Help! Understanding Free and Open-Source Licenses

Hey everyone, I’m diving into the world of free and open-source software (FOSS), and I’m a bit confused about the different licenses involved. I’ve seen terms like “free,” “open-source,” and various license names like MIT and GPL, but I’m not entirely sure what the nuances are between them.

Here’s what’s really got me scratching my head: why is the source code not always included with some FOSS licenses? I thought the whole point of open-source was that anyone could see and modify the code, but that doesn’t seem to be the case for everything.

I’d really appreciate any insights you all could share! Any explanations of the different license types, examples of how they differ, and why some licenses might not include the source code would be incredibly helpful.

Thanks in advance for your help!

P.S. If you have any resources that explain FOSS licenses in a user-friendly way, please feel free to share them as well!

Hello! To find the official definition of Open Source look here: The Open Source Definition – Open Source Initiative

It should be (in some cases it must be provided upon request).

MIT license means that anyone can use the code for anything they want – no restrictions. GPL means that all projects that use the license must also license their code under the GPL (as well as conforming to a few other rules). MIT is a permissive license while GPL is a copyleft license.

See more here: Open-source license - Wikipedia

If you are an end user like me who do not know how really code, it doesn’t really matter. What matters is for other people being able to see and audit the code and hopefully the binary it produces turns out to be reproducible, meaning if anyone could compile it and still produce the same bit for bit binary code output. And if you do code, you can still sort of reverse engineer it especially with the help of coding AIs out there, so direct copy and pasting from other repos is no longer even needed.

A lot of licenses out there is due to ideological differences whether the code can be shared with companies that would like to have money making capabilities. Some people do not want their code to be monitizable and just want to be a community effort.

Licenses can still be changed from one to another depending on the source code owner/s whim. Things can change.

In the end licenses don’t really matter. Dont over sweat it. I’d argue its purely on the domain of lawyers and corporations.

Open source licenses must allow the code to be monetized per the OSI’s definition

I disagree. I feel that software freedom is something that is important for everyone as it also encourages innovation and (as you stated) allows the code to be auditable.

Disagree. VS Code is MIT licensed, so no issues right? Wrong - it’s rebundled with proprietary telemetry by Microsoft. What we probably want to use is VSCodium, which is the strict MIT build.

GPL software requires source code be available on request, meaning that the executable you are running you can have the source code. The above scenario is now illegal with this license, as Microsoft can’t bundle their own proprietary modules in the binary. I won’t go into the details of GPLv2 and v3, as that likely isn’t a concern.

AGPL takes it further and states that if you interact with the program over a network, the source code must be provided. So if you interact with a site running AGPL, you can audit what it does on the server. If I interact with AGPL software on the web (I.e. I believe Invidious is AGPL), then I have greater confidence in the site that is running it. Nothing will stop bad actors from uploading malicious software and pretend it’s fine, but there is at least some legal protection.

The confusion around OSI lead to copy left software to be called libre software, as free (as in user freedom) and open source has been co-opted to mean all open source licenses (free as in no cost), confusingly.

——

With that, any version of open source is greatly appreciated. Just double check if you have a non restrictive version of a program you are making sure it’s the build from original source and not rebundled with fun extras.

https://hiphish.github.io/blog/2023/10/18/grayjay-is-not-open-source/

Might help by giving an example.

Another big distinction is copyleft (GPL, AGPL, MPL) vs permissive (BSD, MIT, Apache).

Copyleft requires all forks to keep the same license or a compatible free license, thereby ensuring that the code will always remain free and open source. Permissive licenses basically say “here’s the code, do what you want” and others can “steal” the code to use it in a proprietary project without contributing back.

Hey all,

So I am continuing this OSS License conversation from another thread and will continue the conversation about this in another topic.

To point out why this is not the case and give us a simple mental model of these licenses, let me define my simple taxonomy of open source software licenses:

• Permissive licenses
• Copyleft licenses
• Open-washing licenses.

Disclaimer: I’m not a lawyer^™ none of this legal advice…in fact it’s mostly just plain and simple vibes which tend to influence human behavior and how people choose what to buy .

Permissive License Vibes

An author just writing software and showing it to the world. Anyone can copy the code and reference it, or don’t…whatever, as long as you don’t sue the author for any time, damage, and money loss this causes you for using this free code provided, it’s all cool.

For higher aspiring projects, there is also a community building vibe

Everything said previously, but with intent to build a community that shares the code based on trust. Ideally the work of individuals and companies who are incentivized to contribute to shift maintenance to the community who want the features share the same code. This license keeps a tribal pressure on the leadership of this community to act well among the community and always give them the opportunity to fork the code and can legally copy the previous code if there’s ever contention. If the authors or company with the power ever make a move that removes power from the community that they didn’t consent to, the community will fork.

These licenses would always be the case in an ideal world.

Examples of Permissive Licenses

Copyleft License Vibes

The authors of this code worked really hard on the code. The work is complicated, always evolving, and/or very early and not complete yet. It’s fastest to iterate in the core group as vetting and training new community members is a heavy lift. The authors value transparency, authenticity, and community so making the source available, enabling modification and contributions, community testing and auditing, and allowing you to run your own version is fine. However, they need to limit or control the the means of commercial distribution of the product, to ensure the core engineers of this code are paid for their work, and the paid + enterprise product meets the quality bar of the original authors.

Unfortunately, this means the community has less leverage if the authors do something unplanned and outside of what the community signed on for. This has value, but requires more trust that the authors won’t just use this license to stonewall public contributions and simply use this as a sales pipeline rather than a community to share ideas as we’ll discuss in the next bucket of licensing.

Examples of Copyleft Licenses

Open Washing License Vibes

This is a licensing category I just made up from the term openwashing. This sets up a license structure that uses similar language of copyleft licenses that aim to equivocate their license with an open code commons with bidirectional power and information. However, these licenses are legalese that provide unilateral power over code sharing which is limited by the profit-driven whims of the company leadership and shareholders. This technically is a source-available license, just not standardized, hard to interpret, and often provides unidirectional value creation from the community. It is source-available with proprietary vibes.

Examples:

• Elastic
• MongoDB
• Docker
• Hashicorp
• CockroachDB
• etc… sorry most are from my industry but sure there are plenty exmaples

The point?

So what do these “vibes” mean for users? Sounds like only folks with the code need to be concerned.

Well, this is where the governance politics and leverage come in. True power can be seen in git commit logs with who gets the most code submitted, who approves that code, who can effectively block the code, how open is the group to new contributors or contributions, and where are all the folks who contribute working for or what other motivations might they have? This is done simply by looking at the logs and having discussions with folks in the community like you would as someone who works in a new job learning how things run.

Do you do all this work by yourself? Hell no! This is why we’re on a privacy community to build consensus through open journalistic techniques to investigate findings. Open source projects are transparent but this stuff takes time, similar to building good privacy practices that is done on this forum/site.

Licensing tends to be the first layer heuristic in understanding where a project might stand in all of these governance specifics. The next layer is tapping into the community, learning the politics, and then making an informed decision on what you adopt based on verifiable sources. As a community gets better at learning fact from fiction, the profit-driven actors are required to move with the community rather than their highest paying customers who ironically would end up wanting the innovative solution the community reaches through consensus.

If all this sounds rhetorical, here’s a real life story where this happened in a community I was involved in.

Personal anecdote where this influenced a $2+ billion buyout

I was in a format war that was won despite both technologies Delta Lake (spec) and Apache Iceberg (spec) both having the Apache v2.0 license, open libraries, and feature parity, if you compare the number of pull requests by company you quickly see that the majority was done by the company behind the project, Databricks had strong control over the project.

image1575×856 124 KB

Big tech among other large Fortune 100 businesses caught onto this and used Iceberg, but and this led to the realization that if you use Iceberg, you won’t get locked into storing all your data with one company. Competing businesses started to adopt Iceberg, until ultimately Databricks purchased the startup created by the founders. This buyout was a huge win for users as this now pushes all vendors to use the same open format.

So, the lesson here is, don’t underestimate the power and leverage of proper licensing, and well-informed communities.

Open source is a pluralistic movement and evolves much like language. Every community is different and even my take up here won’t apply in every case. So just remember it’s all about vibes and storytelling and understanding how to be the best agent you can be as a consumer which shapes the economy around a project.

Now on to reply to @ianopolous’s related question on a separate thread.

What limitations do you think come from AGPL? Anyone is free to take, modify and run it, and build companies on it as long as they release their source modifications to the public.

For checks and balances I think there are several effective options.

1. Peergos LTD doesn’t own the copyright on the current peergos code, it is owned by the individual contributors. this defends against re-licensing against the communities interests, which is common.
2. Independent implementations

Background

As mentioned above, I’m still not a lawyer and these are pragmatic developer vibes to dig at the heart of how my brain summarizes these licenses…not legal advice.

AGPL 3.0 falls under the copyleft licenses mentioned above. Similar to GPL 3.0, anyone who is not the copyright owners of the code (typically the authors and subsequent maintainers) aren’t able to sublicense the software. Which disables some big company from grabbing the open sourced code that a community (and likely a core of maintainers like Peergos) work hard to develop and maintain, and sticks it behind a bit of code, their logos, and recompiles the code!

AGPL is more or less an adaption that needed to be made to adapt the terminology to SaaS applications as stated here:

Example

Although this wasn’t for a sublicense issue, a recent newsworthy violation of the AGPLv3 occurred when Truth social copied and modified Mastodon’s code without distributing the original source code or attribution. This didn’t violate the sublicensing clause, which is the more impactful clause, but still didn’t offer credit to the original project.

For sake of example, assume you did have to pay to use Truth Social and it was being done for profit, Mastodon and Software Freedom conservancy would have had a stronger case.

Why do I prefer having my foot in a permissive and copyleft project communty?

Using the AGPL licensing and any copyleft licensing has plenty of valid uses, but also leaves a power gap open that could potentially be exploited. I mention this in detail in the previous post.

Unfortunately, this means the community has less leverage if the authors do something unplanned and outside of what the community signed on for. This has value, but requires more trust that the authors won’t just use this license to stonewall public contributions and simply use this as a sales pipeline rather than a community to share ideas as we’ll discuss in the next bucket of licensing.

It can also avoid healthy competition and choice.

As @ianopolous mentions:

Peergos LTD doesn’t own the copyright on the current peergos code

This is very healthy setup of course, and vests the decision making power with the authors.

The question is, where do the authors currently work and what might their biases be? From the contributors code, there are four authors that have made more than a single commit contribution and 11 contributors total. Those four authors all work for Peergos LTD based on looking at the profile names and this team page.

I am btw no stranger to the BDFL model. It is quite an effective model provided you call a spade a spade. In that instance, a lot of people trusted the BDFL maintainers as they had the clearest and most inclusive vision for the community despite all three of them working for the same venture capital funded company I worked for.

Now you state there’s currently no financial incentive (also good to know), and you and Kevin have been working on this project for a long time so that alone tells me this isn’t some VC get-rich-quick scheme and something you believe in. But there’s no crystal ball to this formation of power vested in four humans when it comes to providing future optionality and enabling choice to the community regardless of how pure and benevolent your intentions are.

I am curious what you mean by “Independent implementations”. To me this would be something like Hubzilla, which is under a permissive license, and enables anyone to not only copy the code, but fork it and make a version of their own that can provide features or a competitive product to Peergos. It also provides an overlap with the Fediverse protocols which may be incentivizing to many.

So all around I like just having that there to provide options and leverage to this very interesting market.

What I think would be the most ideal option, would be cross compatible protocols that make migration between or use of both Hubzilla and Peergos possible without a lot of lockin to users. That’s likely getting ahead of ourselves.

So yeah, curious to hear your thoughts and anyone else’s thoughts and critiques on the my licensing and open source political takes.

I feel like I should drill in on one aspect of copyleft and GPL licenses that @ianopolous points out that I missed out on.

Let’s say another company wanted to come along and build their own version of Peergos called “Neargos”, where they took ~10 years of work of @ianopolous and the other co-authors work, added a feature (or not) and just slap the new “Neargos” labels on it and profit $$.

As @ianopolous suggests, this is possible in the copyleft code today. Provided Neargos’ only plan is to take whatever GPL code is created by the hard work of Peergos team members and community, and run the service, then they are legally fine.

Generally though, a community would see right through this and realize that there’s no incentive to use Neargos as they are taking advantage of the community’s hard work and would likely have those most knowledgeable working on the service they pay for.

So Neargos decides they are going to hire two software engineers and a product specialist to build new features to attract customers to their service. So Neargos does this and are ready to deploy NeargosX which is literally just an Elon Musk version of Peergos that adds useless AI features. However, since Peergos is licensed under AGPL, Neargos realizes they must license their AI features under AGPL and publish the source code for all to see!!

This has a lot of positive effects as NeargosX can’t just copy a bunch of hard work from Peergos, add a small feature, then capitalize off work they didn’t do. In theory, this makes it to where the community much less likely to have one single company monopolizing the market since everyone can study and even modify the features of any modification of the code.

Permissive licenses on the other hand don’t have this requirement. Assuming Peergos was licensed under Apache 2.0, then Neargos would be able to make NeargosX a proprietary feature, keep the small sliver of code for themselves, and profit!

So why would anyone ever choose to make their code permissive and not copyleft then?

The details vary from community to community and project to project, but the best summary I’ve seen was adapted from here:

permissive licences aim for maximum adoption which leads to higher innovation of code, while copyleft aim for maximum openness of code.

1. Company’s want to avoid lawsuits so adopting code with GPL libraries is a last resort and will choose a less valuable permissive library over copyleft
2. Company’s definitely want to reserve the right to build a feature and profit off of it, even if it’s not currently in their wheelhouse
3. Fewer companies adopting the copyleft projects can lead to smaller ecosystem unless the copyleft one just crushes any remote desire to use the alternatives
4. Smaller ecosystem if they do occur, will lead to stagnation of adoption and other tools moving faster

So permissive licenses generally encourage a faster flow of adoption and innovation while copyleft ensures the original developers keep the software and the incentives in check through legal guarantees.

I think there are ways to split up software either by making shared standards where core libraries are permissively licensed (this ensures the ecosystem can flourish and be interoperable), while the specific implementations are licensed under GPL.

One example of this is the Matrix specification while the primary innovators of Matrix who founded the chat server/clients called Element, license their synapse server implementation under AGPL, along with Android and ios phone apps.

Anyone could in theory take the code that Element publishes and make their own version which copies the entire Element codebase, and their changes, licenses them under the GPL, and makes those avialable as well, however, they can also just make their own servers or clients on their own and license them how they see fit.

This to me is one of my favorite middle ground strategies to enable a more free flow of ideas, while keeping the implementation details somewhat protected from the unfortunate capitalistic opportunists we live with today.

I hope this more accurately answers your question @ianopolous and sheds light on how I think having Hubzilla and Peergos share some sort of permissive licensed protocol together.

This provides consumers with peace of mind that they will be buying into a much more open market of ideas rather than entirely betting on your team, although it’s a fine bet, this is a radically early space for your ideas despite you being even further ahead than the rest of us.

Adding a bridge between you and Hubzilla also enables some cross pollination to Fediverse protocols like ActivityPub and Nomadic Identity.

This is also my understanding. My opinion for maximizing freedoms (and privacy via license choice for end users) is that web applications should be AGPL, client apps GPLv2+, most shared libraries as LGPL (less important for end users), and less “useful” applications and shared libraries that are dead or have little left to innovate can be permissive or just public domain.

With that, I’d never trust a locked down protocol for non business ventures, as it just hinders adoption and usage and the ability to continue it after the owners move away from it. So many proprietary codecs are a pain in the butt for this reason, but somehow got enough adoption to deal with them.

everything should be AGPL

This Skewed Zepplin leans copyleft…

Do you mean all open source projects should be AGPL or that most of what @overdrawn98901 suggested should be AGPL?

In an ideal world, correct. But why would AGPL matter for software only running on the client? Wouldn’t GPLv2+ be good enough?

because someone can still take GPL code (parts or whole) and make it available over the network and they wouldn’t have to disclose source.

imo any case where you have a GPL program, it should really just be AGPL no matter what

Fair enough. My post should have been saying it’s geared towards end user protection, not maximizing freedom, which I accidentally conflated. The balance is definitely in adoption (by corpos if we are being honest) vs maintaining the distribution of the software.

Yes, but as my example points out, this is describing the competitive ecosystems.

Someone trying to interpret licenses might see this and believe getting involved in or licensing software under permissive licensing is bad in every case.

If that’s what you think could you at least elaborate why you think permissive licenses are always bad in every case?

I purely meant in the context of maximizing freedoms.
Copyleft licenses should be considered right to repair licenses.
Permissive licenses do not afford such guarantees and are ultimately hostile to the user.

I understand why people might consider using a permissive license and if they do that is their choice to do so.

As an aside, your explanations were excellent, I’m not disagreeing with you as a whole.

I’ll specify more about where my cynicism comes in for copyleft licensing from an anarchist perspective.

GPL is law-induced sharing of code if you want to build competition. Laws are ultimately rules enforced by states, which gain authority through threat of violence and imprisonment.

It’s ironic that people use the blanket statement that copyleft always improves freedoms when it ultimately relies on a the state and its legal economy to work.

Permissive licenses also rely on this legal economy, but simply to try amd avoid nonsensical lawsuits for how an author’s code is used, versus trying to curb economic behavior through legal threat.

Using state-backed legal enforcement to encourage good behavior is philisophically separated from an ecosystms that permissive licensing tends to encourage which os free flow of ideas and innovation regardless of economic intent.

That said, dreaming of philisophical ideals to say everything should be permissive, versus a dose of realism that a delicate application of both copyleft and permissive licensing is called for. For example, the Matrix spec/protocol being permissive and various competitive and community implementations being both copyleft and permissive to the author’s discretion. This protects developers like you from opportunists like “NeargosX” in my example above while encouraging a larger ecosystem and openness for healthy competitive variants of implementations.

Living in the reality that we do live in various state-backed legal systems and economies with large corporate actors that want to exploit healthy developer economies and profit off their work for free is why copyleft privides value and much needed legal protections to avoid that exploitation. This also assumes the state will correctly interpret AGPL, but that’s another can of worms.

So I think permissive is ideal when free flow of ideas and adoption is most important, copyleft is best for areas of high risk for profiteer exploitation of developers and the community’s code.

There are still practical downsides to “maximization of freedoms” when it comes to the AGPL.

In theory, there aren’t. But in practice, issues arise.

Say for example there’s an upstream software project of mine called Project A. this Project A is licensed under the permissive Apache 2.0.

My project Project B is for sake of example a longtime fork of Project A, and is currently also Apache 2.0.

There’s another project Project C that has code I want to incorporate into my project, but it’s licensed under the AGPL.

Now, for the longest time, being a good FOSS citizen, I have upstreamed as much as possible and relevant from my Project B to Project A, and I want to be able to continue doing so. However, if I include code from Project C in my Project B, I will be required to release the distributed software as AGPL, not Apache 2.0. Now, this doesn’t suddenly change the license of the existing code of course, but it does mean that any upstream contributions now have to be done with exceeding caution. Upstream might not want to be forced to distribute binaries under the AGPL, and so they will want a guarantee that none of my upstreamed patches contain any AGPL code.

While this is feasible in very simple situations, it becomes complicated after code has been mixing and mingling. What code was originally from the AGPL codebase? What was appended, modified, adjusted, etc? Many devs simply aren’t going to waste time dealing with tracking this minutiae, and simply prohibit AGPL changes to keep things simple.

TLDR: licenses like the AGPL can have a negative impact on the freedoms of FOSS developers, especially when there’s an existing ecosystem where all the projects in that ecosystem are using a permissive license and frequently sharing code