Re: Hackage suggestion: Gather the list of the licenses of all dependencies of a package
Malcolm Wallace <malcolm.wallace <at> me.com>
2012-12-15 23:10:33 GMT
On 15 Dec 2012, at 16:54, Michael Snoyman wrote:
> I would strongly recommend reconsidering the licensing decision of cpphs. Even if the
LICENSE-commercial is sufficient for non-source releases of software to be protected, it
introduces a very high overhead for companies to need to analyze a brand new license. Many companies have
already decided BSD3, MIT, and a number of other licenses are acceptable.
Well, if a company is concerned enough to make an internal policy on open source licences at all, one might
hope that they would perform due diligence on them too. For instance, the FSF have lawyers, and have done
enough legal work to be able to classify 48 licences as both "free" and GPL-compatible, a further 39
licences as "free" but non-GPL-compatible, and 27 open source licences that are neither "free" nor
GPL-compatible. This kind of understanding is what lawyers are supposed to be for. Making them look at
another (short) licence is not really a big deal, especially when it closely resembles BSD, which they
have already supposedly decided is good.
My suspicion, though, is that most of the companies who even think about this question are small, do not have
their own lawyers, and are making policy on the hoof, motivated purely by fear. I also suspect that they do
not even have the resources to read the licence for each library in its entirety, to determine whether it is
in fact BSD3 or MIT, as claimed, or whether someone has subtly altered it. Also, I think I could be pretty
confident that there are many shipping products that contain genuine BSD-licensed code, but which do not
comply with its terms.
> It could be very difficult to explain to a company, "Yes, we use this software which says it's LGPL, but it
has this special extra license which, if I'm reading it correctly, means you can't be sued, but since the
author of the package wrote it himself, I can't really guarantee what its meaning would be in a court of law."
Like I say, if someone claims the software to be BSD-licensed, someone has to read the licence text itself
anyway, to determine whether the claim is true. Pretty much every copy of the BSD licence text differs
anyway, at least by the insertion of the authors' names in various places, and sometimes there are varying
numbers of clauses.
> Looking at the list of reverse dependencies, I see some pretty heavy hitters. Via
haskell-src-exts we end up with 75 more reverse dependencies. I'd also like to point out that cpphs is
the only non-permissively-licensed dependency for a large number of packages.
I'm glad that cpphs is widely used. I'm also glad that it remains free, and I disagree with you that its
dual-licence model is non-permissive.
I would like to encourage more Haskell developers to adopt free licensing. Don't be bullied by BSD
evangelists! BSD is not the only way to a good citizen of the community! Your libraries can be delivered to
clients as products, without you having to give up all rights in them!
It's not like I'm saying to companies "if you make money out of my code, you have to pay me a fee". All I'm
saying, to everyone, is "if you notice a bug in my code and fix it, tell me". This is fully compatible with
allowing people to release my code to their clients inside products.
> I can give you more detailed information about my commercial experience privately. But I can tell you
that, in the currently situation, I have created projects for clients for which Fay would not be an
option due to the cpphs licensing issue.
If you are complaining about the crazy policies that many companies adopt about the use of free software
within their business, then I have plenty of sympathy for that too. I know of one which has a policy of "no use
of open source code whatsoever", but runs thousands of linux servers. Also, many companies with large
numbers of software engineers on staff apparently prefer to buy crappy commercial products and pay
handsomely for non-existent support, instead of running high-quality open-source software with
neither initial nor ongoing costs, and where bugfixes are often available the same day as you report the
bug. But hey ho. Corporate policy is usually made by people with neither technical nor legal expertise.
As regards cpphs, if you don't want to use it because of its licences, that is your choice. You can always use
some other implementation of the C pre-processor if you wish. GHC has always refused to distribute cpphs,
on the basis of its GPL licence, and instead chose to distribute GNU's gcc on Windows. (I hope you see the irony!)