facebook / react

The library for web and native user interfaces.
https://react.dev
MIT License

Consider re-licensing to AL v2.0, as RocksDB has just done #10191

Closed wohali closed 7 years ago

wohali commented 7 years ago

Hi there,

The Apache Software Foundation Legal Affairs Committee has announced that the so-called 'Facebook BSD+Patents License' is no longer allowed to be used as a direct dependency in Apache projects.

This has led to a lot of upset and frustration in the Apache community, especially from projects requiring similarly-licensed code as direct dependencies - the chief of these being RocksDB.

However, we (the Apache Software Foundation) have just received word that RocksDB will be re-licensing their code under the dual Apache License v2.0 and GPL 2 licenses.

As a user of React.JS in an ASF top-level project (Apache CouchDB), please consider re-licensing React.JS under similar terms. Otherwise, many ASF projects such as our own will have to stop relying on and building with React.

A previous bug (#9760) suggested I mention @lacker in this issue when asking licensing questions, so I'm doing so.

Thank you kindly for your consideration.

tdunning commented 7 years ago

From what I have heard, FB is not interested in pursuing the more draconian possibilities of the BSD+patents license. If that is true, there is actually very little difference between BSD+patents and the Apache license. As such, relicensing should make little if any pragmatic difference to Facebook.

Such a change, however, would make it much easier for license-cautious downstreamers. Please do consider making the change.

gaearon commented 7 years ago

@lacker no longer works at Facebook. I'm having a little trouble figuring out who would be best to route this to, but I'll look again on Monday. Thanks for raising this!

rmccue commented 7 years ago

RocksDB is now dual Apache 2.0 and GPL v2 licensed as of https://github.com/facebook/rocksdb/pull/2589

rakibtg commented 7 years ago

https://news.ycombinator.com/item?id=14779881

dchest commented 7 years ago

Instead of switching license to Apache License 2.0 (ALv2), which is not liked by many people and is incompatible with GPLv2, and/or dual-licensing ALv2 + GPL mess, would Facebook consider changing a PATENT license once again to make termination clause look more like the patent license grant in ALv2:

If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

Would this satisfy ASF people?

Just to voice an opinion, in my and my company's software projects, I avoid dependencies that use ALv2, and I'm against relicensing away from the BSD-like license. I'd prefer that ASF would rewrite their software to not use dependencies that their lawyers say they can't use instead of persuading every project that they can't use to change license.

rnewson commented 7 years ago

We're only asking if the project would consider changing license. Apache CouchDB and others will switch away from react if we have to. We'd rather not, it's a lot of work for no real gain, but we don't have a choice. Changing license can be simple (RocksDB completed that change in a day).

dchest commented 7 years ago

We're only asking if the project would consider changing license.

I understood that. My point is that instead of changing the license, would ASF and Facebook work to arrive at the acceptable PATENTS file?

(BTW, I'm not in any way related to the React project or Facebook Inc. apart from being the user.)

rnewson commented 7 years ago

great question, will need a bod from ASF Legal to answer it. I'll point them here if I can.

nevetS commented 7 years ago

@dchest What is it specifically that your company finds necessary to avoid in ALv2 that is not already present in the react license?

The existing PATENTS file is a point of consternation for many, not just ASF. I think the point of this request is to alleviate licensing concerns that cause unnecessary roadblocks to adoption.

dchest commented 7 years ago

@nevetS due to Oracle America, Inc. v. Google, Inc. I avoid discussing any specifics about any licensing decisions in public or by email, so I'll leave it to other brave souls and/or lawyers. I only decided to voice my opinion here because I saw no opposing opinions posted, while in fact there are such.

The issue concerns changing the status quo to satisfy one organization's needs (but I'm sure there are others too) by re-licensing with the license written by this organization (sure, it's OSI-approved and widely used), with a history of alienating other open source (and "free software") projects. I don't want this to happen to React, so I'm trying to see if there's a middle ground by changing the PATENTS file in such a way that will satisfy both Facebook and ASF.

j127 commented 7 years ago

Many people don't use React (and Immutable, etc.) because of the PATENTS file. The simplest solution would be to delete it from all of the Facebook repos.

erkinalp commented 7 years ago

Modified GPL-like with share-alike patents clause?

clarkevans commented 7 years ago

There has been recent, renewed awareness in medical research institutes about open source license compliance. Legal review of open source software compliance often expressly asks for Apache 2.0 license precisely because it is competently constructed and includes equitable patent grants. Since U.S. based universities rely upon patent licensing as part of their legislatively mandated technology transfer initiatives, they are growing far more cautious in their due diligence. For this reason, at some universities, software written with React may be shunned. Existing projects using React software may be asked to remove the React software dependency. Please strongly consider this proposal, since our RexDB work is used at major universities, we do not wish to rework to use a React alternative.

dchest commented 7 years ago

@clarkevans thanks for your contribution to the discussion! As you said, the purpose of the review was ensuring compliance, that is protecting themselves from lawsuits. It's a worthy goal for any organization, but I doubt the effect of licenses on open source ecosystem was considered, and I think this effect is very important. Simple BSD-like licenses are known to cause less friction for open source projects. If the fact that Facebook granting additional patent rights (separately from copyright license) causes problems for some organizations, I think it's worth considering fixing the problem with patent grant instead of switching to the license that incorporates it.

Here's an example of a patent license which I think might work for everyone: https://github.com/golang/go/blob/master/PATENTS

clarkevans commented 7 years ago

@dchest I'm not a lawyer, but I'm not sure you can consider the BSD license independent of the additional patent grant, it's about intent, and patents file changes the intent. Even Facebook's blog [1] refers to their license as BSD+Patents, "We use a standard BSD license paired with an additional patent grant for most of our open source projects. For brevity, we call this combination the Facebook BSD+Patents license." This is further complicated by the recent revelation that the GPL is enforceable as a contract [2]. Please note that there is sufficient dissent at the Open Source Initiative that CC0 is not approved as an open source license [3]. Hence, I don't think that you can view BSD independently once the additional patent license is added since you can no longer assume there is implicit patent grant.

While the Apache 2.0 license may not be perfect, in the interest of unifying licenses, it's far better than adding yet another license. Surely the OSI would reject Facebook's BSD+patent license if it were proposed. So, in reality, you might want to instead consider React as "non-free" expressly because of this addition. Lots of people add additional non-free clauses to the BSD license and propose it to the OSI each year, and in almost every case the license is rejected as not complying with open source standards.

[1] https://code.facebook.com/pages/850928938376556
[2] https://perens.com/blog/2017/05/28/understanding-the-gpl-is-a-contract-court-case/
[3] https://opensource.org/faq#cc-zero

clarkevans commented 7 years ago

As a further note, Google's gRPC was relicensed to Apache-2.0 as part of joining CNCF. They explained their reasoning here: https://www.cncf.io/blog/2017/02/01/cncf-recommends-aslv2/

webmink commented 7 years ago

OSI-approved alternatives to Facebook's license+grant combo also include UPL[1] and BSD+Patent[2], both of which are likely to be compatible with Apache's license. Where possible I suggest avoiding inventing yet more legal language.

[1] https://opensource.org/licenses/UPL
[2] https://opensource.org/licenses/BSDplusPatent

tdunning commented 7 years ago

Regarding the vague fear by unnamed people that @dchest was talking about, establishing clear compatibility with the current Apache license is precisely one of the main reasons for GPL v3.

More concretely, writing yet another license for people to have to keep track of and analyze is simply silly. This is especially so if you write one that incorporates patent language "just like" the Apache language on top of the BSD model that is also "just like" the Apache language, except that the Apache license was updated based on feedback from competent legal counsel.

tdunning commented 7 years ago

@nevetS

I don't think that @dchest ever said that his company found anything problematic with the Apache license. He just said that he tries to avoid it in his work. That is completely different.

My (uninformed) guess is that his company has no problem with Apache apart from that sourced from Dmitriy himself.

harshavardhana commented 7 years ago

From Minio team here we would like to see this change happen. Our object storage browser UI is based on react and we are Apache 2.0 licensed.

It would be unfortunate and time consuming to migrate but we will have to do that in lieu of new information regarding Apache incompatibility. Please consider re-licensing React.

Thank you for your consideration.

dchest commented 7 years ago

@harshavardhana I think you misunderstood the situation. The current license is not incompatible with ALv2. The situation is that Apache Software Foundation's lawyers (correction: policy makers) declared that their projects will not use any dependencies licensed with BSD+Facebook's patent license, so their people filed this issue to convince Facebook to relicense it under ALv2. Many other people consider the current license and patent grant problematic, some companies also ban React for this reason. However, React is used by many more companies that don't have problems with it. See also https://github.com/omcljs/om/issues/882#issuecomment-315664114

gstein commented 7 years ago

Close, @dchest. It was not our lawyers that made this choice, but our policy decision to disallow the FB/BSD+Patent license to be mixed into the software the Foundation releases to users. And I don't think anybody expected a relicensing; this change was promulgated as an "internal" change in policy around this particular license.

nevetS commented 7 years ago

The current license is not incompatible with ALv2.

From the apache discussion:

Roy T. Fielding added a comment - 12/Jun/17 13:50 I have discussed that license with Facebook's legal counsel. It is not BSD (which relies on implied patent grants) and is intentionally incompatible with the Apache License.

wohali commented 7 years ago

The request to re-license was made politely, and was met with similar politeness by @gaearon (Thank you Dan for your understanding!)

There is no expectation of change on Apache CouchDB's part, but there is certainly a lot of hope for re-licensing to be achieved. And I'm hoping Dan can connect with people like @daveman692 to understand Facebook's internal reasoning and process for the expeditious change-of-heart around RocksDB's licensing.

dchest commented 7 years ago

@wohali sure, and I hope my comments are not considered impolite, if so — sorry, that wasn't my intention. It's important to note that ASF opinion is highly valued in the open source community, so while you opening the issue is a simple and polite request for the license change, the fact that the request is caused by ASF policy position — relicense or we'll stop using it — has a side effect of making other people fear the current license.

I hope that Facebook and ASF arrive at the mutually acceptable terms, however I would like to see the compromise in the form of the current BSD license plus a changed PATENTS file, rather than ALv2. I also hope that ASF itself proposes this as an option.

(That's pretty much all I had to say, so I'm unsubscribing from this thread.)

gaearon commented 7 years ago

To give you a small update, there are going to be more internal discussions about this for about a week. This is about as much as I can say. I wouldn't be too optimistic about this changing for React but we'll see. @daveman692 has kindly agreed to provide an update when these discussions are over.

samuelhorwitz commented 7 years ago

So just to clarify here, there's a lot of conflicting information going around. Can software not be licensed under Apache-2.0 if it includes BSD+Patents dependencies? Or is this an internal policy for ASF that is making people nervous because it's a public statement of criticism from a well-respected foundation with lawyers knowledgeable about open source licenses?

copiesofcopies commented 7 years ago

This is the issue as I understand it: The React license's patent grant is narrower than Apache-2.0's, because it prohibits patent suits against Facebook that Apache-2.0 would not. The licenses are still compatible, in the sense that they can be used together within the same work. However, the overall license for that work (call it Apache+React), is less permissive than Apache-2.0 because of React's patent restrictions. It is Apache Software Foundation policy not to distribute software that cannot be licensed, as a whole, under the terms of Apache-2.0. Therefore, it will not accept the React license into its own project because it would make the project's license more restrictive than Apache-2.0.

nevetS commented 7 years ago

@samuelhorwitz I think the following links might be helpful:

ASF Legal Notice Regarding Facebook Patents+BSD/ROCKSDB License

Clarification of what this policy means for a particular project

I don't believe there was judgement or criticism other than "we cannot host any dependency with this license" and "we cannot allow software that we develop to be exclusively dependent on software that uses this license."

Nesting dependencies with varying licenses is a difficult task because of potential confusion. At this point projects within the Apache Software Foundation can leverage react, but only if the end user downloads react separately, and only if there is an alternative. This is not ideal. Given that RocksDB's license was changed, and given that there is at least the impression that the intent behind the BSD+Patents license is very similar to the apache license, it seems a discussion is in order to determine if this situation can be resolved (potentially by adopting a different license in the way that RocksDB recently did).

@copiesofcopies laid it all out pretty clearly... but I had already put this together so...

j127 commented 7 years ago

the request is caused by ASF policy position — relicense or we'll stop using it — has a side effect of making other people fear the current license.

People should fear it. If you build software that depends on React, Immutable, etc., many people can't use that software. The PATENTS file is poisoning the open source ecosystem by making its way into dependencies of dependencies.

pdfernhout commented 7 years ago

React was originally published under the Apache 2.0 license. Some people may have depended on that license when they started using React (perhaps Automattic for Calypso).

So, what people are generally asking is essentially just for React (and related projects) to be under the original license when it was first released: https://github.com/facebook/react/blob/75897c2dcd1dd3a6ca46284dd37e13d22b4b16b4/LICENSE

I do not know what the patent implications are given the original Apache License grant by Facebook for React, but they may be worth thinking about.

joonhocho commented 7 years ago

While we are at it, can we also throw GraphQL, Relay, React Native, Flow into the discussion as they also have the same license+patent format. While they are not as popular as React, they are just as important to open source community and people using them and are often used together with React.

EDIT: Added Flow to the list.

CoreyDotCom commented 7 years ago

Other large companies such as mine (Adobe) can't use React, Pop, etc. for the very same reason. We'd love to participate in the project, contribute to each etc. but Facebook's heavy-handed PATENTS clause is a showstopper.

ntwb commented 7 years ago

When in Rome... https://github.com/facebook/jest also please :)

airandfingers commented 7 years ago

Even mid-size companies like mine (ViaSat) are starting to disallow the use of Facebook's "open-source" projects for this reason. We'd like to build React web and native apps, but it seems that any sensible legal department will recommend against agreeing to Facebook's asymmetric patent grant.

particlePaul commented 7 years ago

If we're compiling a list, Google also banned the use of React internally (despite many teams that wanted to adopt it) because of this PATENTS nonsense. (This may have changed since I left.) It's a ridiculous obstacle for a project that otherwise does so much to encourage community adoption.

gaearon commented 7 years ago

The new patent grant (it changed once) was created specifically with feedback from Google, and last I heard their lawyers were happy with it.

CoreyDotCom commented 7 years ago

So no consideration for the rest of us whose lawyers weren't happy with it? Poor form.

jwyuen commented 7 years ago

I'm not sure how possible this is, but what about the nuclear option of forking React from before the PATENTS file addition:

https://github.com/facebook/react/commits/master/PATENTS

Seems like a huge waste but what else can people do if Facebook doesn't want to play ball?

ellisonbg commented 7 years ago

I am a Steering Council member of Project Jupyter, an open-source project that builds the Jupyter Notebook among other things (http://jupyter.org/). We are wanting to use react/immutable in a number of Jupyter repos, and the patents clause of FB licenses continues to cause problems for corporate/organizational users of Jupyter. For a lot of such users it isn't a problem (they are already using react) but for many they are frustrated that they have to get their lawyers involved to assess the risk of using Jupyter (if we use react). In a world where open-source has become the de-facto choice in many spheres it is really painful to be back in the land of "we have to talk to our lawyers before..."

The Jupyter leadership is not convinced there is an actual problem with the FB patent clause, but the mere fact that this generates friction for institutional users of Jupyter is a huge problem. It is also artificially limiting the adoption and usage of react and other libraries under that license.

joonhocho commented 7 years ago

I just want to drop my personal opinion on this issue. I personally think of open source world as a public library in real life. It's where anybody from anywhere can freely access, gain knowledge and maybe, without any obligations, give back their knowledge in return. It's where people help each other by sharing knowledge and make the world a better place. I know it's very optimistic, but that's just how I feel about it. I love using open source projects, and in return, I have created dozens of open source projects myself and licensed all of them with MIT license, which seems the simplest and most common option for people like me without any legal backgrounds. Of course, it would be great if I can get something out of them, but in fact, I did already. I've been using many other open source projects, and that's already my gain. I am merely trying to give back to the community. I feel like it's the right thing to do. I really hope this React license issue doesn't become how Facebook can realign its license with certain large organizations like ASF or Google, but more about what's the right thing to do. I like React and other projects from Facebook, but I can't help but feel like Facebook is trying to get something out of them by adding PATENTS clauses, even if they are only defensive as suggested. It's like finding a small note in the most popular book in a public library saying "If you ever read this book, in the future...". Maybe more than 90% of people shouldn't need to worry about it, but it's still something unpleasant to consider. I love React and wish everybody can freely use it without worries.

gaearon commented 7 years ago

So no consideration for the rest of us whose lawyers weren't happy with it? Poor form.

Excuse me, but I was replying to the comment just above that was specifically about Google.

I understand that everyone is frustrated about this issue. Personally I am just as frustrated to spend time, energy, and emotional wellbeing on legal mumbo jumbo that is preventing people from using React. I would much prefer to spend this time on working together to make it better.

But the reality of this situation is that the maintainers of React (people like me that you’re interacting with on the issue tracker) are not the ones making these decisions. Each of us is doing what we can to show different perspectives on this issue to the people who can make those decisions, and we appreciate your feedback too. But we can only keep discussion open if everyone stays civil and respectful. Thanks.

CoreyDotCom commented 7 years ago

@gaearon - Understood I misinterpreted the intent of your comment. Appreciate the clarification (and your efforts).

coderanger commented 7 years ago

Just to make sure this stays a bit grounded, the patent grant clause of the Apache 2.0 license is not substantively different from the existing Facebook patent grant policy. Certainly using something more standardized would be good, but anyone that is concerned about using React today should probably have equal concern about all FOSS software. The main difference is the revocation clause from Facebook is a lot more broad on which kinds of IP lawsuits will activate it, but the functional distinction is pretty small.

That said, srsly use something standardized, makes life easier on both sides.

kevinflo commented 7 years ago

I've never written a comment like this on any project in my life. I'm unsure if hitting the "comment" button is a good idea or not. Please take everything I say below as meant respectfully. React is a wonderful ecosystem, we all want what is best for it, and I sincerely believe that everyone (including Facebook) is doing the best they can.

Personally I am just as frustrated to spend time, energy, and emotional wellbeing on legal mumbo jumbo that is preventing people from using React.

But we can only keep discussion open if everyone stays civil and respectful.

It goes without saying that the discussion remaining civil and respectful is paramount. It is clear that this situation isn't fun for anyone (including the devs & lawyers at facebook, all contributors to React and its ecosystem, and of course devs like myself who are blocked on using React/React Native based on the PATENTS situation).

That said, the sentiments expressed in the sentences I quoted above go to the very core of what is so lopsided and problematic about this situation.

That this is dismissed as legal mumbo jumbo is frankly frightening. React's ecosystem has snowballed to the point where it is incredibly important to the future of literally all of software development. Software development has never been so important, and it affects real people in real ways. Facebook is a terrifyingly powerful force in technology, and by extension the world. As Facebook expands to more platforms as a dominant player and keeps React central to those expansions the true problems with the patent situation emerge.

For example, if Facebook dominates VR with a closed walled garden (as they are positioning to), and they happen to decide one must use React to develop for Facebook's VR platform, one must forfeit (company wide!) any legal standing with regards to patents vs. Facebook (one of the most powerful companies in the world!) in order to develop for the dominant platform of the day. It's as if during Microsoft's era of dominance one had to forfeit all legal patent standing against Microsoft in order to create a windows application. I feel like a silly worry wart even typing this out but if you think through this all logically that is literally the situation we are in today.

Finally, the suggestion that if the tone of discussion around this issue gets heated that all discussion will be silenced is chilling. We're all passionate about software, we all obviously love react or we wouldn't be here, and many of us have poured countless hours into work that will have to be thrown out if this doesn't change. This is an extremely complicated situation with tons of different parties with tons of different concerns. Things getting heated is absolutely expected because we all care. I beg of everyone to keep discussion civil and mature, but the suggestion that if they don't this discussion will be silenced and this project will continue on the absolutely unacceptable status quo is a troubling thing to read.

thomasgwatson commented 7 years ago

That this is dismissed as legal mumbo jumbo is frankly frightening.

I think you missed Gaearon's point. He is not dismissing the legal problems, just expressing that it is super frustrating for him to have to deal with the same arguments about this time and time and time again. He doesn't have magic power to change anything, as magical as he is. Instead he has to weather the storm of frustration about something he has no control over.

Personally, I would suggest that we leave this thread for substantial updates about the thread topic: whether React will be relicensed or not. There are so many platforms (twitter, medium, emailing Facebook legal counsel, hacker news, reddit etc etc) to express our passion on; I have put many hours into this issue at my company. The issues tracker is a poor tool for tracking the wide ranging discussion that this topic can produce, as has happened in the past.

gaearon commented 7 years ago

I did not mean to dismiss the issue. I apologize if that’s how my previous comment reads. What I’m trying to say is that this is a bug tracker and not the best venue for legal discussion. Especially since most of us, as I presume, are not lawyers. You may see this thread as a way to say something to Facebook, but you’re talking to a team of a few people who are software developers like you.

We are currently keeping this issue open because there is an in-progress discussion. And we will notify you if there are any updates. However, we have always closed such issues in the past after initial discussion. This is not because we want to silence you, but because keeping it open forever does not achieve any purpose. We have heard you very well, and we have passed on your concerns. But repeating the same points over and over in different threads does not help move this forward, and creates a lot of noise and stress for the maintainers who are already empathetic to your cause.

The updates that happened in the past (such as updating grant in response to initial concerns from Google and other companies, or publishing FAQ to dispel common myths) happened outside of GitHub issues after much internal discussion. The legal team is re-evaluating these decisions every once in a while, and we’ll make sure they hear your voices. All I’m asking is that we treat each other with respect and keep this discussion level-headed while we wait for their decision. Thanks.

csepulv commented 7 years ago

@gaearon, Is there an available venue for such a licensing discussion?

I understand this may not be the best place for such a discussion, but it's open and folks like you are responsive. I don't know if there is any other option for such a conversation.

While I appreciate there are internal discussions for Facebook to have on the matter, I would love an open forum for Facebook's legal group to engage with the React community on licensing.

SEAPUNK commented 7 years ago

@csepulv the Legal Team (legalus humanus) is an elusive kind, typically found in their natural private office habitat, often leaving only to hunt for food or provide for their shelter...

samuelhorwitz commented 7 years ago

@coderanger

Just to make sure this stays a bit grounded, the patent grant clause of the Apache 2.0 license is not substantively different from the existing Facebook patent grant policy. Certainly using something more standardized would be good, but anyone that is concerned about using React today should probably have equal concern about all FOSS software. The main difference is the revocation clause from Facebook is a lot more broad on which kinds of IP lawsuits will activate it, but the functional distinction is pretty small.

My (non-lawyer) understanding of the distinction is that Apache 2.0 says "this license grants you the right to use anything patented within this software under the terms of this license" coupled with "if you attempt to bring about patent lawsuits regarding anything in this software, then you lose all patents rights granted to you by this license".

Whereas the argument is that the BSD+Patents clause says more along the lines "if you attempt to bring patent litigation against Facebook at all, then all the rights to use the potential patents held on this software are lost". This asymmetry is what people are concerned about because concerned parties argue this is the same as saying "all your patents in exchange for using React" since even though "patents are evil etc etc" there may be legitimate patent claims a company wishes to make at some point against Facebook or some affiliate.

To be fair to Facebook, I really doubt this stems from some sort of malice and more as a defensive measure against the ridiculous state of patent litigation these days, but that also doesn't change the legitimate concerns people have either.

Anyway once again, not a lawyer, but I thought I'd clear that up as outside of the GPL camps and other anti-commercial-open-source camps, the Apache license is regarded as a really good commercial open source license for its explicit (symmetric) patent grant/litigation protection clause as well as its explicit trademark protection clause, both of which are generally lacking in other good licenses such as MIT (and license modification is either expensive or done by someone who's not a lawyer as well as contributing to license eco-system complexity).