Except it’s not just hosting the covered work itself as SAAS that triggers a distribution, but any derived work. If you use (say) AGPL MongoDB in your SAAS bug tracker, your bug tracker now needs to be AGPL too. The virality doesn’t stop at hosting a SAAS MongoDB.
That's probably not correct. While the AGPL is a little ambiguous, it probably does not infect other apps. That's why I created the Candid Public License (CPL): https://github.com/candiddev/cpl
Every lawyer I’ve talked to takes my interpretation. It may be overly cautious of them, but in practice, if something becomes the prevailing legal view, it de facto is the correct interpretation, at least until it is tested in court.
Recall that the GPL (non-affero) categorizes runtime linking to GPL’d binaries as a derived work. (This is why the LGPL exists, to allow for what the regular GPL restricts.)
The logic of the lawyers I’ve talked to (2 different companies on multiple occasions with different lawyers) is that the same wording that causes network access to count as “distribution” in the AGPL, also causes networked API access to count as a derived work.
It’s not all that crazy of an interpretation, IMO. My lawyers may suck and be overly cautious, but I’d wager this uncertainty is exactly why any sane company stays as far away as possible.
> Recall that the GPL (non-affero) categorizes runtime linking to GPL’d binaries as a derived work
If its not a derived work under copyright law requiring a license, a license offer can’t transform it into a derived work requiring a copyright license.
So, thought experiment: say I do want to take AGPL MongoDB, alter its source code, and host my modifications as a SAAS without releasing my modifications, and get away with it.
One way I could do this is by completely implementing its wire-format API of MongoDB as a proxy server to my derived MongoDB, and offer that up as my SAAS.
I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself. It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count.
For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work. I think this is at least how the lawyers I’ve talked to described it.
GPL has already established that runtime linking counts as a derived work. If what you’re saying is true about “not a derived work under copyright law requiring a license”, then I don’t understand why the LGPL exists.
GPL's source disclosure requirements trigger on distribution.
AGPL's trigger on distribution or on allowing remote user interaction over a computer network.
> I could use a defense that I’m not distributing MongoDB, I’m distributing my proxy service I wrote myself
You aren't distributing either of them. When you run code on your server and people interact with it over the network that's not a distribution. If it was a distribution there would be no need for AGPL. GPL would be sufficient.
> It just happens to be that my proxy service talks to MongoDB to do its job, but according to you that’s not a derived work, because network access doesn’t count.
It's not a derivative work because it doesn't incorporate copyrighted elements of MongoDB (assuming you didn't actually copy code from MongoDB).
> For AGPL to still protect MongoDB in this scenario, the proxy-plus-mongoDB combo would have to count as the derived work, and I think the only way to do this is to count any API access as deriving a work.
AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant.
> You aren't distributing either of them. When you run code on your server and people interact with it over the network that's not a distribution. If it was a distribution there would be no need for AGPL. GPL would be sufficient.
I think you’re misreading this part of my comment: MongoDB is (or at least, was) AGPL, and AGPL defines network access as distribution. So I would have to justify whether offering my proxy service to network access counts as distributing MongoDB, or if laundering it through a proxy works around this. Remember that in my example, I did modify mongoDB. But I’m not technically offering this modified mongoDB as a service, I’m offering my proxy as a service, and hoping that it doesn’t count as “distribution” of my modified mongoDB. (i.e. I’m not distributing mongo, I’m distributing my proxy, and my proxy is not AGPL.)
> AGPL would protect MongoDB in that scenario because you are allowing remote users to interact with MongoDB over a computer network. That this interaction happens to be taking place through a proxy shouldn't be relevant.
Well, that’s the thought experiment that my example is intended to provoke… it seems obvious that my dumb proxy is a way to work around the AGPL, but what if we tweak the example? What if I make a web UI where you type mongo commands and it gives you the result? (Still pretty obvious, no?) What if I make a simple dumb CRUD app that happens to use MongoDB? (Less obvious…) what if the CRUD app is itself an extremely thin wrapper, and although it doesn’t implement any MongoDB protocols, it leverages built-in mongoDB functionality for 99% of the logic?
The point is, it’s not hard to imagine a legal theory that says “if network access equals distribution, then network access equals a derived/combined work”. It’s the theory that the legal departments of several companies I’ve worked for have taken. And I’d argue that if you have a proprietary product that uses an AGPL service as part of the backend, you have a rather large reason to be worried.
By my reading, the AGPL doesn't define "distribution" at all. It defines "conveying":
To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying
This definition specifically excludes networked API access.
Here's what the AGPL says about network access:
Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
It only applies if you "modify" the program. Does creating a proxy service count as modifying the original program? I think it could count as a derived work, but I would be very surprised if that counts as a modification.
Doesn't it prove GP's point? If you use MongoDB in your commercial software it gets infected with AGPL, because people interact with it over the internet - just like linking does with GPL.
> GPL has already established that runtime linking counts as a derived work
No, whether runtime/dynamic linking (or even static linking) creates a derivative work under copyright (as is when, to the extent it does, such a use would nonetheless be fair use and still not require a license) is still a contentious topic, and AFAIK there are no cases strongly suggesting a general answer.
A license offering permission cannot itself resolve when the law requires such permission. Arguing that it can is like saying my offering terms of permission to use my home and claiming that they apply to use of the public street out front establishes that I own the street.
If your argument is that AGPL can’t restrict me from using mongo in a proprietary product because copyright law itself does not restrict this, then you may or may not be right, I don’t think any of us know for sure until this is tested in court. I will say that the AGPL is written with the assumption that this is restricted by copyright law, so I don’t think your interpretation is the common one.
> One way I could do this is by completely implementing its wire-format API of MongoDB as a proxy server to my derived MongoDB, and offer that up as my SAAS
This is what Cosmos DB for Mongo DB is (wire format endpoint that talks to Msft’s own DB backend.)
The AGPL says "including scripts to control those activities" but if I understand what you are saying properly it means that the text of the AGPL is overreaching and some parts of it wouldn't be applicable?
Would the details depend on the country? Like it might be one thing under US law, and another in another country?
If the AGPL defines network access as distribution, it stands to reason that network access also counts as linking. See my other comments about a hypothetical proxy that thinly wraps mongoDB as an AGPL workaround, for why this gets hairy very quickly.
AGPL does not add any distribution clause... all distribution clauses are taken from the GPL...
The AGPL adds a modification clause so that if you ever modify the code even if you do not distribute the application, you still have to share the code or at least link to the version of the source code that you use. The loophole that AGPL fixes is that there are ways to avoid distribution.
This AGPL/GPL virality urban legend should have ended years ago.
