|
| 1 | +# Third Party Dependencies that have been Relicensed to AGPL |
| 2 | + |
| 3 | +## Background |
| 4 | + |
| 5 | +CNCF's IP policy is set forth in the [CNCF charter], section 11. |
| 6 | + |
| 7 | +Under the IP policy, CNCF projects use Apache-2.0 for their code. The CNCF |
| 8 | +Governing Board reviews and approves other non-Apache-2.0 licenses, for |
| 9 | +code in the repos or dependencies of CNCF projects, on an exception basis. |
| 10 | + |
| 11 | +The CNCF Governing Board has previously adopted an [Allowlist License Policy] |
| 12 | +that permits most permissively-licensed components to be automatically |
| 13 | +approved as exceptions, when used in an unmodified manner. |
| 14 | + |
| 15 | +However, components under other licenses -- particularly under copyleft-style |
| 16 | +licenses -- remain subject to approval by the CNCF Governing Board. This is |
| 17 | +not because such licenses are inherently problematic, but rather because |
| 18 | +they may add obligations that would not be expected by, or acceptable to, |
| 19 | +users of CNCF's projects under Apache-2.0. |
| 20 | + |
| 21 | +## Recent changes to dependencies' licenses |
| 22 | + |
| 23 | +Recently (in early 2021), CNCF projects have discovered that some existing |
| 24 | +dependencies they use have been relicensed by their licensors from |
| 25 | +Apache-2.0 to the GNU Affero General Public License v3.0, [AGPL-3.0]. |
| 26 | + |
| 27 | +The AGPL-3.0 license is a free and open source software license. However, |
| 28 | +it is a strong copyleft license, which means that when used or distributed |
| 29 | +in certain ways, it imposes copyleft obligations that go beyond the more |
| 30 | +permissive requirements of Apache-2.0. |
| 31 | + |
| 32 | +In addition, portions of AGPL-3.0's copyleft obligations apply to contexts |
| 33 | +where the AGPL-3.0 software is interacted with through a computer network. |
| 34 | +In the context of cloud-native software, this means that copyleft |
| 35 | +obligations may come into play under AGPL-3.0 where they would not for |
| 36 | +other GPL licenses, where distribution is the primary relevant trigger. |
| 37 | + |
| 38 | +This can present a problem for CNCF projects, where the license of the |
| 39 | +component they depend on was previously aligned with the CNCF project's |
| 40 | +own license, but is no longer aligned. |
| 41 | + |
| 42 | +## Recommendations |
| 43 | + |
| 44 | +There are a few approaches that CNCF projects should consider taking, for |
| 45 | +dependencies that fall into this category. |
| 46 | + |
| 47 | +### Switch to an alternative component |
| 48 | + |
| 49 | +The project will likely want to evaluate alternative components with |
| 50 | +similar functionality, and switch to one that is Apache-2.0 or that has |
| 51 | +a permissive license under the [Allowlist License Policy]. |
| 52 | + |
| 53 | +### Freeze the component at the version prior to the license change |
| 54 | + |
| 55 | +As a short-term solution, the project might consider freezing the version |
| 56 | +of the component so that it is fixed at the last release prior to the |
| 57 | +license change. |
| 58 | + |
| 59 | +This is unlikely to be tenable as a long-term solution, particularly as |
| 60 | +the prior release is presumably unlikely to continue receiving maintenance |
| 61 | +updates, security fixes, etc. |
| 62 | + |
| 63 | +### Seek an exception from the Governing Board |
| 64 | + |
| 65 | +If the project requires the now-AGPL-3.0 component as a mandatory |
| 66 | +dependency, it can request that the Governing Board grant an exception |
| 67 | +to the license policy. |
| 68 | + |
| 69 | +Please be aware that this is **highly** unlikely to be granted, and that |
| 70 | +the Governing Board has (at the time of this writing) not previously |
| 71 | +granted any exceptions for components that are under AGPL-3.0. |
| 72 | + |
| 73 | +If you do seek an exception, you will want to provide information about |
| 74 | +the specific component(s) and how they are being used. In particular, |
| 75 | +provide details about the boundaries and interactions between the project |
| 76 | +code and the third-party component, and whether the component |
| 77 | +is mandatory or optional for use with the project. |
| 78 | + |
| 79 | +The Governing Board may refuse to grant exceptions at its discretion; |
| 80 | +however, some of the considerations that the Governing Board might take |
| 81 | +into account are as follows: |
| 82 | +* if AGPL-3.0 code would be included directly in the source code repo, |
| 83 | +this is extremely unlikely to be approved as an exception. |
| 84 | +* if use of an AGPL-3.0 component is mandatory to use the CNCF project, |
| 85 | +it is highly unlikely to be approved as an exception. |
| 86 | +* if the component is an _optional_ run-time dependency, and is not |
| 87 | +enabled or incorporated by default, it may be more acceptable as an |
| 88 | +exception. |
| 89 | + * additionally, if the optional AGPL-3.0 component's licensor has made |
| 90 | + available interface tools (such as client libraries) that are under |
| 91 | + Apache-2.0 or a similar permissive license, that may also make it more |
| 92 | + acceptable as an exception. |
| 93 | + |
| 94 | +[CNCF Charter]: https://github.com/cncf/foundation/blob/master/charter.md |
| 95 | +[Allowlist License Policy]: https://github.com/cncf/foundation/blob/master/allowed-third-party-license-policy.md |
| 96 | +[AGPL-3.0]: https://www.gnu.org/licenses/agpl-3.0.en.html |
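Review bot: The "Seek an exception from the Governing Board" section (file lines 63-77) says what information to provide but never says where or to whom the request is submitted; add a sentence naming the channel, or a link to the process, so projects are not left guessing. Separately, the "Freeze the component" section (file lines 53-61) acknowledges that the pinned release is unlikely to keep receiving security fixes but gives no guidance for the interim; consider recommending that projects track vulnerabilities reported against the frozen version and set a target date for moving off it. Minor: the link label is written `[CNCF charter]` on file line 5 and defined as `[CNCF Charter]` on file line 94. Reference labels match case-insensitively in Markdown, so the link resolves, but a single spelling keeps the file consistent.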