🐛 Copyright violation? #911

Open
1 task done
strager opened this issue Nov 27, 2023 · 8 comments
@strager
Contributor

strager commented Nov 27, 2023

Environment information

N/A

What happened?

I was looking at Biome's software license and noticed two potential problems:

  1. Biome is based on Rome, but Rome attribution is not mentioned in Biome's MIT license. (Rome's license requires attribution.) There are ROME_LICENSE files with attribution, but they seem easy to miss compared to the main LICENSE-MIT file.
  2. Biome is released with an Apache 2 license, but Rome was not. Does Rome's MIT license allow relicensing under Apache 2? (I suspect not.) If not, did Biome get permission from Rome's copyright holder to relicense under Apache 2?

I think these might be problems; I am not certain. (I am not a lawyer at all.)

Expected result

I expect one of the following:

  1. Rome transferred copyright to Biome. There is (potentially private) documentation of this transfer somewhere. (Depending on the terms of Rome's CLA (if any), this might include asking all open source Rome contributors (including myself) for copyright assignment/transfer.)
  2. Biome's MIT license mentions the original Rome copyrights, and Biome is only licensed under MIT (not also Apache 2).

Code of Conduct

  • I agree to follow Biome's Code of Conduct
@nhedger
Member

nhedger commented Nov 27, 2023

> Biome is based on Rome, but Rome attribution is not mentioned in Biome's MIT license. (Rome's license requires attribution.) There are ROME_LICENSE files with attribution, but they seem easy to miss compared to the main LICENSE-MIT file.

The MIT license says:

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

It does not go into details as to where exactly the attribution should be made, only that it's present, so I think that what we're currently doing is fine. Mind you, I'm no lawyer either.

@ematipico
Member

I read a bit online about how things work.

Here are some things that I found that should answer our questions:

  • we are not changing a license, but we are adding a new one;
  • the file ROME_LICENSE covers the part where we give attribution; this is done in different ways, and it changes by org/company. For example, Facebook requires having their header in each file (when Rome was under the Facebook org, it worked like this for every file);
  • the new licensing isn't meant to be retroactive, which means that the old version of Biome will only have the MIT license. If we were to enforce Apache 2.0 to old versions, maybe we should have asked Rome Tools? This is a bit unclear to me, but as stated at the beginning, everything is still under MIT so logically there shouldn't be any issue

And of course, I am no expert. I will keep this open in case someone with more expertise than us can shed some light.

Unfortunately, Rome Tools Inc. is no more, so I am not sure how things would work.

@Conaclos
Member

Conaclos commented Nov 28, 2023

The new licenses are applied only to new written code. This should not cause legal issues. It is a common thing among projects.

@strager
Contributor Author

strager commented Nov 28, 2023

> the file ROME_LICENSE covers the part where we give attribution

This file is missing from Biome's public npm package and perhaps other distributions of the software. I guess this is easy to fix.

> we are not changing a license, but we are adding a new one

This is not my understanding. The public npm package's package.json says "MIT OR Apache-2.0":

"license": "MIT OR Apache-2.0",

I think this means that I (a recipient of Biome) can use Biome's Apache 2 license and ignore the MIT license. Doing this effectively replaces the Rome MIT license with Biome's Apache 2. I think this is not allowed by the MIT license.

> the new licensing isn't meant to be retroactive

Agreed; I didn't think so. I'm talking about the current version of Biome.

> The new licenses are applied only to new written code. This should not cause legal issues. It is a common thing among projects.

I understand what you are saying. As I showed above, though, Biome is seemingly removing the Rome MIT license from old code.

@ematipico
Member

> I think this means that I (a recipient of Biome) can use Biome's Apache 2 license and ignore the MIT license. Doing this effectively replaces the Rome MIT license with Biome's Apache 2. I think this is not allowed by the MIT license.

I am not sure because Apache 2.0 is a stricter version of MIT. If the consumer wants to consume Apache 2.0, they must copy the license AND provide a statement that says "This part of the code was heavily changed". Still, this is in line with MIT.

@charliermarsh

(Just chiming in as someone that's also been interested in relicensing under MIT OR Apache-2.0 in the past...)

When dual licensing under MIT OR Apache-2.0, you are requiring that all inbound contributions are licensed under both licenses, and allowing consumers of the code to choose either license to govern their use. My understanding (IANAL) is that you need explicit permission from the copyright holders (i.e., the contributors) in order to relicense from MIT to an MIT OR Apache-2.0 dual license. Otherwise, you're effectively relicensing MIT-licensed code (i.e., contributions made prior to the relicense) over which you do not hold copyright.

Back in 2016, there was a campaign around relicensing crates as per this policy -- you can see it in action in sfackler/rust-postgres-macros#19, rust-lang/rustup#44, etc.

What you could do is license future inbound contributions under the dual-license. But consumers of the library would still need to be "consuming" it as an MIT licensed project, since the project includes code that isn't licensed under Apache-2.0. I'm not sure how exactly you'd operationalize this (like, what you'd put in your LICENSE file and the license fields), but in theory it would mean that when you went around to relicense the project in the future, you wouldn't need to ask for explicit permission from committers that contributed after that date.

@strager
Contributor Author

strager commented Dec 3, 2023

> Apache 2.0 is a stricter version of MIT

Apache 2.0 is not a superset of MIT. If you have software licensed under Apache 2.0 (but not also MIT), you do not need to follow these instructions from the MIT license:

> The above copyright notice and this permission notice [MIT] shall be included in all copies or substantial portions of the Software.

@charliermarsh's interpretation of the Apache 2.0 and MIT licenses, and software licensing in general, matches my understanding.

@Conaclos
Member

(1) was recently completed. We now include the Rome copyright inside the MIT license files.

Regarding (2), to address any concerns, I suggest relicensing the old Rome code as well.
This will require asking every contributor to Rome's Rust codebase for the right to relicense under APACHE 2.
I am not sure how we should make it clear that these contributors have agreed to relicense (if they do)?
