|
SCALE: The life and times of the AGPL
ByNathan Willis
March 13, 2013
AtSCALE 11x in Los Angeles, Bradley Kuhn of the Software Freedom
Conservancy presented
a unique look at the peculiar origin of the Affero GPL
(AGPL). The AGPL was created to solve the problem of application
service providers (such as Web-delivered services) skirting copyleft
while adhering to the letter of licenses like the GPL, but as Kuhn
explained, it is not a perfect solution.
The history of AGPL has an unpleasant beginning, middle, and end,
Kuhn said, but the community needs to understand it. Many people
think of the AGPL in conjunction with the "so-called Application
Service Provider loophole"—but it was not really a
loophole at all. Rather, the authors of the GPLv2 did not foresee the
dramatic takeoff of web applications—and that was not a failure,
strictly speaking, since no one can foresee the future.
In the late 1980s, he noted, client-server applications were not yet
the default, and in the early 1990s, client/server applications
running over the Internet were still comparatively new. In addition,
the entire "copyleft hack" that makes the GPL work is centered around
distribution, as it functions in copyright law. To the
creators of copyleft, making private modifications to a work has never
required publishing one's changes, he said, and that is the right
stance. Demanding publication in such cases would violate the user's
privacy.
Nevertheless, when web applications took off, the
copyleft community did recognize that web services represented a
problem. In early 2001, someone at an event told Kuhn『I won’t
release my web application code at all, because the GPL is the BSD
license of the web.』 In other words, a service can be built on
GPL code, but can incorporate changes that are never shared with the
end user, because the end user does not download the software
from the server. Henry Poole, who founded the web service
company Allseer to assist nonprofits with fundraising, also understood
how web applications inhibited user freedom, and observed that
"we have no copyleft." Poole approached the Free
Software Foundation (FSF) looking for a solution, which touched off
the development of what became the AGPL.
Searching for an approach
Allseer eventually changed its name to Affero, after which the AGPL
is named, but before that license was written, several other ideas to
address the web application problem were tossed back and forth between
Poole, Kuhn, and others. The first was the notion of『public
performance,』which is a concept already well-established in copyright
law. If running the software on a public web server is a public
performance, then perhaps, the thinking went, a copyleft license's
terms could specify that such public performances would require source
distribution of the software.
The trouble with this approach is that "public performance" has
never been defined for software, so relying on it would be somewhat
unpredictable—as an undefined term, it would not be clear when
it did and did not apply. Establishing a definition for『public
performance』in software terms is a challenge in its own right, but
without a definition for software public performance, it would be
difficult to write a public performance clause into (for example) the
GPL and guarantee that it was sufficiently strong to address the web
application issue. Kuhn has long supported adding a public
performance clause anyway, saying it would be at worst a "no op," but
so far he has not persuaded anyone else.
The next idea floated was that of the Ouroboros, which in antiquity
referred to a serpent
eating its own tail, but in classic computer science
terminology also meant a program that could generate its own source
code as output. The idea is also found in programs known as quines,
Kuhn said, although he only encountered the term later.
Perhaps the GPL could add a clause requiring that the program be able
to generate its source code as output, Kuhn thought. The GPLv2
already requires in §2(c) that an interactive program produce a
copyright notice and information about obtaining the license. Thus,
there was a precedent that the GPL can require adding a "feature" for
the sole purpose of preserving software freedom.
The long and winding license development path
In September 2002, Kuhn proposed adding the『print your own source
code』feature as §2(d) in a new revision of the GPL, which would then
be published as version 2.2 (and would serve as Poole's license
solution for Affero). Once the lawyers started actually drafting the
language, however, they dropped the "computer-sciencey" focus of the
print-your-own-source clause and replaced it with the AGPL's
now-familiar "download the corresponding source code" feature
requirement instead. Poole was happy with the change and incorporated
it into the AGPLv1. The initial draft was "buggy," Kuhn said, with
flaws such as specifying the use of HTTP, but it was released by the
FSF, and was the first officially sanctioned fork of the GPL.
The GPLv2.2 (which could have incorporated the new Affero-style
source code download clause) was never released, Kuhn said, even
though Richard Stallman agreed to the release in 2003. The reasons
the release was never made were mostly bad ones, Kuhn said, including
Affero (the company) entering bankruptcy. But there was also internal
division within the FSF team. Kuhn chose the "wrong fork," he said,
and spent much of his time working on license enforcement actions technical work,
which distracted him from other tasks. Meanwhile, other FSF people
started working on the GPLv3, and the still-unreleased version 2.2
fell through the cracks.
Kuhn and Poole had both assumed that the Affero clause was safely
part of the GPLv3, but those working on the license development
project left it out. By the time he realized what had happened, Kuhn
said, the first drafts of GPLv3 appeared, and the Affero clause was
gone. Fortunately, however, Poole insisted on upgrading the AGPLv1,
and AGPLv3 was written to maintain compatibility with GPLv3. AGPLv3
was not released until 2007, but in the interim Richard Fontana wrote
a "transitional" AGPLv2 that projects could use to migrate from AGPLv1
to the freshly-minted AGPLv3. Regrettably, though, the release of
AGPLv3 was made with what Kuhn described as a "whimper." A lot of
factors—and people—contributed, but ultimately the upshot
is that the Affero clause did not revolutionize web development as had
been hoped.
The Dark Ages
In the time that elapsed between the Affero clause's first
incarnation (in 2002) and the release of AGPLv3 (in 2007), Kuhn said,
the computing landscape had changed considerably. Ruby on
Rails was born, for example, launching a widely popular web
development platform that had no ties to the GPL community.
"AJAX"—which is now known simply as JavaScript, but at the time
was revolutionary—became one of the most widely-adopted way to
deliver services. Finally, he said, the possibility of
venture–capital funding trained new start-ups to build their
businesses on a『release everything but your secret
sauce』model.
Open source had become a buzzword-compliance checkbox to tick, but
the culture of web development did not pick copyleft licenses, opting
instead largely for the MIT License and the three-clause BSD License.
The result is what Kuhn called "trade secret software." It is not
proprietary in the old sense of the word; since it runs on a server,
it is not installed and the user never has any opportunity to get it.
The client side of the equation is no better; web services deliver
what they call "minified" JavaScript: obfuscated code that is
intentionally compressed. This sort of JavaScript should really be
considered a compiled JavaScript binary, Kuhn said, since it is
clearly not the "preferred form for modifying" the application. An
example snippet he showed illustrated the style:
try{function e(b){throw b;}var i=void 0,k=null;
function aa(){return function(b){return b}}
function m(){return function(){}}
function ba(b){return function(a){this[b]=a}}
function o(b){ return function(){return this[b]}}
function p(b){return function(){return b}}var q;
function da(b,a,c){b=b.split(".");c=c||ea;
!(b[0]in c)&&c.execScript&&c.execScript("var "+b[0]);
for(var d;b.length&&(d=b.shift());)
!b.length&&s(a)?c[d]=a:c=c[d]?c[d]:c[d]={}}
function fa(b,a){for(var c=b.split("."),d=a||ea,f;f=c.shift();)
which is not human-readable.
Microsoft understands the opportunity in this approach, he added,
noting that proprietary JavaScript can be delivered to run even on an
entirely free operating system. Today, the "trade secret" server side
plus "compiled JavaScript" client side has become the norm, even with
services that ostensibly are dedicated to software freedom, like the
OpenStack infrastructure or the git-based GitHub and Bitbucket.
In addition to the non-free software deployment itself, Kuhn
worries that software freedom advocates risk turning into a
"cloistered elite" akin to monks in the Dark Ages. The monks were
literate and preserved knowledge, but the masses outside the walls of
the monastery suffered. Free software developers, too, can live
comfortably in their own world as source code "haves" while the bulk
of computer users remain source code "have-nots."
One hundred years out
Repairing such a bifurcation would be a colossal task. Among other
factors, the rise of web application development represents a
generational change, Kuhn said. How many of today's web developers have
chased a bug from the top of the stack all the way down into the
kernel? Many of them develop on Mac OS X, which is proprietary but is
of very good quality (as opposed to Microsoft, he commented, which was
never a long term threat since its software was always terrible...).
Furthermore, if few of today's web developers have chased a bug all
the way down the stack, as he suspects, tomorrow's developers may not
ever need to. There are so many layers underneath a web application
framework that most web developers do not need to know what happens in
the lowest layers. Ironically, the success of free software has
contributed to this situation as well. Today, the best operating
system software in the world is free, and any teenager out there can
go download it and run it. Web developers can get "cool, fun jobs"
without giving much thought to the OS layer.
Perhaps this shift was inevitable, Kuhn said, and even if GPLv2.2
had rolled out the Affero clause in 2002 and he had done the best
possible advocacy, it would not have altered the situation. But the
real question is what the software freedom community should do now.
For starters, he said, the community needs to be aware that the
AGPL can be—and often is—abused. This is usually done
through "up-selling" and license enforcement done with a profit
motive, he said. MySQL AB (now owned by Oracle) is the most prominent
example; because it holds the copyright to the MySQL code and offers
it under both GPL and commercial proprietary licenses, it can pressure
businesses into purchasing commercial proprietary licenses by telling
them that their usage of the software violates the GPL, even if it
does not. This technique is one of the most frequent uses of
the AGPL (targeting web services), Kuhn said, and "it makes me sick," because it goes directly
against the intent of the license authors.
But although using the AGPL for web applications does not prevent
such abuses, it is still the best option. Preserving software freedom
on the web demands more, however, including building more federated
services. There are a few examples, he said, including Identi.ca and
MediaGoblin, but the problem that such services face is the
"Great Marketing Machine." When everybody else (such as Twitter and
Flickr) deploys proprietary web services, the resulting marketing
push is not something that licensing alone can overtake.
The upshot, Kuhn said, is that『we’re back to catching up to
proprietary software,』just as GNU had to catch up to Unix in
earlier decades. That game of catch-up took almost 20 years, he said,
but then again an immediate solution is not critical. He is resigned
to the fact that proprietary software will not disappear within his
lifetime, he said, but he still wants to think about 50 or 100 years
down the road.
Perhaps there were mistakes made in the creation and deployment of
the Affero clause, but as Kuhn's talk illustrated, the job of
protecting software freedom in web applications involves a number of
discrete challenges. The AGPL is not a magic bullet, nor can it
change today's web development culture, but the issues that it
addresses are vital for the long term preservation of software
freedom. The other wrinkle, of course, is that there are a wide range
of opinions about what constitutes software freedom on the web. Some
draw the line at whatever software runs on the user's local machine
(i.e., the JavaScript components), others insist that public APIs and
open access to data are what really matters. The position advocated
by the FSF and by Kuhn is the most expansive, but because of it,
developers now have another licensing option at their disposal.
(Log in to post comments)
It's funny that all these discussions are ignoring the position of software developer's (web developers here) even if they are supposedly do all that for their sake.
Microsoft may preach that GPL is scary, viral and awful as long as it wants but the fact remains: compliance is not a problem for Joe Average Developer. Either s/he uses binary offered by someone else (and then 3c of GPLv2 or 6d of GPLv3 is easy to satisfy) or it's program in a source form (and then 3a of GPLv2 or 6d of GPLv3 is more-or-less automatically satisfied). Most "normal" programs don't encourage you to change the source, extensions are done via some form of plugins.
But AGPL is a problem for Jor Average Web-Developer. Most server-side frameworks basically encourage changes and it's easy to embed many-many things in them which you don't want to give to just anyone (think LWN: how that "source code release" process is going?). This means that AGPL is quickly becoming boogeymen. Compare number of GPL projects and number of AGPL project. Then compare amount of article-described "up-selling" abuse. People learn to avoid AGPL (and often GPL since it looks similar).
The fact that existing web software quickly becomes quite a mess after deployment (because there are local modifications you can not easily upgrade to latest-and-greatest version and because it's not upgraded it contains plethora of well-known security holes) is bad for other reason but till this mess will not be fixed AGPL can not change the situation.
if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software.
(I'm assuming "downloading a binary file via a manually clicked deep link from outside" is interaction. I am, of course, not a lawyer, and this is not legal advice.)
[A]ll these discussions are ignoring the position of software developer's (web developers here) even if they are supposedly do all that for their sake.
Be careful in your characterizations. `Open source' is for the developers; `Free Software' is for the users. I'm sure it's the latter that Mr. Kuhn is addressing.
|
|
