Some interesting possible side-effects of AGPL-3

If you don’t know the AGPL-3, it’s the GNU Affero General Public License version 3. The interesting difference between this license and the more common GPL-3 is that makes the user able to receive the sources of the software used to provide them with a networked service.

Now this is a quite interesting license, because it fills a “loophole” of the GPL: if you provide a service over Internet that makes use of a software released under the GPL, you’re not asked to provide the source for it, even if you modify it, as long as you’re not distributing the software itself.

This “loophole”, as it might be seen by some, was already being considered years ago on the NoX-Wizard project, an Ultima OnLine server emulator that, in addition to the standard GPL-2 license, added an extra restriction of making available the source code of an eventual modified copy that was used as a public server.

I’m sure for many people this is a restriction in freedom, instead of an improvement, as they are no more free to take advantage of Free Software without giving back anything as long as they are keeping the modified version on their own systems.

On the other hand, I think it’s an important edge the one that AGPL provides to users and developers. Beside allowing the code to be available to every user of the service, it also has some interesting side-effects that I’d like to put a bit of light upon.

The first is that it makes it much more important for the people modifying the application to get in touch with upstream to make their changes included in the original repository: it makes sense to be able to just point to the upstream repository rather than having to deal with a different repository per service.

Related to this, it makes it possible for the various upstreams to see what the users are modifying of their code, and make the needed changes in the original codebase so that they can improve the software for all its users.

But even more interesting, AGPL-3 allows a much more powerful approach to services’ security. With the source code available, any security expert can look at the code, and see if there are obvious vulnerabilities. The most basic example is SQL injections or XSS vulnerabilities that might be introduced in an otherwise completely safe codebase by someone touching the code to integrate it in a different setup, or to extend its functionalities.

Of course this last note is not entirely positive, as it also means that any person with a decent knowledge of the language used can find those vulnerabilities too, and it might be a security risk if that person does have malicious intents.

This would give a compltely new meaning and an intersting spin to “beta” release of services, and would introduce, for web services, a peer-review that might actually make web security much tighter; as it is now, it’s vastly a security-through-obscurity approach.

On the other hand, I sincerely doubt that any “big” of the web services would see to start releasing their code as AGPL-3. The reason for this is quite obvious: a lot of services are there, offered “for free”, but have privacy statements that clearly show their primary intent is to harvest information about you; you might not mind, as it might actually help you somehow (like Amazon’s reccomendations) but if you actually knew the extent to which they arrive to gather your information, it might actually discourage you from using their service.

At any rate, I think I finally made up my mind, and once I’ll be back working on my Free Software projects, I’ll finally relicense Gitarella as I was thinking of doing last year. I already licensed my rbot plugins under that license and it seems to be working fine.

Exit mobile version