[arch-dev-public] Mongodb and SSPL
Yo! As probably some of you have realized, there is a discussion regarding mongodb and the relicense from AGPLv3 to SSPLv1. RedHat has dropped it from their repository[1], and Debian is assumed to follow suit[2]. This is mostly due SSPL not being considered a free-license. It is currently being reviewed by OSI for inclusion, but it is not looking bright currently[3]. The OSI discussion is for SSPLv2, but it's my understanding that they are essentially the same license with some fixups. Obviously, we don't care about the license being free nor OSI compliant. We only care if we are allowed to redistribute or not. Link to the current license text as of mongodb release 4.0.5: https://github.com/mongodb/mongo/blob/r4.0.5/LICENSE-Community.txt There is nothing in the SSPLv1 license text that prohibits us from distributing mongodb. There are however special requirements in the license we have to abide if we want to distribute modified source code. Currently the PKGBUILD does a few sed's in the source to build it. I believe this constitutes as modified source code under "0. Definitions". To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work. Under section "5. Conveying Modified Source Versions" the most relevant part for us is section "a)". a) The work must carry prominent notices stating that you modified it, and giving a relevant date. Which means we need to give some heads-up that the source is changed. The next section is "6. Conveying Non-Source Forms" where I am unsure what applies to us. One way to distribute the modified source is required, where 5 possible options are listed. I think "d)" fits us, where we can host a source package on `source.archlinux.org`. But I'm frankly a bit unsure what the entire paragraph entails for us. Some more input on this section would be great. The bugreport FS#61394 is already submitted requesting a license change from AGPLv3 to SSPLv1, so we should probably figure this out before changing the license appropriately[5]? -- Morten Linderud PGP: 9C02FF419FECBE16 [1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-bet... [2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537#15 [3]: https://opensource.org/LicenseReview122018 [4]: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packa... [5]: https://bugs.archlinux.org/task/61394
On 17/1/19 12:02 am, Morten Linderud via arch-dev-public wrote:
Yo!
As probably some of you have realized, there is a discussion regarding mongodb and the relicense from AGPLv3 to SSPLv1.
<snip>
Under section "5. Conveying Modified Source Versions" the most relevant part for us is section "a)".
a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
Which means we need to give some heads-up that the source is changed.
I looked at what changes are made: # Broken tls13 support, removing to fix build sed -i '/counts.tls13/d' src/mongo/util/net/ssl_manager_openssl.cpp So I'd agree that is modified enough that the rest of the conditions apply. My conclusion is, having this package in the repos would require too much interpretation of a non-standard license to ensure compliance. Drop the package. Allan
On 2019/1/16 下午10:35, Allan McRae via arch-dev-public wrote:
Drop the package.
I have dropped the two packages (mongodb and wiredtiger) to the AUR, since I did not use MongoDB for quite some time anyway. Thanks for all the input here. -- Regards, Felix Yan
Someone sent me an off-list reply. I have forwarded it as it provides some additional information. ----- Forwarded message from Alexander Shpilkin <ashpilkin@gmail.com> ----- Date: Thu, 17 Jan 2019 17:09:54 +0300 From: Alexander Shpilkin <ashpilkin@gmail.com> To: Morten Linderud <foxboron@archlinux.org> Subject: Re: [arch-dev-public] Mongodb and SSPL User-Agent: alot/0.7 [I originally wrote this as a message to the list without realizing I can’t post there; feel free to send it wherever.] TL;DR: There’s enough FUD in the SSPL to make it unclear whether Mongo can, in fact, be distributed or not. Quoting Morten Linderud <foxboron@archlinux.org> (2019-01-16 15:02:55)
As probably some of you have realized, there is a discussion regarding mongodb and the relicense from AGPLv3 to SSPLv1. [...]
Obviously, we don't care about the license being free nor OSI compliant. We only care if we are allowed to redistribute or not.
[...]
There is nothing in the SSPLv1 license text that prohibits us from distributing mongodb.
I feel I should point out here that there’s uncertainty on part of both [debian-legal participants][1] and [Debian FTP masters][2] as to whether the distribution of binaries falls under the service restrictions. If it does, this would mean all software on the mirrors would need to be SSPL-compatible (in particular, non-GPL), which _would_ prohibit us. The SSPL authors [were asked][3] for their stance on this question, but do not appear to have answered. I think this is troubling in itself.
There are however special requirements in the license we have to abide if we want to distribute modified source code.
Currently the PKGBUILD does a few sed's in the source to build it. [...]
Note that the service restrictions (which are different from distribution restrictions) are applicable to both modified and unmodified versions; in fact, the original authors [declare][4] this to be among the design goals of the SSPL. [1]: https://lists.debian.org/debian-legal/2018/10/msg00008.html [2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537#50 [3]: http://lists.opensource.org/pipermail/license-review_lists.opensource.org/20... [4]: http://lists.opensource.org/pipermail/license-review_lists.opensource.org/20... -- Alex Shpilkin ----- End forwarded message ----- -- Morten Linderud PGP: 9C02FF419FECBE16
participants (3)
-
Allan McRae
-
Felix Yan
-
Morten Linderud