• Classification of the APSL as non-DFSG-compliant

    From John Paul Adrian Glaubitz@21:1/5 to All on Mon Apr 20 09:10:01 2020
    XPost: linux.debian.ports.powerpc

    Hello!

    I would like to adopt the package hfsprogs which is required for debian-installer
    on Apple PowerBook and PowerMac.

    Since 2012, there has been a bug report opened against the claiming that the package is not DFSG-compliant due to the APSL license and I have some doubts
    in the current situation.

    For one, it seems that the claim that hfsprogs is licensed under APSL-2.0 [2] is not correct. Looking at the sources upstream, the various source code
    files have at most APSL-1.2 [3, 4, 5] and not 2.0 as claimed in the Debian package.

    Secondly, for the APSL-1.2, it seems that the only clause that makes the license non-DFSG-compliant is this one:

    (c) You must make Source Code of all Your Deployed Modifications publicly
    available under the terms of this License, including the license grants
    set forth in Section 3 below, for as long as you Deploy the Covered Code
    or twelve (12) months from the date of initial Deployment, whichever is
    longer. You should preferably distribute the Source Code of Your Deployed
    Modifications electronically (e.g. download from a web site); and

    It was claimed in [6] that this clause makes the APSL-1.2 non-DFSG-compliant as it's
    not possible for Debian to keep every single modification around for at least 12 months.

    This claim may have been valid in 2001, but I think it does not hold up for 2020 since source code to packaging in Debian is usually maintained in
    Salsa or Github and therefore keeping all modifications available for 12
    months and longer, plus there is Debian Snapshots [7] which keeps older versions of a package around as well - including source code.

    Given these circumstances, is it still justified to claim that the APSL-1.2
    is non-DFSG-compliant? Note, I'm particularly talking about version 1.2 and
    not version 2.0 as 1.2 is used even in the latest version of the HFS filesystem utilities that we need for debian-installer on Apple PowerMacs [8].

    For the APSL-2.0, the situation seems more complicated [9] but a re-evaluation would be welcome here as well but necessary at the moment as I'm interested
    in getting the hfsprogs package updated.

    Adrian

    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666707
    [2] https://sources.debian.org/src/hfsprogs/332.25-11/debian/copyright/
    [3] https://opensource.apple.com/source/diskdev_cmds/diskdev_cmds-332.25/newfs_hfs.tproj/newfs_hfs.c.auto.html
    [4] https://opensource.apple.com/source/diskdev_cmds/diskdev_cmds-332.25/fsck_hfs.tproj/fsck_hfs.c.auto.html
    [5] https://opensource.apple.com/source/diskdev_cmds/diskdev_cmds-332.25/mount_hfs.tproj/mount_hfs.c.auto.html
    [6] https://lists.debian.org/debian-legal/2001/09/msg00103.html
    [7] http://snapshot.debian.org/package/hfsprogs/
    [8] https://opensource.apple.com/source/hfs/hfs-522.0.9/APPLE_LICENSE.auto.html
    [9] https://lists.debian.org/debian-legal/2004/06/msg00573.html

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tobias Frost@21:1/5 to Mihai Moldovan on Mon Apr 20 10:30:01 2020
    On Mon, Apr 20, 2020 at 10:06:23AM +0200, Mihai Moldovan wrote:
    * On 4/20/20 9:03 AM, John Paul Adrian Glaubitz wrote:
    Secondly, for the APSL-1.2, it seems that the only clause that makes the license non-DFSG-compliant is this one:

    (c) You must make Source Code of all Your Deployed Modifications publicly
    available under the terms of this License, including the license grants
    set forth in Section 3 below, for as long as you Deploy the Covered Code
    or twelve (12) months from the date of initial Deployment, whichever is
    longer. You should preferably distribute the Source Code of Your Deployed
    Modifications electronically (e.g. download from a web site); and

    It was claimed in [6] that this clause makes the APSL-1.2 non-DFSG-compliant as it's
    not possible for Debian to keep every single modification around for at least
    12 months.

    This claim may have been valid in 2001, but I think it does not hold up for 2020 since source code to packaging in Debian is usually maintained in Salsa or Github and therefore keeping all modifications available for 12 months and longer, plus there is Debian Snapshots [7] which keeps older versions of a package around as well - including source code.

    It may or may not fail the Desert Island Test, depending on how broad "publicly"
    is interpreted.

    For sure it fails the Dissident Test.

    While it may not be a huge (technical) problem for the Debian Project to comply
    to this term specifically, any user (and modifier) of this code would need to find a way to publish their own modifications for at least the given time - and
    maybe even longer based on their "deployment" (which includes current usage). This sounds like a pretty difficult thing to do for individuals.



    Mihai


  • From John Paul Adrian Glaubitz@21:1/5 to Tobias Frost on Mon Apr 20 10:50:01 2020
    On 4/20/20 10:28 AM, Tobias Frost wrote:
    This claim may have been valid in 2001, but I think it does not hold up for 2020 since source code to packaging in Debian is usually maintained in
    Salsa or Github and therefore keeping all modifications available for 12 months and longer, plus there is Debian Snapshots [7] which keeps older versions of a package around as well - including source code.

    It may or may not fail the Desert Island Test, depending on how broad "publicly"
    is interpreted.

    For sure it fails the Dissident Test.
    Does it? The part which requires the availability of the source changes explicitly
    talks about deployment of the software, i.e. distribution, not personal use which
    would be the criteria for the dissident test.

    If I'm using the software for myself and modify it, I'm free to keep the modifications
    to myself unless I distribute the software, so I don't think the clause would fail
    the test.

    Adrian

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From John Paul Adrian Glaubitz@21:1/5 to Mihai Moldovan on Mon Apr 20 11:20:03 2020
    On 4/20/20 11:04 AM, Mihai Moldovan wrote:
    * On 4/20/20 10:48 AM, John Paul Adrian Glaubitz wrote:
    For sure it fails the Dissident Test.
    Does it? The part which requires the availability of the source changes explicitly
    talks about deployment of the software, i.e. distribution, not personal use which
    would be the criteria for the dissident test.

    If I'm using the software for myself and modify it, I'm free to keep the modifications
    to myself unless I distribute the software, so I don't think the clause would fail
    the test.

    Yes, but the Dissident Test explicitly includes distribution to friends.

    I don't think that sharing your software with friends qualifies to the term "Software Deployment" that Apple is talking about here. Personal Use is explicitly excluded from the deployment term, even when the source is distributed.

    In 1.4, the license states:

    1.4 "Deploy" means to use, sublicense or distribute Covered Code other than
    for Your internal research and development (R&D) and/or Personal Use,
    and includes without limitation, any and all internal use or distribution
    of Covered Code within Your business or organization except for R&D use
    and/or Personal Use, as well as direct or indirect sublicensing or
    distribution of Covered Code by You to any third party in any form or manner.

    It's pretty obvious from this clause that the requirement to provide the sources
    of your modifications for at least 12 months applies to commercial distribution only.

    Adrian

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From Tobias Frost@21:1/5 to John Paul Adrian Glaubitz on Mon Apr 20 12:20:02 2020
    On Mon, Apr 20, 2020 at 11:13:48AM +0200, John Paul Adrian Glaubitz wrote:
    On 4/20/20 11:04 AM, Mihai Moldovan wrote:
    * On 4/20/20 10:48 AM, John Paul Adrian Glaubitz wrote:
    For sure it fails the Dissident Test.
    Does it? The part which requires the availability of the source changes explicitly
    talks about deployment of the software, i.e. distribution, not personal use which
    would be the criteria for the dissident test.

    If I'm using the software for myself and modify it, I'm free to keep the modifications
    to myself unless I distribute the software, so I don't think the clause would fail
    the test.

    Yes, but the Dissident Test explicitly includes distribution to friends.

    I don't think that sharing your software with friends qualifies to the term "Software Deployment" that Apple is talking about here. Personal Use is explicitly excluded from the deployment term, even when the source is distributed.

    In 1.4, the license states:

    1.4 "Deploy" means to use, sublicense or distribute Covered Code other than
    for Your internal research and development (R&D) and/or Personal Use,
    and includes without limitation, any and all internal use or distribution
    of Covered Code within Your business or organization except for R&D use
    and/or Personal Use, as well as direct or indirect sublicensing or
    distribution of Covered Code by You to any third party in any form or manner.

    It's pretty obvious from this clause that the requirement to provide the sources
    of your modifications for at least 12 months applies to commercial distribution
    only.

    Distributing to friends may cross the line of personal use. And !"personal use" != "commercial use".
    (I define "personal use" as individual use; not use of a group.)

    Also, there may be a Dissident Inc; also that needs the Dissident Test to pass.

    The last sentence reads to me that distributing to 3rd parties is Deployment. Your dissident friend is a "third party".

    However, if it is the intention of that paragraph that commercial use is to be treated differently, this alone would be a reason to call a license non-free (DFSG §6).

    Adrian

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913


  • From John Paul Adrian Glaubitz@21:1/5 to Tobias Frost on Mon Apr 20 12:30:01 2020
    On 4/20/20 12:15 PM, Tobias Frost wrote:
    It's pretty obvious from this clause that the requirement to provide the sources
    of your modifications for at least 12 months applies to commercial distribution
    only.

    Distributing to friends may cross the line of personal use. And !"personal use" != "commercial use".
    (I define "personal use" as individual use; not use of a group.)

    Also, there may be a Dissident Inc; also that needs the Dissident Test to pass.

    The last sentence reads to me that distributing to 3rd parties is Deployment.
    Your dissident friend is a "third party".

    However, if it is the intention of that paragraph that commercial use is to be
    treated differently, this alone would be a reason to call a license non-free (DFSG §6).

    How is that different from the GPL-2 which mandates three years of distribution for non-personal distribution. I have the impression that you are applying double-standards here.

    Any commercial product using GPL-2 must share the source code publicly, the same applies to the APSL-1.2. There is no difference.

    Adrian

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From Tobias Frost@21:1/5 to John Paul Adrian Glaubitz on Mon Apr 20 12:40:01 2020
    On Mon, Apr 20, 2020 at 12:22:52PM +0200, John Paul Adrian Glaubitz wrote:
    On 4/20/20 12:15 PM, Tobias Frost wrote:
    It's pretty obvious from this clause that the requirement to provide the sources
    of your modifications for at least 12 months applies to commercial distribution
    only.

    Distributing to friends may cross the line of personal use. And !"personal use" != "commercial use".
    (I define "personal use" as individual use; not use of a group.)

    Also, there may be a Dissident Inc; also that needs the Dissident Test to pass.

    The last sentence reads to me that distributing to 3rd parties is Deployment.
    Your dissident friend is a "third party".

    However, if it is the intention of that paragraph that commercial use is to be
    treated differently, this alone would be a reason to call a license non-free (DFSG §6).

    How is that different from the GPL-2 which mandates three years of distribution
    for non-personal distribution. I have the impression that you are applying double-standards here.

    Any commercial product using GPL-2 must share the source code publicly, the same applies to the APSL-1.2. There is no difference.

    No. The GPL requires you only to give the sources to the recipient of the work, not to everyone which is the definition of "publicly" [1].

    [1] https://dictionary.cambridge.org/dictionary/english/publicly

    Adrian

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From Tobias Frost@21:1/5 to John Paul Adrian Glaubitz on Mon Apr 20 13:40:01 2020
    On Mon, Apr 20, 2020 at 01:14:15PM +0200, John Paul Adrian Glaubitz wrote:
    On 4/20/20 12:32 PM, Tobias Frost wrote:
    Any commercial product using GPL-2 must share the source code publicly, the
    same applies to the APSL-1.2. There is no difference.

    No. The GPL requires you only to give the sources to the recipient of the work,
    not to everyone which is the definition of "publicly" [1].

    I don't see any difference from a distribution point of view. Apple's APSL
    is even less restrictive than the GPL-2 here as it does not require you
    to share your modifications among your friends or for R&D. The GPL-2
    requires that, the APSL not.

    That is not the point. Excess distribution is the problem. I have to offer the code to people I have not interacted with.
    (And the license does not say anything about friends, just about RD departments)

    Furthermore, the question that is relevant for the dissident test - that
    was used as argument for calling the license non-free - is whether sharing your modifications with your friends would require you to make these modifications public. And that is clearly not the case.

    As said, IMHO, distributing to the friend of a dissident is considered as Deployment.

    And, devdisk_cmds (which is what hfsprogs is derived from) is part of the Fedora main distribution [1]. So RedHat's lawyers seem to agree that the license can be considered free. It's not distributed in openSUSE for the moment, but as a SUSE employee, I should be able to ask our lawyers.

    In any case, I will be contacting Apple now and I will ask for their assessment
    as I don't think we're getting further in this discussion if the goal posts keep moving.

    You should contact ftp masters. Their opinion is authoritative in Debian.
    Not that of Fedora, Red Hat and not that of Apple.

    But maybe Apple is willing to relicense it to Apache 2.0, then it would be worth a try. (AFAIK they did so with some projects having this license)

    Thanks,
    Adrian

    [1] https://src.fedoraproject.org/rpms/hfsplus-tools/

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From John Paul Adrian Glaubitz@21:1/5 to Tobias Frost on Mon Apr 20 13:20:01 2020
    On 4/20/20 12:32 PM, Tobias Frost wrote:
    Any commercial product using GPL-2 must share the source code publicly, the same applies to the APSL-1.2. There is no difference.

    No. The GPL requires you only to give the sources to the recipient of the work,
    not to everyone which is the definition of "publicly" [1].

    I don't see any difference from a distribution point of view. Apple's APSL
    is even less restrictive than the GPL-2 here as it does not require you
    to share your modifications among your friends or for R&D. The GPL-2
    requires that, the APSL not.

    Furthermore, the question that is relevant for the dissident test - that
    was used as argument for calling the license non-free - is whether sharing
    your modifications with your friends would require you to make these modifications public. And that is clearly not the case.

    And, devdisk_cmds (which is what hfsprogs is derived from) is part of the Fedora main distribution [1]. So RedHat's lawyers seem to agree that the license can be considered free. It's not distributed in openSUSE for the moment, but as a SUSE employee, I should be able to ask our lawyers.

    In any case, I will be contacting Apple now and I will ask for their assessment as I don't think we're getting further in this discussion if the goal posts keep moving.

    Thanks,
    Adrian

    [1] https://src.fedoraproject.org/rpms/hfsplus-tools/

    --
    .''`. John Paul Adrian Glaubitz
    : :' : Debian Developer - glaubitz@debian.org
    `. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
    `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

  • From Francesco Poli@21:1/5 to All on Mon Apr 20 22:50:02 2020
    On Mon, 20 Apr 2020 13:39:19 +0200 Tobias Frost wrote:

    On Mon, Apr 20, 2020 at 01:14:15PM +0200, John Paul Adrian Glaubitz wrote:
    [...]
    I don't see any difference from a distribution point of view. Apple's APSL is even less restrictive than the GPL-2 here as it does not require you
    to share your modifications among your friends or for R&D. The GPL-2 requires that, the APSL not.

    That is not the point. Excess distribution is the problem. I have to offer the
    code to people I have not interacted with.
    (And the license does not say anything about friends, just about RD departments)

    Exactly.

    Dear John, as has already been told you by Tobias and Mihai, the key
    difference between the GNU GPL v2 and the APSL v1.2 (here) is that
    the GPL only requires to make source code available to recipients of
    object code, while the APSL requires to make source code *publicly*
    available, if you just send modified object code of one friend (which
    is a third party) or even if you just use modified object code
    internally within your business or organization (for anything that is
    not R&D or personal use).

    Moreover, the APSL always requires you to continue making source code *publicly* available for at least 12 months, while the written offer is
    only *one* of the options to comply with the GPL: the other option is
    offering source code along with object code and never having to worry
    again about the thing.


    Furthermore, the question that is relevant for the dissident test - that was used as argument for calling the license non-free - is whether sharing your modifications with your friends would require you to make these modifications public. And that is clearly not the case.

    As said, IMHO, distributing to the friend of a dissident is considered as Deployment.

    I agree with Tobias here.
    Quoting the [APSL v1.2]:

    [...]
    | 1.4 "Deploy" means
    [...]
    | as well as
    [...]
    | distribution of Covered Code by You to any third party in any form
    | or manner.
    [...]

    [APSL v1.2]: <https://opensource.apple.com/source/hfs/hfs-522.0.9/APPLE_LICENSE>

    [...]
    But maybe Apple is willing to relicense it to Apache 2.0, then it would be worth a try. (AFAIK they did so with some projects having this license)

    This would be a good outcome.
    I really hope Apple may be persuaded to re-license hfsprogs under the
    terms of the [Apache License v2.0].

    [Apache License v2.0]: <https://www.apache.org/licenses/LICENSE-2.0.txt>


    --
    http://www.inventati.org/frx/
    There's not a second to spare! To the laboratory! ..................................................... Francesco Poli .
    GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
