Hacker News new | past | comments | ask | show | jobs | submit login
Vulcain: A REST-Based Alternative to GraphQL (github.com)
61 points by pimterry 5 months ago | hide | past | web | favorite | 21 comments



This makes me so incredibly sad.

The project is so exciting and so right. Fully REST compliant backend, designed to support access by either REST or GraphQL queries, and pairable with Mercure to have fully REST async push subscriptions. Full backwards compatibility with REST and full solving of modern API design problems. That's incredibly cool. And then you discover that it's AGPL licensed. Time to move on. So incredibly sad.

All that brilliant design work, all that fantastic problem solving. Shipped with a license that in the commercial world really is the kiss of death and that simply isn't possible to get past the legal department of any company large enough to have a legal department. My sadness isn't just that those of us with legal departments can't use this, it's that adoption will be so slow that all that incredible work you put into this isn't going to receive the uptake and adoption it deserves.


Thanks for the feedback! I just added a section in the README to clarify things about the license: https://github.com/dunglas/vulcain#license-and-copyright

* proprietary software can implement the Vulcain specification * proprietary software can be used behind the Vulcain Gateway Server without having to share their sources * modifications made to the Vulcain Gateway Server must be shared * alternatively, a commercial license is available for the Vulcain Gateway Server


I get that you're trying, but legal is still going to look at the AGPL license and say nope, because that's the license and that what governs what is and isn't allowed. I respect what I think you're trying to do there, but it isn't actually going to work. AGPL is a total deal breaker.

That's the first part. The second part is where you say "oh and there is a commercial license if you don't want to use AGPL" which leaves an incredibly bad taste in my mouth. Any time I see that on a project I think "got it. They are using AGPL as a fake open license, knowing no one will actually use it, so this is really just a paid commercial venture trying to make itself look open sourcey".

You're killing your project with AGPL and not actually going to achieve your intents with it. There is a reason why MIT and Apache are the dominant open source licenses today. Projects need adoption to be successful. It they get adoption, they get PR's. No adoption = no PR's, AGPL or not. The work you're doing is too important to needlessly kill it like this.


> They are using AGPL as a fake open license

Actually, AGPL is the only license respecting copyleft's spirit for network applications such as the Vulcain Gateway Server (https://www.gnu.org/licenses/why-affero-gpl.en.html).

If big companies don't want to play the game for whatever legal reasons, that's on them. And... so there is the commercial license (even if I'm pretty sure I'll never sell a single one for Vulcain). If they really want to use it, they can pay (they pay for AWS, Windows, Sales Force... and a lot of other proprietary software after all).

> knowing no one will actually use it

MongoDB (among other big projects) is very popular, and has been licensed for a while with AGPL (and it wasn't even restrictive enough to prevent Amazon to predate them, but that's another topic). Also Ghostscript, ownCloud, nextCloud, SugarCRM...

In the case of Vulcain, the protocol is what has most value (IMHO), and it is not licensed under AGPL.

It's pretty easy to implement directly the protocol in an app server (if it is written in a programming language able to deal with HTTP/2 directly such as Go, Rust, C or Node).

> so this is really just a paid commercial venture trying to make itself look open sourcey

My goal when publishing free software isn't to help big companies making proprietary services to make even more money without giving anything back (MongoDB, Redis, ... stories).

Thanks to AGPL, users not able to modify the software (lack of financial resources, time or skills) can still benefit from changes made by big companies. That's the goal of copyleft.

If they don't want to play according to the copyleft rules, then ok, they can pay as for any other proprietary software. It looks like a fair deal to me.

> The work you're doing is too important to needlessly kill it like this.

I really appreciate, and I'll maybe consider switching to another license at some points if it's a real blocker. Mercure.rocks (another of my projects) use the same strategy (permissive spec, that anybody can implement, and AGPL implem) and so far it got both adoption (and PRs, even if, as for Vulcain, the main value is in the spec, the server is a tiny piece of software that doesn't require too much maintenance).

For lower level stuffs (such as my PHP libraries), I use MIT because they are designed to build something bigger, not to be used as-is such as the Vulcain Gateway Server or Mercure.


> If big companies don't want to play the game for whatever legal reasons, that's on them. And... so there is the commercial license (even if I'm pretty sure I'll never sell a single one for Vulcain). If they really want to use it, they can pay (they pay for AWS, Windows, Sales Force... and a lot of other proprietary software after all).

If I were looking at using this, it's somewhat of a show-stopper for me not because I think that my company wouldn't want to pay for it; it's that the procurement process is so painful that it becomes almost not worth it for the limited scope of use.

I think a lot of people miss one of AWS' greatest selling points: I go through procurement once to get authorized to use AWS, and it then opens up a whole cache of services I can utilize. Things with a wide range of functionality are worth fighting with procurement over; things that implement a single function start to kick in cost-benefit questions over whether I can get by with the functionality provided by MIT or Apache licensed projects, or if I can re-implement the portions I'm interested in.

> In the case of Vulcain, the protocol is what has most value (IMHO), and it is not licensed under AGPL.

I shudder at the thought of trying to convince legal of this. That may be your interpretation or goal, but Legal is likely going to take the broadest possible interpretation of the licensing. I'm not a lawyer, I have no context to discuss who's right here, but my experiences with legal have been to always assume that they will take an extremely conservative approach (as is their job). That being said, Mongo does do the same thing, and the surrounding discussions seem to agree that using Mongo's API does not make your software a derived work.

The AGPL introduces a risk that someone, maybe an intern or someone 3 years later who doesn't know the licensing context around the AGPL software, will do something that makes internal applications a derived work. Even denoting what makes something a "derived work" gets into murky territory that, afaik, has not entirely been legally tested in court.

It has far less to do with being unwilling to contribute the changes back to upstream, and more to do with a fear of the risk that someone will accidentally violate the segregation between our applications and the AGPL'ed one, and suddenly all of our proprietary code is under the AGPL because one application violated that boundary. Which is legitimate fear if your codebases are tightly coupled (i.e. this app used Vulcan as a library, and that app links to this library that almost all of our applications use, so now it's all under the AGPL). The problem is not contributing changes to Vulcan upstream, it's the risk of the license infecting proprietary software.

This is super cool, and I am definitely going to dig into this for personal projects. I really appreciate the work you put in, and you open sourcing this. The licensing is entirely up to you, and I'm going to poke around in it either way; but it is a killer for trying to use it in enterprise-y environments.


As much as I understand your point and share the loathe of AGPL. The spec it itself is under the the IETF copyright policy, and there is no reason why you or anyone else cant write a spec compliant server that is MIT / BSD or Apache.

Your comment come off a way too hash for somebody who is contributing to Open Source in Good faith. And despite of this I am very much surprised by the extremely well manner response from the author who is French, Which has a culture ( and is languages ) tends to be a little bit straight to the point and giving no as standard answer.

I think we should take some time to appreciate what is being put up, and marvel at the possibility of going back to REST again.

Edit. I am sadden this didn't get the attention it deserved. Next time please submit this at US WeekDays Working hours time :P


> I get that you're trying, but legal is still going to look at the AGPL license and say nope, because that's the license and that what governs what is and isn't allowed.

AGPL is no problem whatsoever server side excepted if you want to embed this software in a proprietary tool.

In all other cases, just change your legal department, they are incompetent and spread FUD.


>AGPL is no problem whatsoever server side excepted

Not following what you are trying to say here, Server Side GPL requirement is the reason why AGPL was invented in the first place.


> Not following what you are trying to say here, Server Side GPL requirement is the reason why AGPL was invented in the first place.

- yes, it's server side.

- Still it is not a problem because it forces to release the modification you do to the service itself ( the database in case of old mongoDB, the REST gate here )

- Most FUD about the AGPL is about the urban legend that suddenly you will have to publish the source code of all your other services: it's dawn wrong.

- 99% of users ( troll: all excepted Amazon ) should not have any issue with this kind of license.


Why not stick the spec in a different repo? Give an explicitly permissive license on the spec, so that it's obvious that proprietary software can implement it.


It's not actually my project, I saw in on Twitter: https://twitter.com/dunglas/status/1182685694306721798

That said, while I see how this is a PR challenge, I'm not sure it needs to be a practical problem. I believe AGPL here would only be relevant to the gateway server itself. The formal spec is intended to be permissively licensed, and you can easily implement the design in any language you choose. If this gets popular, liberally licensed clients & servers will appear pretty quickly. Some discussion from the author here: https://twitter.com/PierreJoye/status/1182885929414848513


While I understand and hear his stated intent in the twitter post, corporate legal departments are going to look at the actual written license and say no.

I also hear your point that other more permissive code bases can be written to reimplement the spec but what a terrible waste of resources that would be. By going AGPL he's basically making all the work he did to implement it a throw-away effort that will need to be superseded by an MIT or BSD or Apache-licensed implementation. I get the intent of AGPL, he wants updates committed back to the codebase. The problem is that corporate legal departments that are fine with PR's to MIT projects won't let you even touch an AGPL project to begin with. As with so many things involving social contracts, force is not always the best way to achieve the ends one desires. If I'm using a project and I make a fix or improvement, I want it committed into the main release branch because that makes my life easier the next time I need to pull updates from master. A quick tally of license popularity trends over the past decade demonstrates enlightened self interest like this is far more effective at motivating developer behavior around PR's than the AGPL ever was, without adding any terms that cause legal departments to block adoption.


You can just implement the specification yourself, and license it however you want. What's the problem exactly?


I really like that syntax. It seems to have been well considered. I don't have a good understanding of how widely supported http/2 is, but I'm happy to see it implemented productively here.


Can't speak for client libraries, but for browsers 95% of real users in the wild support it: https://caniuse.com/#feat=http2


I don't know much (no longer employed in software development) about the use cases.

But I just skimmed some of these HN comments and I'm impressed by @kdunglas engaging in conversations here.

Thanks.


I hope it's better done than his other projects that, while impressive at first, are full of corner cases and incomplete documentation ... which is brilliantly convenient when you sell consultancy for them.

(just speaking from experience, not a personal attack)


All my projects are free software (including their docs). You are free to improve them, or to not use them, or as you stated to hire me or anyone else to do it for you.

Anyway, I'm interested in hearing more about the corner cases and incomplete docs you stumbled upon, to fix/improve what can be done.


We did all these things :) And I can attest you and your coworker were professionals.

Sorry if my previous post was too negative. I can't be too specific though as I was more affected by this than directly involved.


Thanks then :)


That sounds an awful lot like a personal attack.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: