Licensing change: MPL

[gdude2002]

The MIT licence used for KordEx is very permissive - it essentially allows anyone to do anything with projects licensed under it, as long as the same licence notice is included with all derivatives.

This is fine for some projects, but given how the software landscape has been changing over time, I would be more comfortable with something a bit less permissive. Having looked over things, I think the MPL might be a good match.

The main thing I'm concerned about when it comes to KordEx's licensing is that, under the MIT, anyone can take KordEx, create a new version of it, and keep their changes to themselves. To me, this goes against the spirit of the open-source community - but on the other hand, I'm not willing to use a viral (or Stallman-based) licence like the GPL. Additionally, most open-source licences allow for private use without disclosure, and don't consider network use to be a form of distribution.

While the MPL is no different, I feel it strikes a good balance - requiring modifications to files that are part of KordEx to remain open source when modified, while still allowing bots and other modifications to be distributed (or not) under whatever licence the author feels meets their purposes.

---

Obviously, as an open-source project, everyone who has contributed to KordEx would need to give their permission for a licence change going forward. For that reason, I'd like to request that permission from the following list of people:

• [x] @Akarys42
• [x] @ByteAlex
• [x] @darkerbit
• [x] @decorator-factory
• [x] @Distractic
• [x] @DRSchlaubi
• [x] @Forbidden-A
• [x] @Galarzaa90
• [x] @gdude2002
• [x] @ks129
• [x] @leocth
• [x] @qbosst
• [x] @Scotsguy
• [x] @SpaceClouds42
• [x] @sschr15
• [x] @Tom-The-Geek

The above list includes known translators, at least as far as I was able to dig up. Obviously, anonymous contributions can't be provably tied to any particular person, so it's not going to be possible to get permission from those that didn't create an account to contribute translations - but since they're anonymous, I doubt that's going to be an issue here.

To give your permission, please respond to this issue with an explicit declaration that you're OK with this licensing change. If you're not, let's chat - I'd be happy to consider alternative licences as well!

Approvals must be placed below this comment, unless a previous comment explicitly provides approval for the change to the MPL.

Old version of this issue

The following text is provided for historical purposes, from an earlier version of this discussion.

Old version of this issue

### We're currently discussing other licences, as the EUPL turned out to likely require bots to be licenced under it. The current candidate is the EPL (Eclipse Public Licence) 2.0. --- The MIT licence used for KordEx is [very permissive](https://choosealicense.com/licenses/mit/) - it essentially allows anyone to do anything with projects licensed under it, as long as the same licence notice is included with all derivatives. This is fine for some projects, but given how the software landscape has been changing over time, I would be more comfortable with something a bit less permissive. ~~Having looked over things, I think [the EUPL](https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12) might be a good match.~~ The main thing I'm concerned about when it comes to KordEx's licensing is that, under the MIT, anyone can take KordEx, create a new version of it, and keep their changes to themselves. To me, this goes against the spirit of the open-source community - but on the other hand, I'm not willing to use a viral (or Stallman-based) licence like the GPL. ~~The EUPL seems to strike the right balance to me, as it requires disclosure of source changes in all situations where it makes sense to modify KordEx:~~ * ~~When distributing compiled versions~~ * ~~When distributing source code~~ * ~~When using it to provide a SaaS solution (a Discord bot in our case)~~ ~~The EUPL does not require projects that link with KordEx to be licensed under the EUPL. From my reading of it (and I'm not a lawyer), it seems that exceptions are made for interfaces and data models, or generally anything needed for an implementation to happen. By including a copy of the licence in the final KordEx JARs, this should cover pretty much any case that could come up - allowing bots that use KordEx to use whatever licence they wish.~~ --- Obviously, as an open-source project, everyone who has contributed to KordEx would need to give their permission for a licence change going forward. For that reason, I'd like to request that permission from the following list of people: - **DENIED:** @ByteAlex - **DENIED:** @Scotsguy - [x] @Akarys42 - [x] @darkerbit - [x] @decorator-factory - [x] @Distractic - [x] @DRSchlaubi - [x] @Forbidden-A - [x] @Galarzaa90 - [x] @ks129 - [x] @leocth - [x] @qbosst - [x] @SpaceClouds42 - [x] @sschr15 - [x] @Tom-The-Geek The above list includes known translators, at least as far as I was able to dig up. Obviously, anonymous contributions can't be provably tied to any particular person, so it's not going to be possible to get permission from those that didn't create an account to contribute translations - but since they're anonymous, I doubt that's going to be an issue here. To give your permission, please respond to this issue with an explicit declaration that you're OK with this licensing change. If you're not, let's chat - I'd be happy to consider alternative licences as well!

[decorator-factory]

I'm OK with the licensing change

[pluiedev]

:rocket:

[pluiedev]

If it isn't clear, I approve of this change haha

[Distractic]

ok for me !

[sschr15]

wait shouldn't i also be required to allow since i basically partially redid mapping extension

oh well, I approve anyway

[gdude2002]

For some reason, you weren't in the contrib graph? Odd stuff

[gdude2002]

Yeah, looks like I'm also missing out on @Galarzaa90 according to the PR list, I'll add them

[Tom-The-Geek]

I am happy with the license change 👍

[Galarzaa90]

I'm good with the license change 👍🏼

[sschr15]

For some reason, you weren't in the contrib graph? Odd stuff

I'm guessing it's because it's not in the main branch right now?

[gdude2002]

Ah right, that's probably it, yeah

[spaceclouds42]

Sounds good 👍

[DRSchlaubi]

lgtm

[Forbidden-A]

I'm fine with whatever you decide gdude

[Akarys42]

I'm okay with the license change

[ks129]

👍from me!

[bosukas]

👍 all good

[darkerbit]

LGTM 👍

[Scotsguy]

I don't think the EUPL allows what you think it does. A derivative must be EUPL-licensed except when a) it is combined into a work licensed under a compatible license as listed in the Abbendum or b) the derivative work is, as defined by EU directive 2009/24/EC, using the EUPL-licensed work in a way that is "indispensable to obtain the information necessary to achieve the interoperability of an independently created program with other programs" (emphasis mine) The latter case applies for literally every license and is intended for the case where you want to replace a component in a system that communicates via proprietary protocols. Including the license text in bots is not sufficient, they must be open source and compatible.

See also: https://op.europa.eu/en/publication-detail/-/publication/c15c9e93-27e1-11ec-bd8e-01aa75ed71a1 https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:111:0016:0022:EN:PDF

European Union Public Licence (EUPL) : guidelines July 2021.

The EUPL is an open source software licence created by the European Commission. It is available in 23 languages and it can be used by all public and private software licensors. The EUPL enables public administrations, businesses and individuals to embrace the free/open source model to maximise their software development potential. The latest version of the licence – the EUPL v.1.2 – was published in 2017. It provides for wider compatibility with other open source licences compared to the previous version – EUPL v.1.1.

[ByteAlex]

I've tried to read up stuff on EUPL, and I wonder why you chose such a niche license. This will either lead to people who don't even care about licensing OR people who drop it because they don't understand the license.

I'm not a lawyer. I only check for TL;DRs

Reading this I understand as if everything which is using "kordex" need's to disclose source -> Reason for me to drop work on this library entirely. I do many customer projects and I'm not allowed to share or distribute code, so a EUPL licensed library cannot be considered.

Please consider using a commonly known license.

[gdude2002]

I'm on phone and don't have a ton of time right now, but I think I can respond to some of these concerns.

It's too niche

The EUPL is OSI-approved. As far as I'm concerned, if the OSI is happy to certify a license, I don't think it's all that niche. I also don't think the EU is a particularly niche org.

I'll have to disclose bot source

At the top of the license, the following definition is provided:

‘Derivative Works’: the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15.

Additionally, the introduction page for the EUPL states the following:

Interoperable means that the EUPL is applied according to the European Law (Directive 91/250/EEC, re-codified 2009/24/EC), making clear that the covered interfaces, APIs and data structures may be freely copied and reused for implementing static or dynamic linking with any other independent component, without impacting the licence of this component;

These statements together read to me as an extension of European copyright law, which any code I write already comes under - and the specific interoperable mention above reads to me like linking is okay and wouldn't impact your ability to license (or not) your bots.

My only real concern with this relates to the compiled KordEx JARs. The question for me here is whether shading KordEx into your bot's JAR (as you'll have no other choice but to do in most cases) causes the entire bot to become a Derivative Work. If this is the case, then we'll need to keep looking - but discussions like this are one of the reasons to open an issue!

[gdude2002]

See also: op.europa.eu/en/publication-detail/-/publication/c15c9e93-27e1-11ec-bd8e-01aa75ed71a1

eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:111:0016:0022:EN:PDF

On this page, we have:

The unauthorised reproduction, translation, adaptation or transformation of the form of the code in which a copy
of a computer program has been made available constitutes an infringement of the exclusive rights of the author. Nevertheless, circumstances may exist when
such a reproduction of the code and translation of its form are indispensable to obtain the necessary infor­ mation to achieve the interoperability of an indepen­ dently created program with other programs. It has therefore to be considered that, in these limited circum­ stances only, performance of the acts of reproduction and translation by or on behalf of a person having a right to use a copy of the program is legitimate and compatible with fair practice and must therefore be deemed not to require the authorisation of the right­ holder.

This paragraph (that was partially quoted) seems to only apply to reproduction, modification and distribution in an unauthorized manner. It doesn't cover licensed uses, which we seem to be OK with given the earlier screenshot?

[Scotsguy]

The EUPL refers to the laws of EU countries and is therefore interoperable. This means that all the interfaces of the covered software (the APIs, formats, data structures) can be freely copied and reproduced in other independent works in order to build interoperability, e.g. combining software distributed under the EUPL with any other software
licensed differently, even under a proprietary licence. In such a combination or statically linked aggregation, every linked component will keep its primary licence, without any ‘viral effect’

(quoted from guidelines) "interfaces of the covered software" meaning not the covered software in its entirety "can be freely copied and reproduced in other independent works" independent works is the opposite of derived "without any ‘viral effect’" because a coypright license can't apply to you if the thing you're doing does not require you to adhere to copyright law in the first place

Regardless of the specifics, the EUPL is a copyleft license, and not a library-friendly one. How about the Mozilla Public License?

[gdude2002]

I had looked at the MPL, but it has a loophole whereby it only applies to individual files rather than the project - meaning you could stub out files or otherwise call out to your custom code without having to disclose it, even if it was an objective improvement to the project

[gdude2002]

I forgot to respond to the other point, I'm leaning on the "or statically linked aggregation" part of that quote here, but it doesn't seem they define what they mean by that,

Reading the licence itself, it only seems to state that derivative works need to include the licence notices from the original work, and a copy of the EUPL (which we can easily do by adding it into the JAR). It only seems to talk about disclosing the source for modified copies of the original work, from my reading.

It's not super long - anyone else want to take a look?

It does seem that this all hinges on what a derivative is. I can't think of another licence that meets what I've been talking about, though. Where do we go from here?

[Scotsguy]

5. Obligations of the Licensee [...]

Attribution right: [...] The Licensee must cause any Derivative Work to carry prominent notices stating that the Work has been modified and the date of modification.

Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this Distribution or Communication will be done under the terms of this Licence [...]. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the Work or Derivative Work that alter or restrict the terms of the Licence.

As for what a derivative work is:

In this Licence, the following terms have the following meaning: [...]

• ‘Derivative Works’: the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15.

basically, ask a lawyer. even better, ask a court to rule on this. good luck.

i don't know any other licenses that have a network use clause, but are intended to be used for libraries. could you imagine finding something with that license deep in your dependency tree? that'd be hell

[gdude2002]

You mean their SaaS-as-usage clause? I really don't need that, tbh

[ByteAlex]

So TL;DR of EUPL is linked bins license is not spreading on the whole project, i.e. linked kordex wouldn't force me to align with EUPL?

[gdude2002]

That's what I thought, but if @Scotsguy disagrees then I don't think we can rely on that interpretation - so we'll need to keep looking.

Any ideas?

[gdude2002]

How about the Eclipse Public License?

From the FAQ:

4.22. If I write a module to add to a Program licensed under the EPL and distribute the object code of the module along with the rest of the Program, must I make the source code to my module available in accordance with the terms of the EPL?

No, as long as the module is not a Modified Work of the Program.

Otherwise, it seems to do what I talked about in the initial issue comment.

[ByteAlex]

There's like no TL;DR on EPLv2, aside from that I'm not a lawyer, I'm giving you my OK for any license change that will not make me to have my bot(s) using a linked binary from kordex open source. I'm okay with having all derivations to KordEx itself open sourced and I don't plan to sell KordEx as my own product, so those topics, can be touched by a license change without further approval from me.

BTW: You eventually want to check out Apache2.0 or MPL, those may fit your use case.

[ByteAlex]

There's like no TL;DR on EPLv2, aside from that I'm not a lawyer, I'm giving you my OK for any license change that will not make me to have my bot(s) using a linked binary from kordex open source. I'm okay with having all derivations to KordEx itself open sourced and I don't plan to sell KordEx as my own product, so those topics, can be touched by a license change without further approval from me.

BTW: You eventually want to check out Apache2.0 or MPL, those may fit your use case.

• I need to be able to distribute my bot(s) in a commercial matter, so that may not change too. Other than these points, you should be good.

[gdude2002]

Having looked (again) over numerous licences, I've decided that really we should... just go MPL. It doesn't cover every situation I have concerns about, but it's the closest we're going to get.

An FAQ is available here.

To ratify this change, I'll need to once again ask for permission from each of our contributors. I apologize for the extra notifications, here - I've had a hard time figuring out where to go on this issue, The below list includes people who haven't already agreed to this change above:

• @Akarys42
• @darkerbit
• @decorator-factory
• @Distractic
• @DRSchlaubi
• @Galarzaa90
• @ks129
• @leocth
• @qbosst
• @Scotsguy
• @SpaceClouds42
• @sschr15
• @Tom-The-Geek

I've also updated the original issue with a new list.

[sschr15]

I’ll accept this, seems good enough given what I’ve read

[spaceclouds42]

Sounds good to me!

[Scotsguy]

I am okay with relicensing under the Mozilla Public License.

[qt-haskell]

I've tried to read up stuff on EUPL, and I wonder why you chose such a niche license. This will either lead to people who don't even care about licensing OR people who drop it because they don't understand the license.

I'm not a lawyer. I only check for TL;DRs

Reading this I understand as if everything which is using "kordex" need's to disclose source -> Reason for me to drop work on this library entirely. I do many customer projects and I'm not allowed to share or distribute code, so a EUPL licensed library cannot be considered.

Please consider using a commonly known license.

I agree

[decorator-factory]

LGTM

[bosukas]

👍

[darkerbit]

Looks fine to me 👍

[Distractic]

👍

[pluiedev]

👍

On Dec 9, 2021, at 00:05, Gareth Coles @.***> wrote:

Having looked (again) over numerous licences, I've decided that really we should... just go MPL. It doesn't cover every situation I have concerns about, but it's the closest we're going to get.

An FAQ is available here https://www.mozilla.org/en-US/MPL/2.0/FAQ/.

To ratify this change, I'll need to once again ask for permission from each of our contributors. I apologize for the extra notifications, here - I've had a hard time figuring out where to go on this issue, The below list includes people who haven't already agreed to this change above:

@Akarys42 https://github.com/Akarys42 @darkerbit https://github.com/darkerbit @decorator-factory https://github.com/decorator-factory @Distractic https://github.com/Distractic @DRSchlaubi https://github.com/DRSchlaubi @Galarzaa90 https://github.com/Galarzaa90 @ks129 https://github.com/ks129 @leocth https://github.com/leocth @qbosst https://github.com/qbosst @Scotsguy https://github.com/Scotsguy @SpaceClouds42 https://github.com/SpaceClouds42 @sschr15 https://github.com/sschr15 @Tom-The-Geek https://github.com/Tom-The-Geek I've also updated the original issue with a new list.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Kord-Extensions/kord-extensions/issues/115#issuecomment-988948191, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFK6N7VRZVUG7GVFWL3GSCTUP563BANCNFSM5JEZSWJA. Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[ks129]

👍

[Akarys42]

Consider this as an approval for any license you might choose @gdude2002

[DRSchlaubi]

:+1:

[Tom-The-Geek]

MPL also sounds good :thumbsup:

[Galarzaa90]

Sounds good 👍🏼

[gdude2002]

Alright folks, it seems we've reached consensus. Thanks for everyone's input - I'll get this done ASAP!

[gdude2002]

Apparently I forgot to close this - whoops!