Thread: Clarifications of licences on pgfoundry

Clarifications of licences on pgfoundry

From
Simon Riggs
Date:
I notice that there are more than a few projects on pgfoundry that are
marked as "BSD licence" but then the project files don't contain any
mention of the licence details. In some cases, projects are also clearly
marked Copyright of people or organizations.

For example, pg_batch is clearly marked "BSD licence", yet the docs and
many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
TELEPHONE CORPORATION".

pg_lesslog does contain a BSD-looking licence in the COPYRIGHT file, but
is also marked with copyrights.

My understanding is that we had a policy of copyright novation to the
PGDG. Is that not followed up for pgfoundry projects? I think we should
move to a policy of explicit licencing.

In the absence of a licence file, when a project is marked "BSD licence"
on pgfoundry I think it is safe to presume that the licence for those
files is the same as PostgreSQL's licence.

-- Simon Riggs           www.2ndQuadrant.com



Re: Clarifications of licences on pgfoundry

From
Dave Page
Date:
On Tue, May 18, 2010 at 6:57 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
>
> I notice that there are more than a few projects on pgfoundry that are
> marked as "BSD licence" but then the project files don't contain any
> mention of the licence details. In some cases, projects are also clearly
> marked Copyright of people or organizations.

I agree that projects should make their licence clear. Gurjeet and I
were just talking about this in relation to Slony, which has only a
copy of the PostgreSQL licence tucked away in an SGML file in the guts
of the tarball, with no text at all to say it's the licence used for
Slony, and not just for PG.

> For example, pg_batch is clearly marked "BSD licence", yet the docs and
> many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
> TELEPHONE CORPORATION".

Don't mix up copyright and licence. They are not the same thing at all.

> pg_lesslog does contain a BSD-looking licence in the COPYRIGHT file, but
> is also marked with copyrights.
>
> My understanding is that we had a policy of copyright novation to the
> PGDG. Is that not followed up for pgfoundry projects? I think we should
> move to a policy of explicit licencing.

No - pgFoundry projects are licenced and copyright-attributed as their
authors see fit (as long as it's an open source licence of course).

> In the absence of a licence file, when a project is marked "BSD licence"
> on pgfoundry I think it is safe to presume that the licence for those
> files is the same as PostgreSQL's licence.

The PostgreSQL Licence is not the same as any of the BSD variants, so
that is not a safe presumption to make.

-- 
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company


Re: Clarifications of licences on pgfoundry

From
Simon Riggs
Date:
On Tue, 2010-05-18 at 07:53 +0100, Dave Page wrote:

> > For example, pg_batch is clearly marked "BSD licence", yet the docs and
> > many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
> > TELEPHONE CORPORATION".
> 
> Don't mix up copyright and licence. They are not the same thing at all.

I didn't mix those things up, I just used them in the same sentence.
They are two aspects of "ownership" and appear to offer conflicting
messages, which is a concern to some users.

> > pg_lesslog does contain a BSD-looking licence in the COPYRIGHT file, but
> > is also marked with copyrights.
> >
> > My understanding is that we had a policy of copyright novation to the
> > PGDG. Is that not followed up for pgfoundry projects? I think we should
> > move to a policy of explicit licencing.
> 
> No - pgFoundry projects are licenced and copyright-attributed as their
> authors see fit (as long as it's an open source licence of course).

Yes, are they open source licences?

> > In the absence of a licence file, when a project is marked "BSD licence"
> > on pgfoundry I think it is safe to presume that the licence for those
> > files is the same as PostgreSQL's licence.
> 
> The PostgreSQL Licence is not the same as any of the BSD variants, so
> that is not a safe presumption to make.

If, as you say, the licence is unclear then whether-or-not it is an open
source licence must also be unclear.

The copyright holders can change the licence in future as they see fit,
as we've witnessed on other formerly open source projects.

Since the licence is unclear now and the future is subject to change, I
think its safe to say that those projects are fairly unsafe for open
source users.

I'm sure the various other Telco companies out there don't want to hear
that they are using software that NTT might decide in the future to
contest as to whether it was open source or not. Nothing against NTT,
though the principle is clear and effects everything on pgfoundry.

That puts a fairly large hole in recommending that people visit
pgFoundry. That either needs to fixed or users will no longer be able to
trust PgFoundry.

-- Simon Riggs           www.2ndQuadrant.com



Re: Clarifications of licences on pgfoundry

From
Dave Page
Date:
On Tue, May 18, 2010 at 9:06 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> On Tue, 2010-05-18 at 07:53 +0100, Dave Page wrote:
>
>> > For example, pg_batch is clearly marked "BSD licence", yet the docs and
>> > many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
>> > TELEPHONE CORPORATION".
>>
>> Don't mix up copyright and licence. They are not the same thing at all.
>
> I didn't mix those things up, I just used them in the same sentence.
> They are two aspects of "ownership" and appear to offer conflicting
> messages, which is a concern to some users.

No, copyright is about ownership. The licence is a right granted by
the copyright holders to other to govern their *use* of the code.

>> No - pgFoundry projects are licenced and copyright-attributed as their
>> authors see fit (as long as it's an open source licence of course).
>
> Yes, are they open source licences?

All the options on pgFoundry are, yes.

>> The PostgreSQL Licence is not the same as any of the BSD variants, so
>> that is not a safe presumption to make.
>
> If, as you say, the licence is unclear then whether-or-not it is an open
> source licence must also be unclear.

Not at all. If it's listed on www.opensource.org, then a licence is
"open source". Why do you think I busted a gut to get the PostgreSQL
licence approved when we realised it wasn't BSD?

> The copyright holders can change the licence in future as they see fit,
> as we've witnessed on other formerly open source projects.
>
> Since the licence is unclear now and the future is subject to change, I
> think its safe to say that those projects are fairly unsafe for open
> source users.

That is the case for *anything*. We could change the PostgreSQL
licence if we wanted, but it would take a huge amount of effort and
approval of every contributor ever whose work could be considered an
artistic contribution.

With PostgreSQL we rely on the sheer number of contributors to ensure
the licence will never actually change. We cannot have such a
guarantee for most smaller projects of course - simply attributing
copyright to a non-existent legal entity such as PGDG (or as I
understand it, even an actual entity) doesn't actually change who
legally owns the copyright.

To get the protection I think you seek, I believe we'd need to create
a legal entity to own the copyright and then have every contributor to
anything on pgFoundry sign a copyright assignment agreement that
grants the legal entity copyright on the current and all future
versions of that work, as hosted on there. And even then, there's no
guarantee that the legal entity couldn't be bought or change it's
charter, unless there's some way to irrevocably build things into its
statutes.

Of course, as you know I'm not a lawyer but have spent a fair bit
of^W^W^Wfar too much time talking to them about this sort of stuff, so
I at least *think* I know what I'm talking about :-)

-- 
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company


Re: Clarifications of licences on pgfoundry

From
Simon Riggs
Date:
On Tue, 2010-05-18 at 09:33 +0100, Dave Page wrote:

> >> No - pgFoundry projects are licenced and copyright-attributed as their
> >> authors see fit (as long as it's an open source licence of course).
> >
> > Yes, are they open source licences?
> 
> All the options on pgFoundry are, yes.
> 
> >> The PostgreSQL Licence is not the same as any of the BSD variants, so
> >> that is not a safe presumption to make.
> >
> > If, as you say, the licence is unclear then whether-or-not it is an open
> > source licence must also be unclear.
> 
> Not at all. If it's listed on www.opensource.org, then a licence is
> "open source". Why do you think I busted a gut to get the PostgreSQL
> licence approved when we realised it wasn't BSD?

Dave, this is important and so this thread must have a clear resolution,
so we must stick to a single point and be clear about our logic and our
statements.

You're saying these two things, I think, or if you or anybody else
disagrees, please so clearly.

* When project realised that the PostgreSQL licence wasn't actually a
BSD licence, that PostgreSQL was clarified to be the TPL, yet pgfoundry
was not covered by that clarification for some reason.

* In the absence of any licence text in any of the files of a project on
a certain date, then if the project is advertised on PgFoundry on that
date as having a "BSD licence" then the software will be covered by 
http://www.opensource.org/licenses/bsd-license.php 

-- Simon Riggs           www.2ndQuadrant.com



Re: Clarifications of licences on pgfoundry

From
Greg Stark
Date:
On Tue, May 18, 2010 at 4:06 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> If, as you say, the licence is unclear then whether-or-not it is an open
> source licence must also be unclear.

I would suggest you, or anyone else who notices, open bugs on any
packages you want to use for which you find no LICENSE file matching
the license asserted in pgfoundry.

Are there so many that we need a more organized mass effort? Do we
need automated checks for this?

> The copyright holders can change the licence in future as they see fit,
> as we've witnessed on other formerly open source projects.

This is always true. The protection open source licenses have for this
is that they're irrevocable. So while NTT could stop releasing future
work under an open source license, the code which was already released
would still be available under the license it was released under and
anyone who wants to could pay anyone willing to support it without
asking NTT for permission.

The question that arises then is whether pgfoundry archives the source
it has in a way that the project maintainer can't delete. If an author
decides to stop releasing a package and deletes the source from
pgfoundry can we get the last version they released from pgfoundry and
put it back up as an orphaned project or with a new set of
maintainers? As long as we have the infrastructure to do that
conveniently I think we're protected against this danger.


-- 
greg


Re: Clarifications of licences on pgfoundry

From
Dave Page
Date:
On Tue, May 18, 2010 at 9:59 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> Dave, this is important and so this thread must have a clear resolution,
> so we must stick to a single point and be clear about our logic and our
> statements.

OK. I thought you were talking about copyright and licences though.

> You're saying these two things, I think, or if you or anybody else
> disagrees, please so clearly.
>
> * When project realised that the PostgreSQL licence wasn't actually a
> BSD licence, that PostgreSQL was clarified to be the TPL, yet pgfoundry
> was not covered by that clarification for some reason.

No. The licences never changed on anything - all we did was get it
approved by the OSI, and clarify our *naming* of the licence in
PostgreSQL (and pgAdmin). It's entirely up to the maintainers of each
project on pgFoundry to decide whether the licence text or the licence
name is what they intend, and to carify accordingly for their
projects.

> * In the absence of any licence text in any of the files of a project on
> a certain date, then if the project is advertised on PgFoundry on that
> date as having a "BSD licence" then the software will be covered by
> http://www.opensource.org/licenses/bsd-license.php

Yes, I believe that is a fair and safe assumption.



-- 
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company


Re: Clarifications of licences on pgfoundry

From
Simon Riggs
Date:
On Tue, 2010-05-18 at 06:32 -0400, Greg Stark wrote:
> On Tue, May 18, 2010 at 4:06 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> > If, as you say, the licence is unclear then whether-or-not it is an open
> > source licence must also be unclear.
> 
> I would suggest you, or anyone else who notices, open bugs on any
> packages you want to use for which you find no LICENSE file matching
> the license asserted in pgfoundry.

I'm not personally going to do this, though I will point out to people
the dangers of imprecisely licenced software when they ask.

> Are there so many that we need a more organized mass effort? Do we
> need automated checks for this?

I would say so. 

> > The copyright holders can change the licence in future as they see fit,
> > as we've witnessed on other formerly open source projects.
> 
> This is always true. The protection open source licenses have for this
> is that they're irrevocable. So while NTT could stop releasing future
> work under an open source license, the code which was already released
> would still be available under the license it was released under and
> anyone who wants to could pay anyone willing to support it without
> asking NTT for permission.
> 
> The question that arises then is whether pgfoundry archives the source
> it has in a way that the project maintainer can't delete. If an author
> decides to stop releasing a package and deletes the source from
> pgfoundry can we get the last version they released from pgfoundry and
> put it back up as an orphaned project or with a new set of
> maintainers? As long as we have the infrastructure to do that
> conveniently I think we're protected against this danger.

Well, whoever runs pgfoundry.org gets to make that decision. They may
choose how they respond if someone says "I request X, in the name of
PostgreSQL and open source, ...". 

There may or may not keep archived copies. If they just keep a latest
backup, then once the developer quietly deletes stuff then its gone
forever. Who could monitor that to make sure it never takes place??

-- Simon Riggs           www.2ndQuadrant.com



Re: Clarifications of licences on pgfoundry

From
Peter Geoghegan
Date:
> That is the case for *anything*. We could change the PostgreSQL
> licence if we wanted, but it would take a huge amount of effort and
> approval of every contributor ever whose work could be considered an
> artistic contribution.

I doubt it. Do you think that every single contributor is contactable?
Haven't some died? My guess is that it would be completely impossible.

> With PostgreSQL we rely on the sheer number of contributors to ensure
> the licence will never actually change. We cannot have such a
> guarantee for most smaller projects of course - simply attributing
> copyright to a non-existent legal entity such as PGDG (or as I
> understand it, even an actual entity) doesn't actually change who
> legally owns the copyright.
>
> To get the protection I think you seek, I believe we'd need to create
> a legal entity to own the copyright and then have every contributor to
> anything on pgFoundry sign a copyright assignment agreement that
> grants the legal entity copyright on the current and all future
> versions of that work, as hosted on there. And even then, there's no
> guarantee that the legal entity couldn't be bought or change it's
> charter, unless there's some way to irrevocably build things into its
> statutes.

IANAL, but I know that there was a similar situation when Trolltech
still existed and controlled the Qt framework. It was dual licensed
GPL2/proprietary (it is now dual LGPL/proprietary). Contributors were
required to sign reams of paperwork, which had to be sent out by fax
(I'm not sure why), to assign the copyright to Trolltech. Thankfully,
that situation has changed under Nokia - contributors retain the
copyright, and there is minimal red tape. Contributors are now asked
to grant Qt Software a non-exclusive right to re-use code as a part of
Qt, the first time they submit code for inclusion.

Regards,
Peter Geoghegan


Re: Clarifications of licences on pgfoundry

From
Andrew Dunstan
Date:

Simon Riggs wrote:
> That puts a fairly large hole in recommending that people visit
> pgFoundry. That either needs to fixed or users will no longer be able to
> trust PgFoundry.
>
>   

pgFoundry is a resource we provide the community. The projects there are 
the responsibility of their individual owners. We are not going to start 
being the license police. I at least have neither the time to do that 
nor any interest in doing it. If people want to use what is on pgFoundry 
then it is up to them to make sure it has whatever licence meets their 
requirements.

What we should do is add the PostgreSQL license to the list of available 
licenses and make sure it is the default for new projects.

cheers

andrew


Re: Clarifications of licences on pgfoundry

From
Stefan Kaltenbrunner
Date:
On 05/18/2010 07:32 AM, Andrew Dunstan wrote:
> 
> 
> Simon Riggs wrote:
>> That puts a fairly large hole in recommending that people visit
>> pgFoundry. That either needs to fixed or users will no longer be able to
>> trust PgFoundry.
>>
>>   
> 
> pgFoundry is a resource we provide the community. The projects there are
> the responsibility of their individual owners. We are not going to start
> being the license police. I at least have neither the time to do that
> nor any interest in doing it. If people want to use what is on pgFoundry
> then it is up to them to make sure it has whatever licence meets their
> requirements.

I agree there - pgfoundry is just the resource provider, we are not a
licence police (and given that none of the pgf admins is an actual
lawyer there is no sense in even trying).
People wanting to get some sort of "indemnification" or whatever need to
look into commercial providers (or use distribution provided packages
for stuff because those are usually very well checked for licence stuff
in all major linux distributions).


> 
> What we should do is add the PostgreSQL license to the list of available
> licenses and make sure it is the default for new projects.

I can look into that...


Stefan


Re: Clarifications of licences on pgfoundry

From
Simon Riggs
Date:
On Tue, 2010-05-18 at 07:32 -0400, Andrew Dunstan wrote:
> 
> Simon Riggs wrote:
> > That puts a fairly large hole in recommending that people visit
> > pgFoundry. That either needs to fixed or users will no longer be able to
> > trust PgFoundry.
> >

> pgFoundry is a resource we provide the community. The projects there are 
> the responsibility of their individual owners. We are not going to start 
> being the license police. I at least have neither the time to do that 
> nor any interest in doing it. If people want to use what is on pgFoundry 
> then it is up to them to make sure it has whatever licence meets their 
> requirements.

Agreed, though that significantly lessens the value of that resource for
everybody. If somebody would like to try to improve that by attempting
to improve or police the licencing, it would be appreciated.

> What we should do is add the PostgreSQL license to the list of available 
> licenses and make sure it is the default for new projects.

Good idea.

-- Simon Riggs           www.2ndQuadrant.com



Re: Clarifications of licences on pgfoundry

From
Stefan Kaltenbrunner
Date:
On 05/18/2010 09:22 AM, Simon Riggs wrote:
> On Tue, 2010-05-18 at 07:32 -0400, Andrew Dunstan wrote:
>>
>> Simon Riggs wrote:
>>> That puts a fairly large hole in recommending that people visit
>>> pgFoundry. That either needs to fixed or users will no longer be able to
>>> trust PgFoundry.
>>>
> 
>> pgFoundry is a resource we provide the community. The projects there are 
>> the responsibility of their individual owners. We are not going to start 
>> being the license police. I at least have neither the time to do that 
>> nor any interest in doing it. If people want to use what is on pgFoundry 
>> then it is up to them to make sure it has whatever licence meets their 
>> requirements.
> 
> Agreed, though that significantly lessens the value of that resource for
> everybody. If somebody would like to try to improve that by attempting
> to improve or police the licencing, it would be appreciated.

even if somebody steps up and tries to to that - we have hundreds of
projects on pgf and I think it is impossible to do anything that would
actually provide some sort of "guarantee" that the licence stuff is
properly done fore every project which is the only thing that would
prevent you to do your own research or evaluation. However it makes
sense to the the projects you where you ran into an issue about so it
can be fixed (technically this is simply a bug that needs to be reported).

> 
>> What we should do is add the PostgreSQL license to the list of available 
>> licenses and make sure it is the default for new projects.
> 
> Good idea.

done


Stefan


Re: Clarifications of licences on pgfoundry

From
Josh Berkus
Date:
On 05/18/2010 01:57 AM, Simon Riggs wrote:
> I notice that there are more than a few projects on pgfoundry that are
> marked as "BSD licence" but then the project files don't contain any
> mention of the licence details. In some cases, projects are also clearly
> marked Copyright of people or organizations.

yeah, this is due to one of many bugs with gForge.  The submitter is 
required to choose a license on submission of a project request ... but 
that information is then discarded and doesn't end up in the project page.

--                                   -- Josh Berkus                                     PostgreSQL Experts Inc.
                           http://www.pgexperts.com
 


Re: Clarifications of licences on pgfoundry

From
Stefan Kaltenbrunner
Date:
On 05/20/2010 01:58 PM, Josh Berkus wrote:
> On 05/18/2010 01:57 AM, Simon Riggs wrote:
>> I notice that there are more than a few projects on pgfoundry that are
>> marked as "BSD licence" but then the project files don't contain any
>> mention of the licence details. In some cases, projects are also clearly
>> marked Copyright of people or organizations.
> 
> yeah, this is due to one of many bugs with gForge.  The submitter is
> required to choose a license on submission of a project request ... but
> that information is then discarded and doesn't end up in the project page.

huh? that does not make any sense at all - the licence the submitter
chooses _IS_ displayed on the main overview page of the project (see for
example: http://pgfoundry.org/projects/pgbouncer/).


Stefan


Re: Clarifications of licences on pgfoundry

From
Josh Berkus
Date:
> huh? that does not make any sense at all - the licence the submitter
> chooses _IS_ displayed on the main overview page of the project (see for
> example: http://pgfoundry.org/projects/pgbouncer/).

That doesn't happen automatically -- after acceptance, the project owner 
needs to select a license a second time.  That's why so many projects 
have no license.


--                                   -- Josh Berkus                                     PostgreSQL Experts Inc.
                           http://www.pgexperts.com
 


Re: Clarifications of licences on pgfoundry

From
"Andrew Dunstan"
Date:
On Thu, May 20, 2010 3:06 pm, Josh Berkus wrote:
>
>> huh? that does not make any sense at all - the licence the submitter
>> chooses _IS_ displayed on the main overview page of the project (see for
>> example: http://pgfoundry.org/projects/pgbouncer/).
>
> That doesn't happen automatically -- after acceptance, the project owner
> needs to select a license a second time.  That's why so many projects
> have no license.
>


How to do that is far from clear.

cheers

andrew