re2c
re2c copied to clipboard
skvadrik
Switch to a widely-recognized OSI and FSF approved license.
This is a proposal to change re2c license to one of the widely recognized, OSI and FSF approved licenses (most likely MIT). I'm creating the bug as a way to attract attention and possibly gather comments. I realize this won't cover all re2c users, but it's better than nothing (and I will also send an email to the mailing lists).
To clarify, re2c will remain free and open source software, and this change should not affect the users.
What is the current license?
Historically re2c uses a custom "public domain" license, worded as follows:
Re2c is in the public domain. The data structures and algorithms used in re2c are all either taken from documents available to the general public or are inventions of the author. Programs generated by re2c may be distributed freely. Re2c itself may be distributed freely, in source or binary, unchanged or modified. Distributors may charge whatever fees they can obtain for re2c. If you do make use of re2c, or incorporate it into a larger project an acknowledgement somewhere (documentation, research report, etc.) would be appreciated. Re2c is distributed with no warranty whatsoever. The code is certain to contain errors. Neither the author nor any contributor takes responsibility for any consequences of its use.
Why change?
It is getting increasingly difficult to use current license as a proof that re2c is free software. There is no SPDX. Github and journals like Software Impacts do recognize it. Personally I see nothing wrong with public domain, but at the same time I feel that not changing the license to an FSF and OSI approved one is the equivalent of Asimov's "...through inaction, allow a human being to come to harm".
Do I have the right?
I don't know. This is not my own project --- many people have contributed to re2c over the years, and some have spent considerable time on the project. I am the only active author: none of the other authors get in touch (sadly, not all of them are alive by now). I have made by far the most contributions to the project in the number of commits, and I am the only remaining developer with commit access to the source code repositories. I am not worried that someone will sue me (it seems extremely unlikely), but rather that it may alert or create problems for some re2c users.
Change to what?
There are two aspects: 1) what the license says and 2) how it is interpreted. Personally I prefer "public domain" licenses that don't have any requirements, like Unlicense and 0-BSD. However, they are not as widely accepted as MIT, and not always approved by various projects and organizations. Since the only reason to change license is to make re2c easier to use, it makes sense to choose a less appealing, but more default option.
-
MIT. Pros: it is the most widely recognized OSI and FSF approved license, its text is short and readable, it is technically very close to the current license (unlikely to cause license troubles for any re2c users). Cons: it adds one requirement not present in the current license (copy-pasting the license), it doesn't have the words "public domain" in it, and it requires the year and name.
-
Unlicense. Pros: it is FSF approved, it is recognized as a "public domain" license, it does not require copy-pasting the license text, and I like the wording, the name and the project goals. Cons: I don't thinks it's OSI approved, and some companies like Google exclude it from the allowed list. I'm afraid it may create more technical problems for re2c uses than the seemingly more restrictive MIT license.
-
Zero-Clause BSD / Free Public License 1.0.0 (0BSD). Pros: OSI approved, short, recognized as public domain, no requirement to copy license notice. Cons: not FSF approved, less widely used.
Other alternatives were also considered, but seem to be worse than the above: ISC is like MIT but less widely used, CC0 seems more for data than code (and the webcite says not to use it for public domain, "Using CC0").
I'm leaning more towards MIT, although I personally like the Unlicense better.
From https://www.gnu.org/licenses/license-list.en.html
Expat License (#Expat)
This is a lax, permissive non-copyleft free software license, compatible with the GNU GPL.
Some people call this license “the MIT License,” but that term is misleading, since MIT has used many licenses for software. It is also ambiguous, since the same people also call the X11 license “the MIT License,” failing to distinguish them. We recommend not using the term “MIT License.”
For substantial programs it is better to use the Apache 2.0 license since it blocks patent treachery.
Thanks for the link @sergeyklay! I considered Apache 2.0 but was surprised by its length compared to Expat/MIT. The latter I can at least force myself to read.
I think this is how the https://www.gnu.org/licenses page classifies the current re2c license:
Informal license (#informal)
An “informal license” means a statement such as “do whatever you like with this” or “you can redistribute this code and change it.”
In the United States, these licenses are supposed to be interpreted based on what the author seems to intend. So they probably mean what they appear to mean. That would make them non-copyleft free software licenses and compatible with the GNU GPL. However, an unlucky choice of wording could give it a different meaning.
However, many other countries have a more rigid approach to copyright licenses. There is no telling what courts in those countries might decide an informal statement means. Courts might even decide that it is not a license at all.
If you want your code to be free, don't invite gratuitous trouble for your users. Please choose and apply an established free software license. We offer recommendations that we suggest you follow.
Although it has an entry for public domain as well, but this seems to mean the absence of license:
Public Domain (#PublicDomain)
Being in the public domain is not a license; rather, it means the material is not copyrighted and no license is needed. Practically speaking, though, if a work is in the public domain, it might as well have an all-permissive non-copyleft free software license. Public domain material is compatible with the GNU GPL.
If you want to release your work to the public domain, we encourage you to use formal tools to do so. We ask people who make small contributions to GNU to sign a disclaimer form; that's one solution. If you're working on a project that doesn't have formal contribution policies like that, CC0 is a good tool that anyone can use. It formally dedicates your work to the public domain, and provides a fallback license for cases where that is not legally possible.
In any case, it argues for having a formal license.
@skvadrik I am not a lawyer or any specialist in this matter. However, as far as I see (from my own experience), Apache 2.0 license is most suitable for use both in the corporate sector and for individuals. There is no restriction for "making money" using your own derivative and you can safely include parts licensed under Apache 2.0 into your paid (and closed) project. My own experience tells me that companies are usually wary of products licensed on GNU GPL. And in my personal opinion, this is a major obstacle for a project (its future and distribution) if it is licensed in such a way that it can be used exclusively in purely free and open source projects.
P.S. Also I would like share you Bison Conditions just for reference: https://www.gnu.org/software/bison/manual/html_node/Conditions.html
Sure, I'm not considering a copyleft license (GPL). Re2c has been in the public domain since the beginning, and it will remain there. I don't want to change the way the project is used --- only to clarify the status by using a well-known license ("public domain" is not generally recognized as a license).
I did not know that Bison disallowed using the generated parsers in non-free software. Thinking about it, re2c would not have the same problem, because it does not use a fixed program template: the interface code is written by the programmer, and the lexer code is compiled from the regular expressions, so the resulting generated program does not contain re2c code. However, I think some users bundle re2c itself in their non-free software.
Thanks for the advice about Apache 2.0. I need to read it more carefully.
Just discovered a tool for comparing 51 different free/open source licenses, created by the EU: https://joinup.ec.europa.eu/solution/joinup-licensing-assistant/joinup-licensing-assistant-jla
@sergeyklay Cool! it is a bit disappointing that so few licenses pass the Support -> Governments/EU filter, and the intersection of Law -> US law and Law -> EU/MS law has zero licenses.
Anyway, setting Compatible -> Permissive, Support -> Strong community, Support -> OSI approved and Support -> FSF/Libre, we are back to same choice Apache-2.0 vs MIT.
I was leaning towards Apache-2.0 after our previous discussion, but then got discouraged by OpenBSD attitude, http://www.openbsd.org/policy.html (here is also some discussion):
The original Apache license was similar to the Berkeley license, but source code published under version 2 of the Apache license is subject to additional restrictions and cannot be included into OpenBSD.
@sergeyklay Seems so! There is still time to change our minds until the next major release.
I know I'm just a nobody on this project (I've submitted a pair of bugs) but might I suggest that you dual-license the project? Keep the public domain dedication but also license it under the MIT license? That seems "nicer" to the people who committed to a public domain project, since the project stays available in the public domain, but it also makes it easier for organizations where public domain is not legally recognized to use the project under the well-established MIT license.
The reason the public domain is special to me as a developer is because it is the only way to share code the way code was FOSS was meant to be shared: with no legal repercussions possible for either party. Have you ever maintained a project in a statically-compiled language like golang? I work on such a project at my job. Every library you import in the whole project is legally being redistributed as part of the binaries that you ship. The sheer number of imported dependencies whose licenses and copyright notices need to be distributed with your binary is ridiculous. Thousands of lines of text, which change every time any developer on the project adds or removes a new dependency. The only way to get it right is to write automation, but that's a whole bunch of work that only exists to satisfy laywers. It's a frustrating waste of time as a developer.
Public domain code avoids that situation... wherever lawyers for the receiving party will allow it. But that's a step in the right direction.
As a side note, IANAL but my understanding of the situation is that since most project that interface with re2c generally just treat it as a component of the toolchain, redistribution is rarely a concern and it doesn't generally make much difference it re2c is legally libre or not. There are a ton of proprietary software projects that use gcc to build; but they are not required to also be GPL'd. Where it would make a difference is if somebody was extending re2c or copying code from re2c into their own tokenizer. Perhaps that is not news to you at all, but it may affect your decision.
@rexroni , thanks for your advice! I didn't think of dual-licensing. That might be a good idea, I'm all for avoiding the bureaucracy.
I think people sometimes want to embed re2c in their codebase as a subproject, so for them the license propably matters.
I don't know if is possible to "dual-license" with public domain - it's not a license. Licenses are something that have effect under the copyright framework, and making something public domain takes it out of that framework, so any license restrictions have no legal basis. I'm a big fan of public domain software, and it's high on the list of reasons I picked re2c from a comparison table of lexers. Great as it is though it turns out to be more complicated than it should be, from talking to Richard (maintainer of sqlite, which is public domain and is probably the piece of software with the second highest number of running copies, after zlib) it seems like they can't take contributions from at least some of the EU, because those citizens can't put their work in the public domain: https://sqlite.org/copyright.html
@cyanogilvie Yes, I read something about public domain being not a license. I decided against any change at the moment, since I'm not aware of anyone having a problem with re2c being public domain. At the time when I opened a bug I was afraid that I won't be able to publish a paper about re2c, but it was ok in the end --- just a web page with scary text "you must choose a license" and no real-world consequences.
I am confused. I thought CC0 is basically public domain.
Every time I read about licenses, I end up being massively confused. I try to check at least three things:
- Is it good for the re2c community (to the best of my understanding)
- Is it approved by FSF
- Is it approved by Open Source Initiative
To me CC0 seems to be almost the same as public domain. FSF says it is ok. But the Open Source Initiative does not approve it. At the same time it approves Unlicense which explicitly states CC0 as its source. Is it confusing? Yes.
So I really don't know. It all seems like an empty discussion that goes in circles. At the same time I realized that it's not so important (e.g. the journal publication went well without any changes). I think for now, it is ok to keep status quo.
I'm surprised that being public domain is really a problem. That said, isn't the Unlicense simply a formalized dedication to the public domain that has an SPDX short identifier? Given that, Unlicense would seem to be essentially the right thing since it isn't actually a change as much as a clarification.
Have you considered the Boost Software License 1.0? https://www.boost.org/users/license.html
- Wikipedia: "It is a permissive license in the style of the BSD license and the MIT license, but without requiring attribution for redistribution in binary form.[13] The license has been OSI-approved since February 2008[14][15] and is considered a free software license, compatible with the GNU General Public License, by the Free Software Foundation" https://en.wikipedia.org/wiki/Boost_(C%2B%2B_libraries)#License
- FSF: "This is a lax, permissive non-copyleft free software license, compatible with the GNU GPL." https://www.gnu.org/licenses/license-list.en.html
- OSI: since 2008. https://opensource.org/licenses/bsl1.0.html
If you want re2c to remain in the public domain, why not just license it under CC0? It's a long license, but it lets you (and others) do pretty much whatever you want with the code.
CC0 has an explicit patent exclusion, which at least Fedora is not okay with.
Thanks everyone for your input.
For the time being, I think it's all right to stick with the public domain.
My reasons for changing it were:
It is getting increasingly difficult to use current license as a proof that re2c is free software. There is no SPDX. Github and journals like Software Impacts do recognize it.
Now, this is not true --- despite some scary warnings I was able to go through the publishing process for https://www.softwareimpacts.com/article/S2665-9638(20)30018-X/fulltext and other papers without any problems. As for SPDX, since re2c does not have the convention of adding license text at the top of each source file, this is not really a problem either.
Let's keep the bug open for discussion, and also as a record of all the licenses that have been considered so far, and their pros and cons.
Jumping in as a domain expert, in SPDX tagging and as open source license policy wonk. There is no "standard" "public domain declaration", because PD is not defined in all jurisdictions.
The SPDX tag that is equivalent to "public domain" is "CC0". Defined by the Creative Commons, it basically says, in tightly written deeply reviewed legalese "if PD is defined in your jurisdiction, this is PD. If it is not, we grant you the rights to do anything you want with this".
For your use case, just use CC0.
Thank you.
When I worked on RE2C several years ago for several years this was not a problem. My goal was to replace Flex use in PHP with RE2C and as Ulya said, RE2C is generator that is not part of the project or creates a license header itself. So back then it was not a problem. However, I would never use the tool in a company unless we finally picked a license.
That said, what actual reasons prevent us from picking something like Apache-2.0, MIT or any other prominent license? Even GPL could work.
Now I regret that I never had this discussion 10+ years ago. But we should imho pick a license because more and more companies are working towards a SBOM and will refuse any non licensed code. Plus going forward more and more companies will need to adhere to rules governing their open source usage, even outside SBOM efforts.
My 2p
Cheers
On Wed, Aug 2, 2023, 17:31 Mark Atwood @.***> wrote:
Jumping in as a domain expert, in SPDX tagging and as open source license policy wonk. There is no "standard" "public domain declaration", because PD is not defined in all jurisdictions.
The SPDX tag that is equivalent to "public domain" is "CC0". Defined by the Creative Commons, it basically says, in tightly written deeply reviewed legalese "if PD is defined in your jurisdiction, this is PD. If it is not, we grant you the rights to do anything you want with this".
For your use case, just use CC0.
Thank you.
— Reply to this email directly, view it on GitHub https://github.com/skvadrik/re2c/issues/301#issuecomment-1662424345, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQ7NSKN2SSY6HIYAMQ624DXTJXDTANCNFSM4PSWNTMA . You are receiving this because you are subscribed to this thread.Message ID: @.***>
The code is basically CC0. There is a CC0 SPDX. Seems like all you could ask for.
(As for why to not to use another license? Because CC0 is already fine.)
Sure. Better than nothing. But it is an inappropriate license. It pertains to creative work on general and does not cover aspects of software development. Using a license that is backed by an software Organisation that has lawyer resources to make it not a moot text is still superior. In any event the people who have done the majority of work on the past 20 years should be able to pick and agree on what they deem suitable. My two choices were started earlier 😉
On Wed, Aug 2, 2023, 18:38 Perry E. Metzger @.***> wrote:
The code is basically CC0. There is a CC0 SPDX. Seems like all you could ask for.
(As for why to not to use another license? Because CC0 is already fine.)
— Reply to this email directly, view it on GitHub https://github.com/skvadrik/re2c/issues/301#issuecomment-1662561569, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQ7NSMRHNAPJFSRC3LCKJ3XTJ66NANCNFSM4PSWNTMA . You are receiving this because you commented.Message ID: @.***>
I make much of my software public domain (CC0 because of Europe) when I don't feel like it would be useful to restrict its use in any way. It's a totally appropriate license for software development. There's no need to use something more restrictive.
CC0 explicitly refuses to provide a patent license, which is a problem for Fedora IIUC.
"CC0 explicitly refuses to provide a patent license, which is a problem for Fedora IIUC." Neither does a public domain declaration.
Is there actually anything patent-able in re2c? I'm not your lawyer, but it looks to me like the answer is "no".
Another issue is, since this project started with a license that was an attempt at a PD declaration, one cannot just slap a modern license onto it. You would have to get the active or passive-with-timeout permission of every contributor in the project's history. You also can't just retroactively apply a modern patent license to the project, because thats a license that was not present when the contributors made their contributions.
But starting with an attempt at a PD declaration, you can put a CC0 or MIT-0 or 0BSD license on it, and it will be legally clean, there will be no successful claim of equity, damages, intent, or copyfraud.
Just put a CC0 on it. If you dont like the Creative Commons, then put MIT-0 on it.
https://spdx.org/licenses/MIT-0.html
All the basic algorithms in the program are decades old. Even if patents existed at one time, which they didn't, they would have long since expired.
It is also not possible to impose relicensing without getting the permission of all the contributors. CC0 is not (effectively) a license change, so it's okay, but imposing something like a license that discusses patents assumes consent of all contributors, and you cannot (legally) retroactively assume that all the contributors have given up their patent rights.
Just put CC0 on it and be done. Anything else is a legal mess.
As for Fedora, that's their problem. However, Fedora is full of MIT and BSD and ISC licensed code, none of which has a patent clause, so presumably you're wrong if you claim it's a problem for them.