redchair123
commented
11 years ago @nathanathan I know this is a long response, but it's important to understand the legal context here:
XLSX Licensing
The js-xlsx project is a cleanroom implementation of the ISO/IEC 29500:2012(E) "Information technology — Document description and processing languages — Office Open XML File Formats" specification.
The XLSX format is ISO certified and Microsoft has relinquished IP rights over the specification, which is why I am able to release this under MIT license.
A real-life example of problematic licenses
First take a gander at https://github.com/stephen-hardy/xlsx.js/issues/8 which discusses the licensing terms of @stephen-hardy xlsx.js implementation. My understanding is that he is a Microsoft employee and was able to release code under a particularly unpleasant license https://github.com/stephen-hardy/xlsx.js/blob/master/LICENSE.txt which had the clause
" (F) Platform Limitation- The licenses granted in sections 2(A) & 2(B) extend only to the software or derivative works that (1) are run on a Microsoft Windows operating system product, and (2) are not Excluded Products."
which, strictly speaking, is problematic for those who may use it browsing from a mac or iPad.
XLS Licensing
The js-xls project is a cleanroom implementation of the MS-XLS specification. This is NOT ISO certified, so I had to go by the Microsoft-supplied MS-XLS spec (google "[MS-XLS]: Excel Binary File Format (.xls) Structure" and go to the first link from msdn.microsoft.com).
Microsoft "Open Specification Promise"
There is some controversy over the licensing there, as all of the specifications used (Look at readme.md for a list) are covered by something called "Microsoft Open Specification Promise", which isn't a particularly permissive license (see http://www.microsoft.com/openspecifications/en/us/programs/osp/default.aspx for details) As others have discussed (https://www.softwarefreedom.org/resources/2008/osp-gpl.html), there are lots of nuanced language which makes it difficult to release under a proper open source license. The reason why I can release js-xls is because it is a pure implementation (and you probably noticed that it takes great measures to avoid doing anything beyond what is written in the spec).
Apache POI Exemption
Based on Microsoft's commentary in Apache POI, the pure implementation above satisfies their requirements and therefore can be released under the Apache License.
Caveat (why I made the comment about consulting a lawyer)
I ran the entire corpus by a personal friend who is a lawyer dealing with intellectual property cases (last thing I want to do is find myself in hot water over code I release on Github), and he pointed out that while the promise does cover my implementation, it may not apply to other code that uses the implementation (also mentioned that I may be a bit paranoid, so take my concern with a grain of salt). And MS actually explicitly says it in their FAQ:
"The OSP does not apply to any work that you do beyond the scope of the covered specification(s)." (quoted from https://www.microsoft.com/openspecifications/en/us/programs/osp/faq/osp-general/default.aspx).
Why other implementations don't have such caveats
I personally suspect that authors of other implementations have not been through the OSP and associated legal documents.
tl;dr
I am confident in the compliance of both js-xlsx and js-xls, and will not commit any code unless I've convinced myself that it conforms to the terms. On the other hand, the legal grey area does concern me and I would be remiss if I didn't mention my concerns (I prefer to err on the side of caution).
Based on my understanding of the relevant legal issues, I concluded that while I could release js-xlsx under MIT license I could only release js-xls under Apache, which is why they are separate repos.
Hi, I have a couple questions about why you're maintaining separate libraries for xls and xlsx files, and the legal warning in the license section of the readme. As a point of reference, the python xlrd library reads xls and xlsx files, and does not as far as I can tell, warn users to consult a lawyer for commercial use. In your opinion, would the legal risks of using this library be any different from those of using xlrd?