Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dual licensing under Apache and MIT #2339

Closed
mwcampbell opened this issue Apr 26, 2022 · 33 comments · Fixed by #3108
Closed

Dual licensing under Apache and MIT #2339

mwcampbell opened this issue Apr 26, 2022 · 33 comments · Fixed by #3108

Comments

@mwcampbell
Copy link

How difficult would it be to dual-license PyO3 under the Apache and MIT licenses, like Rust itself? This would work around the incompatibility between the Apache license and GPL 2. I ask about this because I'm thinking about using PyO3 in an add-on to a GPL 2 program.

@davidhewitt
Copy link
Member

A good question. I am by no means an expert in licensing law.

https://opensource.stackexchange.com/a/2032 suggests it could be very difficult. If all previous PyO3 contributors need to grant approval then in practice this may be impossible.

I'm sure that this must be done from time to time with open source projects. If you can find examples of how projects have done this in practice, I would be happy to cast my vote for dual licensing if a process was agreed.

@alex
Copy link
Contributor

alex commented Apr 26, 2022

We did this on pyca/cryptography many years ago: pyca/cryptography#1209 is how we did it.

@kngwyu
Copy link
Member

kngwyu commented Apr 27, 2022

Yeah I think in theory we can do it, though it might take time since we now have 182 contributors.

@davidhewitt
Copy link
Member

@alex thanks for sharing that. How did you identify the list of contributors to contact? Was it just everyone who had ever submitted to the repo?

@alex
Copy link
Contributor

alex commented Apr 27, 2022

Yeah, git log

@mwcampbell
Copy link
Author

I'm willing to personally donate some money to help pay someone to take care of this. There's a GPL2-licensed Python-based project I care very much about that, I think, could benefit from gradually adopting Rust in some extension modules. It would be unfortunate if the technical implementation of this had to be compromised due to a license incompatibility.

@davidhewitt
Copy link
Member

Sorry for running slow on this. I'm not sure a financial incentive is necessary here. It should be straightforward enough to generate a list of contributors and ask for approval.

Presumably that list would include all contributors from rust-cpython before this project was forked? A good first step may be to seek opinions from @dgrunwald and @fafhrd91 on what they think of changing PyO3 to be dual licensed.

@kngwyu
Copy link
Member

kngwyu commented May 18, 2022

I just note that rust-cpython is distributed under MIT license. I hope it won't make the problem more complex.

@DataTriny
Copy link
Contributor

I'm also interested in this.

@dgrunwald and @fafhrd91: would you agree to such a change?

If yes, I'm willing to handle the task of contacting everyone and updating necessary files.

@dgrunwald
Copy link
Contributor

I am OK with dual-licensing rust-cpython under the Apache and MIT licenses.

@mwcampbell
Copy link
Author

As far as I can tell, rust-cpython is already licensed under only the MIT license. That's fine with @DataTriny and me. It's the Apache license that's problematic, since it's incompatible with GPL 2. So the license of PyO3 needs to change, but not the license of rust-cpython.

@fafhrd91
Copy link
Contributor

it is fine with me

@davidhewitt
Copy link
Member

Thanks @DataTriny! Do you want to start a PR to change the license? On that PR discussion you can maintain a checklist which can be maintained and can chase up all past contributors?

To keep things correct I think we should also request new contributors agree to their changes being relicensed while we are in the transition period.

@DataTriny
Copy link
Contributor

@davidhewitt Yes, that's exactly my plan. But I've counted around 250 contributors. So making sure I collect accurate information on everyone will take me a couple of days!

Indeed, making sure new contributors agree to the new licensing scheme before their changes get merged here is necessary. I'll keep an eye on this repo, but it would be nice if you could enforce this rule as well.

@DataTriny
Copy link
Contributor

I just opened #3108. Unfortunately it looks like I can only mention 50 people in a comment, so we'll have to do this gradually...

@mrl5
Copy link
Contributor

mrl5 commented Apr 17, 2023

good luck :) for future you might consider this tiny doc to be useful -> https://github.com/mrl5/private-wiki/blob/master/open-software-licenses.md

@davidhewitt
Copy link
Member

Thanks @DataTriny for starting the thread with #3108. It looks like we have most contributors, however not everyone has replied so I guess we'll need to ping or chase them again? Do you have a plan how we can do that?

@birkenfeld
Copy link
Member

birkenfeld commented May 4, 2023

BTW if only a few are unresponsive, it is worth going through their commit(s) to determine if their contribution is either so small as to not be relevant for copyright, or can be reimplemented, or not even present anymore in the current code base.

@DataTriny
Copy link
Contributor

Indeed we still haven't heard from 40 people or so. I wanted to wait a bit before contacting contributors directly by email but I think enough time has passed, so I will start doing it.

However, I expect to not receive a reply from everyone, so at some point I plan to go evaluate each contribution. If it's small, we will have to get rid of it and maybe rewrite it.

It would not be safe to ignore someone and relicense with their contribution still in the git history.

@davidhewitt davidhewitt pinned this issue Jun 2, 2023
@davidhewitt
Copy link
Member

Done and opened #3199

@DataTriny
Copy link
Contributor

DataTriny commented Jun 4, 2023

As only a few past contributors haven't given their consent, and since it's becoming very hard to get their attention through emails or social media, I have compiled their commits in the below table.

Commit Author Current status Possible actions
384f32a @cecini Only a few LOCs remain and have been moved to pyo3-build-config/src/impl_.rs, change log written by @davidhewitt apparently. Could be replaced as part of housekeeping for #3204?
51e7d55 @potocpav Modified impl block seem to not exist anymore. Discard the commit.
2c0a866 @thanatos The fixed example have been removed. Discard the commit.
80502bd @thanatos All typos that have been fixed are on lines that have later been modified in one way or another. Discard the commit.

What should "Discard the commit" mean? Ideally we would like to have their names out of the git history, but this might be too destructive of an action.

@adamreichold
Copy link
Member

What should "Discard the commit" mean? Ideally we would like to have their names out of the git history, but this might be too destructive of an action.

I think that is certainly too destructive. I think it would be preferable to for example commit this analysis and the verdict for the various commits into the repository as well to have paper trail for the future instead of rewriting history.

@davidhewitt
Copy link
Member

One option could be to commit a git revert for each of the commits to discard. Downside - it might be a bit busywork-heavy, as any modifications which conflict with newer changes would need manually fixing up (possibly forcing new implementations to be written instead). Upside - it very clearly actions the removal of those contributions in the git history.

@DataTriny
Copy link
Contributor

I plan to send a last email probably tomorrow.

I also think revert commits is a good option. I have never done this on that scale, but we don't have many commits and they are all limited in scope. I can start this work during the weekend.

It would probably be better if I commit them before the relicensing update, in separate PRs. What do you think?

@alex
Copy link
Contributor

alex commented Jun 6, 2023

I am not a lawyer, you should consult with a lawyer and not take legal advice from software engineers on the internet. (Se

In copyright law, there is the idea that some contributions to works are de minimis, and therefore are not eligible for copyright, because they are too small to truly be a creative work (see https://www.lsd.law/define/de-minimis-test). To my understanding, several of these commits likely fall into this category, and thus permission from the original author isn't required to relicense it, because as a matter of law they do not hold a copyright interest.

I cannot stress enough that I'm not a lawyer, nor do I play one on television. If you'd like to speak to a lawyer with expertise in these issues, Van Lindberg (General Counsel to the Python Software Foundation) may be able to provide real advise.

@davidhewitt
Copy link
Member

Thanks - I plan to find time to reach out to Van Lindberg and also to the Rust Foundation next week.

@DataTriny
Copy link
Contributor

Sorry for not coming back to this earlier, I still have other priorities at the moment.
Thanks @alex for the resource. The fact that you are not a lawyer is not an issue, the fact that the link you provided don't seem to reference previous court decisions is more problematic. What we have to find IMO is an instance of a court ruling in the software space that would give us indications. Is fixing a typo important for copyright? Probably not. Is updating a paragraph in the documentation enough? Maybe, maybe not.

I don't plan to reach out to the remaining contributors at this point. They probably won't reply so we have to take care of the 6 commits left.

@mwcampbell
Copy link
Author

@davidhewitt Have you found time to reach out to Van Lindberg or the Rust Foundation yet?

I now know of a concrete case where this relicensing effort matters: MathCAT for Python uses PyO3, but includes an add-on for the NVDA screen reader, which is under GPLv2. This add-on might itself introduce a license incompatibility, but I know that the primary developer of MathCAT wants to introduce it into the core of NVDA, and that would definitely raise the issue of the incompatibility between the Apache License and GPLv2. I opened this issue in the first place because I wanted to use PyO3 for a future NVDA add-on project of my own, but that's only hypothetical; the MathCAT add-on is already here.

@davidhewitt
Copy link
Member

Afraid not yet. I've blocked out some time on Friday to reach out. (Unfortunately my family were sick when I had attempted to block out time the other week.)

@davidhewitt
Copy link
Member

The response from Van Lindberg (many thanks):

You have two options:

  1. Remove / reimplement the contributions as you have discussed
  2. Sublicense. The Apache License allows sublicensing under a different license. That means that you can provide all or a subset of the rights you received under a different license. The trick here is to realize that the contributions will still be Apache licensed and you will need to acknowledge that fact, but you can identify that those parts are Apache-licensed and then sublicensed by you under MIT. It's a little more work to explain, but would allow you to move ahead. Over time you could remove/reimplement or just be ok with that one little complication.

I didn't ask about "de minimis" contributions specifically (my bad).

I suggest we move forward by reverting the commits, I'll open a PR to do that.

@DataTriny
Copy link
Contributor

DataTriny commented Aug 15, 2023

With #3387 merged, I rebased #3108 so I think it is now ready for a final review. Let's make this quick, preferably before merging any pull request from new contributors.

@davidhewitt davidhewitt unpinned this issue Aug 16, 2023
@davidhewitt
Copy link
Member

Great effort everyone, we did it! I think there's not too much left which I think must make it into the 0.20 release, so hopefully within a couple of weeks we will publish a new version with this license.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

11 participants