I found two apps that seem to be violating the AGPL license. They both use the AGPL-licensed lemmy-js-client library, which means the apps themselves should also use the same license (which is the whole purpose of Copyleft). But they aren’t. I don’t know if Lemmy developers and contributors are aware of this.
The apps:
https://github.com/ando818/lemmy-ui-svelte - Apache license
https://github.com/aeharding/wefwef - MIT license
What should we do about this as a community? I informed one of the app’s developers about this and it doesn’t seem like they care. I wonder if some of the proprietary apps that are being developed right now also rely on this library.
Looks like you are correct, these projects are required to be AGPL: https://opensource.stackexchange.com/questions/2684/monetizing-and-licensing-with-agpl-libraries
When your program uses an AGPL library, then your whole program must be licensed under the AGPL.
I would simply create an issue in the relevant repositories and let them know.
After reviewing this, I’ve updated the license for Memmy. Frankly had no idea, good idea to let people know like you said and just kindly inform them through GitHub or otherwise.
Thanks for changing it so quickly :). Your app looks very cool, btw. I don’t use iOS, but I will start recommending it to others.
Edit: just noticed that it’s for Android too. But I assume it’s not in the store yet?
I think I got stuck in review hell. I resubmitted a build today.
Could you submit it to fdroid too since it is GPL now ;)
File an issue in their repos, sometimes people (understandably) do not understand licencing very well — or it might be they were granted an exception.
If that fails you can contact the library author and the repositories who host the code.
This.
Not all violations are ill-intended, and most amaetur devs aren’t specialists in licensing.
Most professional developers aren’t either. Many companies employ people and/or deploy software to detect license violations
Oracle has entered the chat.
They are loading this library via NPM AFAIK, so it is not included in the repo. Of course the final compiled release should be AGPL, but they are free to use a more liberal license in their own repo as long as it allows combining with AGPL software.
MIT for sure, but I think also Apache license (one way?) allows this so I think on license grounds this is ok. But IANAL.
That’s what I thought as well.
If you just clone the repo there will not be any sources from the AGPL:ed source within the project, only a text mentioning the name.
However if you build it locally, it will pull in the third party libraries. So as long as they aren’t distributing any built packages without a AGPL-compatible license, I don’t think they are doing anything wrong.
(IANAL)
Agreed, I think this is a misunderstanding as well of the AGPL but IANAL
Looks like wefwef just went AGPL: https://github.com/aeharding/wefwef/commit/ff7ee694edc8c7e5c47fc4c597e01aa123ce3ff0
Here’s the relevant section of the GPL FAQ:
https://www.gnu.org/licenses/gpl-faq.html#IfLibraryIsGPL
If a library is released under the GPL (not the LGPL), does that mean that any software which uses it has to be under the GPL or a GPL-compatible license? (#IfLibraryIsGPL)
Yes, because the program actually links to the library. As such, the terms of the GPL apply to the entire combination. The software modules that link with the library may be under various GPL compatible licenses, but the work as a whole must be licensed under the GPL. See also: What does it mean to say a license is “compatible with the GPL”?
I believe it’s up to the license holder to enforce it.
So notifying the respective projects can’t hurt, but if they refuse to comply, and the copyright owner of lemmy-js-client doesn’t care, then the code is probably licensed incorrectly
I mean if you really wanted to enforce it, anyone who contributed to Lemmy-js-client can submit a DMCA takedown. But that would be beyond silly, since most people are just trying to build cool things and don’t want to enter a licensing drama.
Best course of action is to point out the license error and let downstream figure it out.
The Free Software Foundation is a good place to learn about open source licensing and they can assist with enforcement if needed.
I’m just a bystander here, but I would recommend to take this very seriously. The free-software-writing community already gets a certain amount of license abuse from the corporate side (RHEL being a recent example). If we are being lax about license violations internally, that puts us in a much weaker position in the face of whatever is inevitably coming in the future.
E.g., maybe Meta grabs the MIT-licensed app, adds additional technology to it that makes life difficult for the existing Fediverse community, and deploys it, refuses to share their changes. They could do that anyway, and we might have to figure out how to respond to it, but it puts us on a lot firmer ground legally and PR-wise if we’ve been on point about our internal licensing up until that point vs. if no one’s really been bothered about license violations in the past.
It doesn’t mean that someone from the community who’s just trying to contribute something good and doesn’t share that viewpoint suddenly needs to become “the enemy.” We can just have an open discussion about the technical details of licensing and why they’re important. But I wouldn’t take it lightly.