Trying again to find a license for FSWS

FSWS, standing for a pretty unimaginative “Flameeyes’s Static Web Site”, is simply a bunch of XSL template files that I have developed for my own website to start with and now serves a couple others of a few friends of mine. It is a close relative to what me and Darren worked on for the xine website but it’s not derived directly; it’s rather that I took decisions based on my experience with that, and with the non-generic templates I used for my website before that.

Now, I have written before of my searching for a license for the framework a few months back, and I’ve not yet found something that works for me. I asked Matija for help but I ended without the time to mail him the details and.. what the heck, why should I mail just him the details of what I’m looking for? Isn’t this what the “social” web is all about?

So again, let’s see the specifics about this: I want FSWS to be Free Software, by any standard, and I want it to be copyleft as well: if you modify it, I’d like to see the improvements, and make use of them, since if I modify it, my changes are available to everybody to begin with. This takes out the options of the simplest licenses, such as CreativeCommons, or MIT. Ideally, GPL should do the trick, but as we all should know, it’s a license that works best with non-Web software; for the “new world” of Web, even FSF created a new license, the AGPL; I’ve used AGPL-3 before, for my rbot plugins (the bugzilla one is used by the willikins bot that is on the #gentoo channels on Freenode).

But is AGPL-3 a good choice as it is? Nope, probably not. As I noted in that previous post, using AGPL-3 would make the generated website licensed under AGPL-3 as well, since it’s template we’re talking about. As you can guess, it’s not going to make it any fun to use a similarly-licensed system. And this is something that FSF knows themselves; the equivalent “old world Unix” situation is autoconf and its M4 macro files, for which they created a licensing exception that happens to be more or less what I need for my own code.. of course, the exception as it is, is not really general enough to apply to my use case.

In general, there are just a few points I need to make sure are respected:

  • the templates themselves are the core of the project; edit them, make them available; for what I’m concerned, I’m not interested in having the link to FSWS visible on the websites using it, just as long as there is a link to a downloadable tarball for them, something like a <link rel=“fsws:sources”> tag;
  • the generated website should be able to have any license at all; CC-ND, AGPL, proprietary, nothing should be stopped;
  • you can override and extend FSWS with more template elements; I’m actually a bit undecided on how to handle them; for what I’m concerned they should probably be allowed just as the resulting output, but it then get murky when you re-use the code from the original templates…

So now, what should I do for licensing this work, and publishing it? I want to get it right the first time, rather than deal with the fallout of bad decisions later!

Some interesting possible side-effects of AGPL-3

If you don’t know the AGPL-3, it’s the GNU Affero General Public License version 3 . The interesting difference between this license and the more common GPL-3 is that makes the user able to receive the sources of the software used to provide them with a networked service.

Now this is a quite interesting license, because it fills a “loophole” of the GPL: if you provide a service over Internet that makes use of a software released under the GPL, you’re not asked to provide the source for it, even if you modify it, as long as you’re not distributing the software itself.

This “loophole”, as it might be seen by some, was already being considered years ago on the NoX-Wizard project, an Ultima OnLine server emulator that, in addition to the standard GPL-2 license, added an extra restriction of making available the source code of an eventual modified copy that was used as a public server.

I’m sure for many people this is a restriction in freedom, instead of an improvement, as they are no more free to take advantage of Free Software without giving back anything as long as they are keeping the modified version on their own systems.

On the other hand, I think it’s an important edge the one that AGPL provides to users and developers. Beside allowing the code to be available to every user of the service, it also has some interesting side-effects that I’d like to put a bit of light upon.

The first is that it makes it much more important for the people modifying the application to get in touch with upstream to make their changes included in the original repository: it makes sense to be able to just point to the upstream repository rather than having to deal with a different repository per service.

Related to this, it makes it possible for the various upstreams to see what the users are modifying of their code, and make the needed changes in the original codebase so that they can improve the software for all its users.

But even more interesting, AGPL-3 allows a much more powerful approach to services’ security. With the source code available, any security expert can look at the code, and see if there are obvious vulnerabilities. The most basic example is SQL injections or XSS vulnerabilities that might be introduced in an otherwise completely safe codebase by someone touching the code to integrate it in a different setup, or to extend its functionalities.

Of course this last note is not entirely positive, as it also means that any person with a decent knowledge of the language used can find those vulnerabilities too, and it might be a security risk if that person does have malicious intents.

This would give a compltely new meaning and an intersting spin to “beta” release of services, and would introduce, for web services, a peer-review that might actually make web security much tighter; as it is now, it’s vastly a security-through-obscurity approach.

On the other hand, I sincerely doubt that any “big” of the web services would see to start releasing their code as AGPL-3. The reason for this is quite obvious: a lot of services are there, offered “for free”, but have privacy statements that clearly show their primary intent is to harvest information about you; you might not mind, as it might actually help you somehow (like Amazon’s reccomendations) but if you actually knew the extent to which they arrive to gather your information, it might actually discourage you from using their service.

At any rate, I think I finally made up my mind, and once I’ll be back working on my Free Software projects, I’ll finally relicense Gitarella as I was thinking of doing last year. I already licensed my rbot plugins under that license and it seems to be working fine.