The discussion of the new Graphviz license sort of petered out, but I think there is a widespread interest into reaching a conclusion. Therefore, I'm trying to ferret out dissent by the ancient and venerable tactic of asserting that a consensus exists:
*D R A F T* Debian licence summary of the Common Public License version 1.0 It has been brought to the attention of the debian-legal mailing list that the pupular graph rendering software Graphviz has been relicensed under the [1] Common Public License. The general interest in having Graphviz as a part of Debian have lead us to conduct a review of the new license, even though such reviews normally take place only at the request of a software author or prospective packager. [1] http://graphviz.org/License.php Conclusion: Though the discussion on debian-legal has not been completely conclusive, none of the proposed objections against the freedom of the CPL have received widespread support. It is thus likely that the ftpmasters would accept a package of the current upstream Graphviz version into 'main'. (There is currently a package of a Graphviz version prior to the relicensing in 'non-free'). CAVEAT: The Debian project's decisions about the freedom of a piece of software are not final in the sense that they cannot be reversed later as a deeper understanding of the license and/or the Debian Free Software Guidelines develops. Reevaluations do not happen on a set schedule, but can be opened anytime someone notices a point that has not been observed in the initial discussion. We consider this to be an integrated part in the project's continued effort to stay true to the principles laid down in our Social Contract. Historically, the trend in our application of the DFSG has been toward less tolerance of license requirements that could be construed burdensome for the licensee. Though the current consensus is based on the sincerely expressed opinions of the participants in the discussion, upstream authors of CPL-licensed software should be aware that it is conceivable that a later consensus will deem the license not free. This is, of course, the case whenever we decide that a license is free, but we feel it appropriate to warn about it explicitly in this case, because of the relative weakness of the consensus, and also because the features of the license that attracted doubt do not appear to be deliberately designed into the license. The discussion of the license uncovered two possible problems with it. As mentioned in conclusion, there is not any consensus that either of the problems makes the software non-free, but they could nevertheless be considered "bugs" in the license. We stongly encourage upstream authors as well as IBM (the license drafter) to fix these points in a future version of the software and/or the license, even if the fixes are not currently considered necessary for inclusion in Debian. Problem 1: Section 4 of the license contains, among other things: | Therefore, if a Contributor includes the Program in a commercial | product offering, such Contributor ("Commercial Contributor") | hereby agrees to defend and indemnify every other Contributor | ("Indemnified Contributor") against any losses, damages and costs | (collectively "Losses") arising from claims, lawsuits and other | legal actions brought by a third party against the Indemnified | Contributor to the extent caused by the acts or omissions of such | Commercial Contributor in connection with its distribution of the | Program in a commercial product offering. There is a fear that the literal application of this clause will cause a commercial distributor (note that the license defines "Contributor" as any distributor, even one that does not change the program itself) to incur a completely open-ended liability whose size he can do nothing to to control or limit in advance, save for refraining to distribute the software at all. For example, consider a Debian user who, in agitation over not being able to get Graphviz to do what he wants, manages to spill hot coffee over his body, gets severe burns, and sues AT&T for $2.7e6 in damages. This suit will (hopefully) be thrown out of court as frivolous, but AT&T would probably incur some legal costs in the process of *having* it thrown out of court. However, the accident would not have happened unless somebody had sold the user a DVD with Debian (and Graphviz) on it, and in this way the suit can be said to be "caused by the act" of distributing Graphviz commercially to the user. A literal application of the indemnification clause might therefore make the DVD distributor liable for AT&T's legal expenses. We can consider this clause free only because we cannot imagine that any court would allow it to be enforced at the draconian level implied by its verbatim meaning. In fact, we cannot imagine a court enforcing it at all beyond the cases where the commercial contributor could be held liable based on negligence, irrespective of any additional contractual or license obligations to that effect. In summary, this can only be free because we believe it is a legal no-op. If, later, a court precedent turns out to prove our belief wrong, by upholding this or a similar clause in a case where there is no negligence on the part of the identifier, we shall have to henceforth consider all such clauses non-free and remove, for example, Graphviz and Postfix (whose license contains identical language) from Debian's 'main' section. Problem 2: Section 3 of the license contains this language, which also applies to distribution of modified sources: | When the Program is made available in source code form: | a) it must be made available under this Agreement; | [...] Similar requirements are commonly found in other "copyleft" licenses such as the GNU GPL, and generally considered to be compatible with the DFSG. However, it becomes potentially problematic in combination with this language from section 7: | The Agreement Steward reserves the right to publish new versions | (including revisions) of this Agreement from time to time. No one | other than the Agreement Steward has the right to modify this | Agreement. IBM is the initial Agreement Steward. IBM may assign | the responsibility to serve as the Agreement Steward to a | suitable separate entity. Each new version of the Agreement will | be given a distinguishing version number. The Program (including | Contributions) may always be distributed subject to the version | of the Agreement under which it was received. In addition, after | a new version of the Agreement is published, Contributor may | elect to distribute the Program (including its Contributions) | under the new version. The result of this is that a programmer who wants to distribute a version of the program that contains modifications authored by himself must allow IBM to later publish a new version of the license that gives somebody (or anybody) more rights than the programmer himself had in the first place. This later version will automatically and retroactively apply to the modifications. (For example, the new version of the license might state that the restrictions in section 3 and 4 do not apply to people who pay IBM to be exempted. In this way the programmer's work would be turned into a cash cow for IBM exclusively, which he probably will not be happy with). It is instructive to compare this to the situation with the GNU GPL, which contains a superficially similar upgrade mechanism. A programmer who releases his work under the GPL, "version 2 or, at your option, any later version" runs a simiar risk that the Free Software Foundation will later issue a new GPL which is more permissive than the programmer would have accepted. The difference is that the GPL never _requires_ anybody to license their work under the "any later version" scheme. Even if a programmer bases his work on code he got under "version 2 or later" he is permitted to license his own modifications to it under a strictly "version 2" license if he distrusts the FSF. There is no consensus on debian-legal that the implied requirement to let IBM retroactively sublicense modifications to the work is or is not burdensome enough to consider the license non-free. After all, most free software contributors seem to find it unproblematic to contribute code under, e.g., "GPL, version 2 or later" terms. However, it is reasonable to expect that the Graphviz authors did not intend the license to work that way. We would suggest that they at least amend their licensing notice with an explicit exemption that would allow contributors to escape the upgrade mechanism if they sufficiently distrust IBM. (We do not mean to suggest that there is any reason to distrust IBM in particular. As far as we are aware, the individuals currently in charge of IBM's free software activities are perfectly honest and well-meaning people who would never dream of betraying the trust placed in them by the Graphviz authors by using the license they manage. However, the legal power to issue revised license terms rests not with those particular people, but with the legal entity IBM, a publically held corporation. As a general rule such entities can be expected to uphold moral, non-legal, commitments only for as long as it is considered commercially beneficial, or as long as the shareholders don't notice). -- Henning Makholm "We can hope that this serious deficiency will be remedied in the final version of BibTeX, 1.0, which is expected to appear when the LaTeX 3.0 development is completed." -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
