Instantly share code, notes, and snippets.

What would you like to do?
Some questions and answers about various Free Software licenses.

From the AGPL v3, Section 13: [emphasis mine]

If you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network ... an opportunity to receive the Corresponding Source of your version ...

Q. GPLv3 ensures my software remains free by requiring anyone who conveys a copy to also provide source code, regardless of whether they are distributing verbatim or modified copies.

AGPLv3 has a similar effect for software that is intended to be hosted as a service. However, its clause requiring source code to be provided to network users (section 13) states that the requirement only applies if the party hosting my software has modified it. If they host my software unmodified, they escape the obligation to provide source code to their users. Why?

A. Because placing conditions on the modification of software is the only available mechanism in copyright law it can use to achieve that goal.

From an e-mail exchange with Francois Marier of the Free Software Foundation, July 29, 2015:

The reason for this is that copyleft licenses take advantage of activities that are restricted by copyright law and add requirements (e.g. the requirement for source code) before these activities can be performed.

The GPL adds requirement around distribution / copying because that's an activity that naturally occurs when giving software to another party.

The AGPL on the other hand tries to address the issue of software freedom when the software stays on the server and isn't distributed to users, therefore it cannot use the same "hook" as the GPL. Instead, it adds requirements around another activity that is restricted by copyright: modification of copyrighted works.

Does this language enable a loophole where a party may host a modified version of some AGPL code without offering its source code, by having a colluding third party perform the modification?

If the original author of some code dies or otherwise abandons it, doesn't this mean that the community could lose access to the source code, even if some other party is hosting an unmodified instance?

Having another modify the code doesn't avoid the situation, as Section 13 in the AGPL requires that when you modify it, you provide a mechanism for providing the source code to users. That means the modifier needs to put together that mechanism. The only way to get rid of the offer for source would be to modify it again to remove the mechanism, which triggers Section 13 again and requires source code to be provided.

If my understanding is correct, I would like to use the AGPL3 with an additional restriction, which will cause the requirements for offering Corresponding Source in section 13 to take effect even when hosting verbatim copies. However, it seems like section 10, "you may not impose any further restrictions" prevents me from doing so. Is this correct?

This is correct, it would be a further restriction, which is not allowed, as per Section 7:

"All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term."

Additionally, it's not clear that it would work as a copyright license because it's not tied to an activity that is restricted by copyright.


I am not a lawyer and this is not legal advice.

Q. Does the GNU Affero GPL version 3 force configuration settings made in source code of hosted software to be released to users?

A. No.

From an e-mail exchange with Yoni Rabkin of the Free Software Foundation, September 12 2014:

I am creating a piece of networked software which I wish to release under the GNU AGPL v3 license. Its configuration settings are specified by the user editing its source code directly, not by reading a configuration file at runtime. [Similar to the practice employed by Django's DJANGO_SETTINGS_MODULE]

Does the GNU AGPL force those who host this software to reveal their configuration settings as part of their obligation to convey the Corresponding Source to users of that modified version? I am concerned that this would expose sensitive information that should not be public, like database passwords, hashing salts, etc.

No, there is no requirement to distribute that type of specific configuration settings. The obligation is to release the corresponding source code, which is to say everything needed to install and run the software. The distribution can have placeholder values such as dbpass = MYSQL_PASSWD and db_connection_port = TYPE_PORT_NUMBER_HERE (this is what is typically done in practice.)

I hope this answer is of help.

I am not a lawyer, the above is not legal advice

Regards, Yoni Rabkin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment