
Square’s terms of service forbid use of AGPL-licensed software in online stores - TheSpleen
https://squareup.com/us/en/legal/general/pos
======
nabla9
This makes absolutely no sense. I'm almost certain that Square lawyers fucked
up big time.

They looked at the AGPL and completely misunderstood the context. There is no
way in hell anyone can interpret AGPL in a way that makes Square responsible
for any license violations their customers make selling software.

~~~
bubblethink
And even if there were liability concerns due to copyleft or other clauses in
AGPL, singling out AGPL makes no sense. If they want to avoid copyleft, it
should be better phrased like so.

~~~
nabla9
It's almost like they used some kind of AI software to scan legal documents,
then it found sentence fragments like " .. opportunity for all users
interacting with your Program through a computer network ..".

You need artificial stupidity to misunderstand the "Interacting with Program
through a computer network" in the way Square seems to understand it.
Distributing software via online store is not interacting with the program.

~~~
Beltiras
Some would maintain that being a legal analyst requires you to be artificially
stupid because you are looking for loopholes and trying to avoid being trapped
by ridiculous edge cases, whereas AI is trying to find a general solution that
will work in 6-9s cases.

------
bibinou
This concerns the Online Store, which is their Squarespace clone:

[https://squareup.com/us/en/online-store](https://squareup.com/us/en/online-store)

not Square Payments.

~~~
danShumway
> _By using Square Point of Sale, Customer Engagement, Appointments or
> Employee Management, Square Online Store, and any associated products and
> services (the “Services”)_

It looks like it's a lot broader than just the Online Store, although it
doesn't mention Payments specifically.

Still, "any associated products and services" sure seems like it would cover
Payments as well? What's the dividing line for a product that's associated
with the Online Store?

_EDIT: This specific clause is listed under section 3 "Online Store", so it
does seem likely to me that it's not meant to apply across the entire TOS._

_Still a weird restriction for the online store, but given that there's also
a non-disparagement clause right under it, it's certainly not the most
egregious thing in this license._

~~~
chrismeller
FWIW they also clearly ban a lot of other things in that section that are
obviously only targeting the hosted online store. For instance:

> engage in excessive advertising on your website, which includes adding more
> than three ad units per page, or any advertising that greatly reduces the
> usability of your website;

Still no idea why they single out AGPL the way they do.

------
AlphaWeaver
Relevant quoted text from the article:

> B. Content Restrictions. In addition to the restrictions set forth in these
> Additional Product Terms, the General Terms and Payment Terms, you will not:
> [...]

> 15\. use, under any circumstance, any open source software subject to the
> GNU Affero General Public License v.3, or greater;

~~~
d33
How's that even legal or verifiable?

~~~
the_mitsuhiko
Why would it not be legal? Verifiable does not play a role. You sign a
contract that you won’t do it.

~~~
inflatableDodo
Not all contracts are valid.

~~~
michaelhoffman
This is not an answer. Invalid contracts are usually invalid for a specific
reason.

~~~
inflatableDodo
I really was only answering the bit stating;

> _" You sign a contract that you won’t do it."_

As that is not the be all and end all of contracts.

------
pbhjpbhj
I don't know if the response here is good, but
[https://softwareengineering.stackexchange.com/questions/1078...](https://softwareengineering.stackexchange.com/questions/107883/agpl-what-you-can-do-and-what-you-cant), gives a rationale for not including any
AGPL "in" another work and might thus be the reason for the exclusion.

See also,
[https://softwareengineering.stackexchange.com/questions/2630...](https://softwareengineering.stackexchange.com/questions/263063/how-viral-is-the-affero-gpl?noredirect=1&lq=1).

~~~
raverbashing
Yeah so if your service completely unrelated to the Stripe service uses AGPL
you have to remove it?

Doesn't sound good at all

~~~
floatingatoll
Yes. AGPL attempts to infect with copyleft all services it is integrated with,
so contractually prohibiting AGPL integrations is the only defense against
AGPL infections.

~~~
singron
This is a common misunderstanding of the AGPL. It has the same combined work
rules as the GPL. It just has the additional condition that a modified work
offered as a network service must make the corresponding source available.

If the AGPL program is unmodified, you don't have to share its corresponding
source no matter what it is integrated with.

If the AGPL program is modified, you only have to offer the corresponding
source of that program, not all programs that connect to it over the network.

~~~
floatingatoll
So, then, since Square’s application is a work, if an AGPL service interacts
with it to modify Square’s work, your assertion is that this does _not_ count
as a modification introducing AGPL responsibilities.

That’s useful to consider, but it doesn’t reassure me enough to remove the
risk altogether. I would, if I were a coder in Square’s position, acknowledge
this explanation and then very likely still move to deny AGPL interactions as
a whole rather than try to finesse the exact legality as described. I care a
lot about licensing but I also want to get work done without fear of AGPL
lawsuits.

------
ralph84
Square is taking a conservative approach on what a “modified version” as used
in the AGPL is. It hasn’t really been litigated so different lawyers have
different opinions. Square’s position appears to be combining Square’s
products with AGPL code creates a “modified version” of the AGPL code and
would require providing the code for Square’s products.

~~~
nabla9
A conservative approach would be taking an approach that is a possible
interpretation of the license. Their lawyers just made a mistake.

The restriction applies to software sold in their online store. It is not
possible to interpret "Interacting with Program through a computer network" as
distributing software via online store. The program must be running and
executing its code.

~~~
ralph84
The restriction applies to anyone “using Square Point of Sale, Customer
Engagement, Appointments or Employee Management, Square Online Store, and any
associated products and services”. I’m not sure why you think it only applies
to people selling software. Nothing in the terms says that.

~~~
nabla9
Because it's under

> Additional Point of Sale Terms of Service > 3\. Online Store > I. Your
> Content and Content Restrictions

~~~
floatingatoll
To clarify the question without trying to answer it myself, restated in terms
of Amazon rather than the less-understood Square Store, here are two similar
questions that may have _different_ answers under the Square terms update:

Does the AGPL specify its terms of infection such that “a third-party seller
listing a physical CD full of AGPL software sold on Amazon” would bind Amazon
by the terms of AGPL source code release for Amazon.com?

Does the AGPL specify its terms of infection such that “a third-party seller
publishing CD listings to Amazon using an AGPL script” would bind Amazon by
the terms of AGPL source code release for Amazon.com?

And so in those terms, the core question of this thread is, “may I sell items
and services on Square that are composed of AGPL code as long as I do not use
AGPL-containing or AGPL-integrated code or content when interacting with or
publishing listings on the Square Store or when interacting in any way with
Square services or APIs?”.

------
brobdingnagians
AGPL is really weird. There are widely differing opinions on what it means.
There is this extreme where it is horrific, then you have this guy on
stackoverflow who makes it sound like a kitten with claws removed [1]. The
ambiguity itself in interpretation (or at least how the "general public"
interprets it) is a danger signal to avoid it.

[1] [https://opensource.stackexchange.com/questions/4691/java-and...](https://opensource.stackexchange.com/questions/4691/java-and-agpl-3-how-far-does-license-extend-into-web-app)

------
dylan604
From the comment thread, there seems to be a bit of confusion on what the AGPL
actually can do, so people are just avoiding things under AGPL as an abundance
of caution. It seems that the license has never been tested in legal
challenges. Seems like this would be something right up the EFF's alley. Is it
really in the open source community's advantage to have something this
confusing lingering for so long, or would it be better to get this kind of
confusion cleared up altogether?

~~~
resoluteteeth
I don't think it's just the wording of the license, though. It's really hard
to envision every possibility and decide how the AGPL should handle it. E.g.,
are they really going to add something as specific as "If a cloud service
provider hosts its own code along with user code that includes AGPL code, the
cloud service provider is not bound by the AGPL and the user does not need to
include the provider's bundled code when they release the source code in
compliance with the AGPL."?

Plus, if you treat the cloud service provider's code separately from the
user's code, there is a pretty strong danger of opening loopholes that defeat
the entire purpose of the AGPL. It's not clear that people releasing code
under the AGPL would even want the AGPL to be interpreted that way.

------
bitL
Scratching Square off my list of service providers. I bet half of their
datacenter software is in some way or the other using AGPL-licensed stuff;
hypocrisy is just insane.

~~~
mfer
It might be GPL but I would guess it's not AGPL. AGPL requires you to open
source the code to run the service. They've not done that. Their legal people
are likely on top of this. It's not hard to run a SaaS and avoid all AGPL.

~~~
pas
How does "linking" work in this regard? If I have an internal AGPL service do
I have to open source that too?

I mean my end users never interact with that service. They interact with a -
let's say - proprietary one. And that service is the client to the AGPL
service.

Or anything AGPL touches turns into AGPL? What is considered touching? If I
use an AGPL firewall do the packets turn into AGPL? If I use an AGPL log
aggregator? Or an AGPL centralized identity management thing every other
service that auths turns into AGPL?

~~~
jsty
This is half the reason why many large companies have prohibitions on using
AGPL code - no one is quite sure exactly what counts as 'interacting
remotely', and thus what would be in scope for the source release
requirements. In the absence of any case law to clarify the situation, many
orgs just prefer not to bring in that uncertainty in the first place.

~~~
AnthonyMouse
This is the section about "interacting remotely":

> Notwithstanding any other provision of this License, if you modify the
> Program, your modified version must prominently offer all users interacting
> with it remotely through a computer network (if your version supports such
> interaction) an opportunity to receive the Corresponding Source of your
> version by providing access to the Corresponding Source from a network
> server at no charge, through some standard or customary means of
> facilitating copying of software. This Corresponding Source shall include
> the Corresponding Source for any work covered by version 3 of the GNU
> General Public License that is incorporated pursuant to the following
> paragraph.

So that's about who you have to give the source code to if you modify the
program, right? But isn't the salient point there that it only matters if you
make modifications? Why should anybody who is using the software unmodified
care about that at all?

And all the stuff about "what is linking" would be the same as it is for the
ordinary GPL, would it not? The "Source Code" section of both licenses are
word for word identical, anyway.

It all seems like a lot of FUD from people who don't like the AGPL because it
requires them to follow the spirit of the ordinary GPL when they actually do
make modifications but then use them in a public-facing service instead of
distributing them as a software product, i.e. when it does exactly what it's
intended to do.

~~~
jillesvangurp
That's your interpretation and that's the problem because you might be wrong
in some subtle way that a lawyer could exploit. Also, you are looking at a
single paragraph, there's a lot more to this and it includes notions of
linking, derivative works, distribution, etc. Lawyers really don't like having
a lot of open questions around this stuff and some of the more extreme
interpretations would be very disruptive for any business that wants to keep
parts of their software proprietary.

The other point is that the intention of this license is explicitly to prevent
people commercializing software licensed this way through proprietary
extensions, additions, etc. The whole point of the license is to make that
difficult/impossible. If you use AGPL software, you have to respect this
intention.

Gplv3 is also not that popular with legal departments for the same reason.
Even Gplv2 is generally frowned upon but better understood since there is a
fair bit of case law around it and known ways of dealing with it when e.g.
shipping binary kernel modules with an OS, which is one of those legally grey
areas where you have to depend on legal interpretations of the license. Gplv3
was explicitly written to close some of those loopholes in Gplv2: they were
unintentional.

So, this is not FUD but basically lawyers doing their jobs and they are fairly
consistent in their reservations with respect to this license across the
industry. You talk to lawyers in any fortune 500 company and they'll probably
be very reluctant to sign off on any AGPL dependencies.

~~~
AnthonyMouse
You're arguing that companies should fear the license because there is
uncertainty and you doubt that an unproblematic interpretation is accurate,
but that that isn't FUD. It's fear, uncertainty and doubt.

> The other point is that the intention of this license is explicitly to
> prevent people commercializing software licensed this way through
> proprietary extensions, additions, etc. The whole point of the license is to
> make that difficult/impossible. If you use AGPL software, you have to
> respect this intention.

That may be true, but why should you care if you are not actually doing that
and are only using the software without modification?

> Even Gplv2 is generally frowned upon but better understood since there is a
> fair bit of case law around it

It is pretty uncommon for there to be existing caselaw interpreting a given
software license. Proprietary software licenses are commonly unique to the
software, sometimes even unique to the customer. If this is a concern then
shouldn't a widely used form license like the AGPL be an advantage, because
then it's more likely the first time a court has to interpret the text will be
in somebody else's case and not yours?

> So, this is not FUD but basically lawyers doing their jobs and they are
> fairly consistent in their reservations with respect to this license across
> the industry. You talk to lawyers in any fortune 500 company and they'll
> probably be very reluctant to sign off on any AGPL dependencies.

Have you experienced asking lawyers for their opinions on contract text?
You'll generally get back a document identifying various concerns with just
about every provision in the text, because that's their job.

For example, here's a fun provision from the Windows 10 license:

> [you may not] use the software as server software, for commercial hosting,
> make the software available for simultaneous use by multiple users over a
> network, install the software on a server and allow users to access it
> remotely, or install the software on a device for use only by remote users;

What does that mean? How will a court interpret it? Should corporations avoid
Microsoft Windows as a result, because they might violate some interpretation
of the license and then be liable for copyright infringement?

Lawyers having concerns about license terms is par for the course. What you
haven't established is what makes the AGPL unusual in that regard, as compared
with the above or a hundred other provisions in various other licenses.

~~~
jillesvangurp
It's reasonable fear, not unreasonable fear if countless lawyers in countless
companies seem to be coming to the same conclusions and enforcing very strict
policies regarding this (fact, not imagining this). When in doubt, listen to
lawyers, not engineers.

FUD would be spreading unreasonable fear and uncertainty to create doubt.

The thing you don't seem to get about these licenses is the generally fuzzy
language about derivative works, distribution, and modifications. The legal
interpretations vs. the intent of the authors vs. the technical interpretation
of these licenses are three things. An engineer saying, "it's fine" means
absolutely nothing. These licenses are versioned for a reason: the intent and
legal reality apparently don't always line up and people try to fix these
things.

The key point of the AGPL license is that it deliberately intends to prevent
proprietary bundling/extensions of software licensed that way by demanding it
is open sourced under a similar license (aka. the viral nature of the
license). Gplv2 had similar intentions but contained enough ambiguity and
weaker requirements that gave clever lawyers enough wiggle room to get away
with e.g. creating things like Android which definitely has a lot of
proprietary stuff covered in patents and other things. Hence, GPLv3 which
aimed to rectify some of these ambiguities.

And yes, I have experience being lectured on this by actual lawyers (with a
clue no less) in the context of Nokia's OSS efforts a few years back around
their linux based mobile os. They had thousands of engineers collaborating
with the OSS community on hundreds of projects with all sorts of licenses.
Their job: protect Nokia's IP and prevent inadvertent legal fall out with
patents, copyrights, etc. due to improperly licensed software. I learned a lot
talking to and listening to these people.

In short their attitude was, MIT/Apache is generally fine. Gplv2, you need to
know what you are doing but we know how to deal with this and mitigate
potential risks. Gplv3: please avoid adding anything with this license to any
Nokia product (patents were a big concern here). AGPL, no way in hell that we
would approve this, ever; the risks are substantial and generally not worth
it, even for server side only stuff.

Regarding the MS license; let's stay on topic and not digress about the legal
savviness of their lawyers. Generally my advice would be to assume they can
make life hard for you and thought long and hard about how they would do that.
Any court case would likely set you back more than you or your company can
afford.

------
jacquesm
It's not rare to see even very high profile legal firms totally mess up when
it comes to software licensing in general and open source licensing in
particular. Chalking this one up to incompetence rather than malice until
there is proof it is the latter.

~~~
Ericson2314
That's fine but there needs to be more demand to force competence.

We all grew lax with copyleft cause all this corporate pro open source stuff,
and now there isn't a critical mass of AGPL projects compelling Square's
lawyers to read harder. I have no idea how to build that critical mass.

------
orwin
II.B.15: use, under any circumstance, any open source software subject to the
GNU Affero General Public License v.3, or greater;

That's spooky. Any idea why?

~~~
joelhaasnoot
I don't fully understand the context, but I'm guessing that if you provide a
service using software that's AGPL licensed and use Square to sell it, they
have no way of complying with the AGPL terms of providing end users (your
customers) with the source code and/or a link to it.

~~~
Illniyar
The service provider might be breaking the AGPL, but square isn't liable. It
isn't using the AGPL itself and isn't a party to the copyright contract.

~~~
the_mitsuhiko
If they need to redistribute some AGPL content they are liable.

~~~
Illniyar
I don't see square having any service that offers fulfillment (for example
where you can download your order).

Even if they do though it would be a stretch to hold them liable, it's like
requiring github to be agpled if you upload your agpl code there.

~~~
the_mitsuhiko
This is for their store system:
[https://squareup.com/us/en/online-store](https://squareup.com/us/en/online-store)

------
Illniyar
This seems either a prank or ideologically motivated. Beyond the fact that
there is no legal reason to prevent your users from using copyrighted code
since you are not breaking copyright if you are not a party to the contract,
the wording is bad - there could be similar licenses that are problematic but
aren't named AGPL v2 (or greater)

------
unilynx
Might Square be doing this just to prevent their customers from mistakenly
including AGPL in their frontend?

"we know we're not liable, but the customer might get into trouble, let's make
it easy to understand what can and can't be done and just forbid it"

------
hmmmmmmmmmmmm
*AGPL ?

------
wyldfire
> 15\. use, under any circumstance, any open source software subject to the
> GNU Affero General Public License v.3, or greater;

Note to self: create a license whose concepts/terms are similar to the AGPL
but don't call it that.

~~~
anticensor
MongoGPL?

------
empyrical
The same restriction is also in Weebly's (owned by Square) terms

[https://www.weebly.com/ca/terms-of-service](https://www.weebly.com/ca/terms-of-service)

------
pmontra
APGL as in the title or AGPL as in B.15?

------
atomlib
What's APGL? Anti Personnel Grenade Launchers?

~~~
laputan_machine
Network GPL, like GPL but if any system in your network (think of a chain of
micro services) uses an AGPL/AGPL-like dependency, then _all_ of your services
have to be open sourced too.

~~~
nroah
He's mocking the fact that the title says APGL instead of AGPL

~~~
Operyl
Some days I wonder if my brain is just wired significantly differently than
most people. These single letter shift typos rarely even register in my mind.
Hell, my mind registers words with 2-3 letters off perfectly fine. What
usually gets me is when sentence structure is significantly off, not this kind
of stuff.

~~~
geggam
Same

------
nroah
I don't understand why are there so many proponents of the AGPL when it's one
of the most restrictive and therefore against freedom licences there are.

~~~
saurik
It removes developer freedoms in order to ensure user freedoms; claiming it is
"against freedoms" is like saying the Bill of Rights--which restricts the acts
of government--is "against freedom".

~~~
nroah
It's the opposite thing because there usually are a thousand users for every
developer, so you're restricting the freedoms of 1000 people to defend the
freedom of 1 person. While there's 1 government official whose freedoms are
restricted for every 1000 people (made up numbers but you get the point)

~~~
pmontra
In this metaphor developer == government official and users == citizens, so
you should agree with GP.

Again, AGPL restricts what developers can do with software to let users enjoy
more freedom.

Actually I don't care much about that, I just don't want to see companies come
and exploit developers work without having to give back anything. So I really
favor GPL and AGPL. Then, if somebody prefers BSD and MIT, no hard feelings.

------
floatingatoll
If your operating system is AGPL3+, are you prohibited from using tools upon
it to access any/all Square services for any reason? Are you in violation of
every copyright agreement on your hard drive due to your failure to reconcile
the AGPL3+ terms with the software licenses you are integrating with the
operating system through installation and use?

I can see why they would want to explicitly decline to participate in AGPL
infections.

~~~
yarrel
Those questions can as easily be asked of proprietary software with EULAs.

And "infection" is a creepy way to write "compliance".

~~~
floatingatoll
Most proprietary software with EULAs does not contain a copyleft provision
that forces itself upon other software. I find copyleft creepy and power-
hungry, so my choice of word reflects how I perceive it.

~~~
michael-ax
An AGPL license only requires that you provide the code you altered in order to
integrate. Prohibiting it from running on their servers simply closes the door
on people coming to them for code they don't even own!

