Dnscrypt-proxy: github.com/facebookgo/atomicfile and github.com/facebookgo/pidfile have problematic licenses

Created on 10 Jul 2020  路  19Comments  路  Source: DNSCrypt/dnscrypt-proxy

We tried to submit updated dnscrypt-proxy2 to openSUSE and it was rejected with:

```
Those are not considered free software:

dnscrypt-proxy-2.0.44/vendor/github.com/facebookgo/atomicfile/patents
dnscrypt-proxy-2.0.44/vendor/github.com/facebookgo/pidfile/patents
````

These repos are now archived, so unlikely to be updated to remove patents clause. Would it be possible to replace them?

Most helpful comment

Anyway, that was a good opportunity to remove two unneeded dependencies!

All 19 comments

That's a misunderstanding of the license and patent grant. The patent grant is not about copyright law, and is granting additional rights beyond what a copyright license can provide.

I suggest reading the license and the patent grant file. There is no patent clause in the copyright license. I saw this on Twitter (https://twitter.com/jedisct1/status/1281545061222821888) and was curious how it could be that these weren't licensed under open source licenses but it's not actually true.

Thanks for trying to submit this to openSUSE!

Thanks, @thestinger ! It might indeed be a misunderstanding on their end. Understandably, a patents file doesn鈥檛 inspire confidence.

That being said, these modules are trivial, so maybe we should just go ahead and reimplement them, especially since they are apparently no longer maintained (thanks for bringing this to my attention!)

Well, I would believe you @thestinger but getting a lawyer putting a stamp on it is unlikely. Thanks @jedisct1 for understanding.

To explain why the clause is not compatible with open source: the grant is not the problem, the termination clause is. And Facebook terminated this license as it's very controversial

The danger is very small meanwhile as Facebook is part of https://www.openinventionnetwork.com/community-of-licensees/ - but it's still not an open source license, so an update is welcome.

The license is at https://github.com/facebookarchive/atomicfile/blob/master/license. The https://github.com/facebookarchive/atomicfile/blob/master/patents file is explicitly granting additional rights beyond the license by giving a patent license. If you don't want this additional grant of rights, you could just not use it. It's a separate file providing a patent grant. It's not part of the main license.

Also, since when does open source software require patent grants from the authors? What about patents not owned by the authors of the software?

Do we have an ETA for the release?

The dependencies have been removed, but I'm still puzzled about what patents would possibly apply here and why these dependencies were not considered opensource, unlike explicitly stated in the license.

/cc @daaku

Do we have an ETA for the release?

Whenever it's ready :)

The renaming of blacklist/whitelist everywhere, in particular, needs quite a bit of testing to make sure that it doesn't break too many existing configurations.

I'd love to also be able to release this after dnsdist 1.5 is released (fixing bugs affecting dnscrypt-proxy), so we can finally get rid of the temporary workarounds for Quad9 et al.

Understandably, a patents file doesn鈥檛 inspire confidence.

Does the lack of an explicit patent grant inspire confidence? For example, DNSCrypt does not provide an explicit patent grant. Implicit patent grants for software are an untested legal theory. If DNSCrypt contributors own relevant patents, they could potentially succeed in lawsuits against users of the software not obtaining patent licenses. Regardless, it's not necessarily the authors of the software who own relevant patents.

The dependencies have been removed, but I'm still puzzled about what patents would possibly apply here and why these dependencies were not considered opensource, unlike explicitly stated in the license.

They granted the right to use their patents under certain terms beyond what most lawyers consider the BSD license to provide. If you're happy with the terms of the BSD license, you could use it under that without accepting the additional grant. It's explicitly marked as an additional grant and is separate from the license.

If permissive patent grants are required for software to be open source, DNSCrypt itself is not really open source, because explicit patent grants have been found to be required in general. I've never heard it claimed that a permissive patent grant is required for software to be open source. The Apache 2 license contains a termination clause for the patent grant in retaliation for a lawsuit.

Quote from the Apache 2 license:

  1. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

Anyway, that was a good opportunity to remove two unneeded dependencies!

Facebook has been removing the patents files from their repositories for some time. I no longer work at Facebook, so I don't have the ability to do this. Maybe open an issue and hopefully someone will take a look?

OpenBSD considers GPL non-free too, for very valid reasons. Unlike the Apache 2 license, there is no clause about patents in the license for this legacy Facebook software. It's an additional grant separate from the license. It's just very strange to me for an additional grant of rights to be considered less free than not having the option of it. Facebook clearly considered the BSD license to not provide a more permissive patent grant. Removing an additional grant isn't making the software more permissively licensed.

@daaku Doesn't seem relevant anymore to DNSCrypt. I just found the whole thing strange.

I'd love to also be able to release this after dnsdist 1.5 is released (fixing bugs affecting dnscrypt-proxy), so we can finally get rid of the temporary workarounds for Quad9 et al.

https://blog.powerdns.com/2020/07/30/dnsdist-1-5-0-released/

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Hasshu picture Hasshu  路  4Comments

Marco-vW picture Marco-vW  路  6Comments

EstherMoellman picture EstherMoellman  路  5Comments

Ambitious-Dreamer picture Ambitious-Dreamer  路  4Comments

Sak94664 picture Sak94664  路  5Comments