Osquery: Change license to Apache 2.0 and GPLv2 (github.com/facebook)
46 points by zwass on Dec 19, 2017 | 8 comments



Since Apache License v2.0 and GPLv2 are incompatible, I'd be curious to understand the implications of this license selection for a few scenarios in both directions. Say osquery wanted to include a GPLv2 library. Could it? How about an Apache License v2.0 library? ASF and FSF differ on the interpretation of the details, which would come into play here. Does the GPLv2's requirement that it apply to the whole work[0] matter?

A more interesting thought: say I wanted to fork osquery. Do I select one of the licenses as part of my forking operation, since I, the user, am exercising my rights under one of the licenses (at my option) to derive the work? Would that mean I could fork osquery to Apache License v2.0, GPLv2, or both at my discretion? Given the requirements of GPLv2, am I even permitted to do that?

An even more interesting thought: osquery seems to derive GPLv2 code from the Netfilter project by patching it:

https://github.com/facebook/osquery/blob/master/tools/provis...

https://github.com/facebook/osquery/blob/master/tools/provis...

Can the resulting product then be distributed Apache License v2.0, given the viral nature of GPLv2? I'm not clear how that dependency is used, but is Facebook even able to license this work as Apache License v2.0 at all?

This is a very confusing dual-license scenario, and something I'd never thought about with choices like Apache/MIT. I feel it important to point out that I'm not attempting to introduce FUD or criticize Facebook; I'm genuinely curious.

[0]: https://opensource.stackexchange.com/a/1364


Note that RocksDB is also dual licensed under Apache 2.0 and GPLv2 [1]. I believe they added GPLv2 to make it compatible with MySQL for MyRocks, because the original Facebook+Patents license might not have been GPL compatible. Then when the Apache Foundation decided that Facebook+Patents wasn't compatible they switched it out for Apache 2.0 [2].

But that doesn't clarify much. Specifically your question about dependency licensing. RocksDB only depends on gflags (BSD licensed) and various compression library choices (allowing a choice of licenses). osquery seems to depend on a lot more libraries [3], so the likelihood of running into a licensing conflict seems a lot higher.

[1] https://github.com/facebook/rocksdb/blob/master/db/db_impl.c...

[2] https://meshedinsights.com/2017/07/16/apache-bans-facebooks-...

[3] https://github.com/facebook/osquery/blob/master/tools/provis...


> Say osquery wanted to include a GPLv2 library. Could it?

The resulting combined work would have to be effectively GPLv2 licensed, as one would be forced to take the GPLv2 option on the AL2/GPL2 decision.

However, it would leave open the option of reusing osquery code under the AL2 license; if you had an AL2 project, and wanted to steal some code from osquery, you could use it under the AL2.


A point of clarification, netfilter is licensed under GPLv2+

https://www.netfilter.org/about.html#license

Now a point of observation ;)

If a project like osquery chooses to use netfilter as a dependency, it may choose to use the GPLv3 license which is compatible with ASL 2.0 from what I can gather.


The current license is this text, which is something of a higher-order license:

    This source code is licensed under both the Apache 2.0 license (found in the
    LICENSE file in the root directory of this source tree) and the GPLv2 (found
    in the COPYING file in the root directory of this source tree).
    You may select, at your option, one of the above-listed licenses.

I think the answers to your question are non-osquery-specific:

- Technically, the copyright holder is legally permitted to construct impossible licenses just fine. That's just the problem of the recipient; the copyright holder is breaking no law. But in practice, the fact that no recipient can legally use the software is probably something the authors wish to avoid. I'll say "can't" for convenience, but they legally can make their product impossible to redistribute, or more realistically, stop offering one of the two licenses some day.

- If you want to distribute your work under ALv2, you can't include a GPLv2 library.

- I don't know if you can include an ALv2 library in work distributed under the GPLv2 - I think it's the case that the permission to sublicense copyright in the Apache license imposes no restrictions on how you sublicense it (i.e., it's not viral), and it's the same as including an ALv2 codebase in a proprietary product. You don't get a patent sublicense, so it's basically MIT with more words, which you can definitely include in a GPLv2 codebase. And you need to keep a copy of the AL around to comply with its clause 4(a). (But this doesn't seem to be the normal interpretation of ALv2 + GPLv2, so I'm curious how I'm wrong and how this interacts with the normal interpretation that ALv2 + proprietary is totally fine just like MIT + proprietary is.)

- You can certainly fork osquery under either license at your choice. GPLv2 certainly doesn't prevent you from licensing it under AL-only. I don't know whether lawyers/courts would read "select one of the listed licenses" to mean "and not both"; assuming they don't, GPLv2 doesn't prevent you from also having another valid license to the same code (e.g., dual GPLv2/commercial is a totally valid scheme) and exercising your rights under the terms of that license, including sublicensing under that non-GPLv2 license.

- The build scripts you linked are patching a file that's part of Linux, whose COPYING file begins:

      NOTE! This copyright does *not* cover user programs that use kernel
    services by normal system calls - this is merely considered normal use
    of the kernel, and does *not* fall under the heading of "derived work".

Assuming that to use iptables is to "use kernel services by normal system calls," there is (I think) no copyright asserted in the headers - including headers from the OS has been "normal use of the kernel" since before that copyright statement was written. (If it's not, linking that file was already a problem, under the previous BSD+Patents license.) Also, this is assuming that the only thing it's using from the iptables package is headers copied from the Linux kernel, not code from iptables itself, which I agree would not be usable under ALv2. (And perhaps not licensable if it's a derivative work, yes.)

One way they could solve this is to say that osquery in general is GPLv2/AL (or BSD+Patents, or some other option that permits a one-way use as GPLv2), but the following source files are GPLv2-only, and if you choose to compile with them the resulting binary is GPLv2-only. But it looks like they don't do this, and they in fact use libiptc, which is GPLv2 with no exceptions/qualifications: https://github.com/facebook/osquery/blob/f6d077cbf7e1f60eef0... So I am as confused as you are!


What is the meaning of this?


This change appears to be just another OSS project that Facebook is relicensing and removing the patent clause.

Related post: https://news.ycombinator.com/item?id=15316175


It was relicensed as Apache 2 and GPLv2.



