
Re: [Trustees] Proposed Revisions to the IETF Trust LegalProvisions (TLP)

2009-06-23 14:09:09
Dear Simon;

Just to save people from having to wade through lots of text unnecessarily, the major issue we are discussing here is the "license by reference" aspect of the proposed TLP's BSD license requirements.

On Jun 23, 2009, at 1:16 PM, Simon Josefsson wrote:

Marshall Eubanks <tme(_at_)americafree(_dot_)tv> writes:

Simon asked that this go to the IETF list.

Thanks for moving this back to the IETF list.  I believe these
discussions should be public. Many considerations appear to have been
made that the wider IETF community is unaware of.


At least in this case, there was no secrecy intended - I just hit "reply all." It had come to me with the distribution stripped out.

I would expect information like this to be part of the IETF Trust
minutes, but it seems no minutes have been published since September
2008: http://trustee.ietf.org/minutes.html


We are working on this and expect to get caught up soon - but minutes will rarely capture
all of the details of such discussions.

Begin forwarded message:

From: Marshall Eubanks <tme(_at_)americafree(_dot_)tv>
Date: June 23, 2009 11:30:50 AM EDT
To: Simon Josefsson <simon(_at_)josefsson(_dot_)org>
Cc: Trustees <trustees(_at_)ietf(_dot_)org>
Subject: Re: [Trustees] Proposed Revisions to the IETF Trust
LegalProvisions (TLP)


On Jun 23, 2009, at 10:18 AM, Simon Josefsson wrote:

"Contreras, Jorge" <Jorge(_dot_)Contreras(_at_)wilmerhale(_dot_)com> writes:


4.e -- this new section clarifies the legend requirements for Code
Components that are used in software under the BSD License. In short,
the user must include the full BSD License text or a shorter pointer
to it (which is set forth in Section 6.d)
...
6.d -- the BSD legend/pointer described in 4.e above

The text in 6.d doesn't work.  Part of the BSD license (quoted in your
document) is this paragraph:

Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the
distribution.

If you replace the BSD license with a pointer, you would violate that
part of the BSD license.

To avoid simple mistakes when changing things related to the BSD license
(which now appears to be the norm rather than the exception) I believe
it would be a good idea for the IETF Trust to talk with people and
organizations who understand open source licensing. I'm sure the
Software Freedom Law Center could help here.

Simon (removing the large cc list):

This language was added after extensive review and consultation with
open source experts, including members of the IESG.  There are several
open source projects (including some run by Yahoo) that use a pointer
for the BSD license, rather than the full text.  We do not think this is
a violation of the BSD language.  You may disagree, which is why there
is a public comment period for these documents.  But please don't assume
that these decisions were taken rashly or without serious consideration.

Can you name the open source projects that operate like this?  I've
never heard of a model like this before, and I'm interested to learn
about it if it is used successfully.

Dear Simon;

There was a lot of discussion about this inside the Trust, and I was
originally in favor of sticking with the BSD 15 line template and was
very dubious about a "license by reference" approach. However, there was
push-back on the length of this (from, e.g. Pasi Eronen), and then Russ
found out that for YAHOO the

Before continuing the response, should we understand that the rationale
for this change is to shorten the license text that has to be included
in derived works?  Did the Trust do anything to identify whether the
wider IETF community feels this is a problem? In other words: on whose
behalf is this change made?

We received complaints about the February 15th TLP in this regard.



If that is the rationale, has an alternative to the BSD license been
considered?

The answer is yes, alternatives were considered, but this is a complicated issue.
Part of the advice we received from the legal people
we talked to was to use a common license choice, lest corporations simply never use the code, to save
the expense of getting legal approval of the license. BSD seemed
to be strongly favored here, as something that is well known and used by lots of parties. This advice, as far as I can tell, was virtually unanimous, both to the Trust as a whole, and to myself and others in our
individual discussions.

The GAP below seems simple, but that doesn't mean that corporate counsel would regard it as simple. I do not know. (In my experience it is very hard to get a corporate counsel, especially counsel you are not paying for, to say that anything is OK. I am inevitably reminded of J.R.R. Tolkien's saying:

"Go not to the elves for counsel, for they will say both yes and no.")

All of this makes it hard for me to see the wisdom of adopting another license.

 The GNU All Permissive (GAP) license is comparable in size
to the excerpt in 6.d.  The entire GAP license reads:

Copying and distribution of this file, with or without modification,
    are permitted in any medium without royalty provided the copyright
    notice and this notice are preserved.

Another option is to describe the common practice that many open source
packages are using: include a short blurb in the file or function that
contains the derived work, pointing to a file included in the
distribution.

Just as an aside, one thing that worried me about this was that we would have little or no control over packages using IETF code. It seems better to me to keep a notice close to the code, instead of requiring it in another file in a distribution that could be removed entirely, say if the
distribution was used in another distribution.



YUI JavaScript library and the Django web framework (used in
datatracker.ietf.org) don't include the license terms in every file.

The code contains this:

/*
Copyright (c) 2009, Yahoo! Inc. All rights reserved.
Code licensed under the BSD License:
http://developer.yahoo.net/yui/license.txt

It is not hard to find examples of this, both within Yahoo and without.
See, e.g., http://developer.yahoo.com/yui/docs/AttributeProvider.js.html

This usage is typical and fine.  In general, there are two reasons why
this usage is fine.

Can you provide a reference here? This was not the legal reasoning brought forth in the
discussions I was part of.

If there are any court cases that deal with this matter, we would love to learn about them.

We were told by counsel that there were no court cases involving license by reference and so, in their absence, this would be in the end a matter of judgement on the part of the Trust and the IETF. The proposed TLP thus results from our best estimate of what is legally sound, informed of course by the Trust's legal counsel.

 Only one condition needs to hold:

1) The publisher of the material is not a "redistributor" of the code
under the BSD license.

2) The copyright holder includes the BSD license in the package.

Note that Yahoo includes the entire copy of the BSD license where it has
used others' code in the YUI package.

The new IETF policy text suggests that recipients redistribute code
components under the BSD license when they include only the notification
text in section 6.d. I.e., not the entire BSD license text. Doing that
would violate the letter of the BSD license.  This is not the same
situation as for the Yahoo case, since the recipient of an IETF work is
neither the copyright holder nor does the redistributed combined work
necessarily include the entire BSD license.

So, we researched the status of the BSD license in this regard.
I took it upon myself to query various people I know in the open
software community

That is excellent, and I applaud you for it.

I believe this background information is important for the community to
know about, because information like this creates confidence in your
work.  I'm curious why information like this is only communicated
re-actively.  Is it due to lack of manpower?  It may be that
communicating material like this pro-actively would create less work in
the long term.

It could be. I did not communicate this because I just assumed it was part of my job not to
approve anything without doing due diligence.




While the individual responses are private (I could certainly ask
people if they mind being quoted, but I wanted to get this out today),
typical is this:

"Yahoo is following common practice."

They are indeed.  My claim is that the new IETF policy would result in
situations where common practice is not followed.

I did not receive a single negative response.

Actually, one of the cut out responses said that re-distributors must
include the BSD template in the distribution.  That is my concern.


I have asked them to comment publicly.

Regards
Marshall

/Simon

I also talked with corporate counsel from a large corporation with a
heavy IETF involvement, who at least did not object to this.

In addition, the other Trustees did their own research, and this was
discussed both internally and externally over a period of over 2
months.

And, of course, our own counsel, Jorge Contreras, researched this
and agrees with the feasibility of the license by reference
approach.

After all of this, the Trust developed consensus around the license
by reference option.

So, I feel that the Trustees have done due diligence here.

Of course, there is never a final word on these matters. If you know
reasons why this is inadvisable, I would be glad to hear them. That
is, of course, why all of these matters go to community review.

I of course extend this request to everyone. It is important to get
this right.

Regards
Marshall



Regards
Marshall




Which open source experts did you consult about licensing?

Providing background information and rationale behind changes when
posting drafts would give you the benefit of doubt about these issues,
and would probably build more confidence in the change within the IETF
community.

/Simon

