Some interesting possible side-effects of AGPL-3

If you don’t know the AGPL-3, it’s the GNU Affero General Public License version 3. The interesting difference between this license and the more common GPL-3 is that it entitles the users of a networked service to receive the source of the software used to provide that service.

Now this is a quite interesting license, because it closes a “loophole” of the GPL: if you provide a service over the Internet that makes use of software released under the GPL, you are not required to provide its source, even if you modified it, as long as you are not distributing the software itself.

This “loophole”, as some might see it, was already being considered years ago on the NoX-Wizard project, an Ultima OnLine server emulator that, in addition to the standard GPL-2 license, added an extra restriction: the source code of any modified copy used to run a public server had to be made available.

I’m sure that for many people this is a restriction of freedom rather than an improvement, as they are no longer free to take advantage of Free Software without giving anything back as long as they keep the modified version on their own systems.

On the other hand, I think the edge that the AGPL gives to users and developers is an important one. Besides making the code available to every user of the service, it also has some interesting side-effects that I’d like to shed a bit of light on.

The first is that it makes it much more important for the people modifying the application to get in touch with upstream and have their changes included in the original repository: it makes sense to be able to just point to the upstream repository rather than having to deal with a different repository per service.

Related to this, it lets the various upstreams see which parts of their code users are modifying, and make the needed changes in the original codebase so that the software improves for all its users.

But even more interesting, AGPL-3 allows a much more powerful approach to the security of services. With the source code available, any security expert can look at the code and see whether there are obvious vulnerabilities. The most basic example is a SQL injection or an XSS vulnerability introduced into an otherwise completely safe codebase by someone touching the code to integrate it into a different setup, or to extend its functionality.
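To make that point concrete, here is an added example (my own illustration, not code from this page, from rbot, from Gitarella or from any other project mentioned here): a hypothetical upstream plugin that looks up and renders a user safely, the same two functions after a hypothetical downstream integration change, and a small source check that a reviewer could run over the published modified file. The module names, the queries, the markup and the two regexes are all assumptions made for the illustration; the point is that the second module is indistinguishable from the first to a user of the service unless its source is published.

```ruby
require 'cgi'

# Hypothetical upstream plugin code (constructed for this example): the
# integer check plus a bound parameter keeps user input out of the SQL text,
# and CGI.escapeHTML keeps it out of the markup.
module Upstream
  def self.user_query(id)
    raise ArgumentError, "id must be a positive integer" unless id.to_s =~ /\A\d+\z/
    ["SELECT name FROM users WHERE id = ?", [Integer(id)]]
  end

  def self.render_name(name)
    "<li>#{CGI.escapeHTML(name)}</li>"
  end
end

# Hypothetical downstream modification (constructed for this example): a
# lookup by name was added by interpolating the value into the statement, and
# the escaping was dropped while restyling the output. Both changes are
# invisible to the users of the service unless the modified source is
# published, which is what the AGPL requires.
module Downstream
  def self.user_query(name)
    "SELECT name FROM users WHERE name = '#{name}'"
  end

  def self.render_name(name)
    "<li>#{name}</li>"
  end
end

# What a reviewer with the source can check mechanically: interpolation into
# a SQL statement, and interpolation into markup that bypasses the escaper.
# Both patterns are deliberately simple; they catch the two classes of change
# above, not every possible variant.
SQL_INTERPOLATION = /\b(SELECT|INSERT|UPDATE|DELETE)\b.*#\{/i
UNESCAPED_MARKUP  = /<[a-z]+[^>]*>#\{(?!CGI\.escapeHTML)/

# Returns [line_number, kind] pairs for every suspicious line in +source+.
def review_source(source)
  findings = []
  source.each_line.with_index(1) do |line, number|
    findings << [number, :sql_interpolation] if line =~ SQL_INTERPOLATION
    findings << [number, :unescaped_markup] if line =~ UNESCAPED_MARKUP
  end
  findings
end

# Review this very file: only the Downstream lines should be reported.
def self_review
  review_source(File.read(__FILE__))
end

if __FILE__ == $0
  # The same payloads against both versions of each function.
  puts Downstream.user_query("' OR '1'='1")
  puts Downstream.render_name("<script>alert(1)</script>")
  puts Upstream.render_name("<script>alert(1)</script>")
  self_review.each { |number, kind| puts "line #{number}: #{kind}" }
end
```

Running the file prints the downstream query with its WHERE clause rewritten by the payload, the unescaped script tag, the escaped one from the upstream function, and the two findings of the review pass, which land exactly on the two modified lines. Whether anyone outside the service operator can run such a check at all is the difference the license makes.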

Of course this last point is not entirely positive, as it also means that anyone with a decent knowledge of the language used can find those vulnerabilities too, which is a security risk if that person has malicious intent.

This would give a completely new meaning and an interesting spin to “beta” releases of services, and would introduce, for web services, a peer review that might actually make web security much tighter; as it is now, it’s largely a security-through-obscurity approach.

On the other hand, I sincerely doubt that any of the “big” web services will start releasing their code as AGPL-3. The reason for this is quite obvious: a lot of services are offered “for free” but have privacy statements that clearly show their primary intent is to harvest information about you; you might not mind, as it might actually help you somehow (like Amazon’s recommendations), but if you actually knew the extent to which they go to gather your information, it might discourage you from using their service.

At any rate, I think I’ve finally made up my mind, and once I’m back working on my Free Software projects, I’ll finally relicense Gitarella as I was thinking of doing last year. I already licensed my rbot plugins under that license and it seems to be working fine.

Yet again rbot

Yes, I know I’m boring when I talk about a given topic for a few days in a row. At the moment I’m boring about rbot, which I worked on a bit today too.

First of all, the news is that no further dependencies are needed or added to the ebuild, good. I also fixed the time plugin so that it’s disabled if the timezone USE flag is not present. This should let the build stay quiet for a while.

Then I cleaned up the bugzilla plugin a bit, re-enabled it in ServoFlame, added the xine bug tracker and… prepared to release it.

I started versioning it in git, and I put a tarball on my site so that it’s easier to find. I also changed the license: it was MIT, but it’s now Affero GPL 3.

Why Affero? Well, plugins for a bot are something you often end up editing to improve; forcing users to actually make their changes available should make it easier to improve the code in the long run. I also find it interesting to see whether it will actually be used and the license properly applied (note that the easiest way would be to send the patches upstream, so that I make the modified plugin available to anyone).

If there are requests, I’ll probably put back the old MIT-licensed version; actually, at the moment even ServoFlame is using that, or rather a modified version of it, rather than the AGPL3 version (which is more advanced); this is because of the other thing I did after preparing a tarball of the plugin: I wrote an ebuild for it.

So if you have my overlay, just emerging net-irc/rbot-bugzilla will give you an rbot with my bugzilla plugin enabled, the httpclient package installed (as it’s a dependency), and a default configuration that already includes the Bugzilla instances ServoFlame has access to.

For now the ebuild is in my overlay; I’m still debating with myself whether I should add it to portage (and then actually use portage to maintain the bugzilla plugin used by ServoFlame, too), or wait.

Entertaining the idea of Affero GPL

Not sure if you heard, but the Free Software Foundation has finalised the text of the new Affero GPL version 3.

It seems a decent idea, an interesting idea, and now that it’s no longer GPL-incompatible (at least with GPLv3), it seems even more so.

Why am I thinking about this? Well, I wanted to restart working on gitarella in the near future, and then I wondered: what if I relicense it under the Affero GPL? Apart from the CSS styles, which I can mostly replace now, as I rewrote most of the HTML anyway, the Ruby code is all mine, and relicensing is not an issue.

The advantage of changing the license to AGPL3 is that if someone wants to fix or change some behaviour in a production Gitarella server, they also have to make the modification available. My suggestion would then be to just make a cloned repository of Gitarella itself available on the page, so that it could be fetched right from there.

I don’t really think this is too much hassle, and it would probably prevent closed-source derivatives from being put in production. I certainly don’t like modified code put online without patches being sent to the authors or at least made available to users (like I did for my typo 4.0 patches).