• a quick review of the timescaledb license

    From Antoine Beaupré@21:1/5 to All on Tue Jun 7 18:20:01 2022
    Hi,

    For work, I was asked to deploy a TimescaleDB server and figured "bah,
    that's C code, why isn't this in Debian!" I was about to file an RFP
    when I tripped over the "unknown" license on their GitHub repository:

    https://github.com/timescale/timescaledb/

    I found that it's not actually licensed under an official, OSI-approved
    free software license. A *part* of Timescale is licensed under
    Apache-2.0, and that's fine, but a look at their LICENSE file:

    https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/LICENSE

    ... which actually says:

    All source code should have information at the beginning of its respective file
    which specifies its licensing information.

    * Outside of the "tsl" directory, source code in a given file is licensed
    under the Apache License Version 2.0, unless otherwise noted (e.g., an
    Apache-compatible license).

    * Within the "tsl" folder, source code in a given file is licensed under the
    Timescale License, unless otherwise noted.

    When built, separate shared object files are generated for the Apache-licensed
    source code and the Timescale-licensed source code. The shared object binaries
    that contain `-tsl` in their name are licensed under the Timescale License.

    Okay, so what's in that `tsl/` folder? There you have *another* LICENSE
    file which is a custom license written specifically (presumably by
    lawyers) for timescaleDB:

    https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/tsl/LICENSE-TIMESCALE

    I haven't read the entirety of it, but it's pretty clear to me that this
    cannot be packaged in Debian at all, ever, under that license. Just
    clause 2.2 (prohibiting use in "software-as-a-service") breaks clause 6
    of the Debian free software guidelines. There are also limitations on
    modification and distribution, and (rather oddly I must say) a GPL-like
    contamination clause.

    The SaaS clause looks a bit like the MongoDB-style of license (SSPL and
    friends), which the OSI hasn't actually made a formal decision on,
    because MongoDB retracted their application:

    https://opensource.org/LicenseReview032019

    ... but OSI actually made a *statement* on that license explicitly saying
    that it's not "open source":

    https://opensource.org/sspl-not-open-source

    No doubt the latter was previously discussed here, but I figured I would mention it for completeness's sake.

    I should also state, for the record, that I am not a lawyer and the
    above cannot, therefore, serve as legal advice.

    Anyways, lots of fun, I almost have a headache now, but I figured I'd
    drop this here because I haven't found a mention of TimescaleDB on any
    Debian mailing list before. I figured I would save the trouble of future enthusiasts by sharing my research more broadly.

    a.

    PS: I don't think we'll use this at work, but you never know. Curious
    folks can follow up here:

    https://gitlab.torproject.org/tpo/tpa/team/-/issues/40770

    There's more juicy stuff regarding the way we can use Timescale at all,
    even if we disregard the "DFSG-style" discussion...

    --
    You can't get to the moon by climbing successively taller trees.
    - Akin's Laws of Spacecraft Design


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Antoine Beaupré@21:1/5 to All on Tue Jun 7 19:00:02 2022
    It was pointed out to me that TimescaleDB has an "open core" model and
    it's actually possible to build an "apache-2.0-only" version of the
    program. The differences between the two are here:

    https://docs.timescale.com/timescaledb/latest/timescaledb-edition-comparison/

    ... and guix actually made a package that removes the proprietary bits
    here:

    https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/databases.scm#n1315

    a.
    --
    Tu connaîtras la vérité de ton chemin à ce qui te rend heureux.
    - Aristote

  • From Francesco Poli@21:1/5 to All on Tue Jun 7 23:10:02 2022
    On Tue, 07 Jun 2022 12:11:11 -0400 Antoine Beaupré wrote:

    [...]
    > Okay, so what's in that `tsl/` folder? There you have *another* LICENSE
    > file which is a custom license written specifically (presumably by
    > lawyers) for timescaleDB:
    >
    > https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/tsl/LICENSE-TIMESCALE
    >
    > I haven't read the entirety of it,

    Nor have I, but some parts of it look clearly non-free, as you yourself
    point out.

    > but it's pretty clear to me that this
    > cannot be packaged in Debian at all, ever, under that license. Just
    > clause 2.2 (prohibiting use in "software-as-a-service") breaks clause 6
    > of the Debian free software guidelines.
    [...]

    Part of clause 2.2 states:

    [...]
    | 2.2 Prohibitions. Notwithstanding any other provision in this TSL
    | Agreement, You are prohibited from (i) using any TSL Licensed Software to
    | provide time-sharing services or database-as-a-service services, or to
    | provide any form of software-as-a-service or service offering in which the
    | TSL Licensed Software is offered or made available to third parties to
    | provide time-series database functions or operations, other than as part of | Your Value Added Products or Services, or (ii) copying or distributing any
    | TSL Licensed Software for use in any of the foregoing ways.
    [...]

    This really seems to fail DFSG#6.

    There are other parts of this license which appear to be blatantly
    non-free, but I haven't studied them in detail...



    --
    http://www.inventati.org/frx/
    There's not a second to spare! To the laboratory!
    ..................................................... Francesco Poli .
    GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE

  • From Sebastian Crane@21:1/5 to All on Tue Jun 7 22:50:01 2022
    Dear Antoine,

    > It was pointed out to me that TimescaleDB has an "open core" model and
    > it's actually possible to build an "apache-2.0-only" version of the
    > program.

    Yup, it looks like all files in the tsl/ directory are governed by the proprietary license, and can be excluded from builds:

    https://github.com/timescale/timescaledb/blob/3c56d3ecebbf476293ff43ded142bc9e5087f6de/tsl/src/init.c#L64

    Clearly some checks to make sure this 'APACHE-ONLY' flag actually
    works would be useful for Debian's purposes! :)

    Thanks for taking a look at this, Antoine. They could have been a bit
    clearer in describing their 'open core' model, since it must have
    confused quite a few would-be distro packagers by now!

    Best wishes,

    Sebastian
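
One way to run the kind of check suggested in the message above, as an added example that is not code from TimescaleDB, Debian or anyone in this thread: it audits a source or staged install tree for the three markers the quoted LICENSE text describes (a `tsl` directory, shared objects with `-tsl` in their name, and per-file license headers). The function names and the header phrase "Timescale License" are assumptions.

```shell
#!/bin/sh
# Added example: fail a package build if Timescale-licensed material is
# left in a source or staged install tree. Not project or Debian code.
# Assumption: per-file license headers contain the phrase "Timescale License".

# Shared objects with "-tsl" in the name (Timescale-licensed per the LICENSE).
tsl_objects() {
    find "$1" -type f -name '*-tsl*.so*' 2>/dev/null
}

# Any file that lives under a directory called "tsl".
tsl_paths() {
    find "$1" -type f -path '*/tsl/*' 2>/dev/null
}

# Source files outside tsl/ whose first 10 lines name the Timescale License
# (the "unless otherwise noted" case in the LICENSE text).
tsl_headers() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.sql' \) \
        ! -path '*/tsl/*' 2>/dev/null |
    while IFS= read -r f; do
        if head -n 10 "$f" | grep -qi 'Timescale License'; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every finding with a reason tag on stderr.
# Returns 0 when the tree is clean, 1 when anything was found.
audit_apache_only() {
    tree=$1
    findings=$(
        tsl_objects "$tree" | sed 's/^/tsl-binary: /'
        tsl_paths   "$tree" | sed 's/^/tsl-dir:    /'
        tsl_headers "$tree" | sed 's/^/tsl-header: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}
```

Running `audit_apache_only` on both the repacked source tree and the staged install directory covers the source and the binary side of the split.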
