zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Licensing discussion thread #1027

Open mwarning opened 5 years ago

mwarning commented 5 years ago

Hi,

ZT is packaged for OpenWrt and I just noticed the license change.

Does that mean that ZT cannot be packaged anymore? I wonder if a commercial license can be part of the openwrt packages repo (https://github.com/openwrt/packages). Or if it has to be moved out.

The license also does not seem to have a spdx identifier that the package uses: https://spdx.org/licenses/

I read in the license that there may be an open source release. Do I have to wait for that and keep at the previous version until then? - thanks

fastcat commented 5 years ago

Also www.zerotier.com can no longer claim that the software is Open Source, and the statement "A commercial license is only needed if you want to rebrand our stuff or create a closed-source derivative work" now needs considerable updates as many things commonly assumed to be permissible under Open Source no longer are.

laduke commented 5 years ago

Hi @mwarning thanks for maintaining the openwrt package!

https://www.zerotier.com/pricing/ has been updated

FREE: Package ZeroTier (labeled as such) and distribute it for free in an app store or other software repository

adamierymenko commented 5 years ago

This page provides more information.

We are adopting this license because (1) many customers' legal departments fear the GPL and won't touch anything GPLed (Linux and the GNU tools tend to get grandfathered in), and (2) a more permissive license would allow larger better funded companies to just take our work and monetize it without us. This has already happened to many projects.

Basically we don't want to end up like RethinkDB, a company that built a great NoSQL clustered database only to have most revenue earned by database-as-a-service providers that re-sold pre-configured instances of their database in the cloud and paid them nothing for it.

adamierymenko commented 5 years ago

1023 is a duplicate

adamierymenko commented 5 years ago

@mwarning ZeroTier can still be packaged for free. No license is required to (1) incorporate it into something open source or (2) redistribute it in source or binary form assuming you're not stripping away or changing its name (rebranding or "white labeling").

Basically the only things our license restricts are: (1) incorporation into a commercial closed-source product, and (2) operating a for-profit SaaS service for ZeroTier network management that competes with our own service and not paying us anything ("SaaSification").

mwarning commented 5 years ago

Thanks for the clarification and context. So dual-licensing won't solve the issue. ok

fastcat commented 5 years ago

The license literally says:

> The Business Source License (this document, or the "License") is not an Open Source license

adamierymenko commented 5 years ago

That's saying it does not meet the OSI's definition of an open source license, which includes unrestricted SaaS monetization use.

adamierymenko commented 5 years ago

Reopening for now since others may be interested.

BTW @mwarning does that clarify things or is there still an issue with the DD-WRT port?

mwarning commented 5 years ago

@adamierymenko I need to speak to the OpenWrt folks about what restrictions they have for their own package repository.

adamierymenko commented 5 years ago

K, please let me know. We are open to clarifications or minor modifications to accommodate as much of the good non-exploitative open source ecosystem as possible. We're trying to strike a balance between being free for the FOSS world but not allowing exploitation and getting paid enough for our work to stick around and grow.

adamierymenko commented 5 years ago

IMHO taking FOSS and putting it behind a SaaS paywall and not giving anything back (as some companies do) is sort of un-cool.

fastcat commented 5 years ago

> IMHO taking FOSS and putting it behind a SaaS paywall and not giving anything back (as some companies do) is sort of un-cool.

FWIW, I totally agree with you here. My "issue", such as it is, is only with clarity.

To that end, if lawyers are involved, I expect what's going to matter is the text of the license. Guidance provided around it is probably non-binding.

If the goal of the re-license was to calm some companies' concerns about the GPL, and also to prevent the SaaS abuse you mention, was something like dual licensing under BSL plus Affero-GPL v3 considered?

adamierymenko commented 5 years ago

We will work to clarify the best we can, which will be an iterative process I'm sure.

adamierymenko commented 5 years ago

Hmm... and BSL + AGPL3 is perhaps possible. Will have to look into it.

adamierymenko commented 5 years ago

Yeah, I think if we get a lot of pushback from OSS distributions/platforms about including ZeroTier we might indeed do something like ZT-BSL + AGPL3. The former is what's there now, and the latter pretty much prohibits SaaSification and building this into commercial products.

adamierymenko commented 5 years ago

I'm also researching whether the government restriction is needed or not. If it's not we'll remove it.

dch commented 5 years ago

On Thu, 5 Sep 2019, at 18:56, Adam Ierymenko wrote:

> Yeah, I think if we get a lot of pushback from OSS distributions/platforms about including ZeroTier we might indeed do something like ZT-BSL + AGPL3. The former is what's there now, and the latter pretty much prohibits SaaSification and building this into commercial products.

FWIW the FreeBSD port is still on the previous version as I can’t figure out the practical intent of this change. There’s no existing BSL in the ports tree to refer to, and I’m at a loss on how to implement this - how to communicate to users that this distinction needs to be respected.

As an actual customer I obviously support your move, but if you’re hoping this avoids being Sherlock’d, or Apple or AWS simply writing a compatible implementation I think the license is a weak defence. AGPL doesn’t prevent this either.

Finally, I think replacing the licence is worthy of a 2.0 major version bump, and I really hope you can find a suitable existing licence to reuse.

pedro-nonfree commented 4 years ago

Please, rethink about relicensing it with AGPLv3 as a good solution against SaaSification (great word! heh).

There are companies that rebrand openwrt for their own product (not my case) and the same for some linux distributions: PlayStation - FreeBSD, etc. Those cases right now are what you don't want (hide zerotierone in their product in for profit situations without returning probably almost anything)

for this situation

> Package ZeroTier (labeled as such) and distribute it for free in an app store or other software repository

generic BSL probably solves those cases better (quitting that exception) and AGPLv3 enforces your product better through author attribution, source code request, etc.

In fact, if you relicense with AGPLv3, the other license could be extremely proprietary with the strong conditions you need. "If you don't want GPL enforcement, pay"

mwarning commented 4 years ago

@adamierymenko the commit was accepted: https://github.com/openwrt/packages/pull/9937

fwiw, I would feel more secure with the AGPL, it is a well known license.

comex commented 4 years ago

The updated version of the pricing page still describes ZeroTier as open source. Please fix this: the BSL is not an open source license, something which is stated by the license text itself.

For what it's worth, for admittedly ideological reasons, I uninstalled ZeroTier when I learned about the license change, even though I've found it very useful over the years and was looking forward to using 2.0. I'm glad to learn that dual licensing under AGPLv3 is being considered, and I hope it becomes a reality so that I can reinstall. :)

dch commented 4 years ago

I confirmed with FreeBSD portmgr group that we can continue to distribute this "as usual" with suitable caveats, notes, and foot-gun indicators.

However, the new licencing is a major turn-off to general users who can't align this with their existing understanding of OSI type licenses. Whether this matters to ZT the company I can't say but I've had plenty of negative feedback on the change from users. Is there a venn diagram linking FLOSS & paying users?

PrivatePuffin commented 4 years ago

Can you guarantee you have permission from ALL(1) individuals listed here to change the licence: https://github.com/zerotier/ZeroTierOne/graphs/contributors

I doubt it. Just so you know: GPL doesn't allow you to relicence. Not even future additions, because you are not allowed to place additional restrictions on works derived from GPL code.

If not, you guys are just violating the GPL.

(1) Not truly all-all, but most of them. Only additions that are copyrightable count in this case. But that's at least a very big portion of these people.

adamierymenko commented 4 years ago

I want to respond to some of the above:

(1) I am not a huge fan of the BSL, but it's the best solution available to us at this time. See this blog post for an explanation: https://www.zerotier.com/on-the-gpl-to-bsl-transition/ -- many other projects such as CockroachDB and others have adopted the BSL for the same reasons.

(2) The copyright holder of a work is indeed permitted to change the license, and I'm not aware of any objection from others. If anyone does object we can remove their work from the source tree. There aren't really any non-trivial contributions by outside individuals anyway (which is the case with 90%+ of open source projects).

(3) This of course does not apply to third party libraries used by ZeroTier, which remain under their own licenses. AFAIK there are no licenses there that conflict with our own.

The licensing topic is an open question for us. We are contemplating actually creating our own community license that attempts to address these issues while attempting to be as compatible as possible with other OSI licenses.

P.S. I regret using the GPL a bit because it's divisive. On one hand you have a large number of GPL zealots who react intensely to any deviation from the GPL, but on the other hand you have in my experience an equal or greater number of people who will not touch the GPL and don't like to use anything connected with it. When we used GPL we got nothing but negative comments about it, and now that we've dropped it we get nothing but negative comments about dropping it.

PrivatePuffin commented 4 years ago

I can agree on (1) and (3). To be clear I'm personally not against or pro any licence, every licence has its place.

However when it comes to (2):

> The copyright holder of a work is indeed permitted to change the license

Unless it includes GPL work from others, in which case it's a derived work

> and I'm not aware of any objection from others

You don't need objection, you need formal permission from the other authors. If you don't you are in violation of the GPL. The violation comes into play the moment you relicence, not the moment they object. Even when it comes to liability: If they object in 10 years and you remove it, you might (depending on jurisdiction) still be liable for damages for the 10 years of unauthorised use.

> If anyone does object we can remove their work from the source tree

That could work in some cases, yes. However, depending how much your (new, replacement) work looks like the old work it might be fruit of the (gpl) poisoned tree and such still be legally considered a derived work. The GPL is broad enough (and on purpose in this case) to consider a total refactor still a derived work. But let's not go this deep into it at this time... It depends, it might work, it might not.

> There aren't really any non-trivial contributions by outside individuals anyway

I agree, about 95% of code is zero-tier (employee, depending on contracts) owned and some of the others might not be viable for copyright. That being said: From a company I expect someone actually looked at it BEFORE changing licences. Every half decent copyright lawyer would've advised to look at the triviality beforehand. Because if something is not trivial, the burden is (in the very least) on Zerotier to PROVE they acted in good faith before changing licences. Without analysing if they have the required right to do so, a judge would rule it was a change in bad faith.

> The licensing topic is an open question for us.

I do appreciate the honesty and open discussion.

> We are contemplating actually creating our own community license that attempts to address these issues while attempting to be as compatible as possible with other OSI licenses.

I think the BSL can be used for said purpose as well. Creating a custom licence is expensive and (in this case) quite needless.

> On one hand you have a large number of GPL zealots who react intensely to any deviation from the GPL, but on the other hand you have in my experience an equal or greater number of people who will not touch the GPL and don't like to use anything connected with it.

If you would live any closer I would get you a beer. This is so underestimated. GPL has a fundamentalist group that wants it and a bunch of (also sometimes fundamentalist, to be fair) corporations that don't want it. I myself prefer BSD when I can reasonably get away with it (low risk of code-"theft"), it seems to silence both groups quite well.

> When we used GPL we got nothing but negative comments about it, and now that we've dropped it we get nothing but negative comments about dropping it.

To be honest, I think the anti-GPL complaints were from people interested in paying your company and the pro-gpl complaints barely ever paid up. That's an easy choice. If the Software Freedom Conservancy for example is willing to give you a nice 7 figure a year to keep it GPL, that would also solve any issue. But they don't and you have mouths to feed.

That being said, something constructive:

TL:DR Licences are hard. I don't blame you. But mistakes are easier to make than anyone should be comfortable with.

adamierymenko commented 4 years ago

Those are great points, and we do need a formal CLA. I'm going to re-check past contributors (even of small things) to make sure there are no issues as well, at least before we release 2.0.

I agree that a new license is a major undertaking, but I really would like to solve this problem in a more satisfactory way than the BSL. The BSL feels like a half-way-there hack.

Here's my personal opinion:

The real issue is that OSS licenses pre-date the present SaaS / surveillance capitalism era. Unpaid "SaaSification" of open source works -- putting them behind a paywall without contributing anything back -- is definitely against the spirit of open source if not against the letter of specific licenses. If it were a practice back in the 90s and early 2000s when the vast majority of today's licenses were created, I'm pretty convinced they'd have provisions to restrict it. There's an intimate connection between SaaSification and surveillance capitalism as well in that they both represent ways that open source is exploited in ways that are definitely against the spirit and intent of its creators.

In a perfect world I would like a license that made ZeroTier free for individual and personal use, free for use in or alongside free open source software, free for academic and charity use, but would require payment when used in a for-profit venture. Of course that's very hard to spell out in a license. It's hard to restrict for-profit business use without restricting personal use or introducing incompatibilities with other licenses. I'm open to suggestions.

The AGPL is almost there, but there are two problems: (1) it doesn't adequately address SaaSification, and (2) it has the letters G-P-L in it. As addressed in our blog post, there is this silly but unfortunately pervasive bias against GPL licenses especially among those who pay us and support our work. It's hard enough to educate customers about your product without also having to debunk decades of GPL FUD (most of which was bankrolled by Ballmer-era Microsoft).

PrivatePuffin commented 4 years ago

Love the direct and open discussion.

And yes: The AGPL solves 50% of the SaaSification problem: Companies profiting from custom improvements. The other 50%: Profiting from the direct work of others isn't addressed.

It would be nice if there was a licence that would:

adamierymenko commented 4 years ago

The BSL does that but is too incompatible with other OSI licenses and is not itself an OSI license, hence our desire to eventually find something better or upgrade it in some way. We'd ideally like to play nice with open source but deal with SaaSification.

The SaaSification thing is a particularly strong concern for us because we get a ton of inquiries from people who want to basically do what you say under 'the other 50%': white-label ZeroTier and create their own service. These are often IT firms, ISPs, regional telecoms, etc. Without the BSL we couldn't charge them for this. The GPL also provided a barrier but it wasn't as clear (and of course there was the perpetual GPL FUD problem).

It's no coincidence that database companies have been major adopters of the BSL, with CockroachDB being the most notable but many others too. Databases have been major targets for SaaSification too with many companies doing nothing more than putting OSS databases behind paywalls and making a fortune off them. Any improvements are kept proprietary and nothing is returned to the community. This killed RethinkDB, a very promising hybrid relational-document database that we used in an early version of our backend. (We actually sponsored improvements and had them open sourced, but it was not enough.)

adamierymenko commented 4 years ago

The top targets for SaaS monetization (without compensation to either the original authors or the community) are databases and networking platforms.

tommythorn commented 4 years ago

I appreciate the complexity of this topic, but the blatant change of license of other people's code is as bad as the behaviors you are trying to defend yourself against. The code is currently in violation of the license.

Secondly, I found this starting with the disappointment that FreeNAS no longer can consider Zerotier because of the license change. As a prospective customer, that severely hampers the usefulness of Zerotier and as far as I understand, this is an unintended side effect. I hope you'll work with ixsystems on a solution.

PrivatePuffin commented 4 years ago

> The code is currently in violation of the license.

This doesn't have to be true, I checked the contributor list. All big contributions were from ZeroTier employees. So no issue there. There might however be issues with the smaller contributions. However: You need to take into account that not every commit is copyrightable. Small code and typo fixes (like fixing a type somewhere or splitting a function) are not copyrightable at all. Which means the licence change doesn't violate their rights.

Simply put: Before you can say the current licence violates the rights of codeowners, you need to be certain if there actually ARE external codeowners with copyright on portions of the code.

adamierymenko commented 4 years ago

@Ornias1993 Yes, that was our finding too. Again if someone complains we will remove their contribution. Any third party code in this tree is explicitly listed and has comments to the effect that it is not subject to our license.

We are in the process of researching an alternative approach to the BSL. We're thinking something like the AGPL but stronger on anti-SaaSification and yet without the "virality" aspect.

The big problem with AGPL is that it actually might do what suits and lawyers always (mistakenly) feared that the GPL would do: virally "infect" other code. The AGPL specifies that SaaS backend code must inherit the license. Since SaaS is hard to precisely define, this means that if you use AGPL (and don't have a separate commercial license) you are potentially creating licensing ambiguity on your own code. Lawyers hate that and I understand why.

We're considering something we are tentatively calling the OSRL: the Open Source and Runtime License. The idea is to make the source open and also guarantee user access to the runtime and user ownership of their own data. If you want to run some kind of SaaS and be exempt from that, you have to buy a commercial license (dual licensing, which is not new).

The OSRL would be something like:

This means that users of the code would not have any reason to fear virality, but if they launched a SaaS based on it they would have to allow all users to:

In the latter case there would again be no restriction on the license for that source. It could be proprietary "source-available" licensing. But it would have to be available.

The difficulty again here is defining just what constitutes SaaS use as opposed to behind the scenes use.

If a company wants to be exempt they have to buy a commercial license as per standard issue dual-licensing.

Thoughts?

adamierymenko commented 4 years ago

@tommythorn See replies, and also I must point out that the present BSL is a bit of a stop-gap solution and we hope to find something better.

Also read this if you have not:

https://www.zerotier.com/on-the-gpl-to-bsl-transition/

The core issue here is that the landscape has radically changed since open source in its present form solidified in the 1990s. The nature of open source needs to change if it's to continue to guarantee user freedom. In addition open source efforts must have a means of support.

Open source projects that have significant depth, good user experience, are actively maintained, and target deep and difficult issues must have financial support either by a host company or by users (usually corporate users). The other alternative is to have a world where significant open source efforts only come from FAANG companies, meaning that open source becomes a way for these companies to define and shape the landscape and that's it.

It's become very clear to us that if we adopted a liberal license many companies and MSPs and the like would just take our work, strip off our name, monetize it, and return nothing to us. So we have to go through this process of discovering a new way to do open source licensing or we have to just go closed and walk away.

alpharde commented 4 years ago

We are a small IT firm and I've been looking to adopt zerotier for our internal network and clients for a long time, I've used it personally since its first releases.

I still haven't quite understood the new license and my partners got a bit worried on the commercial license's price, we're using open source software for routers and don't plan on rolling our own, so I'd like to know if running our own nodes or using the My Zerotier service counts as "SaaSfication" since we do charge our clients for maintenance.

jfrederickson commented 4 years ago

If you do want the BSL there, my strong preference is for BSL + AGPL dual-licensing as mentioned as a possibility in a previous comment. More broadly, though: I've been starting to contribute packages to the distro I use, and they're unlikely to accept anything that's not on the FSF's list of free software licenses. That includes the BSL.

If you do switch to a new custom license rather than an existing FOSS license, I would strongly recommend submitting it to the FSF and OSI for review - it'd make it much easier to get ZeroTier into distros.

Kaned1as commented 4 years ago

Hi there! I suddenly found out that this project is not free & open source software anymore. Apart from this strange decision this is still a great project. Sad to see it go. Is anybody aware of any still free and open source forks of ZeroTier?

Kaned1as commented 4 years ago

Also, in case someone else stumbles upon it, what is the last commit of ZeroTier that's GPLv3?

glimberg commented 4 years ago

It's still free and open source. Just not under an OSI license

jfrederickson commented 4 years ago

I'll grant that there is colloquial usage of both "free software" and "open source software," but the term "free and open source software" is pretty strongly tied to the FSF and OSI definitions. And anyway, the license itself states that it's not an open source license:

https://github.com/zerotier/ZeroTierOne/blob/6897f602bf68ec0bde65539fd54534fd1faae1dc/LICENSE.txt#L66-L68

@Adonai The last commit prior to the license change appears to be https://github.com/zerotier/ZeroTierOne/commit/509da3ac348781aee75e050c08d955ad6db0e5f2 which is the parent of the license change commit https://github.com/zerotier/ZeroTierOne/commit/52a166a71f4e0124c7b22123884911338aa0d698

PrivatePuffin commented 4 years ago

> It's still free

Not free in all circumstances. The whole deal behind the BSL is the fact it is NOT free for everyone. ;)

adamierymenko commented 4 years ago

@jfrederickson We're definitely struggling with this question. The problem as stated is that if we adopt an OSI license we either end up with a license businesses hate and in some cases outright ban (GPL or worse AGPL), or a license that results in businesses taking our work and monetizing it and not giving anything back ("SaaSification").

The OSI's understanding of the market is outdated. They have not caught up to the radical shift in users' and developers' relationship to software resulting from the cloud and SaaS. It's now possible to have open source closed software by distributing the source but then using SaaS to achieve closed-ness in practice. It's a loophole that allows SaaS companies to get all the benefits of open source while simultaneously restricting user freedom and refusing to contribute. There is currently no open source license that does a good job at dealing with these issues. The BSL is a stopgap measure until we can find a better solution.

I have been working on some thoughts around the phrase "runtime freedom" to describe the freedom to run the software when and where one wishes and to control one's own data. A runtime freedom license would guarantee that the user has the freedom to move execution of the software to any device or environment they choose and would assign copyright of all user data to the user.

adamierymenko commented 4 years ago

@jfrederickson To some extent it's an artifact of our market. In networking there seems to be a vast gallery of people just waiting to wrap some bit of open innovation in marketing and flip it into a huge business (without giving anything back, of course). Enterprise networking is an incredibly dysfunctional and down-right bizarre market. I don't think other open source efforts face the same dynamic.

Samon33 commented 3 years ago

Very similar to @alpharde's comment on 13 April, I'm hoping to get some clarity around the exact restrictions in place with the new license. Reading the pricing page on the ZeroTier website and the LICENSE.txt file in this repo, I'm unsure exactly what constitutes "commercial purposes". The pricing page states:

> You can self-host ZeroTier controllers and nodes for free if you use it for non-commercial purposes

The LICENSE.txt file includes the statement that:

> Note that this does not apply to the use of ZeroTier behind the scenes to operate a service not related to ZeroTier network administration.

Based on the above, it would appear that I could legitimately use the my.zerotier.com free tier (assuming I have less than 50 nodes) as a corporate VPN alternative, but not self-host the controller to perform the exact same function... is that correct?

As a small business IT provider, can I configure my.zerotier.com networks for clients, since I would be billing for the management (but not the ZT service itself)? Assuming that self-hosted use is permissible for commercial use (as opposed to SaaSification of the product itself), can I manage a self-hosted ZeroTier controller for a client?

throwaway1037 commented 2 years ago

I've skimmed the license and it is quite clearly proprietary. Please may it be relicensed under a free software license?

Kaned1as commented 2 years ago

It has "change license" clause:

> Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.

So after 4 years code becomes licensed as Apache 2.0. If you are searching for the last free software release under GPLv3 it's 1.4.2

throwaway1037 commented 2 years ago

@Kaned1as thank you, but computer users need freedom from day 0, not at some point 4 years from now.

Kaned1as commented 2 years ago

> @Kaned1as thank you, but computer users need freedom from day 0, not at some point 4 years from now.

Yes, that's why we use 1.4.2

throwaway1037 commented 2 years ago

@Kaned1as, awesome, although I think we should make the case for liberating current versions instead of relying on older versions. :)