
> AGPL does not mean you must provide up-to-date source code in an automated manner; you have to be able to provide the source code upon request, and there's nothing in the license preventing any forms of delays (much less so for ensuring security of users)

I think it does, if you modify the code. From section 13 of the AGPL:

"Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software."



I am not a lawyer, but I don't think anything would prevent you from waiting to update that source code. You could for example say "The source code provided here dates from XX/XX/XXXX and may be slightly out-of-date with regard to the latest security patches. Updates to this repository are pushed no later than 2 months after being applied on the server, and such delay is only incurred when dealing with security patches as part of a coordinated disclosure strategy with upstream project Y".


I think it is the same as the GPL v3, at least these sections do not differ. See section 6.

If you do not want to provide the user directly with a current copy of your source code to download, you can "accompan[y] [it] by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software".

Then you should be able to fulfill a request for the source code used at an exact date and time 2 years ago, even when you have already discontinued the product and let go of all the people involved. If such a request comes from a controlled country like Iran or a recently banned company like Huawei or ZTE, it could also get funny for your legal department.

I am not a lawyer, please consult one if you want to find loopholes in contracts.


I believe there is no such provision in the AGPL for a reasonable period of time/delay. Unless there is an exception in the license, one would need to give remote users the source code for the exact version of a program they are interacting with. It is no different from the traditional GPL in this regard.

Imagine getting a (binary) copy of GCC and the README said —

this is version X.Y.Z. Please wait up to two months to download the source code. Until then, you can download the source code for X.Y.Z-2.

IANAL either, but my interpretation was always that you had to treat AGPL code in the same way as GPL, except for the fact that access by remote/internet users was considered a distribution.


> Imagine getting a (binary) copy of GCC and the README said (...)

Just like sibling commenter haukem pointed out, GPL does not mandate that you distribute the source code alongside the binary, as long as there is an official channel to request the source code.

The GPL license predates version control, and code often had to be snail-mailed at the time. This can lead to funny situations like famous hacker Naomi Wu dropping by hardware manufacturer offices to get the GPL source code. [0]

So yes, you could distribute a binary version of FunnySoft v1.3, and it could take a few days/weeks/months to get a copy of the actual source code.

[0] https://nitter.snopyta.org/RealSexyCyborg/status/14287069892...


That sounds fine.




