that Um, there's also, you know, it's to be fair only so far that we should go in helping proprietary software makers Understands how far they can go with proprietary incorporation Before the copy that provisions trigger Uh, but it's not intentionally being vague. It's just you know, we have we have to focus on our priorities for what our mission is All right, let's thank john