Thread: Clarifications of licences on pgfoundry
I notice that there are more than a few projects on pgfoundry that are marked as "BSD licence" but then the project files don't contain any mention of the licence details. In some cases, projects are also clearly marked Copyright of people or organizations.

For example, pg_batch is clearly marked "BSD licence", yet the docs and many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND TELEPHONE CORPORATION".

pg_lesslog does contain a BSD-looking licence in the COPYRIGHT file, but is also marked with copyrights.

My understanding is that we had a policy of copyright novation to the PGDG. Is that not followed up for pgfoundry projects? I think we should move to a policy of explicit licencing.

In the absence of a licence file, when a project is marked "BSD licence" on pgfoundry I think it is safe to presume that the licence for those files is the same as PostgreSQL's licence.

--
Simon Riggs www.2ndQuadrant.com
On Tue, May 18, 2010 at 6:57 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
>
> I notice that there are more than a few projects on pgfoundry that are
> marked as "BSD licence" but then the project files don't contain any
> mention of the licence details. In some cases, projects are also clearly
> marked Copyright of people or organizations.

I agree that projects should make their licence clear. Gurjeet and I were just talking about this in relation to Slony, which has only a copy of the PostgreSQL licence tucked away in an SGML file in the guts of the tarball, with no text at all to say it's the licence used for Slony, and not just for PG.

> For example, pg_batch is clearly marked "BSD licence", yet the docs and
> many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
> TELEPHONE CORPORATION".

Don't mix up copyright and licence. They are not the same thing at all.

> pg_lesslog does contain a BSD-looking licence in the COPYRIGHT file, but
> is also marked with copyrights.
>
> My understanding is that we had a policy of copyright novation to the
> PGDG. Is that not followed up for pgfoundry projects? I think we should
> move to a policy of explicit licencing.

No - pgFoundry projects are licenced and copyright-attributed as their authors see fit (as long as it's an open source licence of course).

> In the absence of a licence file, when a project is marked "BSD licence"
> on pgfoundry I think it is safe to presume that the licence for those
> files is the same as PostgreSQL's licence.

The PostgreSQL Licence is not the same as any of the BSD variants, so that is not a safe presumption to make.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company
On Tue, 2010-05-18 at 07:53 +0100, Dave Page wrote:
> > For example, pg_batch is clearly marked "BSD licence", yet the docs and
> > many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
> > TELEPHONE CORPORATION".
>
> Don't mix up copyright and licence. They are not the same thing at all.

I didn't mix those things up, I just used them in the same sentence. They are two aspects of "ownership" and appear to offer conflicting messages, which is a concern to some users.

> > pg_lesslog does contain a BSD-looking licence in the COPYRIGHT file, but
> > is also marked with copyrights.
> >
> > My understanding is that we had a policy of copyright novation to the
> > PGDG. Is that not followed up for pgfoundry projects? I think we should
> > move to a policy of explicit licencing.
>
> No - pgFoundry projects are licenced and copyright-attributed as their
> authors see fit (as long as it's an open source licence of course).

Yes, are they open source licences?

> > In the absence of a licence file, when a project is marked "BSD licence"
> > on pgfoundry I think it is safe to presume that the licence for those
> > files is the same as PostgreSQL's licence.
>
> The PostgreSQL Licence is not the same as any of the BSD variants, so
> that is not a safe presumption to make.

If, as you say, the licence is unclear then whether-or-not it is an open source licence must also be unclear.

The copyright holders can change the licence in future as they see fit, as we've witnessed on other formerly open source projects.

Since the licence is unclear now and the future is subject to change, I think it's safe to say that those projects are fairly unsafe for open source users.

I'm sure the various other Telco companies out there don't want to hear that they are using software that NTT might decide in the future to contest as to whether it was open source or not. Nothing against NTT, though the principle is clear and affects everything on pgfoundry.

That puts a fairly large hole in recommending that people visit pgFoundry. That either needs to be fixed or users will no longer be able to trust PgFoundry.

--
Simon Riggs www.2ndQuadrant.com
On Tue, May 18, 2010 at 9:06 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> On Tue, 2010-05-18 at 07:53 +0100, Dave Page wrote:
>
>> > For example, pg_batch is clearly marked "BSD licence", yet the docs and
>> > many of the files are marked "Copyright (c) 2010, NIPPON TELEGRAPH AND
>> > TELEPHONE CORPORATION".
>>
>> Don't mix up copyright and licence. They are not the same thing at all.
>
> I didn't mix those things up, I just used them in the same sentence.
> They are two aspects of "ownership" and appear to offer conflicting
> messages, which is a concern to some users.

No, copyright is about ownership. The licence is a right granted by the copyright holders to others to govern their *use* of the code.

>> No - pgFoundry projects are licenced and copyright-attributed as their
>> authors see fit (as long as it's an open source licence of course).
>
> Yes, are they open source licences?

All the options on pgFoundry are, yes.

>> The PostgreSQL Licence is not the same as any of the BSD variants, so
>> that is not a safe presumption to make.
>
> If, as you say, the licence is unclear then whether-or-not it is an open
> source licence must also be unclear.

Not at all. If it's listed on www.opensource.org, then a licence is "open source". Why do you think I busted a gut to get the PostgreSQL licence approved when we realised it wasn't BSD?

> The copyright holders can change the licence in future as they see fit,
> as we've witnessed on other formerly open source projects.
>
> Since the licence is unclear now and the future is subject to change, I
> think it's safe to say that those projects are fairly unsafe for open
> source users.

That is the case for *anything*. We could change the PostgreSQL licence if we wanted, but it would take a huge amount of effort and approval of every contributor ever whose work could be considered an artistic contribution.

With PostgreSQL we rely on the sheer number of contributors to ensure the licence will never actually change. We cannot have such a guarantee for most smaller projects of course - simply attributing copyright to a non-existent legal entity such as PGDG (or as I understand it, even an actual entity) doesn't actually change who legally owns the copyright.

To get the protection I think you seek, I believe we'd need to create a legal entity to own the copyright and then have every contributor to anything on pgFoundry sign a copyright assignment agreement that grants the legal entity copyright on the current and all future versions of that work, as hosted on there. And even then, there's no guarantee that the legal entity couldn't be bought or change its charter, unless there's some way to irrevocably build things into its statutes.

Of course, as you know I'm not a lawyer but have spent a fair bit of^W^W^Wfar too much time talking to them about this sort of stuff, so I at least *think* I know what I'm talking about :-)

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company
On Tue, 2010-05-18 at 09:33 +0100, Dave Page wrote:
> >> No - pgFoundry projects are licenced and copyright-attributed as their
> >> authors see fit (as long as it's an open source licence of course).
> >
> > Yes, are they open source licences?
>
> All the options on pgFoundry are, yes.
>
> >> The PostgreSQL Licence is not the same as any of the BSD variants, so
> >> that is not a safe presumption to make.
> >
> > If, as you say, the licence is unclear then whether-or-not it is an open
> > source licence must also be unclear.
>
> Not at all. If it's listed on www.opensource.org, then a licence is
> "open source". Why do you think I busted a gut to get the PostgreSQL
> licence approved when we realised it wasn't BSD?

Dave, this is important and so this thread must have a clear resolution, so we must stick to a single point and be clear about our logic and our statements.

You're saying these two things, I think, or if you or anybody else disagrees, please say so clearly.

* When project realised that the PostgreSQL licence wasn't actually a BSD licence, that PostgreSQL was clarified to be the TPL, yet pgfoundry was not covered by that clarification for some reason.

* In the absence of any licence text in any of the files of a project on a certain date, then if the project is advertised on PgFoundry on that date as having a "BSD licence" then the software will be covered by http://www.opensource.org/licenses/bsd-license.php

--
Simon Riggs www.2ndQuadrant.com
On Tue, May 18, 2010 at 4:06 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> If, as you say, the licence is unclear then whether-or-not it is an open
> source licence must also be unclear.

I would suggest you, or anyone else who notices, open bugs on any packages you want to use for which you find no LICENSE file matching the license asserted in pgfoundry.

Are there so many that we need a more organized mass effort? Do we need automated checks for this?

> The copyright holders can change the licence in future as they see fit,
> as we've witnessed on other formerly open source projects.

This is always true. The protection open source licenses have for this is that they're irrevocable. So while NTT could stop releasing future work under an open source license, the code which was already released would still be available under the license it was released under and anyone who wants to could pay anyone willing to support it without asking NTT for permission.

The question that arises then is whether pgfoundry archives the source it has in a way that the project maintainer can't delete. If an author decides to stop releasing a package and deletes the source from pgfoundry can we get the last version they released from pgfoundry and put it back up as an orphaned project or with a new set of maintainers? As long as we have the infrastructure to do that conveniently I think we're protected against this danger.

--
greg
On Tue, May 18, 2010 at 9:59 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> Dave, this is important and so this thread must have a clear resolution,
> so we must stick to a single point and be clear about our logic and our
> statements.

OK. I thought you were talking about copyright and licences though.

> You're saying these two things, I think, or if you or anybody else
> disagrees, please say so clearly.
>
> * When project realised that the PostgreSQL licence wasn't actually a
> BSD licence, that PostgreSQL was clarified to be the TPL, yet pgfoundry
> was not covered by that clarification for some reason.

No. The licences never changed on anything - all we did was get it approved by the OSI, and clarify our *naming* of the licence in PostgreSQL (and pgAdmin). It's entirely up to the maintainers of each project on pgFoundry to decide whether the licence text or the licence name is what they intend, and to clarify accordingly for their projects.

> * In the absence of any licence text in any of the files of a project on
> a certain date, then if the project is advertised on PgFoundry on that
> date as having a "BSD licence" then the software will be covered by
> http://www.opensource.org/licenses/bsd-license.php

Yes, I believe that is a fair and safe assumption.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company
On Tue, 2010-05-18 at 06:32 -0400, Greg Stark wrote:
> On Tue, May 18, 2010 at 4:06 AM, Simon Riggs <simon@2ndquadrant.com> wrote:
> > If, as you say, the licence is unclear then whether-or-not it is an open
> > source licence must also be unclear.
>
> I would suggest you, or anyone else who notices, open bugs on any
> packages you want to use for which you find no LICENSE file matching
> the license asserted in pgfoundry.

I'm not personally going to do this, though I will point out to people the dangers of imprecisely licenced software when they ask.

> Are there so many that we need a more organized mass effort? Do we
> need automated checks for this?

I would say so.

> > The copyright holders can change the licence in future as they see fit,
> > as we've witnessed on other formerly open source projects.
>
> This is always true. The protection open source licenses have for this
> is that they're irrevocable. So while NTT could stop releasing future
> work under an open source license, the code which was already released
> would still be available under the license it was released under and
> anyone who wants to could pay anyone willing to support it without
> asking NTT for permission.
>
> The question that arises then is whether pgfoundry archives the source
> it has in a way that the project maintainer can't delete. If an author
> decides to stop releasing a package and deletes the source from
> pgfoundry can we get the last version they released from pgfoundry and
> put it back up as an orphaned project or with a new set of
> maintainers? As long as we have the infrastructure to do that
> conveniently I think we're protected against this danger.

Well, whoever runs pgfoundry.org gets to make that decision. They may choose how they respond if someone says "I request X, in the name of PostgreSQL and open source, ...". They may or may not keep archived copies. If they just keep a latest backup, then once the developer quietly deletes stuff then it's gone forever.

Who could monitor that to make sure it never takes place??

--
Simon Riggs www.2ndQuadrant.com
> That is the case for *anything*. We could change the PostgreSQL
> licence if we wanted, but it would take a huge amount of effort and
> approval of every contributor ever whose work could be considered an
> artistic contribution.

I doubt it. Do you think that every single contributor is contactable? Haven't some died? My guess is that it would be completely impossible.

> With PostgreSQL we rely on the sheer number of contributors to ensure
> the licence will never actually change. We cannot have such a
> guarantee for most smaller projects of course - simply attributing
> copyright to a non-existent legal entity such as PGDG (or as I
> understand it, even an actual entity) doesn't actually change who
> legally owns the copyright.
>
> To get the protection I think you seek, I believe we'd need to create
> a legal entity to own the copyright and then have every contributor to
> anything on pgFoundry sign a copyright assignment agreement that
> grants the legal entity copyright on the current and all future
> versions of that work, as hosted on there. And even then, there's no
> guarantee that the legal entity couldn't be bought or change its
> charter, unless there's some way to irrevocably build things into its
> statutes.

IANAL, but I know that there was a similar situation when Trolltech still existed and controlled the Qt framework. It was dual licensed GPL2/proprietary (it is now dual LGPL/proprietary). Contributors were required to sign reams of paperwork, which had to be sent out by fax (I'm not sure why), to assign the copyright to Trolltech. Thankfully, that situation has changed under Nokia - contributors retain the copyright, and there is minimal red tape. Contributors are now asked to grant Qt Software a non-exclusive right to re-use code as a part of Qt, the first time they submit code for inclusion.

Regards,
Peter Geoghegan
Simon Riggs wrote:
> That puts a fairly large hole in recommending that people visit
> pgFoundry. That either needs to be fixed or users will no longer be able to
> trust PgFoundry.
>
>

pgFoundry is a resource we provide the community. The projects there are the responsibility of their individual owners. We are not going to start being the license police. I at least have neither the time to do that nor any interest in doing it. If people want to use what is on pgFoundry then it is up to them to make sure it has whatever licence meets their requirements.

What we should do is add the PostgreSQL license to the list of available licenses and make sure it is the default for new projects.

cheers

andrew
On 05/18/2010 07:32 AM, Andrew Dunstan wrote:
>
>
> Simon Riggs wrote:
>> That puts a fairly large hole in recommending that people visit
>> pgFoundry. That either needs to be fixed or users will no longer be able to
>> trust PgFoundry.
>>
>>
>
> pgFoundry is a resource we provide the community. The projects there are
> the responsibility of their individual owners. We are not going to start
> being the license police. I at least have neither the time to do that
> nor any interest in doing it. If people want to use what is on pgFoundry
> then it is up to them to make sure it has whatever licence meets their
> requirements.

I agree there - pgfoundry is just the resource provider, we are not a licence police (and given that none of the pgf admins is an actual lawyer there is no sense in even trying). People wanting to get some sort of "indemnification" or whatever need to look into commercial providers (or use distribution provided packages for stuff because those are usually very well checked for licence stuff in all major linux distributions).

>
> What we should do is add the PostgreSQL license to the list of available
> licenses and make sure it is the default for new projects.

I can look into that...

Stefan
On Tue, 2010-05-18 at 07:32 -0400, Andrew Dunstan wrote:
>
> Simon Riggs wrote:
> > That puts a fairly large hole in recommending that people visit
> > pgFoundry. That either needs to be fixed or users will no longer be able to
> > trust PgFoundry.
> >
> pgFoundry is a resource we provide the community. The projects there are
> the responsibility of their individual owners. We are not going to start
> being the license police. I at least have neither the time to do that
> nor any interest in doing it. If people want to use what is on pgFoundry
> then it is up to them to make sure it has whatever licence meets their
> requirements.

Agreed, though that significantly lessens the value of that resource for everybody. If somebody would like to try to improve that by attempting to improve or police the licencing, it would be appreciated.

> What we should do is add the PostgreSQL license to the list of available
> licenses and make sure it is the default for new projects.

Good idea.

--
Simon Riggs www.2ndQuadrant.com
On 05/18/2010 09:22 AM, Simon Riggs wrote:
> On Tue, 2010-05-18 at 07:32 -0400, Andrew Dunstan wrote:
>>
>> Simon Riggs wrote:
>>> That puts a fairly large hole in recommending that people visit
>>> pgFoundry. That either needs to be fixed or users will no longer be able to
>>> trust PgFoundry.
>>>
>
>> pgFoundry is a resource we provide the community. The projects there are
>> the responsibility of their individual owners. We are not going to start
>> being the license police. I at least have neither the time to do that
>> nor any interest in doing it. If people want to use what is on pgFoundry
>> then it is up to them to make sure it has whatever licence meets their
>> requirements.
>
> Agreed, though that significantly lessens the value of that resource for
> everybody. If somebody would like to try to improve that by attempting
> to improve or police the licencing, it would be appreciated.

even if somebody steps up and tries to do that - we have hundreds of projects on pgf and I think it is impossible to do anything that would actually provide some sort of "guarantee" that the licence stuff is properly done for every project which is the only thing that would prevent you to do your own research or evaluation. However it makes sense to the the projects you where you ran into an issue about so it can be fixed (technically this is simply a bug that needs to be reported).

>
>> What we should do is add the PostgreSQL license to the list of available
>> licenses and make sure it is the default for new projects.
>
> Good idea.

done

Stefan
On 05/18/2010 01:57 AM, Simon Riggs wrote:
> I notice that there are more than a few projects on pgfoundry that are
> marked as "BSD licence" but then the project files don't contain any
> mention of the licence details. In some cases, projects are also clearly
> marked Copyright of people or organizations.

yeah, this is due to one of many bugs with gForge. The submitter is required to choose a license on submission of a project request ... but that information is then discarded and doesn't end up in the project page.

--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
On 05/20/2010 01:58 PM, Josh Berkus wrote:
> On 05/18/2010 01:57 AM, Simon Riggs wrote:
>> I notice that there are more than a few projects on pgfoundry that are
>> marked as "BSD licence" but then the project files don't contain any
>> mention of the licence details. In some cases, projects are also clearly
>> marked Copyright of people or organizations.
>
> yeah, this is due to one of many bugs with gForge. The submitter is
> required to choose a license on submission of a project request ... but
> that information is then discarded and doesn't end up in the project page.

huh? that does not make any sense at all - the licence the submitter chooses _IS_ displayed on the main overview page of the project (see for example: http://pgfoundry.org/projects/pgbouncer/).

Stefan
> huh? that does not make any sense at all - the licence the submitter
> chooses _IS_ displayed on the main overview page of the project (see for
> example: http://pgfoundry.org/projects/pgbouncer/).

That doesn't happen automatically -- after acceptance, the project owner needs to select a license a second time. That's why so many projects have no license.

--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
On Thu, May 20, 2010 3:06 pm, Josh Berkus wrote:
>
>> huh? that does not make any sense at all - the licence the submitter
>> chooses _IS_ displayed on the main overview page of the project (see for
>> example: http://pgfoundry.org/projects/pgbouncer/).
>
> That doesn't happen automatically -- after acceptance, the project owner
> needs to select a license a second time. That's why so many projects
> have no license.
>

How to do that is far from clear.

cheers

andrew