The fact that they didn't, and in fact, actually talked with folks and addressed this head on, speaks volumes about them as a company.
They actually kept a large part of the previous license. The new license will terminate if you initiate: "any Patent Assertion [...] (iii) against any party relating to the Software".
So if you sue any React user for infringing any patent, even unrelated to React usage, your license for React will terminate. On the other hand, if Facebook uses your Apache 2.0 software, their license to your patents terminates only if they sue people for using your software. Isn't that asymmetric?
Isn't there a loop-hole though? With the new license, if a FB affiliate sues you, you can only countersue the affiliate. So if FB asks an affiliate to sue you (maybe they sell the affiliate a couple of patents for instance), you can't counterclaim against FB, you can only counterclaim against the affiliate, which may not have a product.
Is that correct?
Thanks for raising awareness about the previous license. The new one definitely seems better.
Past that, to be honest, there are always "loopholes" in all of these licenses related to transferring patents to entities/etc. Given any open source license, i can come up with a valid legal way for an entity to sue you over patents in it. But at some point, you have to trust that isn't the spirit/goal of the license, because if it is, you are kind f*cked anyway. That point, has, IMHO, been reached here now.
Otherwise, it's generally not a sane problem to solve in licenses. It's an insanely complex area due to the ways it can happen. You generally don't want to try to shove all that in one document, it'll be a mess, and you'll never be able to update it for ambiguities discovered or change it with the times as law changes (OSS already has a large enough problem rev'ing licenses)
Things like transfer problems are better solved by things like http://www.lotnet.com/, et al, which have specific, well thought out and targeted agreements.
Yes, it makes it harder to tell your likelihood to get screwed, in the sense that you have to know not only the actual license, but whether they are a member of LOT or whatever, but i honestly can't see a good way around this.
If you use React, doesn't it basically mean that you de facto license all your patents to Facebook whereas Facebook licenses those required strictly for React? With Apache 2.0 or GPLv3, you would only de facto license patent covering the software and the author would de jure license theirs. With BSD, there is no de facto licensing from you, as termination doesn't relate to patent suits. If so, the new grant is okay for people who don't have patents but it seems unsuitable for those who do. Less patent suits overall would certainly be a good thing but this condition seems very one-sided.
The only patent grants you give are through CLA's.
Otherwise, i'm not sure i follow the concern?
While rereading the grant, I even wonder: (1) does the termination in the grant mean termination of the copyright license as well? (2) asserting any patent against "any party relating to the Software" could include end users since they receive the same license and grant.