
A EULA in FOSS clothing? - bcantrill
http://dtrace.org/blogs/bmc/2018/12/16/a-eula-in-foss-clothing/
======
jamesblonde
It's interesting to see the change in tone from Bryan's previous blog, which
was one of 'you can challenge opensource, but it will win out': "open source
will survive its midlife questioning just as people in midlife get through
theirs"

to the more recent entry, which is that open-source is facing an existential
crisis: "we need your legal voices before these creatures destroy the
village!"

I don't see how Confluent can respond directly to Bryan's 3 questions, though.
They have the bigger social network, so i expect them to ignore him and just
talk to their cool-aiders. It is a risk to ignore Bryan, though, as he's
massively influential.

~~~
hiro_protag
I truly don't understand the panicked tone. There are always going to be lots
of projects licensed under all the existing licenses. If you don't like the
new license, don't use it. Or start your own competing project.

Greybeard says, people using $LICENSE are filthy heathens. You should use
$OTHER_LICENSE instead. Film at 11.

~~~
robert_foss
These a company backed projects that portray themselves as open source while
actually being nothing of the sort due to licensing.

It's a ruse. If MongoDB or CockroachDB for example want to describe their
project as open source they should also act accordingly.

~~~
chrisseaton
> portray themselves as open source

They don't!

"The Confluent Community License is not approved by the OSI and likely would
not be as it excludes the use case of creating a SaaS offering of the code.
Because of this, we will not refer to the Confluent Community License or any
code released under it as open source."

~~~
anilgulecha
Isn't this a "wink, wink"?

They could have instead said : Confluent Community license is not a FOSS
licence, but tries to provide many of the rights afforded in FOSS licenses.

That would have cleared up the status in a jiffy, and people would have made
their decision to use or not use. But the intention seems to be to have their
cake, and eat it too.

~~~
eesmith
.. no? I mean, is the Microsoft Visual Studio Community license a "wink, wink"
license? Or the Sun Community Source License? Or the Atlassian Community
License?

FWIW, "Community" in the license name seems to indicate "not free software"
and "not open source software". There's only one OSI or FSF approved license
with that word in the name.

They write 'Strictly speaking it is “source-available.”' That description has
its own Wikipedia page. [https://en.wikipedia.org/wiki/Source-
available_software](https://en.wikipedia.org/wiki/Source-available_software)
points out that it doesn't always meet "the criteria to be called open-
source".

~~~
anilgulecha
No one I know of treats MSVS or Atlassian or whatever is under SCSL as open
source.

Confluent was treated and used as open source and that changed.

~~~
eesmith
I understand that it changed. But if there is a "wink, wink", who is it
supposed to be for? For those who knew it was F/OSS? If so, it's not very
effective, since they know the difference, and the text is clear that about
why it's not likely to be considered F/OSS by the OSF, FSF, or Debian.

Or is it a "wink, wink" to those who didn't know? In which case, don't the
many other community-but-not-F/OSS licenses mean that Confluent is being
consistent with what others do?

AS someone who hasn't used Confluent but knows about issues related to F/OSS
licensing and the difficulties of getting sufficient funding for developing
F/OSS software, the explanation was pretty much what I expected for a company
switching to an open core model from one which was all open source.

So, why might it be a "wink, wink"? That's likely my stumbling block in
understanding your g'parent comment.

------
jordigh
Did Confluent use Node? Python? Ruby? Django? Flask? Linux? Did they manage to
avoid using any free and open source software?

Would they have liked it any of the things that they used said "you're not
allowed to put this on a server and make money off it"? I wager they wouldn't.

People are saying that Confluent have every right to be doing this. They
certainly do, but it's not very reciprocal of them to do so. If we're going to
be so worried about Confluent's income, we should also be worried about the
income of all the forgotten software developers that Confluent has likely
based their business on, and I don't think the answer is for everyone to start
forbidding making money on servers unless they wrote all of their money-making
server software themselves.

These new breeds of licenses with anti-AWS clauses trying to make sure that
Amazon doesn't make too much money are also harming in their wake many other
developers. Software development as a whole is going to be getting poorer if
enough people want to forbid making money on a server.

~~~
dhimes
My understanding is that you can use Confluent's software to run your own
stack and offer a service, and you can do that for free. You just can't offer
a service that competes directly with theirs. It's like if Google said,
"Here's our search algorithm. You are free to use it on your website behind
your paywall to give your users a better experience, but you are NOT allowed
to use it to establish a competing search service on the broader internet.

I don't really have a problem with it- I think it's fair. I think the question
of whether it should be allowed on Github is fair- can someone accidentally
find themselves legally bound? But it's probably an edge case.

~~~
a3n
In the 90s microsoft prohibited you from selling a compiler built with their
compiler.

Edit: microsoft

------
hlieberman
I think it goes without saying that the Confluent Community License is in
violation of the Debian Free Software Guidelines for a whole multitude of
reasons. I don't think it deserves the title "open source", but I can't
imagine anyone considering to call it free software.

~~~
chrisseaton
They don’t claim to meet those guidelines though do they? Not sure it’s
reasonable to say they ‘violate’ something nobody claims applies to them.

~~~
hannob
> They don’t claim to meet those guidelines though do they?

The problem of this whole discussion is that they try to confuse as much as
they can by using terminology that surely sounds like they're doing "Open
Source".

Read this: [https://www.confluent.io/blog/license-changes-confluent-
plat...](https://www.confluent.io/blog/license-changes-confluent-platform)
Yeah, they don't write "The Confluent Community License is an Open Source
License", but they use the term a whole lot and they also don't clearly write
the accurate thing: "We're no longer using an Open Source license."

I think this whole thing would be much less of a controversy if some companies
just said clearly: "We tried the Open Source way, it didn't work for us, now
we do something different." But they don't want to be that company, instead
they use all kinds of confusing terminology to obscure that fact and try to be
the "We no longer use open source, but we surely want you to believe that we
still do"-company.

~~~
gunnarmorling
> The problem of this whole discussion is that they try to confuse as much as
> they can by using terminology that surely sounds like they're doing "Open
> Source".

Dunno, they are very clear about this in the FAQ
([https://www.confluent.io/confluent-community-license-
faq](https://www.confluent.io/confluent-community-license-faq)):

"Is Confluent Community License open source? -- Strictly speaking it is
“source-available.” Many people use the phrase “open source” in a loose sense
to mean that you can freely download, modify, and redistribute the code, and
those things are all true of the code under the Confluent Community License.
However, in the strictest sense “open source” means a license approved by the
Open Source Initiative (“OSI”) which meets a particular set of criteria. The
Confluent Community License is not approved by the OSI and likely would not be
as it excludes the use case of creating a SaaS offering of the code. Because
of this, we will not refer to the Confluent Community License or any code
released under it as open source."

I totally see how people have different opions on whether that move is good or
bad for the community and/or Confluent themselves, but I don't see where they
are being confusing intentionally; IMO it's the opposite, the announcement is
very clear and open what it is and what it isn't. Compare that to "Commons
Clause", which indeed is a super-confusing term.

~~~
hannob
Scroll a bit down in the comments here and you'll see the CEO of Confluence
talk about "our Open Source" referring to the new license.

~~~
toomanybits
Are you sure? he seems to be using the past tense: "written so that software
products like Landoop _were_ free to embed our open source"

------
skrebbel
I'm new to this particular controversy, but as a startup founder considering
to open up their stack, I think what Confluent is doing here is very
reasonable.

From their own FAQ:

    
    
        > Is Confluent Community License open source? 
        Strictly speaking it is “source-available.”  ..
    

So if Bryan's analysis holds up and indeed, you don't own your copy and
instead you merely were given the right to use and modify it, as long as you
abide by rules X, Y and Z, then.. well, isn't that okay too? Isn't that better
than nothing?

Is there some sort of hidden rule somewhere that if you sell (or give away)
the right to read and modify your proprietary software, that then you're
suddenly evil?

I think I must be missing something, but what's the core argument here? This
sort of thing makes the rounds on HN frequently, but I get the feeling that
all but the most avid FSF-supporters are okay with 100% closed, proprietary,
SaaS, etc software existing, and also okay with 100% OSI-approved open source.
But somehow people get super angry about anything that falls in the middle.
Why is that? Why is proprietary software nothing to worry about, but
proprietary software with a "here's the source, have fun" notice tacked onto
it totally evil?

To be honest, I don't always buy the argument about muddying the definition of
"open source". Yes, there have been companies that called their thing open
source even though it wasn't, by the OSI definition, and that's a shitty move.
But my impression is that Confluent is not one of those companies.

~~~
jsnell
> Yes, there have been companies that called their thing open source even
> though it wasn't, by the OSI definition, and that's a shitty move. But my
> impression is that Confluent is not one of those companies.

When you take an open source project and re-license it under a proprietary
license (without changing the name, the repository, etc), a lot of scrubbing
will be required to erase all representations of the project as being open
source.

For example here it took one page view and about 5 seconds to find an example:
the ksql repo [0] still has the open-source tag.

[0]
[https://github.com/confluentinc/ksql](https://github.com/confluentinc/ksql)

~~~
skrebbel
Isn't it just a matter of time before that gets fixed? I imagine they can
scrub the majority of those cases in a few weeks if not faster. I mean I see
your point, and I appreciate you taking the time to answer. But it's a fixable
problem, right?

~~~
jsnell
Yes, clearly once it was pointed out it was going to just be a matter of time
:) But I just think that even with the best of intentions, it'll take a long
long time for every such reference to be found, reported and fixed.

~~~
skrebbel
Hah actually you made me curious now :-)

Knowing the FOSS community a bit, I'd personally imagine every GitHub repo
flooding with subtly pedantic but well-meaning issues and pull requests titled
"fix licensing".

Thanks again for your thoughts by the way.

------
kemitchell
This is fundamentally a legal topic. And not a particularly new one for
lawyers in the industry. For those interested, I'd recommend two cases.

 _Vernor v. Autodesk_

Why didn't 17 USC 117 save the defendant?

What are "notable use restrictions"?

 _Artifex v. Hancom_

Did terms end up a license or a contract?

Why?

------
jamesblonde
Spare a thought for poor Landoop
([https://www.landoop.com/](https://www.landoop.com/)), not AWS. They built up
their business around Confluent's open-source tools - like the schema
registry, ksql, kafka streams. I guess they will have to fork from the latest
version and try and develop competing versions of Confluent's tools now. Maybe
they could bootstrap a community effort around this?

~~~
boredandroid
This is Jay, the CEO of Confluent. No, actually quite the opposite. We took
pains to ensure that the license was written so that software products like
Landoop were free to embed our open source and compete with us in that way.
This FAQ covers the competition in more detail:
[https://www.confluent.io/confluent-community-license-
faq](https://www.confluent.io/confluent-community-license-faq)

~~~
shabbyrobe
> Embed our open source

I thought the FAQ said you wouldn't refer to it as such:

> Because of this, we will not refer to the Confluent Community License or any
> code released under it as open source.

~~~
nl
I believe the trademarked term is “Open Source” (with capitals) and they are
avoiding that.

IMO it’s a deliberately deceptive technique to try to confuse the market and
dilute open source.

~~~
slavik81
The quoted passage from the FAQ says "open source" in lowercase.

------
dahart
> I’m not asking who owns the copyright (that part is clear, as it is for open
> source) — I’m asking who owns the copy of the work that I have modified?

Not a copyright lawyer, but honest question: what would it mean to “own” a
digital copy? How would you define that ownership? Is it attached to specific
devices? Should it make exception for multiple temporary copies? What tangible
rights or advantages would that give the owner above and beyond the rights
that copyrights currently provide to someone who acquires a legal copy?

I’m asking because it makes some sense to me that digital assets are handled
differently than physical copies, because digital copies don’t transfer the
same way. With digital assets, you don’t automatically relinquish a copy when
you give yours to someone else. It can be incredibly hard to know exactly
where your digital copies are physically located. It can be easy to have two
or three or four copies sitting around and not know it. Perhaps one consumer
advantage that licensing has over some notion of ownership is that you can
legally have multiple copies, even make multiple copies, without violating
copyright law.

------
runn1ng
I don't get why are these weirdo licenses needed

If you want to prevent Amazon to use your software for SaaS, just license it
with Affero GPL, it was invented for this usecase (as far as I know)

edit: okay I was wrong, see replies.

~~~
abrookewood
I assume you are talking about this section? "13\. Remote Network Interaction;
Use with the GNU General Public License. Notwithstanding any other provision
of this License, if you modify the Program, your modified version must
prominently offer all users interacting with it remotely through a computer
network (if your version supports such interaction) an opportunity to receive
the Corresponding Source of your version by providing access to the
Corresponding Source from a network server at no charge, through some standard
or customary means of facilitating copying of software." I'm not sure that it
prevents anyone from offering a SaaS version of your product - just that they
have to make the code available if they modify it.

~~~
runn1ng
indeed! I was wrong then, I thought the entire backend had to be open sourced,
not just the modified version.

I stand corrected then

~~~
webmaven
That depends on how (and how much) the backend is tied to the modified version
(IANAL, don't ask me for specifics, it's REALLY gnarly, and there are various
contradicting legal opinions).

------
kevin_b_er
This a commonplace tactic. The goal is to deny you common rights and
privileges under the law by overriding it with a contract. The use of a
contract to deny ownership is becoming increasingly common.

------
techdragon
I’m not a lawyer but the amount of law (and legal history) I do know makes me
deeply concerned by this.

------
boredandroid
This is Jay Kreps, I'm the CEO of Confluent. The license is actually not a
EULA, that is a misunderstanding. We have added this item to our FAQ:
[https://www.confluent.io/confluent-community-license-
faq](https://www.confluent.io/confluent-community-license-faq)

~~~
cbkeller
Do you care to support that assertion? It reads very much like one.

> BY INSTALLING, DOWNLOADING, ACCESSING, USING OR DISTRIBUTING ANY OF THE
> SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO
> NOT AGREE TO SUCH TERMS AND CONDITIONS, YOU MUST NOT USE THE SOFTWARE. IF
> YOU ARE RECEIVING THE SOFTWARE ON BEHALF OF A LEGAL ENTITY, YOU REPRESENT
> AND WARRANT THAT YOU HAVE THE ACTUAL AUTHORITY TO AGREE TO THE TERMS AND
> CONDITIONS OF THIS AGREEMENT ON BEHALF OF SUCH ENTITY. “Licensee” means you,
> an individual, or the entity on whose behalf you are receiving the Software.

"... you agree to the terms and conditions of this agreement" seems like a
dead giveaway for an EULA -- specifically, an attempt to bind the licensee by
contract law in addition to copyright law.

~~~
kemitchell
There's confusion of terms here. You seem to be using "EULA" to mean
"contract". If you look at the FAQ Confluent added, they read "EULA" to mean
something more specific.

"End User License Agreement" has no reliable, specific meaning in the
industry. "EULA" for short gets thrown away even more willy-nilly, in all
kinds of circumstances. I've seen it used for SaaS terms.

~~~
cbkeller
You're certainly right that "EULA" is ambiguous -- but Bryan provided a more
specific definition which was pretty clearly concerned with the "contract law
in addition to copyright law" part:

> EULAs are an attempt to get out of copyright law — where the copyright owner
> is quite limited in the rights afforded to them as to how the content is
> consumed — and into contract law, where there are many fewer such limits.
> And EULAs have accordingly historically restricted (or tried to restrict)
> all sorts of uses like benchmarking, reverse engineering, running with
> competitive products (or, say, being used by a competitor to make
> competitive products), and so on.

------
newaccoutnas
For a moment I thought the article was going to be about actual clothing
(smart? clothing). Perhaps a copy of the GPL will need to be shipped with all
future clothing articles that have a GPL licensed parts of it's embedded
system?

------
oliwarner
This is way too hung-up on the idea of ownership.

Software licensing seems like a beast unto its own but what do you suppose
would happen if you bought a car, a camera, a kettle, a pair of glasses,
duplicated it 1:1 and tried to sell those copies? You'd fall foul of a
thousand protected designs and trademarks. IP is everywhere.

It's not about what you own. It's about what rights are granted to you.
Software is only strange in this regard because as developers we're [often
painfully] explicit about what you can do. It isn't yet obfuscated behind
decades of evolving law.

Please stop throwing "ownership" around as something you expect when you
download something. It's silly to expect it.

The same works in reverse. You own your modifications. Nobody else _owns_ (or
has right to) them without your grant. But could well be compounded into a
license, or more commonly a contributor agreement... But _it has to be
explicit_.

Edit: After getting a couple of downs, I assumed my pre-coffee acidity may
have burned through, so edited it to be softer... but I've had another since.
If you've got a point to make, please leave a comment.

~~~
IAmEveryone
I believe this comment neatly goes at the heart of this discussion. I have
absolutely no horse in this particular fight, having never even used any
software by confluence, as far as I know. Coming into this discussion as
somewhat of a blank slate, I stumbled over this somewhat nebulous concept of
“ownership” just like the parent, plus some mild dismay at seeing the only two
threats meaningfully engaging with what IMHO is the core of this dispute being
flagged into oblivion.

To reiterate: I have no earthly idea nor opinion if Confluence is the
confluence of everything that’s wrong with earth and beyond. I just think the
argument would benefit from a sharp pencil more than a pitchfork, for now.

~~~
wtallis
> I stumbled over this somewhat nebulous concept of “ownership” just like the
> parent,

A lack of clarity about what sort of transaction or license terms give rise to
ownership of a copy of software is not justification for entirely rejecting
the notion of ownership of a copy. The existence of that ownership status is
rigidly established by statute, as are some of the consequences. It's only the
prerequisites that are nebulous or at least very complicated, but that doesn't
make ownership status any less important of a question. In legal disputes, the
tricky questions are usually more important than the ones with obvious
answers.

------
hiro_protag
_If I git clone software covered under the Confluent Community License, who
owns that copy of the software?_

The copyright to the software resides with Confluent, because of the copyright
assignment clause that all contributors must sign. This is no different than
Apache projects, which also require copyright assignment. For example, if you
git clone Apache Hadoop, you do not acquire the copyright to Hadoop. Does
Bryan really not understand how copyright assignment works?

 _To foundations concerned with software liberties, including the Apache
Foundation, the Linux Foundation, the Free Software Foundation, the Electronic
Frontier Foundation, the Open Source Initiative, and the Software Freedom
Conservancy: the open source community needs your legal review on this!_

Why do any of those foundations need to review the license or EULA that
Confluent chooses? Confuent isn't claiming that their license is OSI
compatible (in fact they explicitly state that it is not.)

If you don't like the license, don't use the software. Or use Amazon's
software, which does require a EULA (see
[https://aws.amazon.com/agreement/](https://aws.amazon.com/agreement/) ).

~~~
bcantrill
I was asking who owns the _copy_ , not who owns the _copyright_. And yes, it's
relevant: if I own the copy (even though you own the copyright), then you are
afforded the rights as the copyright holder -- which don't include telling me
how I consume it, or revoking my right to my copy at a later date because I
have become your competitor.

~~~
IAmEveryone
What does “afford the rights as the copyright owner” mean? It cannot mean
“have the same rights”, because I believe we’d all agree that forking on
github does not, as but one example, confer the right to re-license the code.

~~~
wtallis
If your customers/users _own_ their copies of your software, then your rights
to control what they do with that are enumerated in 17USC§106, and limited by
eg. 17USC§117 or §109. Section 109 for example says that your customers can
sell off their copy, but can't rent it out (unless they're a library). If you
want to prevent your users from re-selling their copy when they're done with
it, you have to assert that you have retained ownership of their copy of the
software. (And, in cases like Confluence, they have to assert ownership of all
copies that their users are authorized to make and redistribute.)

~~~
webmaven
_> If your customers/users own their copies of your software, then your rights
to control what they do with that are enumerated in 17USC§106, and limited by
eg. 17USC§117 or §109. Section 109 for example says that your customers can
sell off their copy, but can't rent it out (unless they're a library)._

That's an interesting analogy...

Is creating KSQL-as-a-service the equivalent of renting copies of the
software? What would the "library exception" look like (which AIUI includes
both private and public libraries)?

 _> If you want to prevent your users from re-selling their copy when they're
done with it, you have to assert that you have retained ownership of their
copy of the software._

Attempts to do that contradict the "first-sale" doctrine, but that doesn't
stop folks from trying.

