Hacker News
Why I replaced MIT with copyleft license for Nodemailer (nodemailer.com)
103 points by andris9 on Feb 2, 2017 | 58 comments



Donations for open source projects have notoriously low participation rates - to the point where popular and critical infrastructure projects can't afford to maintain a fulltime employee or two - so don't take it personally.

If you want companies to pay you, then ask them to pay you. Keep it as a simple license (not one that has devs asking wtf it is), but offer a commercial bundle with email and dev support, LTS, backwards compat and perhaps authentication modules (for LDAP/AD, OAuth) and I think you'd be surprised by just how many companies make these purchases (I make them all the time).

Also, on price - $100-300 is "no-brainer, I'll put it on my credit card and expense it at the end of the month" while €800 is approaching purchasing decision territory for a lot of companies.


Was just wrestling with mailing from node this week, and have seen reference to nodemailer. Reading his notice, it seemed like a nicer version of the itext pdf library license change. I completely understand the motivation behind both, but $800 is just out of my budget (and the budget of many of the projects I work on).

Slight rant - the itext license change was frustrating because we were using it on a project, and then the license change happened. The minimum price seems to be $2500, and I couldn't tell if it was per year or what. But to have it on a dev machine, and a test server too, drove the price up more - something close to $6000 IIRC (but it's been a while since I looked into it).

I completely understand the motivation behind the pricing changes, and if it turns out that fewer people use it, but they pay... that still works out for most parties.

I'd encourage the nodemailer author to consider a couple other options - something under $500 for commercial usage, and a higher price point for some extra degree of support (1 business day turnaround time, etc?). As others have noted, a smaller amount is something I can float or simply absorb - larger amounts introduce hesitation, or pushback from clients on pricing (especially if it's a term/time license).


Speaking from my corner of a large organisation, this is pretty spot on. $100-300 is "no brainer". LDAP/AD, OAuth is a major plus. Support SLA tiers are also something we would look for, even in Open Source.

We don't use Nodemailer, but we might now that I know about it. I'll see if we have a use case.


The high pricing is intentional. If no-one is buying then I can just bring the price down, while it is really difficult to move in the other direction if I start with a low value.


A good choice, imo. You can now offer "sales" and special discounts for people who ask for them.

Might want to also offer a premium release for 10x or even 20x, since that falls into the "No Brainer" category for larger corporations who would look at 800 as a sign of low quality.


Smart guy. Copyleft for the open source crowd to use freely, commercial license for businesses who want to keep their own source closed.

I wonder where you get a good commercial license to use like this. Is it always a custom thing requiring expensive lawyers or is there some repo of commercial licenses one can use?


Open source software developers probably won't want to touch this with a bargepole. Oddball copyleft licenses are a pain in the ass to deal with and invariably incompatible with every other copyleft license including the GPL.


Came here to say much the same. GPL / non-MIT generally = avoid, because IANAL and don't want to figure out if I'm in the right or wrong.


Note that EUPL is explicitly compatible with GPL and a few other licenses in that it allows you to license a derivative work under GPL (or the other license) instead of EUPL.


The downside to this approach is that you need to get copyright attributions for anyone who submits code to the project. This is often a fairly large barrier to entry for contributors and I suspect that the author will continue to have poor engagement for outside contributions.

Now, from a practical point of view, that may be perfectly fine for him. If he's not getting many contributions anyway and doesn't really care about it, funding the project through license sales can make sense. Sometimes I think people don't think about the trade off that's required, though. I've seen people get frustrated with the lack of outside participation.

However, I agree with you. In this case, it seems like a smart move.


Yeah, you're right, I don't care about external contributions. I never wanted this to be a "community" thing. It started as I got interested in the quirks of email and wanted to mess around with the topic. Trying to find consensus etc. just makes it harder, not easier.


You can use Supported Source:

https://supportedsource.org/

It's not copyleft, but if you ask you might be able to use it that way.


Not only is it not copyleft, it's not free software nor open source software. It's proprietary software by another name.


Supported Source is more or less shareware with visible source code. It's not free software or open source.

Selling copyleft exceptions works fine with existing free and open source licenses.


It's a great piece of software. I use it in two projects both commercial platforms though not particularly big money makers.

The problem for me is I remain somewhat uncertain about the implications. If I use this within a service that requires payment from customers, it seems to me there is no change. And most software using this is likely to be delivered as a service right? Maybe I misunderstand the license.

In a way if the approach was more aggressive it would be easier for me. I could just go to the people that write the cheques and say: we use this software. New version requires payment. Write a cheque.

As it is I'm not sure whether we have to pay or not. As for donations - well I could make one personally (in fact I will) but it is unlikely to be 780 euros...


It looks very LGPL-like in spirit. It's hard to know if you can use it in something commercial or not, though. The pessimistic interpretation is that if you use it your software becomes a "derived work" of the library, in the same way your Harry Potter fan fiction is a derived work of Harry Potter. You probably don't want your commercial software under this license because it commits you to (among other things) granting royalty-free licenses to all patents, and settling all court cases in the jurisdiction of the European Court of Justice.

The optimistic assumption is that no, that would never happen, your product will not be a derived work because using the library with it is "mere aggregation." But the license doesn't clearly spell out what is a derived work and what is not-- there is not even the discussion of mere aggregation that the GPL has.

The license also has the "death penalty" clause that the GPL does, which means that your license to use it can be permanently terminated if you are found to have violated any part of it.

So basically, I would say, stay away. And people in open source projects should stay away too, for the same reasons... you don't want this fighting it out with the existing open source license of your project.


At work, if I see a product that offers a commercial licence and a copyleft licence, I immediately buy it.

The licence costs are always trivial compared to the department's revenue and budget, and it completely avoids any hashing over "will we violate copyleft if we do X". Now the answer is always "we bought it, it's ours".

At home, I just use the copyleft version. My personal blog engine is open source, and on github. Anything else I make, I don't mind open sourcing if it comes to it.

700 Euro a year is trivial. We've spent more money on drinks while talking about licensing our own product.


> Now the answer is always "we bought it, it's ours".

I didn't realise commercial licenses are always so generous and easy to use.


I'll clarify. I mean that software that's dual-licenced, usually grants unlimited usage within the organization. Essentially you bought it, so it's yours to do with as you wish---though you can't duplicate it and give it to others on its own, you have to bundle it with your product.

If the licence is more restrictive than that, then it is likely the business will fail because if we have to jump through hoops, we might as well (a) use another product, cost isn't a factor or (b) use the copyleft licence and hire lawyers.


> It looks very LGPL-like in spirit. It's hard to know if you can use it in something commercial or not, though.

You can, as much as you can use any copyleft license - ie. you have to make the source code of the files available. One thing to keep in mind though is that in EU the distinction between strong and weak copyleft (ie. GPL vs LGPL) probably doesn't exist - it hasn't been explicitly proven in court, but there is a past case which shows that the most likely interpretation is that there isn't such a distinction and in EU merely linking does not create a derivative work (you can read about this in this page from the official EC EUPL site https://joinup.ec.europa.eu/community/eupl/news/why-viral-li... which also explains some issues the current wordings have and why the case is not 100% clear).

You can read more about EUPL and how it can be used here: http://www.ifosslr.org/ifosslr/article/view/91/164


It seems like they should publish a directive clarifying this, if they really want to make it clear. In any case, viral licensing exists in the US, which is enough to make the EUPL toxic to nearly all companies.


As I've mentioned elsewhere - I don't fully follow the reasoning either - the post is unclear.

Maybe people are selling spam/crm software that uses nodemailer for sending emails?

If it's sold as a saas - this change makes no difference (hence see the Gnu Apl) - if it's sold as traditional software - perhaps it will make difference in some rare cases (applications with unreasonably tight coupling).


I understand the switch to copyleft, but the EU's own website explicitly lists GPL licenses as incompatible, in the matrix on this page:

https://joinup.ec.europa.eu/software/page/eupl/eupl-compatib...

Dual-licensing under the EUPL and GPL, with the option to choose either, would be helpful. Otherwise Nodemailer is incompatible with the majority of other copyleft code.


Looking closer, you can't incorporate GPL code in a EUPL project, but you can incorporate EUPL code in a GPL project. The EUPL explicitly is allowed to be used as part of GPLv2 project, and indirectly as part of a GPLv2 project via the CeCILL v2 licenses which has a similar provision.


Hmm. A wee bit off-topic, but is there a license of these sorts that does the "free until you make X revenue", similar to those used by Unreal and Unity?


andris9, you mentioned that the EUPL was more European Union friendly, similar to how GPL is more USA friendly.

Do you mind elaborating what you mean by this?


IANAL but as an EU citizen doing stuff in the EU I don't really care about the implications of the US patent system. What I do care about is a license that is in a local language, designed specifically for the EU jurisdiction so every court would understand what it's exactly about. In general though I don't think there's a huge difference as it's hard to believe that I would actually ever go to court based on some license terms.


Spoiler: Money.


And the reason he hasn't made money off it in the last 5-6 years has nothing to do with the license -- it is because sending emails from an API is a very saturated market. From custom remailer apis to built-in provide-your-own-SMTP-server options there are plenty of ways to send email from code and most of them are cheap to free.


I am not sure how this is supposed to start making him money. Doesn't the sticky nature of GPL-like licenses only apply if you redistribute the GPL licensed software alongside your own package or make a derivative?


From the text I'm not sure the idea really is to make the author money. If anything, presumably any code others contribute now will be copyleft, meaning if the patches are integrated and re-distributed by the author he can charge for distribution - but have to distribute under copyleft.

I also wonder how many corporations integrate and redistribute nodemailer; I'm sure there's a few - but I'm guessing most just use nodemailer. Apart from paranoid legal teams, the licence change shouldn't make any difference.

Now, someone distributing a firewall appliance using nodemailer for sending email alerts would have to provide customers with a copy of nodemailer source under copyleft - along with any changes. I still don't see why that would translate to payments to the author.


It does. For example MongoDB is AGPL. BUT if you add nodemailer to your project as a dependency and you link to it GPL will stick. This is why MongoDB's drivers are Apache license but the database itself is AGPL.


So, someone told me that your code need not be GPL but that the combination of your code + a gpled program must be.

IANAL, but this sounded reasonable to me.


The trick is in what constitutes "combination", particularly re. static vs. dynamic linking.

My understanding is that, at least with LGPL, you can have a closed source program distributed with an LGPL shared object/dll (plus license text) that gets loaded dynamically, but I don't think you can do that with GPL proper.

Static linking (IIUC) is right out (for closed source projects).


Not sure if it makes a difference in this case either, however the method is being used successfully by projects like x264, x265, which distribute under GPL, but also offer commercial licenses allowing them to be incorporated into proprietary solutions.


What if you do an on-prem SAS deployment? Think that counts.


So why not just close it and sell it then?

Using a license to extort money from commercial entities who he seems to say use it without paying a dime for it and operating under the guise of open source is... warped in my pov.

I don't begrudge him making phat loot. But if that's the goal open source is not the right avenue imo.

Let the flame war begin but I don't see the point in open sourcing code if you don't want people to use it however they want.

YMMV and probably does.


All copyleft licenses have the same principle; to promote openness. This is explicitly not the same as "use it however they want".

I think the motivation to not have your open source code used in a closed source product that is sold for profit should be obvious.


Also, the motivation seems to be a desire for building a bigger community which gives back its improvements. ZeroMQ for example sticks to LGPL for the very reason - they believe that it is easier to build a community and discourage "dark forks" when software is licensed under GPL-like license. (See http://zeromq.org/area:faq#toc4).


They have tried hard for the last year to relicense zeromq under a much more liberal license, but have had trouble getting all permissions.


Additionally, the requirement for being able to sell a business friendly license, seems to imply that any community code contributions must now assign copyright of the contribution to the project owner (CLA?). Otherwise, wouldn't you then have features locked to the EUPL version? (presumably...I am not familiar with the EUPL at all though)


I want you to benefit from my work only if I also benefit from your work. If you seek an unfair advantage over me, I will not cooperate.


Under a copyleft license you CAN use it however you want. You just are obliged to open source any modification you make to it.

I'm not sure how the "derived works" clause applies to node.js projects using this project.


You're obligated to also distribute sources to changes if you distribute.

You can implement single-image clustering on top of the Linux kernel all you want, and keep your changes - so long as you don't distribute the software. If you do, you must distribute under the gpl.


GPL and LGPL require that users of your software have to be able to relink with their own version of the copyleft code. It's not enough just to provide the source (for compiled languages).


The open source version acts as advertising for the paid version. It also allows programmers to imagine that they will get paid (without even having to do "business stuff" like marketing) and get open source cred at the same time. This rarely works but the other open source business models never work, so it's the leader.


Others have pointed some reasons, but there's also another important one.

Copyleft is a promise to the end-users that - no matter the circumstances - they won't be stuck with whatever they were served, but would be able to maintain or hire someone to maintain. It's not only freedom to adapt and modify the code, but also - when a project is a library - a freedom to not be stuck with ancient bug-ridden insecure builds if there are newer versions.

So if you ask "why copyleft?" think how much abandonware with statically linked libraries (e.g. ancient OpenSSL) you've seen.


That's a pretty uncharitable reading of his reasoning. A better description would be "companies are profiting off my unpaid work without upholding their end of the social bargain, whether that's money or maintainer hours or whatever". A better reading would be that he feels the current situation is unfair, rather than suddenly wanting to monetise.


There's nothing unfair about that situation though. People using open source without giving back, and possibly even making money on it without giving back, is perfectly fine. There's no contract, social or otherwise (aside from the license terms), and the perception that there is an unofficial social contract obligating users to contribute back or even do stuff like just file bugs or interact with the community is actually an impediment to getting people to use open source.

This concept of a social contract misrepresents both the letter and the spirit of open source, including copyleft, and gives people who don't know any better the impression that using open source would obligate them to do something beyond just complying with the license (even if it's presented as a matter of etiquette rather than an actual legal obligation).

If anyone's out there writing open source code because they anticipate getting anything in return from anybody, ever, for their efforts, they have misunderstood the spirit of the thing and will most likely be disappointed.


> This concept of a social contract misrepresents both the letter and the spirit of open source, including copyleft

Eh? The GPL is a copyleft license that was made to do just this, both in letter and in spirit. "Getting code back" is its explicit purpose.

> If anyone's out there writing open source code because they anticipate getting anything in return from anybody, ever, for their efforts, they have misunderstood the spirit of the thing and will most likely be disappointed.

Open Source and Free Software are similar but different, and you're conflating the two. Redhat is the canonical example of someone who writes FOSS because they anticipate getting stuff for it. Atlassian also writes specifically open-source stuff; you can inspect it, but you can't use it without paying a license.

And I think you're semantically wrong anyway - if you're writing free software because you're community-minded, then it's not unreasonable to expect some engagement from the community, especially for a popular project. No-one is legally obligated to help you, but at the same time, for so many to use your stuff and so few to kick a little back over so many years is something that a reasonable person could be a bit sour on.


> if you're writing free software because you're community-minded, then it's not unreasonable to expect some engagement from the community

Yes it is. Just because you are 'community-minded' doesn't mean you get that - there is no expectation there unless explicitly warranted.


I guess we have different ideas on what makes a community. When I go to a local community barbeque, I hang out and chat as I graze on the food. Apparently you just silently shovel half the sausages into a knapsack, grab a pitcher of drink, and just fuck off without acknowledging anyone. Hey, the food was free, so why should they expect some social interaction, right? I mean, there wasn't a sign up saying "For every sausage, you must spend 5 minutes chatting", so it's not expected (or explicitly warranted), right?


I don't think your analogy works, quite.

Principally, the food is a scarce resource whereas the equivalent to software would be where the community were competing amongst themselves to make a single great sausage; that sausage would be placed on a table by the kerb and people outside would be able to take away as many molecularly identical copies of the sausage as they provided energy to create. The community can socialise amongst themselves and you are free to join in but there is no requirement to do so.


However, maintaining a project over the course of years is not effortless on the part of the provider, as explicitly stated in the article. The problem isn't in the software itself being duplicated, it's in the labour around providing the service.

To continue with the (now tortured) bbq analogy: as the sausages go cold (=software ages), someone has to cook up more fresh ones.


> the community were competing amongst themselves to make a single great sausage

I think a great idea was just born! #sausagecoldwar


> Apparently you just silently shovel...

This poor characterisation of me has nothing to do with the topic, and is just abuse.

There is an expectation at a BBQ, though this differs culturally. There is not such an expectation for FOSS projects, unless explicitly stated somewhere.

If you want to compare the two; tell me why BBQs are generally not open to anyone, whereas there are few restrictions on FOSS contributors? What are the consumables in a BBQ (food) versus a FOSS project (developer time), and who contributes these in each case?


So, to repeat, "I guess we have different ideas on what makes a community."

> tell me why BBQs are generally not open to anyone

Hence why I specified "local community", not "someone's friend's backyard".

In any case, you're missing the point of the analogy, and extend any analogy and it will fall apart. You're missing the human aspect of FOSS, instead interpreting it as a literal legal case.

And yes, there is expectation in FOSS that others will pitch in and help when your project is extremely popular. ESR, coiner of the 'open source' term we're talking about, explicitly promoted it with the term 'enough eyeballs make all bugs shallow'. How is that not seen as an expectation of kicking back at least some effort?


The issue is the expectation that you will receive contributions, versus obligation on all users to contribute, and I don't think there is any obligation.

ESR's quote praises the OS virtue of allowing source code to be read, it doesn't imply an obligation on all users of FOSS, legal, moral, or otherwise.



