Closed MuntashirAkon closed 2 years ago
@velitasali @Daksh777 Would you like to comment? Sorry for random tag.
Subject: Relicensing App Manager under AGPL3.0+ with OpenSSL exception
Message:
Dear contributors,
We are committed to make App Manager (<https://github.com/MuntashirAkon/AppManager>) a long lasting project that may last as long as Android (or any similar) operating system exists. In order to do that, we find it necessary to release it under a license that would enforce any derived project to contribute back to the original project i.e. App Manager. However, we find that our current license i.e. GNU General Public License version 3.0 or later (GPL3.0+) does not enforce this. As a result, we decided to relicense it to GNU Affero General Public License version 3.0 or later (AGPL3.0+).
In order to relicense the project, it is required by law to seek permission from all of the contributors. Therefore, we are informing the contributors of the change so that they can provide their consent. Here's what you can do:
1. Agree with the change by replying this email. To do that, your reply should include the following line: “I hereby grant Muntashir Al-Islam, the current owner of the project, App Manager, the right to change the project license to GNU Affero General Public License version 3.0 or later.” It is also recommended to change the license of your works, to do that, include the following clause: “I also request him (Muntashir Al-Islam) to change the license of my works to GNU Affero General Public License version 3.0 or later.”, or
2. Disagree with the change. In this case, you are not required to write a reply. But be aware that, if you disagree with the change, all your previous contributions will be deleted without any additional notice as required by the law.
Consequently, this email and any replies to the email will be kept indefinitely and/or will be made public. By replying to this email, you agree that your replies can be made public or share them to an attorney or a law enforcement agency when required, and that we may amend the messages to fix any grammatical or spelling mistakes.
Regards,
Muntashir Al-Islam
Owner, App Manager
Post Script:
1. Why AGPL3.0+ license? Under GPL3.0+, it's not necessary for a derived project to contribute back to the main project which is bad for us since this flexibility allows developers to fork a GPL3.0+ licensed project and make their contributions closed. AGPL3+ prevents that i.e. if you modify an AGPL3.0+ code and put it in Play Store without publishing the source code and/or contribute the changes back to the original project, we can take legal actions against you for violating the license terms.
2. Why OpenSSL exception? Future version of App Manager will use BoringSSL. BoringSSL has the OpenSSL license (along with MIT and ISC) which is incompatible with AGPL3.0+ license. In order to use BoringSSL, we must add an exception clause regarding OpenSSL.
Notice: We couldn't send an email to Jiří Kašpar info@wpsupportplus.eu whose contributions will be removed.
@gnuhead-chieb, @d4rkk3y and @Gitoffthelawn used users.noreply.github.com emails where the emails will never reach. So, they have to give their consent here and optionally, ask for amending their commits to include a new email address. (After the new license, all new commits will require signing off as we don't want any explicit certificate of origin.)
I agree relicensing to agpl.
I agree relicensing to agpl.
This is a legal agreement, simply saying that “I agree” won't do it. Read the instructions and follow accordingly.
I've sent an email to your Tutanota email address (your Weblate contributions are under that address), but it might not reach you due to an error on my end. Can you check, including the spam folder?
I didn't received emails from you.Anyway,I'll provide concent here.
@MuntashirAkon I hereby grant Muntashir Al-Islam, the current owner of the project, App Manager, the right to change the project license to GNU Affero General Public License version 3.0 or later.
Hi @MuntashirAkon,
This all sounds good, but before I issue consent (which I am currently planning on doing), can you explain a bit more what you mean by "The greatest loophole of GPL3+ is that the developers who modifies our code are not required to contribute to the original software"?
The biggest concern that I think you have is that someone will improve the code and make it closed-source. I think that's a fair and reasonable concern, and I support your effort to close that loophole. If the license is changed, besides authors of derivative projects making the source code open, will they have other obligations to "contribute to the original software"?
Also, the statement you are requesting includes that you are "the current owner" of the software. How does "ownership" work for projects with more than one contributor?
My regards, GOTL
can you explain a bit more what you mean by "The greatest loophole of GPL3+ is that the developers who modifies our code are not required to contribute to the original software"?
You explained it yourself:
The biggest concern that I think you have is that someone will improve the code and make it closed-source.
However, (A)GPL doesn't prevent one from making a project closed source when they don't distribute it. The primary difference between GPL and AGPL is that if you distribute the modified version of the software over network, AGPL forces you to publish the modifications. Personal/internal usage is never a problem though.
If the license is changed, besides authors of derivative projects making the source code open, will they have other obligations to "contribute to the original software"?
Contribution is not required, but as they have to provide their modifications, we can safely merge the changes if they seem important.
Also, the statement you are requesting includes that you are "the current owner" of the software. How does "ownership" work for projects with more than one contributor?
Not owner of the software but the owner of the project. I mean when you install a copy of App Manager, you become the owner of that copy (as opposed to license which doesn't make you the owner of the app). This is granted when the user clicks on “I agree” button of the disclaimer dialog. The project itself is owned by me simply because I created it, and the contributors own their contributions and respective licenses (which is currently GPL-3.0+) unless the contributor want to change is to something else. However, since we don't have a CLA, contributors were asked to sign-off their commits which acts as a developer certificate of origin (DCO). This isn't enforced as of today because I didn't think that it would reach so much audience. But this will be enforced after relicensing the project.
Thanks for the mention @mubashir-rehman
if you distribute the modified version of the software over network, AGPL forces you to publish the modifications. Personal/internal usage is never a problem though.
What exactly do you mean by "software over network"? Is it some sort of platform to distribute your modification?
Regarding what "over network" means in the license: https://www.gnu.org/licenses/gpl-faq.html#AGPLv3InteractingRemotely
Common examples of programs that would fall into this category include web and mail servers, interactive web-based applications, and servers for games that are played online.
Do you expect that somebody converts the App Manager application into a web server application and runs it as "Software as a Service" product? Distribution through e.g. Google Play is already covered by the term "to 'convey'" in the GPL:
To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
When you convey a modified version in object code (all terms as defined by the GPL in section 0), section 6 applies, requiring that the author of the new project must "also convey the machine-readable Corresponding Source under the terms of this License".
So if I understood this correctly, using GPL or AGPL won't make much of a difference. No one is going to convert the app to a web application so there is actually no need for AGPL. In either of those, you have to release the source code if you are distributing a modified copy online. Correct me if I'm wrong.
I agree @Daksh777; additionally, according to https://opensource.stackexchange.com/a/1726, everybody already has permission to relicense (a derivative work of) App Manager under AGPL per section 13 of the GPL:
Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
(But not to add an OpenSSL exception, which the consent that @MuntashirAkon asks contributors to give doesn't actually mention.)
@Daksh777 it looks like it can be implied that (like the announcement states) the source code should be available on "demand" according to point 6 of GPLv3. Hence, can be kept closed source unless someone asks for the source which the developer can charge for, too. AGPLv3 seems similar with one clause of sharing over network and I don't understand the difference.
Do you expect that somebody converts the App Manager application into a web server application and runs it as "Software as a Service" product?
App Manager can be used as a SaaS product since it offers remote interaction (in which case you only have to disclose the source of the version of App Manager that the users use). The feature is disabled because users are only expected to run it locally. But it's possible to modify the source to enable it.
When you convey a modified version in object code (all terms as defined by the GPL in section 0), section 6 applies, requiring that the author of the new project must "also convey the machine-readable Corresponding Source under the terms of this License".
Yes. However, in (A)GPL, you are not required to supply the source code or links to the source code with the software, and you were only obliged to do so if the user requested them. Now, you can always write an EULA that states that asking for a source code terminates the agreement.
Everybody already has permission to relicense (a derivative work of) App Manager under AGPL per section 13 of the GPL.
This is only applicable for a derived work.
But not to add an OpenSSL exception, which the consent that @MuntashirAkon asks contributors to give doesn't actually mention.
This is a good point.
Actually, I'm glad that this discussion is taking place. We actually have a lot of licensing issues right now, one of which is disputed, i.e. GPL-2.0-only with classpath exception. GPL-2.0-only licenses are incompatible with (A)GPL-3.0 or later. But I wonder what this exception stands for. This sort of licenses could be used with Apache 2.0 but I don't know if that's the case with GPL-3.0. I think we have to adopt a Linux-like COPYING where it would be specifically stated that depending on the library and code usage, newer exceptions might be added to the license, but in any case, it shall be ensured that the exceptions are applicable to the corresponding library or file only and not the full source.
I am also thinking of separating translations from the original app (or move it to an orphan branch) since Weblate's libre plan doesn't offer any option control the contributors, and a few of the translators are actually trying to use it to their advantage by providing wrong/out-of-context translations.
App Manager can be used as a SaaS product since it offers remote interaction
Which parts of the app does this apply to? Since the whole app is so close to the Android system, this is hard to imagine for me.
This is only applicable for a derived work.
I think you may "combine any covered work [the previous version of the app] with a work licensed under version 3 of the GNU Affero General Public License [any latest contributions by you] into a single combined work [the next version of the app]".
Which parts of the app does this apply to? Since the whole app is so close to the Android system, this is hard to imagine for me.
I'll try to add a demonstration in the next version.
I think you may "combine any covered work [the previous version of the app] with a work licensed under version 3 of the GNU Affero General Public License [any latest contributions by you] into a single combined work [the next version of the app]".
Who's you here? Me or all contributors?
I talked with a GNU-Richard Stallman fan and they told me that the technology being used here is actually Service as a Software Substitute (never heard that term before) rather than Service as a Software which, unfortunately, isn't covered by the AGPL licenses. The way the article puts it, the entire cloud infrastructure at present seems to be SaaSS unless you host them yourself.
Who's you here? Me or all contributors?
Here, I specifically meant you. Others have already granted you the permission to cover their changes under AGPL through the GPL that they put their code under. You have already created a "'modified version' of an earlier work" because you "adapt[ed] all […] of the work in a fashion requiring copyright permission, other than the making of an exact copy" by adding new work on top of the existing work by contributors, which in turn is "based on" your work.
actually Service as a Software Substitute (never heard that term before) rather than Service as a Software [sic; you probably meant Software as a Service]
I think the former is just a dysphemistic term for certain instances of the latter.
which, unfortunately, isn't covered by the AGPL licenses
I don't think this is true (it would be for pure GPL though), since as a user, you are interacting with the software through a network. The problem here is that you don't have access to the binaries for tasks that you should be able to complete offline, like editing images in an online photo editor.
I don't think this is true (it would be for pure GPL though), since as a user, you are interacting with the software through a network. The problem here is that you don't have access to the binaries for tasks that you should be able to complete offline, like editing images in an online photo editor.
According to https://www.gnu.org/licenses/why-affero-gpl.en.html:
The GNU Affero GPL does not address the problem of Service as a Software Substitute (SaaSS).
Yes, because (according to them; same article, next paragraph):
SaaSS means that users use someone else's web server to do their own computing. This requires them to send their data to the server, which does their computing for them and sends the results back to them. SaaSS is an injustice because the users cannot control their computing when it's done that way.
If some program on this server is released under the GNU Affero GPL, the server is required to offer the users the corresponding source of that program. That is good, but having this source code does not give them control over the computing done on that server. It also does not tell them what other software may be running on that server, examining or changing their data in other ways.
So, according to the article, the problems are:
→ it's not possible to solve these problems through a license
Still, the software if of course covered, no matter how you call it.
Still, the software if of course covered, no matter how you call it.
Yeah, but even Invidious, Nitter, Peertube instances should fall under this definition if they're not self-hosted and/or audited. There could be some transparency requirement clause if you know what I mean.
@MuntashirAkon wrote: *...a few of the translators are actually trying to use it to their advantage by providing wrong/out-of-context translations."
That's not good. How are they trying to use it to their advantage? Can you illustrate with a couple examples?
I am @yzqzss , i received that email but cann`t reply it .(riseup.net: No Mx Record Found ).
I hereby grant Muntashir Al-Islam, the current owner of the project, App Manager, the right to change the project license to GNU Affero General Public License version 3.0 or later.I also request him (Muntashir Al-Islam) to change the license of my works to GNU Affero General Public License version 3.0 or later.
--
My Email: 2361769788@qq.com yzqzss@foxmail.com yzqzss@yandex.com My Github: @yzqzss
riseup.net: No Mx Record Found
Riseup is probably being blocked in your area.
Can you illustrate with a couple examples?
This happened in Russian translation and previously in Chinese (but I won't name anybody as I don't want to hurt anybody). There could be more but I wouldn't know unless I receive such reports (we only received these reports probably because we have a large number of Chinese and Russian users).
Weblate should really allow open source projects to customise its users like Transifex or Crowdin.
Wow! DCO is marked as spam on Weblate!
Can you illustrate with a couple examples?
This happened in Russian translation and previously in Chinese (but I won't name anybody as I don't want to hurt anybody). There could be more but I wouldn't know unless I receive such reports (we only received these reports probably because we have a large number of Chinese and Russian users).
Thanks. My question was ambiguous. I'm sorry and I'll be more specific. I meant how were translations used for the advantage of others? Did they add inappropriate links (spam, essentially), references to unrelated personal agendas, something else?
Weblate should really allow open source projects to customise its users like Transifex or Crowdin.
I agree. Also, I've long held that every translation service should, for every translation into another language, also show a machine translation of those translations into a language known by whomever is requesting the translation.
For example, if you wrote words in English, and someone translates your words into Latin, it should perform a machine translation of the Latin back into English to help ensure no "funny business" is going on.
I meant how were translations used for the advantage of others? Did they add inappropriate links (spam, essentially), references to unrelated personal agendas, something else?
As you can see in the above screenshot, Weblate has spam protections. What I meant is that collaborating in an open source project itself is an advantage, and Weblate seems to be a nice tool to do so since it arbitrarily allows anyone to interact directly with an open source project. Remember the Hacktoberfest incidents of last year? Most OSS are maintained by 1-3 people who contribute in their free time, and these sort of contributions just discourage them from collaborating to OSS ever again. Fortunately, in our case, we have some patient and dedicated translators who keep reverting their mess, but they'll eventually get tired and give up. Weblate, at least, should've allowed an option to restrict some users. Currently we have no choice but to make such strings read-only. This situation will only get worse as more and more projects are using Weblate for translating their projects.
@comradekingu: I gather that you are quite involved with Weblate, do you know any better way to handle the situation other than making such strings read-only? I've also decided to not keep Weblate as a collaborator to the project and do the pulls and pushes manually using git
and wlc
.
GPLv3+ does indemnify shipping bad strings inadvertently, but that is no excuse to do so. The premise for doing malice is the same whether you have roles, documents, or licenses. If it is possible, it isn't as if someone is going to start caring whether it is illegal as more important to them than actually being malicious. The willingness to be anti-social isn't secondary to the willingness to abide by what are effectively just rules saying not to.
@Gitoffthelawn Policing translations with managers and user roles is possibly the worst idea, other than the voting system defaults of Crowdin, and the UI of TX and Crowdin. It doesn't work, because it puts the workload on one manager, and it is in turn impossible for one or more people to know all languages or resolve conflicts in languages they don't know. Picking the manager(s) is thus the same as picking translation coordinators, for anyone. I have held all those roles, and I do pick my select translators for each respective language, given the time I spend fixing semantic errors. TL;DR Holding up translations with roles just means it is a first-takers problem, and you are likely to get stuff held up because some user requested the role first. Infuriating to deal with.
@MuntashirAkon Weblate does allow restricting users, https://docs.weblate.org/en/latest/admin/access.html I have yet to see it being a good idea though. With more contributors you are more likely to catch malice, given accrued vested interest is at stake, in losing your entire account. I think per user reviews would help, but that is another matter.
Hosted Weblate allows setting up reviewers specifically. https://hosted.weblate.org/access/app-manager/
As for the legality of uploading contributions, it is not specifically mentioned in https://hosted.weblate.org/legal/
https://weblate.org/en/terms/ says
3.5 The User agrees to refrain from use of the Service in bad faith and/or deliberately causing any damage to the Service.
However, it does state contributions are to be made under the respective license chosen,
IMO, the Developer's Certificate of Origin 1.1 for Linux (being GPLv2 only), is not needed for GPLv3+
It states
`By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or`
>(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
Whereas the GPLv3+ states: (actual spaghetti unravelled at the bottom)
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged.
Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License.
A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".
Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all.
@MuntashirAkon Weblate does allow restricting users,
Yes, I know that but it's not available under Libre plan.
I think per user reviews would help, but that is another matter.
How would you appoint a reviewer? And what capabilities do they have in particular? Anybody seems to translate directly anyway without enabling suggestion voting which is impossible for a project like this. Also, there is no per app language reviewer. The amount of sacrifice that we have to make to stick to Weblate seems to be very high. For instance, until new version came out, I had to create and run a string fixer script. Anyway, I appreciate that fact that at least they are trying.
3.5 The User agrees to refrain from use of the Service in bad faith and/or deliberately causing any damage to the Service.
The choice of words seem not very transparent and well defined (thus opening a wider range of possibilities of being getting kicked). Even our discussion here could end up being a “bad faith”.
I didn't understand what's wrong with the point (b). If you modify a GPL'd work, it has to be GPL'd under the terms of the license. But if you modify an Apache-2.0 licensed work that you copied from another project, you can use either GPL or Apache-2.0, because the work is not yet under GPL. When you finally commit that work to a GPL'd project i.e. you've authorised the work to be used under GPL, any further modification would have to be under GPL. How does that break (b)? Or, do we need to replace under the same open source license (unless I am permitted to submit under a different license) with under the same open source license or GPL-3.0-or-later? Any contribution you make on Weblate automatically falls under GPL because the project is already under GPL which enforces that the modifications also have to be under GPL.
My problem with b is the same as with a and c, that it is mentioned at all. I find this client license agreement unwarranted, and I never sign any. Having one prevents good contributions, and I don't think does anything meaningful in preventing bad ones. Suggestion voting doesn't actually work. If to say it should hold up translations, consistency suffers, and contributions go down because of having to deal with it all.
Per user reviews don't exist. If they did you wouldn't have to handpick reviewers. Each translator could just keep a shorthand of reviewers they trust, and I would only use it to prioritize the order in which each and every string is reviewed by me. I don't trust anyone to do good work, and there is no reason I should.
That would however help each good translator scale. Right now the only real way is to stay on top of all changes for a language as they happen. You can search by reviewers other than yourself, but that is no replacement. Picking reviewers is the same premise as roles or picking out good translations from bad ones. Each translation onto itself as valued by each user is what matters, that is the only way to ultimately ensure quality.
My problem with b is the same as with a and c, that it is mentioned at all.
I think any contributor would agree on these terms because they are being enforced implicitly on any open source project. Having them as a document saves the maintainers from the liability which is not covered by GPL. Anyway, this is for testing purposes and has since been removed. However, I have to modify the CLA to include a fact that each contributor have to accept an OpenSSL exception clause (specifically BoringSSL library) so that when this is added, I don't have to explicitly ask for permissions for this from all contributors. BoringSSL is a requirement for our project as GNU TLS and OpenSSL do not provide SPAKE2.
The OpenSSL exception clause is as follows:
Additional permission under GNU GPL version 3 section 7
If you modify this Program, or any covered work, by linking or
combining it with the OpenSSL project's "OpenSSL" library (or a
modified version of that library), containing parts covered by
the terms of OpenSSL/SSLeay license, the licensors of this
Program grant you additional permission to convey the resulting
work. Corresponding Source for a non-source form of such a
combination shall include the source code for the parts of the
OpenSSL library used as well as that of the covered work.
This is what I've came up with right now but it may or may not be perfect:
I, the contributor, agree to licence all my contributions to this project under
the terms of the GNU General Public License 3.0 or any later version (GPL-3.0-or-later) with the
OpenSSL exception, except any dual licensed files (one being the GPL-3.0-or-later and other being any open source license) such as graphics work and documentations related to
App Manager.
The OpenSSL exception is as follows:
Additional permission under GNU GPL version 3 section 7
If you modify this Program, or any covered work, by linking or
combining it with the OpenSSL project's "OpenSSL" library (or a
modified version of that library), containing parts covered by
the terms of OpenSSL/SSLeay license, the licensors of this
Program grant you additional permission to convey the resulting
work. Corresponding Source for a non-source form of such a
combination shall include the source code for the parts of the
OpenSSL library used as well as that of the covered work.
Oops, wrong button.
Suggestion voting doesn't actually work. If to say it should hold up translations, consistency suffers, and contributions go down because of having to deal with it all.
Per user reviews don't exist. If they did you wouldn't have to handpick reviewers. Each translator could just keep a shorthand of reviewers they trust, and I would only use it to prioritize the order in which each and every string is reviewed by me. I don't trust anyone to do good work, and there is no reason I should.
That would however help each good translator scale. Right now the only real way is to stay on top of all changes for a language as they happen. You can search by reviewers other than yourself, but that is no replacement. Picking reviewers is the same premise as roles or picking out good translations from bad ones. Each translation onto itself as valued by each user is what matters, that is the only way to ultimately ensure quality.
Ah, so no moderation is possible. The old way of sending patches via a mailing list used to be better. What's your experience with Transifex? Does it offer anything better?
Transifex is just plain awful. Egregious terms, UI from the underworld. It is the home of the drive-by translator. Doing something right there is 10x the work. I'd worry more about facilitating good translations than putting measures in place to ensure bad ones.
Your problem is that adding a clause (big problem) to further translations, doesn't cover existing ones. Least it doesn't for translators that don't sign.
However, GPLv3+ to AGPLv3+ is fine https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility without getting the consent of each and every contributor (unless I am mistaken). Further work would then effectively change license.
What was the situation before the change? If OpenSSL was used and there was no exception in place, that seems like an oversight on part of the licensing department rather than something that actually changed. I get trying to make extra sure here, but what happens to be the actual problem to solve?
Whether the language parts are in conflict with an OpenSSL exception, I don't know.
https://www.openssl.org/source/license.html 3.0.0 is just Apache 2.0. OpenSSL is a mess, and a CLA-ridden one. Personally I would hope something else was used, but I am not sure whether the current problem is with the new or old OpenSSL licensing https://www.openlogic.com/blog/openssl-license-change-cautionary-tale ?
Edit: This is the provision for licensing stuff as per the license in the repo https://docs.github.com/en/github/site-policy/github-corporate-terms-of-service#5-contributions-under-repository-license
My take is to not double up on something that is already there. It being acceptable because it is already there is a very thin definition of acceptable, that also encompasses unacceptable. I remember seeing something similar about the implicit nature of doing so for contributors, but can't find it right now.
The question is not with the current version of OpenSSL because BoringSSL was forked from an old version of OpenSSL that was still under the OpenSSL license. As I've described earlier, SPAKE2 is only available in BoringSSL, and NOT in any place else. So, there's no alternative that we can look for.
I've attempted to port it to Java but the dependencies with the old version of OpenSSL seems too high, and I don't have time and energy to reimplement the entire OpenSSL (I already have to maintain far too many libraries as part of this project). You'd find OpenSSL exception in all projects that uses network connection and/or interact with low level system. It's one of the most used exceptions with GPL licenses (due to incompatibilities).
The alternative solution would be to use something called wrapping i.e. supply BoringSSL in a separate APK file and then use a permissive-licensed API to interact with it. While it's not difficult to do that, it would be annoying for the ADB users as they have to install the extension in order to interact with App Manager (see #281).
CLAs are essential for a safe future of an open source app. Consider we have to add an exception in future but some of the contributors (since we allow anonymous contributions) aren't responding. In such situation, there's no choice but to remove all contributions made by the user which could be very bad. At the same time, we have to careful not to follow the footsteps of ElasticSearch.
This is the LICENSE file of BoringSSL, known to be one of the most complicated license statements.
SPAKE2 and related code from Google are actually licensed under MIT instead of OpenSSL. For our purpose, we only need contents from the curve25519 (the tests can be skipped as we don't require any test) folder which has dependencies with a few OpenSSL library files, which shouldn't be too hard to extract if you're an experienced c programmer. The trouble is to replace them with alternatives that do not use OpenSSL license.
My contributions are under GPL-2.0-or-later, and so do not require my consent to be used in a GPL-3.0-or-later project.
It looks like Weblate added an option to block users.
If I can get Signal's curve25519 library to work, we may not need to add an exception at all.
It appears that we no longer need to add an exception!
I was finally able to implement the Spake25519 protocol in pure Java which will be available shortly at https://github.com/MuntashirAkon/spake2-java. I will also add native c library without OpenSSL's proprietary code.
We want people to use code from App Manager (it's increasing becoming the biggest source of technologies hardly found any other OSS) and I've received emails from various authors for permission to use the GPL3+ licensed code. The greatest loophole of GPL3+ is that the developers who modifies our code are not required to contribute to the original software — which is bad for the future of App Manager as a free (as in libre) software. So, I like to nip these loopholes in the bud by relicensing the project under AGPL3+ license.
But before doing so, I would like to take comments from the contributors and the community.