Re: [Trustees] Proposed Revisions to the IETF Trust LegalProvisions (TLP)

[Marshall Eubanks <tme at americafree.tv>]

Dear Simon;

Just to save people from having to wade through lots of text  
unnecessarily, the major issue we are discussing here
is the "license by reference" aspect of the proposed TLP's BSD license  
requirements.

On Jun 23, 2009, at 1:16 PM, Simon Josefsson wrote:

> Marshall Eubanks <tme at americafree.tv> writes:
>
> > Simon asked that this go to the IETF list.
>
> Thanks for moving this back to the IETF list.  I believe these
> discussions should be public.  Many considerations appears to have  
> been
> made that the wider IETF community is unaware of.

At least in this case, there was no secrecy intended - I just hit  
"reply all." It had
come to me with the distribution stripped out.

> I would expect information like this to be part of the IETF Trust
> minutes, but it seems no minutes have been published since September
> 2008: http://trustee.ietf.org/minutes.html

We are working on this and expect to get caught up soon - but minutes  
will rarely capture
all of the details of such discussions.

> > Begin forwarded message:
> >
> > > From: Marshall Eubanks <tme at americafree.tv>
> > > Date: June 23, 2009 11:30:50 AM EDT
> > > To: Simon Josefsson <simon at josefsson.org>
> > > Cc: Trustees <trustees at ietf.org>
> > > Subject: Re: [Trustees] Proposed Revisions to the IETF Trust
> > > LegalProvisions (TLP)
> > >
> > >
> > > On Jun 23, 2009, at 10:18 AM, Simon Josefsson wrote:
> > >
> > > > "Contreras, Jorge" <Jorge.Contreras at wilmerhale.com> writes:
> > > >
> > > > > > > 4.e -- this new section clarifies the legend requirements for  
> > > > > > > Code
> > > > > > > Components that are used in software under the BSD License.
> > > > > > In short,
> > > > > > > the user must include the full BSD License text or a shorter
> > > > > > > pointer
> > > > > > > to it (which is set forth in Section 6.d)
> > > > > > ...
> > > > > > > 6.d -- the BSD legend/pointer described in 4.e above
> > > > > >
> > > > > > The text in 6.d doesn't work.  Part of the BSD license (quoted in
> > > > > > your
> > > > > > document) is this paragraph:
> > > > > >
> > > > > > Redistributions in binary form must reproduce the above copyright
> > > > > > notice, this list of conditions and the following disclaimer in  
> > > > > > the
> > > > > > documentation and/or other materials provided with the
> > > > > > distribution.
> > > > > >
> > > > > > If you replace the BSD license with a pointer, you would violate
> > > > > > that
> > > > > > part of the BSD license.
> > > > > >
> > > > > > To avoid simple mistakes when changing things related to the
> > > > > > BSD license
> > > > > > (which now appears to be the norm rather than the exception) I
> > > > > > believe
> > > > > > it would be a good idea for the IETF Trust to talk with people  
> > > > > > and
> > > > > > organizations who understands open source licensing.  I'm sure  
> > > > > > the
> > > > > > Software Freedom Law Center could help here.
> > > > >
> > > > > Simon (removing the large cc list):
> > > > >
> > > > > This language was added after extensive review and consultation  
> > > > > with
> > > > > open source experts, including members of the IESG.  There are
> > > > > several
> > > > > open source projects (including some run by Yahoo) that use a
> > > > > pointer
> > > > > for the BSD license, rather than the full text.  We do not think
> > > > > this is
> > > > > a violation of the BSD language.  You may disagree, which is why
> > > > > there
> > > > > is a public comment period for these documents.  But please don't
> > > > > assume
> > > > > that these decisions were taken rashly or without serious
> > > > > consideration.
> > > >
> > > > Can you name the open source projects that operate like this?  I've
> > > > never heard of a model like this before, and I'm interested to  
> > > > learn
> > > > about it if it is used successfully.
> > >
> > > Dear Simon;
> > >
> > > There was a lot of discussion about this inside the Trust, and I was
> > > originally in favor of
> > > sticking with the BSD 15 line template and was very dubious about a
> > > "license by reference" approach. However, there was push-back on the
> > > length of this (from, e.g. Pasi Eronen), and then Russ found out
> > > that for YAHOO the
>
> Before continuing the response, should we understand that the  
> rationale
> for this change is to shorten the license text that has to be included
> in derived works?  Did the Trust do anything to identify whether the
> wider IETF community feels this is a problem?  In other words: on  
> whose
> behalf is this change made?

We received complaints about the February 15th TLP in this regard.

> If that is the rationale, has an alternative to the BSD license been
> considered?

The answer is yes, alternatives were considered, but this is a  
complicated issue.
Part of the advice we received from the legal people
we talked to was to use a common license choice, lest corporations  
simply never use the code, to save
the expense of getting legal approval of the license. BSD seemed
to be strongly favored here, as something that is well known and used  
by lots of parties. This advice, as
far as I can tell, was virtually unanimous, both to the Trust as a  
whole, and to myself and others in our
individual discussions.

The GAP below seems simple, but that doesn't mean that corporate  
counsel would regard it as simple. I do not
know. (In my experience is very hard to get a corporate counsel,  
especially counsel you are not paying for, to
say that anything is OK. I am inevitably reminded of the J.R.R.  
Tolkien's saying :

"Go not to the elves for counsel, for they will say both yes and no.")

All of this makes it hard for me to see the wisdom of adopting another  
license.

>  The GNU All Permissive (GAP) license is comparable in size
> to the excerpt in 6.d.  The entire GAP license reads:
>
>     Copying and distribution of this file, with or without  
> modification,
>     are permitted in any medium without royalty provided the copyright
>     notice and this notice are preserved.
>
> Another option is to describe the common practice that many open  
> source
> packages are using: include a short blurb in the file or function that
> contains the derived work, pointing to a file included in the
> distribution.

Just as an aside, one thing that worried me about this was that we  
would have little or no control over
packages using IETF code. It seems better to me to keep a notice close  
to the code, instead
of requiring it in another file in a distribution that could be  
removed entirely, say if the
distribution was used in another distribution.

> > > > > YUI JavaScript library and the Django web framework (used in
> > > > > datatracker.ietf.org) don't include the license terms in every  
> > > > > file.
> > > >
> > > > The code contain this:
> > > >
> > > > /*
> > > > Copyright (c) 2009, Yahoo! Inc. All rights reserved.
> > > > Code licensed under the BSD License:
> > > > http://developer.yahoo.net/yui/license.txt
> > >
> > > It is not hard to find examples of this, both within Yahoo and
> > > without.
> > > See, e.g., http://developer.yahoo.com/yui/docs/AttributeProvider.js.html
>
> This usage is typical and fine.  In general, there are two reasons why
> this usage is fine.

Can you provide a reference here ? This was not the legal reasoning  
brought forth in the
discussions I was part of.

If there are any court cases that deal with this matter, we would love  
to learn about them.

We were told by counsel that there was no court cases involving  
license by reference and so, in their
absence, this would be in the end a matter of judgement on the part of  
the Trust and the IETF. The proposed TLP thus results from our best  
estimate of what is legally sound, informed of course by the Trust's  
legal counsel.

>  Only one condition needs to hold:
>
> 1) The publisher of the material is not a "redistributor" of the code
> under the BSD license.
>
> 2) The copyright holder includes the BSD license in the package.
>
> Note that Yahoo includes the entire copy of the BSD license where it  
> has
> used others code in the YUI package.
>
> The new IETF policy text suggests that recipients redistribute code
> components under the BSD license when they include only the  
> notification
> text in section 6.d.  I.e., not the entire BSD license text.  Doing  
> that
> would violate the letter of the BSD license.  This is not the same
> situation as for the Yahoo case, since the recipients of an IETF  
> work is
> neither the copyright holder nor does the redistributed combined work
> necessarily include the entire BSD license.
>
> > > So, we researched the status of the BSD license in this regard.
> > > I took it upon myself to query various people I know in the open
> > > software community
>
> That is excellent, and I applaud you for it.
>
> I believe this background information is important for the community  
> to
> know about, because information like this creates confidence in your
> work.  I'm curious why information like this is only communicated
> re-actively.  Is it due to lack of manpower?  It may be that
> communicating material like this pro-actively would create less work  
> in
> the long term.

It could be. I did not communicate this because I just assumed it was  
part of my job not to
approve anything without doing due diligence.


> > While the individual responses are private (I could certainly ask
> > people if they mind being quoted, but I wanted to get this out  
> > today),
> > typical is this :
> >
> > > "Yahoo is following common practice."
>
> They are indeed.  My claim is that the new IETF policy would result in
> situations where common practice is not followed.
>
> > > I did not receive a single negative response.
>
> Actually, one of the cut out responses said that re-distributors must
> include the BSD template in the distribution.  That is my concern.

I have asked them to comment publicly.

Regards
Marshall

> /Simon
>
> > > I also talked with corporate counsel from a large corporation with a
> > > heavy IETF involvement, who at least did not object to this.
> > >
> > > In addition, the other Trustees did their own research, and this was
> > > discussed both internally and externally over a period of over 2
> > > months.
> > >
> > > And, of course, our own counsel, Jorge Contreras, researched this
> > > and agrees with the feasibility of the license by reference
> > > approach.
> > >
> > > After all of this, the Trust developed consensus around the license
> > > by reference option.
> > >
> > > So, I feel that the Trustees have done due diligence here.
> > >
> > > Of course, there is never a final word on these matters. If you know
> > > reasons why this is inadvisable, I would be glad to hear them. That
> > > is, of course, why all of these matters go to community review.
> >
> > I of course extend this request to everyone. It is important to get
> > this right.
> >
> > Regards
> > Marshall
> >
> > > Regards
> > > Marshall
> > >
> > >
> > > > Which open source experts did you consult about licensing?
> > > >
> > > > Providing background information and rationale behind changes when
> > > > posting drafts would give you the benefit of doubt about these
> > > > issues,
> > > > and would probably build more confidence in the change within the
> > > > IETF
> > > > community.
> > > >
> > > > /Simon
> > >
> > > _______________________________________________
> > > Trustees mailing list
> > > Trustees at ietf.org
> > > https://www.ietf.org/mailman/listinfo/trustees