responses to licensing discussion - Mailing list pgsql-general

Thanks to all for their thoughts and comments on the proposed
license language I posted yesterday.  I'll try and respond to all
the points I heard in this one mail, rather than fill everyone's
inbox with more replies.  And I'm also sending this only to
-general, to cut down on cross-posting...

Two major concerns that a lot of people seem to have are the
Virginia jurisdiction question and the line about seeing the license
before you can download/install/etc.  These both relate to the UCITA
statute, which as Rusty said in his introduction, is intended to
exempt you the developers from any future liability by people using
PostgreSQL.  (Well, actually it was written to exempt commercial
developers, but the same protections apply to open source
hackers...)  I know there's a lot of FUD out there about UCITA, and
there may even be some legitimacy to some of the consumer end-user
fears about what evil Microsoftish companies might do to people that
buy their software (er, that is, *rent* their software).  But the
reason we're so interested in applying UCITA protections to
PostgreSQL developers is that, duh, we plan on contributing to the
code base as well, and we don't want to get sued.  As someone
mentioned in an earlier post, the bad guys (Oracle, MS, etc.) will
increasingly see PostgreSQL as a threat - it just seems prudent, and
in everyone's interest, to tighten up what a number of legal eagles
have observed to be liability risks for the developers.  So I'll
take each of the two points separately:

The non-US folks, who I'll grant may well be a majority ;-), are
concerned about the jurisdiction in Virginia.  The reason we suggest
this is that *naming* a jurisdiction is better than leaving it empty
- any lawyer will tell you that - so you try and claim jurisdiction
somewhere you think will be friendly to the people you want to
protect.  With all due respect to the rest of the world, the UCITA
provisions in Virginia and Maryland, soon to make their way across
the rest of the US, lead the world in protecting developers from
liability - and that's our goal.  Without a specified jurisdiction,
the aggrieved party can shop around for where *he* thinks he has the
best shot of screwing you.  Chris Bitmead said he's "not bound by"
UCITA, but that's not the point ... we're trying to bind the users,
who might decide to try and sue him.  That chose of
law/jurisdiction, BTW, is different from choice of *venue* - Sevo
Stille worried that he might have to travel to Virginia for his day
in court.  The two things are separate.

On a related note, if PostgreSQL is being marketed in the US, it
will be subject to US law - regardless of where the project says
it's "based."  Did anyone see the BBC report that Microsoft was
going to move to Canada to escape US antitrust action?  Despite
being totally false (but funny), it also wouldn't have mattered for
the same reason- Microsoft products sold in the US would be subject
to US law, regardless of where the company was based.

The second point, forcing a click-through or some other mechanism
before a user downloads/installs the software, gets at the same
issue.  As a developer, you only get the protection of UCITA if the
user *agrees* to the license... right now, just having it in the
tarball or on the CD doesn't meet that test.  There needs to be some
proactive mechanism that signifies user acceptance of the terms, or
else the license is just words.  The recent passage in the US of
digital signature legislation affirms the various mechanisms by
which you can do that.

Some other threads that I'll try and respond to:

BSD vs. GPL:  As per usual, there's a great deal of misinformation
out there about what exactly the GNU Public License does.  For
starters, for all of you who are concerned about lawyerliness,
length, etc., have you ever read the dang thing?
(http://www.opensource.org/licenses/gpl-license.html)  It's also
worth noting that the GPL has not yet had its day in court - and
there are a fair number of legal experts out there who say that it
might not hold up.  To us at Great Bridge, the BSD language is much
more likely to survive the next few years.  I said in my first note
that we want to make sure the code to PostgreSQL stays open in
perpetuity; several people said, well, GPL does that, so why don't
you go GPL?  The answer is, we're not trying to be GPL - as several
of the CORE members reiterated.  We think this is still very much a
BSD license, and I guess at some point, we ought to drag the OSI
into it to get their view.  I agree with those who have said the
last thing the world needs is another open source license.  The
Mozilla PL, and its imitators such as our friends at Interbase, are
one good argument there (blecch-
http://www.mozilla.org/MPL/MPL-1.0.html).

Previous contributions:  A couple of people asked, ok, so this is a
proposed solution for future code contributions - what about the
existing stuff?  We'd suggest that anyone who is currently
contributing patches could say, in effect, "this goes retroactively
for everything else I've committed in the past" - which granted
wouldn't get us all the way there, but probably close to 80%.
Again, the goal is indemnifcation of the developers who aren't
coverered as Berkeley-era contributors.  Our lawyers tell us this is
do-able if people want to do it.  Thoughts?

Finally, a note to all of those who might be suspicious of Great
Bridge's role in all of this.  Clearly we have an agenda - we want
to make sure that in addition to its technical near-parity with
Oracle et al (getting nearer every day), PostgreSQL has the business
underpinning to survive in the commercial world.  Or better yet,
survive at the intersection of the open source and commercial
worlds.  We believe, as an article of faith, that PostgreSQL and
other open source projects are only going to get better, and eclipse
their closed/proprietary counterparts in performance, functionality,
user base, etc.  We intend to build a business that will further and
support that process - and we have every intention of being
responsible, proactive members of the open source community in so
doing.  We're not asking you to trust us, to take our word for
anything, etc.; we realize that we'll have to prove ourselves, as
hackers *and* as marketers before anyone necessarily believes a word
we say.  But we are asking you to keep an open mind, and not to jump
to conclusions about us.

In the spirit of open source, we've started this discussion as kind
of a proposed "legal patch" - and seriously encourage as much
qualified peer review as is possible.  So I'd second Tom Lane's
suggestion that other people's lawyers look at this- particularly
those of you outside the US.  But remember that all things being
equal, the lawyers (hisss....) are in fact the equivalent of the
hackers here.  Just as you wouldn't expect them to comment
intelligently on your code, the arcana of license agreements (and to
a lesser extent, copyrights) are their domain - and it will be other
peoples' lawyers that make trouble in the future, if there ever is
any.  So I'd urge everyone to take a deep breath and let's get as
much *qualified* comment on this as we can.  Also, if anyone wants
to talk lawyer to lawyer to our corporate counsel, I'd be happy to
arrange that; please contact me privately off-list.

Thanks,
Ned