ZeroTierOne

Licensing discussion thread

Open mwarning opened this issue 6 years ago • 48 comments

Hi,

ZT is packaged for OpenWrt and I just noticed the license change.

Does that mean that ZT cannot be packaged anymore? I wonder if a commercial license can be part of the openwrt packages repo (https://github.com/openwrt/packages). Or if it has to be moved out.

The license also does not seem to have a spdx identifier that the package uses: https://spdx.org/licenses/

I read in the license that there may be an open source release. Do I have to wait for that and keep at the previous version until then? - thanks

mwarning avatar Sep 03 '19 22:09 mwarning

Also www.zerotier.com can no longer claim that the software is Open Source, and the statement "A commercial license is only needed if you want to rebrand our stuff or create a closed-source derivative work" now needs considerable updates as many things commonly assumed to be permissible under Open Source no longer are.

fastcat avatar Sep 04 '19 13:09 fastcat

Hi @mwarning thanks for maintaining the openwrt package!

https://www.zerotier.com/pricing/ has been updated

FREE: Package ZeroTier (labeled as such) and distribute it for free in an app store or other software repository

laduke avatar Sep 04 '19 14:09 laduke

This page provides more information.

We are adopting this license because (1) many customers' legal departments fear the GPL and won't touch anything GPLed (Linux and the GNU tools tend to get grandfathered in), and (2) a more permissive license would allow larger better funded companies to just take our work and monetize it without us. This has already happened to many projects.

Basically we don't want to end up like RethinkDB, a company that built a great NoSQL clustered database only to have most revenue earned by database-as-a-service providers that re-sold pre-configured instances of their database in the cloud and paid them nothing for it.

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

#1023 is a duplicate

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

@mwarning ZeroTier can still be packaged for free. No license is required to (1) incorporate it into something open source or (2) redistribute it in source or binary form assuming you're not stripping away or changing its name (rebranding or "white labeling").

Basically the only things our license restricts are: (1) incorporation into a commercial closed-source product, and (2) operating a for-profit SaaS service for ZeroTier network management that competes with our own service and not paying us anything ("SaaSification").

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

Thanks for the clarification and context. So dual-licensing won't solve the issue. ok

mwarning avatar Sep 04 '19 15:09 mwarning

The license literally says:

> The Business Source License (this document, or the "License") is not an Open Source license

fastcat avatar Sep 04 '19 15:09 fastcat

That's saying it does not meet the OSI's definition of an open source license, which includes unrestricted SaaS monetization use.

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

Reopening for now since others may be interested.

BTW @mwarning does that clarify things or is there still an issue with the DD-WRT port?

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

@adamierymenko I need to speak to the OpenWrt folks about what restrictions they have for their own package repository.

mwarning avatar Sep 04 '19 15:09 mwarning

K, please let me know. We are open to clarifications or minor modifications to accommodate as much of the good non-exploitative open source ecosystem as possible. We're trying to strike a balance between being free for the FOSS world but not allowing exploitation and getting paid enough for our work to stick around and grow.

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

IMHO taking FOSS and putting it behind a SaaS paywall and not giving anything back (as some companies do) is sort of un-cool.

adamierymenko avatar Sep 04 '19 15:09 adamierymenko

> IMHO taking FOSS and putting it behind a SaaS paywall and not giving anything back (as some companies do) is sort of un-cool.

FWIW, I totally agree with you here. My "issue", such as it is, is only with clarity.

To that end, if lawyers are involved, I expect what's going to matter is the text of the license. Guidance provided around it is probably non-binding.

If the goal of the re-license was to calm some companies' concerns about the GPL, and also to prevent the SaaS abuse you mention, was something like dual licensing under BSL plus Affero-GPL v3 considered?

fastcat avatar Sep 04 '19 16:09 fastcat

We will work to clarify the best we can, which will be an iterative process I'm sure.

adamierymenko avatar Sep 04 '19 16:09 adamierymenko

Hmm... and BSL + AGPL3 is perhaps possible. Will have to look into it.

adamierymenko avatar Sep 04 '19 16:09 adamierymenko

Yeah, I think if we get a lot of pushback from OSS distributions/platforms about including ZeroTier we might indeed do something like ZT-BSL + AGPL3. The former is what's there now, and the latter pretty much prohibits SaaSification and building this into commercial products.

adamierymenko avatar Sep 05 '19 16:09 adamierymenko

I'm also researching whether the government restriction is needed or not. If it's not we'll remove it.

adamierymenko avatar Sep 05 '19 16:09 adamierymenko

On Thu, 5 Sep 2019, at 18:56, Adam Ierymenko wrote:

> Yeah, I think if we get a lot of pushback from OSS distributions/platforms about including ZeroTier we might indeed do something like ZT-BSL + AGPL3. The former is what's there now, and the latter pretty much prohibits SaaSification and building this into commercial products.

FWIW the FreeBSD port is still on the previous version as I can’t figure out the practical intent of this change. There’s no existing BSL in the ports tree to refer to, and I’m at a loss on how to implement this - how to communicate to users that this distinction needs to be respected.

As an actual customer I obviously support your move, but if you’re hoping this avoids being Sherlock’d, or Apple or AWS simply writing a compatible implementation I think the license is a weak defence. AGPL doesn’t prevent this either.

Finally, I think replacing the licence is worthy of a 2.0 major version bump, and I really hope you can find a suitable existing licence to reuse.

dch avatar Sep 07 '19 08:09 dch

Please, rethink about relicensing it with AGPLv3 as a good solution against SaaSification (great word! heh).

There are companies that rebrand openwrt for their own product (not my case) and the same for some Linux distributions: PlayStation - FreeBSD, etc. Those cases right now are what you don't want (hiding zerotierone in their product in for-profit situations, probably without returning almost anything)

for this situation

> Package ZeroTier (labeled as such) and distribute it for free in an app store or other software repository

generic BSL probably solves those cases better (dropping that exception) and AGPLv3 enforces your product better through author attribution, source code requests, etc.

In fact, if you relicense with AGPLv3, the other license could be extremely proprietary with the strong conditions you need. "If you don't want GPL enforcement, pay"

pedro-nonfree avatar Sep 11 '19 08:09 pedro-nonfree

@adamierymenko the commit was accepted: https://github.com/openwrt/packages/pull/9937

fwiw, I would feel more secure with the AGPL, it is a well known license.

mwarning avatar Sep 12 '19 22:09 mwarning

The updated version of the pricing page still describes ZeroTier as open source. Please fix this: the BSL is not an open source license, something which is stated by the license text itself.

For what it's worth, for admittedly ideological reasons, I uninstalled ZeroTier when I learned about the license change, even though I've found it very useful over the years and was looking forward to using 2.0. I'm glad to learn that dual licensing under AGPLv3 is being considered, and I hope it becomes a reality so that I can reinstall. :)

comex avatar Sep 25 '19 17:09 comex

I confirmed with FreeBSD portmgr group that we can continue to distribute this "as usual" with suitable caveats, notes, and foot-gun indicators.

However, the new licencing is a major turn-off to general users who can't align this with their existing understanding of OSI type licenses. Whether this matters to ZT the company I can't say but I've had plenty of negative feedback on the change from users. Is there a Venn diagram linking FLOSS & paying users?

dch avatar Nov 19 '19 12:11 dch

Can you guarantee you have permission from ALL(1) individuals listed here to change the licence: https://github.com/zerotier/ZeroTierOne/graphs/contributors

I doubt it. Just so you know: GPL doesn't allow you to relicence. Not even future additions, because you are not allowed to place additional restrictions on works derived from GPL code.

If not, you guys are just violating the GPL.

(1) Not truly all-all, but most of them. Only additions that are copyrightable count in this case. But that's at least a very big portion of these people.

PrivatePuffin avatar Feb 01 '20 10:02 PrivatePuffin

I want to respond to some of the above:

(1) I am not a huge fan of the BSL, but it's the best solution available to us at this time. See this blog post for an explanation: https://www.zerotier.com/on-the-gpl-to-bsl-transition/ -- many other projects such as CockroachDB and others have adopted the BSL for the same reasons.

(2) The copyright holder of a work is indeed permitted to change the license, and I'm not aware of any objection from others. If anyone does object we can remove their work from the source tree. There aren't really any non-trivial contributions by outside individuals anyway (which is the case with 90%+ of open source projects).

(3) This of course does not apply to third party libraries used by ZeroTier, which remain under their own licenses. AFAIK there are no licenses there that conflict with our own.

The licensing topic is an open question for us. We are contemplating actually creating our own community license that attempts to address these issues while attempting to be as compatible as possible with other OSI licenses.

P.S. I regret using the GPL a bit because it's divisive. On one hand you have a large number of GPL zealots who react intensely to any deviation from the GPL, but on the other hand you have in my experience an equal or greater number of people who will not touch the GPL and don't like to use anything connected with it. When we used GPL we got nothing but negative comments about it, and now that we've dropped it we get nothing but negative comments about dropping it.

adamierymenko avatar Feb 03 '20 18:02 adamierymenko

I can agree on (1) and (3). To be clear I'm personally not against or pro any licence, every licence has its place.

However when it comes to (2):

> The copyright holder of a work is indeed permitted to change the license

Unless it includes GPL work from others, in which case it's a derived work

> and I'm not aware of any objection from others

You don't need objection, you need formal permission from the other authors. If you don't you are in violation of the GPL. The violation comes into play the moment you relicence, not the moment they object. Even when it comes to liability: If they object in 10 years and you remove it, you might (depending on jurisdiction) still be liable for damages for the 10 years of unauthorised use.

> If anyone does object we can remove their work from the source tree

That could work in some cases, yes. However, depending how much your (new, replacement) work looks like the old work it might be fruit of the (gpl) poisoned tree and as such still be legally considered a derived work. The GPL is broad enough (and on purpose in this case) to consider a total refactor still a derived work. But let's not go this deep into it at this time... It depends, it might work, it might not.

> There aren't really any non-trivial contributions by outside individuals anyway

I agree, about 95% of code is zero-tier (employee, depending on contracts) owned and some of the others might not be viable for copyright. That being said: From a company I expect someone actually looked at it BEFORE changing licences. Every half decent copyright lawyer would've advised to look at the triviality beforehand. Because if something is not trivial, the burden is (in the very least) on Zerotier to PROVE they acted in good faith before changing licences. Without analysing if they have the required right to do so, a judge would rule it was a change in bad faith.

> The licensing topic is an open question for us.

I do appreciate the honesty and open discussion.

> We are contemplating actually creating our own community license that attempts to address these issues while attempting to be as compatible as possible with other OSI licenses.

I think the BSL can be used for said purpose as well. Creating a custom licence is expensive and (in this case) quite needless.

> On one hand you have a large number of GPL zealots who react intensely to any deviation from the GPL, but on the other hand you have in my experience an equal or greater number of people who will not touch the GPL and don't like to use anything connected with it.

If you lived any closer I would get you a beer. This is so underestimated. GPL has a fundamentalist group that wants it and a bunch of (also sometimes fundamentalist to be fair) corporations that don't want it. I myself prefer BSD when I can reasonably get away with it (low risk of code-"theft"), it seems to silence both groups quite well.

> When we used GPL we got nothing but negative comments about it, and now that we've dropped it we get nothing but negative comments about dropping it.

To be honest, I think the anti-GPL complaints were from people interested in paying your company and the pro-GPL complaints barely ever paid up. That's an easy choice. If the Software Freedom Conservancy for example is willing to give you a nice 7 figures a year to keep it GPL, that would also solve any issue. But they don't and you have mouths to feed.

That being said, something constructive:

  • Try figuring out which authors have made trivial (typos for example) and non-trivial changes. Create a nice spreadsheet for future reference
  • Throw out a mass email to the people working with the project (if you can find out their email address) and ask their permission to change the licence. (Having it is never a bad thing)
  • If anyone has non-trivial code and doesn't agree with the licence change (or doesn't respond to the request) start working on removing it. Make sure it is done in 1(!) commit and isn't just a code reshuffle, to make sure it is least likely to legally be considered a derived work
  • Create a CLA, yes people might hate CLAs. I think your current behavior is more like a company with a CLA, so get one.

TL;DR Licences are hard. I don't blame you. But mistakes are easier to make than anyone should be comfortable with.

PrivatePuffin avatar Feb 03 '20 18:02 PrivatePuffin

Those are great points, and we do need a formal CLA. I'm going to re-check past contributors (even of small things) to make sure there are no issues as well, at least before we release 2.0.

I agree that a new license is a major undertaking, but I really would like to solve this problem in a more satisfactory way than the BSL. The BSL feels like a half-way-there hack.

Here's my personal opinion:

The real issue is that OSS licenses pre-date the present SaaS / surveillance capitalism era. Unpaid "SaaSification" of open source works -- putting them behind a paywall without contributing anything back -- is definitely against the spirit of open source if not against the letter of specific licenses. If it were a practice back in the 90s and early 2000s when the vast majority of today's licenses were created, I'm pretty convinced they'd have provisions to restrict it. There's an intimate connection between SaaSification and surveillance capitalism as well in that they both represent ways that open source is exploited in ways that are definitely against the spirit and intent of its creators.

In a perfect world I would like a license that made ZeroTier free for individual and personal use, free for use in or alongside free open source software, free for academic and charity use, but would require payment when used in a for-profit venture. Of course that's very hard to spell out in a license. It's hard to restrict for-profit business use without restricting personal use or introducing incompatibilities with other licenses. I'm open to suggestions.

The AGPL is almost there, but there are two problems: (1) it doesn't adequately address SaaSification, and (2) it has the letters G-P-L in it. As addressed in our blog post, there is this silly but unfortunately pervasive bias against GPL licenses especially among those who pay us and support our work. It's hard enough to educate customers about your product without also having to debunk decades of GPL FUD (most of which was bankrolled by Ballmer-era Microsoft).

adamierymenko avatar Feb 03 '20 18:02 adamierymenko

Love the direct and open discussion.

And yes: The AGPL solves 50% of the SaaSification problem: Companies profiting from custom improvements. The other 50%: Profiting from the direct work of others isn't addressed.

It would be nice if there was a licence that would:

  • Clearly allow self hosting
  • Clearly deny Hosting as a paid service
  • preferably allowing small scale hosting as a service (Cost sharing for example)

PrivatePuffin avatar Feb 03 '20 19:02 PrivatePuffin

The BSL does that but is too incompatible with other OSI licenses and is not itself an OSI license, hence our desire to eventually find something better or upgrade it in some way. We'd ideally like to play nice with open source but deal with SaaSification.

The SaaSification thing is a particularly strong concern for us because we get a ton of inquiries from people who want to basically do what you say under 'the other 50%': white-label ZeroTier and create their own service. These are often IT firms, ISPs, regional telecoms, etc. Without the BSL we couldn't charge them for this. The GPL also provided a barrier but it wasn't as clear (and of course there was the perpetual GPL FUD problem).

It's no coincidence that database companies have been major adopters of the BSL, with CockroachDB being the most notable but many others too. Databases have been major targets for SaaSification too with many companies doing nothing more than putting OSS databases behind paywalls and making a fortune off them. Any improvements are kept proprietary and nothing is returned to the community. This killed RethinkDB, a very promising hybrid relational-document database that we used in an early version of our backend. (We actually sponsored improvements and had them open sourced, but it was not enough.)

adamierymenko avatar Feb 03 '20 19:02 adamierymenko

The top targets for SaaS monetization (without compensation to either the original authors or the community) are databases and networking platforms.

adamierymenko avatar Feb 03 '20 19:02 adamierymenko

I appreciate the complexity of this topic, but the blatant change of license of other people's code is as bad as the behaviors you are trying to defend yourself against. The code is currently in violation of the license.

Secondly, I found this starting with the disappointment that FreeNAS no longer can consider Zerotier because of the license change. As a prospective customer, that severely hampers the usefulness of Zerotier and as far as I understand, this is an unintended side effect. I hope you'll work with ixsystems on a solution.

tommythorn avatar Feb 12 '20 18:02 tommythorn