August 19th, 2017
Translation: French by @gnieh_
Disclaimers: I am not a lawyer. I’m not speaking for Facebook, the ASF, or CouchDB. This is a personal view on the matter.
tl;dr: Projects at the Apache Software Foundation can no longer use dependencies that are distributed under Facebook’s “BSD+Patents” license, including React.
I’m trying to explain the situation in simple language and without bias. There is a lot of misinformation around this issue that I hope I can clear up here. If there is anything that I got wrong here, please do let me know.
April 20th: Apache Cassandra asked ASF legal if they could use RocksDB as a dependency, which was then licensed as BSD+Patents or GPL2.
June 17th: After a lengthy discussion, ASF’s Vice President of Legal Affairs Chris A. Mattmann concluded that Facebook’s BSD+Patents license is not compatible with ASF’s policies about dependencies.
July 15th: RocksDB changes its dual-license from BSD+Patents to Apache License 2.0 & GPL2 (that means you can choose to use either license when adding RocksDB as a dependency). As a result, RocksDB is now compatible with all ASF policies again.
July 17th: Upon searching for other dependencies with the BSD+Patents license, React is singled out and the ASF is asking for clarification in the hopes that it can follow the RocksDB example.
August 18th: Facebook releases a statement and closes the respective GitHub issue, stating they are staying with the BSD+Patents license.
To understand the conflict, we need to examine what the ASF and Facebook respectively are trying to achieve with their policies and licenses.
Aside: I want to make doubly clear that I’m not trying to take sides in any of this, I’m merely explaining the underlying intentions of very dense legal texts. In my opinion, both Facebook and the ASF can do whatever they want in terms of licensing. And if their goals differ, that might lead to conflict, like in this case. That’s unfortunate, but that’s the messy world we live in.
It is the ASF’s policy that anyone using Apache projects as a dependency for an Open Source or commercial project can do so without (m)any restrictions.
The Apache License 2.0 lists a few restrictions, briefly:
In return, the Apache License 2.0 then grants you a copyright license that lets you do whatever. This is what’s most relevant to other Open Source projects.
It also grants you a patent license, which is most relevant to commercial users of Apache projects.
As an example, this means I can take Apache CouchDB and release it as a new commercial and closed-source database JanDB, given that I abide by the requirements mentioned in the Apache License 2.0 (as summarised above), with or without modifications, for free or for money or any other purpose I choose.
This “downstream freedom” is a major reason why the ASF exists in the first place, and as such it is encoded in their policies and licenses.
Now, the Apache License 2.0 includes one more restriction and it’s part of the aforementioned patent license. If you are using an Apache project, you can’t use any of your patents to claim that the ASF or anyone else who is using that same project is infringing on your patent without losing the patent license to the Apache project.
In the JanDB example, if I hold a particular patent on database technology, I can’t sue any other CouchDB users over that patent, without also losing my patent license for CouchDB from the ASF. I can still sue them over other matters, including patents infringed on by other software the other companies are using.
In order to make it simpler for Apache projects to decide what kind of licenses their dependencies can have, the ASF has created a handy overview of allowed and disallowed licenses, and everything in between. The disallowed licenses are classified as “Category X” licenses. This list includes a number of very popular Open Source licenses including the GPL family and many others.
Facebook’s focus with its BSD+Patents license is protection against so-called “frivolous” or “meritless” lawsuits. In short: if you are a big company with lots of money and exposure, enterprising assholes will try to come after you for whatever reason to legally extract some of that money or exposure. Patents are a prime vehicle for such asshattery.
The BSD+Patents license is designed to minimise these lawsuits for Facebook, and with the August 18th decision they have confirmed that this remains a high priority.
The Facebook patent clause has a similar restriction to what the Apache License 2.0 states, except, it is broader in definition. Whereas the Apache License 2.0 version specifically restricts its clause to “the Work” (say Apache CouchDB), the Facebook patent license is revoked when any “Patent Assertion” is brought up against Facebook.
So if you have a patent that you think some part of Facebook infringes upon, but is unrelated to your use of React, you lose your patent license to React when you decide to sue Facebook over that patent. In the Apache License 2.0 case, you only lose the patent license if you assert the same infringement for the project you are yourself licensing (say Apache CouchDB in the “JanDB” example).
In October 2014, Facebook switched React from the Apache License 2.0 to BSD+Patents explicitly because it contains a broader protection, and in October 2016 confirmed their intentions in a call between the ASF and Facebook.
Projects at the Apache Software Foundation cannot use any dependencies that are labelled as Category X by the ASF’s Legal team. This includes React + ecosystem projects that are also released by Facebook under the BSD+Patents license. Projects that already use such dependencies cannot make any new releases past August 31st, 2017 including these dependencies, and have to migrate away from these dependencies now.
Affected projects are (at least): Cordova, Superset, TrafficControl, Ambari, Allura, Whimsy, Spot, Myriad, CouchDB, Lens, SensSoft, Sling (Updated August 22nd).
remove the dependency altogether, or find an alternative that has a compatible license, and deal with whatever extra work that needs to be done to make the migration.
move to a plugin architecture where the BSD+Patents licensed plugin is maintained and distributed outside of the ASF, but can be added by end-users.
Aside: it is true that there are projects that have (or claim) API compatibility with React, that come with compatible licenses. “Just use X” is a common recommendation that ignores a bunch of realities:
React is more than just its core: there is a wide ecosystem for many related tasks around building web apps. Many of those related projects are also licensed under BSD+Patents, so they can’t be used either, and few or no replacements exist for those. So “moving to X” is not as trivial as it might sound, depending on the level of other projects that are used on top of React. As a point of data, for CouchDB’s Fauxton admin interface, the porting work is estimated at 3+ months of dedicated developer time for switching away from React. In our case, it’s a significant time investment that takes valuable developer time away from other pressing matters.
React includes a number of technical innovations. Some folks have suggested moving to another framework that includes a subset of these innovations (say JSX), but not any of the other ones, including API compatibility. Moving to such a framework is significantly more work than the previous option. In CouchDB/Fauxton’s case, that is very likely prohibitive, but we’re still exploring options.
The ASF Legal team doesn’t proactively review any and all software licenses. This issue was brought up on April 20th, 2017, and resolved within the ASF by June 17th.
Nothing.
The incompatibility is between the BSD+Patents license and ASF policy.
Nothing.
Nothing.
Unless you are part of the ASF or another organisation that has a similar policy regarding the BSD+Patents license. There seem to be a few.
I can only speculate, but React is a much, much larger target, was differently licensed from the get-go, and Facebook is interested in having RocksDB support in Cassandra and seems to be contributing that work. But I wouldn’t know for sure.
Yes.
But I’d rather have the ASF and Facebook be upfront about their intentions than leaving things in the dark like most other Open Source projects and companies.