[Bug 1122267] New: MongoDB SSPL v1 license and the DFSG
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 Bug ID: 1122267 Summary: MongoDB SSPL v1 license and the DFSG Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: All OS: All Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening@forge.provo.novell.com Reporter: ilya@ilya.pp.ua QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Here is the original text from the Debian bugzilla. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537 I would like your opinion on whether MongoDB's new SSPL license is suitable for inclusion in the main archive. To give a bit of background, MongoDB was previously distributed under a mixed AGPL-3.0/Apache-2.0 license. On 2018-10-15, upstream did a commit replacing AGPL-3.0 with the new Server Side Public License Version 1[1] — of which MongoDB is the steward. The same change was backported to two stable branches, with the 3.6.9 and 4.0.4 stable revisions carrying the new license. MongoDB has submitted the license to OSI for review[2]; the discussion there is still ongoing, but the initial response seems to be negative. In essence, the license (at least v1 which is currently in use) is almost identical to AGPL-3.0, with the exception of Section 13, which states:
13. Offering the Program as a Service.
If you make the functionality of the Program or a modified version available to third parties as a service, you must make the Service Source Code available via network download to everyone at no charge, under the terms of this License. Making the functionality of the Program or modified version available to third parties as a service includes, without limitation, enabling third parties to interact with the functionality of the Program or modified version remotely through a computer network, offering a service the value of which entirely or primarily derives from the value of the Program or modified version, or offering a service that accomplishes for users the primary purpose of the Program or modified version.
“Service Source Code” means the Corresponding Source for the Program or the modified version, and the Corresponding Source for all programs that you use to make the Program or modified version available as a service, including, without limitation, management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available.
What this section says (at least to my eyes), is that the SSPL requires *all software* interfacing with MongoDB to form a "service" to be licensed under the SSPL too. This is a much broader restriction than linking, but still does not seem to violate DFSG #9. It is also not a universal restriction, but one that is based on use/field of endeavor: + The same ancillary software, when made part of a "MongoDB service", must be licensed under the SSPL, while when used for other purposes may carry any license. + Conversely, when building a service around MongoDB, you are only allowed to use SSPL-licensed software to build that service, something that may turn out to be impractical or even impossible. Note that this does not violate DFSG #6, as it does not prohibit *using* MongoDB itself for specific purposes, but it places heavy restrictions on *other* software you are able to use alongside MongoDB to build a service (for instance you can use bacula to backup your personal MongoDB instance, but you can't use bacula to backup your MongoDB-as-a-service unless bacula switches to SSPL). This has been somewhat rectified in v2, which was submitted to OSI for review[3], but the spirit remains. Also note that judging whether something is a "MongoDB service" depends on how much of its value it derives from MongoDB, or whether its primary purpose is "MongoDB", criteria that are both rather vague in themselves. Finally, I worry that "enabling third parties to interact with the functionality of the Program […] remotely through a computer network" could be interpreted to also include Debian packages, in which case the above restrictions would apply to the Debian infrastructure as well. Given the above and the fact that I'm not aware of any similar precedent in the archive, I would like your opinion on the license's DFSG compatibility. My personal view is that while the license does not violate the DFSG directly, it also does not agree with the DFSG's spirit (esp. DFSG #6). If we deem the license to be DFSG-incompatible, then MongoDB will most likely have to be removed from the archive eventually; keeping the last AGPL-licensed version around without the ability to cherry-pick commits from upstream is not viable (definitely so for inclusion in stable), given the size and the complexity of the codebase. Regards, Apollon -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 Andreas Stieger <astieger@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1122561 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c1 Andreas Stieger <astieger@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aplanas@suse.com, | |astieger@suse.com, | |richard.palethorpe@suse.com Assignee|bnc-team-screening@forge.pr |aplanas@suse.com |ovo.novell.com | --- Comment #1 from Andreas Stieger <astieger@suse.com> --- Maintainers can you please get in touch with legal? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c2 --- Comment #2 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Andreas Stieger from comment #1)
Maintainers can you please get in touch with legal?
Sure! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c3 --- Comment #3 from Alberto Planas Dominguez <aplanas@suse.com> --- There is a opinion from SUSE about the new SSPLv1 license from MongoDB in relation with OBS. I think that is very close to the one that other projects and communities have taken, so let me copy this paragraph than comes from an internal communication. --
Reading the comments, it is my view that we should _not_ put MongoDB with SSPLv1 into OBS, and we should take time for a decision about a future MongoDB with SSPLv2. --
MongoDB updated in November the SSPLv1 to a new SSPLv2 that is also under OSI review: https://opensource.org/LicenseReview122018 As MongoDB is currently released only under SSPLv1 there is a decision about the relation between this license and OBS, that is not to publish or release any SSPLv1 code in OBS. Even if it is yet to be seen, there are arguments to believe that v1 will not be approved by OSI. For SSPLv2 we need to wait a bit more. @Илья Индиго: Is it OK to close the bug for now, or do you want to maintain it open? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c4 Илья Индиго <ilya@ilya.pp.ua> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED --- Comment #4 from Илья Индиго <ilya@ilya.pp.ua> --- Thank you for response! This bug is needed to block bugs about an outdated version MongoDB, for example #1122561. I think this bug should be closed only when or it is decided to supply MongoDB in Non-free repositories or the MongoDB developers will switch to an acceptable license. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 Arjen de Korte <suse+build@de-korte.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse+build@de-korte.org -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c5 --- Comment #5 from Arjen de Korte <suse+build@de-korte.org> --- Nine months have passed and MongoDB is still available (and being maintained) in Factory and therefore released in Tumbleweed. Is this intentional? Can development continue with for instance MongoDB 4.2 and might this eventually land in Factory, or am I just wasting my time on that? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c6 --- Comment #6 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Arjen de Korte from comment #5)
Nine months have passed and MongoDB is still available (and being maintained) in Factory and therefore released in Tumbleweed. Is this intentional?
I can see that the one in factory is still under AGPL-3.0, and this is OK
Can development continue with for instance MongoDB 4.2 and might this eventually land in Factory, or am I just wasting my time on that?
No, 4.2 will not land in Factory, as is under SSPLv1 license, and we cannot redistribute this software : ( Technically the last SR in the devel project, that update the license, is also not OK, but as we do not redistribute it via Tumbleweed nor Leap, maybe is not so wrong. But now that the license in the devel project changed, a SR to Factory would trigger a review from legal, that I would expect that will decline the SR. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c7 --- Comment #7 from Arjen de Korte <suse+build@de-korte.org> --- (In reply to Alberto Planas Dominguez from comment #6)
(In reply to Arjen de Korte from comment #5)
Nine months have passed and MongoDB is still available (and being maintained) in Factory and therefore released in Tumbleweed. Is this intentional?
I can see that the one in factory is still under AGPL-3.0, and this is OK
No, that is not OK. Any MongoDB release after Oct 16 2018 is SSPL-1.0. The latest version in factory is 3.6.13 which was released Jun 10 2019, so this is well after that date. So although the license in the .spec file says 'AGPL-3.0', this is wrong and actually should be 'SSPL-1.0'. The last MongoDB 3.6 release under the AGPL-3.0 would have been 3.6.8, released Sep 19 2018.
Can development continue with for instance MongoDB 4.2 and might this eventually land in Factory, or am I just wasting my time on that?
No, 4.2 will not land in Factory, as is under SSPLv1 license, and we cannot redistribute this software : (
Clear.
Technically the last SR in the devel project, that update the license, is also not OK, but as we do not redistribute it via Tumbleweed nor Leap, maybe is not so wrong.
I beg to differ. MongoDB is *still* being distributed through Tumbleweed.
But now that the license in the devel project changed, a SR to Factory would trigger a review from legal, that I would expect that will decline the SR.
-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c8 --- Comment #8 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Arjen de Korte from comment #7)
(In reply to Alberto Planas Dominguez from comment #6)
(In reply to Arjen de Korte from comment #5)
Nine months have passed and MongoDB is still available (and being maintained) in Factory and therefore released in Tumbleweed. Is this intentional?
I can see that the one in factory is still under AGPL-3.0, and this is OK
No, that is not OK. Any MongoDB release after Oct 16 2018 is SSPL-1.0. The latest version in factory is 3.6.13 which was released Jun 10 2019, so this is well after that date. So although the license in the .spec file says 'AGPL-3.0', this is wrong and actually should be 'SSPL-1.0'.
The last MongoDB 3.6 release under the AGPL-3.0 would have been 3.6.8, released Sep 19 2018.
: ( we need to revert that, or request the removal then. Thanks for pointing the problem!
Can development continue with for instance MongoDB 4.2 and might this eventually land in Factory, or am I just wasting my time on that?
No, 4.2 will not land in Factory, as is under SSPLv1 license, and we cannot redistribute this software : (
Clear.
Technically the last SR in the devel project, that update the license, is also not OK, but as we do not redistribute it via Tumbleweed nor Leap, maybe is not so wrong.
I beg to differ. MongoDB is *still* being distributed through Tumbleweed.
Under AGPL-3.0, but as you noted, the license do not match the code. That is why it was, wrongly, distributed. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c9 --- Comment #9 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Alberto Planas Dominguez from comment #8)
(In reply to Arjen de Korte from comment #7)
The last MongoDB 3.6 release under the AGPL-3.0 would have been 3.6.8, released Sep 19 2018.
: ( we need to revert that, or request the removal then.
Thanks for pointing the problem!
https://build.opensuse.org/request/show/742116 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c10 --- Comment #10 from Arjen de Korte <suse+build@de-korte.org> --- Now that MongoDB will be removed from Tumbleweed as well, boo#1122561, boo#1149102 and boo#1147037 can probably be closed as WONTFIX as well. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c11 --- Comment #11 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Arjen de Korte from comment #10)
Now that MongoDB will be removed from Tumbleweed as well, boo#1122561, boo#1149102 and boo#1147037 can probably be closed as WONTFIX as well.
+1, thanks! Also some Python packages (python-Flask-PyMongo, python-flask-mongoengine) will need the same consideration. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1122267 http://bugzilla.opensuse.org/show_bug.cgi?id=1122267#c12 Alberto Planas Dominguez <aplanas@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |FIXED --- Comment #12 from Alberto Planas Dominguez <aplanas@suse.com> --- As mongodb was dropped, I think that we can close it. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com