
Some software cannot be used at Google - kevincox
https://opensource.google.com/docs/thirdparty/licenses/#banned
======
bad_user
It isn't a surprise that AGPL is on that list, as it redefines simple usage to
be redistribution.

I'm sympathetic for its goals of closing the "_application service provider
loophole_", but you know what, Open Source, nay Free Software means freedom,
so when you grant your users freedoms, your users might end up using your
software in ways that you don't support. Freedom is never a _loophole_,
freedom is just freedom.

In this regard I think FSF has derailed from its own spirit. E.g. GPLv2 just
demands for the source code to be available for any distributed binaries,
being a simple copyright license. GPLv3 on the other hand extends that with
extra clauses to prevent Tivoization, another supposed _loophole_. In the
words of Linus Torvalds:

> _If you're a mad scientist, you can use GPLv2'd software for your evil
> plans to take over the world ("Sharks with lasers on their heads!!"), and
> the GPLv2 just says that you have to give source code back. And that's OK by
> me. I like sharks with lasers. I just want the mad scientists of the world
> to pay me back in kind_

When you start noticing _loopholes_ everywhere and closing them, pretty soon
you're left with something that is no better than a proprietary, freeware
license.

GPLv3 may be acceptable, but AGPL should have never been accepted as an Open
Source license by OSI.

~~~
kuschku
The FSF simply has one goal: that all users can access and modify the code of
all software they use.

If I access photos.google.com, I am a user of photos.google.com – yet I can
not access the code. This is a problem.

You are misdefining "user" here.

~~~
bad_user
No, you and the FSF have the wrong definition.

If I install Wordpress on my own server and do modifications to it for my own
purposes, I am nothing more than a user of Wordpress.

> _If I access photos.google.com, I am a user of photos.google.com – yet I can
> not access the code. This is a problem._

If you borrow my own laptop and use one of my applications installed on it,
would you also like access to its source code?

And here we have the crux of the matter ... GPL was about _distribution_ as
defined by copyright law. AGPL is no longer about distribution, AGPL is an
EULA, restricting what users (yes) can do.

~~~
johannes1234321
> If you borrow my own laptop and use one of my applications installed on it,
> would you also like access to its source code?

In the FSF spirit: yes.

~~~
mikegerwitz
No. You aren't being denied your freedoms on someone else's computer because
you have no right to exercise them to begin with---it's not yours.

It's the same concept with the AGPL---I have no right to modify the source
code on someone else's server; I'd need to install it on my own.

If you had to have access to the source code for everything you used, it'd be
an almost impossible burden. rms takes public transportation in Boston, for
example. Those terminals are interactive touchscreens, required for payment
and printing tickets. He'd be unable to use the transit system.

From stallman.org:

> However, if I am visiting somewhere and the machines available nearby happen
> to contain non-free software, through no doing of mine, I don't refuse to
> touch them. I will use them briefly for tasks such as browsing. This limited
> usage doesn't give my assent to the software's license, or make me
> responsible for its being present in the computer, or make me the possessor of a
> copy of it, so I don't see an ethical obligation to refrain from this. Of
> course, I explain to the local people why they should migrate the machines
> to free software, but I don't push them hard, because annoying them is not
> the way to convince them.

> Likewise, I don't need to worry about what software is in a kiosk, pay
> phone, or ATM that I am using. I hope their owners migrate them to free
> software, for their sake, but there's no need for me to refuse to touch them
> until then. (I do consider what those machines and their owners might do
> with my personal data, but that's a different issue, which would arise just
> the same even if they did use free software. My response to that issue is to
> minimize those activities which give them any data about me.)

> That's my policy about using a machine once in a while. If I were to use it
> for an hour every day, that would no longer be "once in a while" — it would
> be regular use. At that point, I would start to feel the heavy hand of any
> nonfree software in that computer, and feel the duty to arrange to use a
> liberated computer instead.

> Likewise, if I were to ask or lead someone to set up a computer for me to
> use, that would make me ethically responsible for its software load. In such
> a case I insist on free software, just as if the machine were my own
> property.

[https://stallman.org/stallman-computing.html](https://stallman.org/stallman-computing.html)

So using someone else's computer is a similar problem to SaaSS---you're
relying on someone else for your computing:

[https://www.gnu.org/philosophy/who-does-that-server-really-s...](https://www.gnu.org/philosophy/who-does-that-server-really-serve.html)

~~~
OrganicMSG
> You aren't being denied your freedoms on someone else's computer because you
> have no right to exercise them to begin with---it's not yours.

How about the freedom to refuse to use someone else's computer unless I can
also see the source code?

~~~
mikegerwitz
That's orthogonal to the issue. Of course you have the freedom to refrain from
use of any technology, unless you're somehow being mandated by law to use it.

~~~
OrganicMSG
Well, since we are already orthogonal, let's turn this the other way round.
Would you support the idea that any software that you are mandated by law to
use, should be required to be open source?

------
franciscop
I made a small tool to check the licenses of your installed npm dependencies,
which you can execute by running this on the root of your project:

    npx legally

It will search for licenses in the LICENSE file, Readme.md and package.json
(and alt spellings) and make a small report of: what licenses are in use, and
some anomalies. The repo:

[https://github.com/franciscop/legally](https://github.com/franciscop/legally)
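
An added example, not part of the original post and not the code of the `legally` tool: a minimal Node.js audit that reads the license metadata of every package installed under `node_modules` and flags the licenses this thread names as disallowed (AGPL, WTFPL, CPAL, Beerware). The denylist, the status names and the sample packages are assumptions constructed for the illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumed policy: only the licenses this thread names as disallowed.
const DENYLIST = [/\bAGPL\b/i, /\bWTFPL\b/i, /\bCPAL\b/i, /\bbeerware\b/i];
const RANK = { ok: 0, review: 1, unknown: 2, denied: 3 };

// package.json may carry `license` (string or {type}) or a legacy `licenses` array.
function declaredLicenses(pkg) {
  return [].concat(pkg.license ?? [], pkg.licenses ?? [])
    .map((l) => (typeof l === 'string' ? l : l && l.type))
    .filter((l) => typeof l === 'string' && l.trim() !== '');
}

// One SPDX-style expression: every OR alternative denied => denied,
// some denied => review (a permitted alternative exists), none => ok.
function classifyOne(expr) {
  if (/^(UNLICENSED$|SEE LICENSE IN )/i.test(expr)) return 'unknown';
  const alts = expr.replace(/[()]/g, '').split(/\s+OR\s+/i);
  const bad = alts.filter((a) => DENYLIST.some((re) => re.test(a))).length;
  return bad === 0 ? 'ok' : bad === alts.length ? 'denied' : 'review';
}

// A package with no usable declaration is 'unknown', never silently 'ok'.
// With several declarations the worst status wins (conservative choice).
function classify(licenses) {
  if (licenses.length === 0) return 'unknown';
  return licenses.map(classifyOne).reduce((a, b) => (RANK[b] > RANK[a] ? b : a));
}

// Collect package directories, including @scope/name and nested node_modules.
// Symlinked entries are skipped (isDirectory() is false), which avoids cycles.
function packageDirs(nodeModules) {
  if (!fs.existsSync(nodeModules)) return [];
  const dirs = [];
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const full = path.join(nodeModules, entry.name);
    if (!entry.name.startsWith('@')) { dirs.push(full); continue; }
    for (const sub of fs.readdirSync(full, { withFileTypes: true })) {
      if (sub.isDirectory()) dirs.push(path.join(full, sub.name));
    }
  }
  return dirs.flatMap((d) => [d, ...packageDirs(path.join(d, 'node_modules'))]);
}

function auditLicenses(projectRoot) {
  return packageDirs(path.join(projectRoot, 'node_modules')).map((dir) => {
    let pkg = {};
    try {
      pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
    } catch { /* missing or malformed manifest: reported as unknown */ }
    const licenses = declaredLicenses(pkg);
    return { name: pkg.name || path.basename(dir), licenses, status: classify(licenses) };
  });
}

// Constructed sample tree (hypothetical package names) so the audit runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'license-audit-'));
  const sample = {
    'alpha-ok': { license: 'MIT' },
    '@example/beta': { license: 'AGPL-3.0-only' },
    'gamma-dual': { license: '(MIT OR WTFPL)' },
    'delta-legacy': { licenses: [{ type: 'CPAL-1.0' }] },
    'epsilon-none': {},
    'alpha-ok/node_modules/zeta-deep': { license: 'Beerware' },
  };
  for (const [rel, fields] of Object.entries(sample)) {
    const dir = path.join(root, 'node_modules', rel);
    fs.mkdirSync(dir, { recursive: true });
    const name = rel.split('/node_modules/').pop();
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, ...fields }));
  }
  return root;
}

const sampleRoot = buildSampleTree();
console.table(auditLicenses(sampleRoot).filter((r) => r.status !== 'ok'));
fs.rmSync(sampleRoot, { recursive: true, force: true });
```

In CI, call `auditLicenses(process.cwd())` and fail the build when any result has status `denied`; `review` and `unknown` entries need a human decision.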

~~~
deadbunny
Am I being blind or have you released a tool that checks licenses with no
license? I mean, I enjoy a good joke but seriously.

~~~
franciscop
It is right here under "license":
[https://github.com/franciscop/legally/blob/master/package.js...](https://github.com/franciscop/legally/blob/master/package.json)

Just added it as a separated file as well.

------
norrius
> WTFPL not allowed. We also do not allow contribution to projects under the
> WTFPL.

I am assuming this does not apply to personal projects, but then why would you
contribute Google code to something that you cannot use anyway due to
licensing issues?

~~~
jrockway
Google's contention has always been that there is no such thing as a personal
project. You can fill out a form to officially get permission to have a
"personal project", however, but I doubt many people want to deal with the
bureaucracy.

You will notice 6 missing years in commits to my personal github. That is why.
Every "personal project" I did ended up in the Google repository instead.

~~~
MereInterest
How do they justify that belief? If something is done outside of work hours,
not using a work computer, then how would they have any claim over it
whatsoever?

~~~
lloeki
It is a widely held belief that writing computer code is an intellectual and
creative endeavour (IIRC codified so in European law or something†), therefore
it is not tied to a specific timeframe within which you work: you are very
much able to think about and solve a work problem under your shower, that's
why the corresponding intellectual property of that solution is owned by the
company you work for, independent of the time of day you thought about it.

So to cover that, typically law basically defaults on granting your company IP
rights on _anything_ you create _anytime_ while you're an employee, and should
there be need to challenge that, it's up to you to uphold in court that
project X has nothing to do with your company business or tech, or to ensure
beforehand that your contract has special provisions granting you IP rights in
known situations.

† At the very least this is also the basis as to why software is not
patentable in EU, unless they are an integral part of a very concrete process
that itself solves an issue (e.g say you invent an industrial process that
allows you to synthesize molecule X more efficiently, and that process
involves a bit of code as an integral and required part of said process
because it is deeply tied to it in a fundamental way, then that precise bit of
software can be covered by the patent of the process)

~~~
johannes1234321
To extend let's change the field a bit: Imagine you are a scientist working in
a lab, employed to develop new technologies. One day you're falling in the
shower and scribble an idea for a flux capacitor. Could you patent it? Or the
company? What if it happens in the office? If that makes a difference: How to
prove? Most employment contracts (at least the ones I have seen) make the
assumption clear, that all results of "software development" are treated as
work for the company. Many companies then have ways to allow hobby projects
in fields different from the actual work (while that definition is quite
unspecific and has to be decided case by case)

------
simula67
Nice to see the new web projects like Mastodon, Owncloud etc being released
under AGPL. I hope projects like OnlyOffice, IPFS etc to move to this model

~~~
diggan
> I hope projects like [...] IPFS etc to move to this model

I work on the IPFS project so might be biased, but why do you prefer AGPL over
MIT (which IPFS is currently licensed under)?

Personally I prefer short and sweet licences, MIT is so short and simple that
even I can understand it. But then again, I don't know enough about AGPL to
know why I would prefer it over MIT.

Edit: I also came across this wording: "Using AGPL software requires that
anything it links to must also be licensed under the AGPL", that sounds like
the opposite of freedom. I don't know much so probably getting something wrong
here...

~~~
dpark
AGPL is a very different spirit than MIT. MIT is pretty much “do what you
want, but no warranty applies, and you have to give credit”. AGPL is a strong
copyleft license that requires redistribution and even extends redistribution
requirements to indirect users, specifically users of the services you run
using AGPL code.

~~~
diggan
So I don't know much about licensing (and don't do any active decisions about
it, I pretty much default to using MIT on a personal level) but doesn't
"requires redistribution" restrict freedom here? Freedom for me would be "do
what you want, but I don't give you any warranty" while AGPL would mean less
freedom directly. Forcing people to redistribute the source, doesn't mean
freedom to me.

~~~
falcolas
The freedom is for the user of the software, _all_ users of the software, to
be able to see and modify and use the code not just the developers.

~~~
diggan
The freedom to see and modify code if you're not a developer? Bypassing how
that would work, it's 99% freedom, as there are still restrictions on what you
can do with it. You cannot, for example, package it, call it something else
and distribute it without the source. I don't see how that can be called
freedom. Either you have the freedom to do whatever you want with the code, or
you don't have the freedom. 99% freedom is (for me at least) not good enough.

It's like the license (that I can't remember the name of right now) where you
can do whatever you want with the software EXCEPT use it for evil. That's not
freedom, freedom is: do whatever you want, literally. At least for me.

~~~
cyphar
The GPL is used for a very large amount of free software, so I'm a little
confused by your rejection of the very concept.

But the general idea is that the GPL guarantees the same freedoms to
_everyone_ (the right to use the software, modify it, and distribute it). But
the only way of _guaranteeing_ the same set of freedoms is to restrict people
from taking away others' freedoms. Personally, I think that's more than fair,
because the net effect is that everyone has software freedom (which is what
the whole free software movement is about).

> _That's not freedom, freedom is: do whatever you want, literally. At least
> for me._

To give an extreme analogy, the "freedom to murder" or the "freedom to
incarcerate other people against their will" is not permitted in free
countries. Is this an attack on people's freedoms? No, it's required in order
for everyone to be able to exercise their freedom to live and free movement.

------
lvh
I'm not sure why Google is being singled out here. It would be much more
unusual for a company even 100x smaller than Google to _not_ have license
requirements for projects they use.

~~~
MattConfluence
It's probably just that Google has published their internal document on the
topic, which I don't think many other companies have done.

------
weinzierl
> notably the Mule ESB and most of the code that backs Reddit, cannot be used
> at Google

Interesting that they mention reddit specifically. On the other hand, it's the
first time I hear about the CPAL, so maybe reddit is just the most prominent
user of this obscure license.

Mule ESB is apparently a Java-based enterprise service bus from MuleSoft
(which is in talks with Salesforce about an acquisition).

------
speps
> GNU Affero General Public License (AGPL) cannot be used in google3

What's "google3"?

~~~
sprremix
"google3: The internal name for our main _Piper_ source repository, and
identifies the third incarnation of the source layout for Google production
code."

" _Piper_ : Google’s internal source control system:
[https://research.google.com/pubs/pub45424.html](https://research.google.com/pubs/pub45424.html)"
Which is a pretty interesting read

[https://opensource.google.com/docs/glossary/](https://opensource.google.com/docs/glossary/)

------
jacques_chester
These kinds of lists are fairly common; we have a similar list at Pivotal.
There's nothing sinister about it and the lawyers are not ignorant of
opensource or how it works. Big companies simply have a very different legal
threat profile from individual contributors.

If you want your code to be used by a major company, my impression is that the
Apache 2 license is the winner.

~~~
moron4hire
To my fellow programmers, consider for yourself why should gigantic, massively
wealthy corporations get to use our code for free. Use the most restrictive
version of the GPL to keep your code free for other individuals like us, and
provide a paid license option for gigantocorps.

~~~
virgilp
There's a very legitimate answer to your question: some people believe that
having your code be actually used, at scale/ in the real world, is a benefit
in and unto itself; you get a "portfolio", a "brand" - things that are
intangible but still valuable. If your code makes it into some mission-
critical system, you have a fair shot at consulting for that "massively
wealthy corporation".

I guess it all boils down to: "do you get more value out of people using your
code, or out of keeping the code to a restricted set of people?". Similar to
how there are two ways to approach your billion-dollar-startup-idea: either
guard it with NDA & limit sharing; or talk to everyone about it. Both are
legitimate approaches, but really, in a lot of cases the "billion-dollar-idea"
is not really worth that billion dollars. Same with code - in a lot of cases,
the code is not as valuable as we'd like to think, until it's actually used (&
gets a chance to be refined by many users, and to evolve in the right
direction(s)).

------
Promarged
For comparison, Apache's "Category X":
[https://www.apache.org/legal/resolved#category-x](https://www.apache.org/legal/resolved#category-x)

~~~
ecopoesis
I really like Apache’s explanation linked from that page of the Apache license
as a “universal donor” and GPL as a “universal recipient”. It’s the cleanest
analogy about open-source licenses I’ve seen.

------
tabeth
Question: suppose Google had code running on their servers that was licensed
under AGPL. AFAIK that means they have to release the code running on their
server(s), but because Google's code is proprietary and closed what would
happen? A whistle blower notices and exposes them?

Seems that unless someone is dumb enough to use AGPL, commercialize it _and_
open source their code they would never be caught. Same with most licenses,
really.

~~~
coldtea
> _Question: suppose Google had code running on their servers that was
> licensed under AGPL. AFAIK that means they have to release the code, but
> because Google's code is proprietary and closed what would happen? A
> whistle blower notices and exposes them?_

I don't think they have to do anything, even if they did have AGPL.

The license is only relevant if they distribute the source (or a product
written in it), not as to what they privately do with it on their servers.

Now, if they had used that code on, say, Android, that's a different thing.

~~~
dalbasal
The line between " _distribute the source (or a product written in it)_ " and
" _what you privately do on your servers_ " is (I think) hard to discern for a
lot of Google's code.

If I have open source code that estimates your shoes size based on your IP
address, and I make a website that will output your result... which category
of code is this? What if I use this code to customize the UI for a shoe store?

Honest question, is there an established way of deciding whether something
counts as "distributed"? Is it simply a question of what machine it runs on?

~~~
Dayshine
AGPL literally exists for that distinction.

AGPL roughly says that a website a user interacts with counts as distribution
(in addition to what GPL would count as distribution)

~~~
dalbasal
So in plain GPL, it isn't or it's ambiguous?

~~~
lvh
Hasn't been tested in court to my knowledge, but my understanding is that
leading IP lawyers who otherwise disagree on a bunch of things about the GPL
(Eben Moglen, Lawrence Rosen) agree that e.g. a modified GPLd publicly
accessible web server doesn't count as distribution.

------
macmac
Surprising that they do not address the issue of derivative works for instance
in relation to the EPL. The documentation correctly states that modifications
to EPLed code must be made available. But it is also the case that any work
that in itself is a derivative work of EPLed code must also be licensed under
the EPL.

------
HugoDaniel
Nice to know about the EUPL. I will be using it in my next projects :D

------
foo101
Why is WTFPL a problem when WTFPL allows Google or anyone to take WTFPL-ed
software and relicense it under MIT or another acceptable license?

~~~
gargravarr
I also find that supremely ironic. Google's reasoning is probably sound from a
legal perspective, because 'do what you want' with it can be argued that the
responsibility of the original code lies with the original author, and it's
not clear. But yeah, it's humorous that a license deliberately designed for
this reason isn't accepted.

------
p0nce
The restrictive licenses bring nothing to the table. It is an outdated dogma.
We ought to choose licences that actually enable software to be written,
without needless hurdles.

Apple, MS and Google understood this, and they release swathes of stuff under
_useful_ licences. If you make something open-source, you probably want it to
be legally usable.

~~~
falcolas
Personal opinion - If I'm writing software and releasing it as open source,
and you want to use it to lessen your own workload, then I expect you to do
something in return - make your changes to it available to others.

You're getting the results of my labor, and my "payment" for that labor is
"paying it forward" as it were. Old fashioned values perhaps, but paying it
forward is not a huge ask in my book.

~~~
p0nce
You'll mechanically get rewards in terms of bugs reported, paid bug fixes,
paid enhancements etc. Useful software brings value to it by the virtue of
being useful.

There is also a mechanical incentive to contribute back, which is "not having
to maintain a fork".

~~~
falcolas
Nothing prevents the bug reports, fixes, or enhancements in a GPL/AGPL world.

> Useful software brings value to it by the virtue of being useful.

To be blunt, tell that to OpenSSL and ntpd. Both are broadly used and freely
licensed, yet they're chronically short contributors, bug fixes, funding, etc.

Being useful to others is somewhat psychologically rewarding, as are the
occasional patches and bug reports. But it's not why I (and many others) open
source their software.

------
Applejinx
I've chosen a license (MIT) accepted by Google (and many others) specifically
because it enables abuse and exploitation, as a sort of defensive tactic. It's
a kind of game theory approach, though it doesn't speak well for the future of
open source…

I'm from the music and the music-instrument industries, so it's natural for me
to recognize consolidated power when I see it. From where I stand, the only
people who've ever achieved a platform from which they could express anything
(up to and including the Eagles) got there through a stage where they could be
ruthlessly exploited and sucked dry of all they had, with no recompense.

Open source can be like that, which is why the GPL exists: it's a
counterbalance. That alone is extremely valuable. In my music example the GPL
can be the Irving Azoff, going to war against software unfreeness and making
its clients wealthy and successful and granting power in a practical sense.

However, in my opinion you can't get there from zero: trying to wield that
power from a starting-up position will only get you shunned, and so we see
here in the Google banned license list. The only licenses allowed are those
where the original creator can be completely exploited.

You have to both be good, and prepared to be horribly exploited, to get access
to power and attention on a viral scale. If you try to strike a fair deal from
the start, it's a recipe for being shunned or blackballed.

By definition the power differential between a lone creator and idea-haver,
and a vast company, is huge. No license phraseology can take that away.

So, since I do things with software that I want to proliferate and become
popular, I have to select a license that allows for companies and individuals
to abuse me. In so doing, their self-interest is evident. In return, the
license asks for 'exposure' on my behalf: credit, and even that's not a given.

So my tactic in handling this stuff is to try and set up a scenario where I'm
also praising to the skies anyone who uses my source, in hopes that they in
turn see PR benefit in praising me. It's power again: from my position of
minimal power and ownership of useful code, I have to signal to the more
powerful entity that I'll let them completely take advantage of me if only
they throw me some crumbs.

Then, if one day I do end up powerful, I hopefully come up with something
really indispensable, and THEN I GPL it and chuckle merrily when they come to
me for alternate terms.

Until then, open source licensing has absolutely no power to better my
situation, and its ability to aid the freedom of the code under its umbrella
applies only to that code and not to any of the people responsible for
thinking up the code. They've got to be either completely self-sacrificing, or
making a machiavellian calculation about relative power much as I am.

Sharing can only be done from a position of power and abundance. Once that's
granted, you learn how badly the sharer needs to maintain their position of
power…

~~~
moron4hire
Though you've taken a different path with licensing than I have (I release
under GPLv3, even though I don't actually consider myself a Free Software
fundamentalist), I very much respect your decision and your post here. You're
probably the only person I've seen advocate for MIT et al. who acknowledges
the major power disparity between individual maintainers and gigantocorps.
It's given me something to think about with regards to my own projects. I
still may not release under MIT, but it may lead me to working in very
different ways.

------
amelius
Is Nodejs allowed at Google?

------
tscs37
I guess that means I'll switch to the EUPL now...

------
fs111
so Beerware is okay then?
[https://en.wikipedia.org/wiki/Beerware](https://en.wikipedia.org/wiki/Beerware)

~~~
bitofhope
> The Beerware license has similar issues.

Under WTFPL section which says it's a no-no. Technically it doesn't say
Beerware can't be used but I'd take it to mean it can't.

