[gentoo-dev] [RFC] Adding potentially questionable license AcePerl-Indemnity

[gentoo-dev] [RFC] Adding potentially questionable license AcePerl-Indemnity

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 2470 bytes --]

I've just discovered dev-perl/Ace has some fun questionable licensing
which includes a lovely indemnity clause, which had previously gone
unnoticed, and it stipulates additional requests for research
publications, which is not something mentioned in any license currently
in tree other than Tinker

Following is the entire body of the license I plan to put in
licenses/AcePerl-Indemnity ( name chosen to specifically alert people
tempted to accept this license that Indemnification is an important
part they should actually read )

Current advice also says that due to the terms of this license, we have
to RESTRICT="mirror" this as well, unless the Trustees want to sign off
on potentially indemnifying CSHL

Also following up with CPAN because as its *currently* mirrored on
CPAN, and has been mirrored there for at *least* 12 years, its
potentially in a legal situation as well.

( But that's the fault of the uploader if true, because you can't
upload anything to CPAN without mirroring being something you didn't
expect )

Once this license is added, the plan is to rework Ace-*.ebuild to be under

LICENSE="|| ( Artistic GPL-1+ ) AcePerl-Indemnity" 

Upstream: https://metacpan.org/source/LDS/AcePerl-1.92/DISCLAIMER.txt

Text Body:

==============

The Ace.pm package and all associated files are Copyright (c) 1998
Cold Spring Harbor Laboratory.
 
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.  See the Artistic License file
in the main Perl distribution for specific terms and conditions of
use.  In addition, the following disclaimers apply:
 
CSHL makes no representations whatsoever as to the SOFTWARE contained
herein.  It is experimental in nature and is provided WITHOUT WARRANTY
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY OTHER
WARRANTY, EXPRESS OR IMPLIED.  CSHL MAKES NO REPRESENTATION OR
WARRANTY THAT THE USE OF THIS SOFTWARE WILL NOT INFRINGE ANY PATENT OR
OTHER PROPRIETARY RIGHT.
 
By downloading this SOFTWARE, your Institution hereby indemnifies CSHL
against any loss, claim, damage or liability, of whatsoever kind or
nature, which may arise from your Institution's respective use,
handling or storage of the SOFTWARE.
 
If publications result from research using this SOFTWARE, we ask that
CSHL be acknowledged and/or credit be given to CSHL scientists, as
scientifically appropriate.

==============


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[gentoo-dev] Re: [RFC] Adding potentially questionable license AcePerl-Indemnity

[Alec Warner]

[-- Attachment #1: Type: text/plain, Size: 3144 bytes --]

On Wed, Apr 22, 2020 at 3:33 PM Kent Fredric <kentnl@gentoo.org> wrote:

> I've just discovered dev-perl/Ace has some fun questionable licensing
> which includes a lovely indemnity clause, which had previously gone
> unnoticed, and it stipulates additional requests for research
> publications, which is not something mentioned in any license currently
> in tree other than Tinker
>
> Following is the entire body of the license I plan to put in
> licenses/AcePerl-Indemnity ( name chosen to specifically alert people
> tempted to accept this license that Indemnification is an important
> part they should actually read )
>
> Current advice also says that due to the terms of this license, we have
> to RESTRICT="mirror" this as well, unless the Trustees want to sign off
> on potentially indemnifying CSHL
>

I think it's less about the Foundation (I'm happy to indemnify them) but
the indemnification reads as viral to me and so anyone that operated a
distfiles mirror would also implicitly indemnify[0] (through mirroring from
us) and it seems unlikely this is a thing we would encourage because our
distfiles operators are relying on some diligence on our own end to avoid
excessive liability for files we provide to them.

-A

[0] Whether this would hold up is another matter, but I'm fine with
restricting the mirroring of aceperl to avoid this complication.



>
> Also following up with CPAN because as its *currently* mirrored on
> CPAN, and has been mirrored there for at *least* 12 years, its
> potentially in a legal situation as well.
>
> ( But that's the fault of the uploader if true, because you can't
> upload anything to CPAN without mirroring being something you didn't
> expect )
>
> Once this license is added, the plan is to rework Ace-*.ebuild to be under
>
> LICENSE="|| ( Artistic GPL-1+ ) AcePerl-Indemnity"
>
> Upstream: https://metacpan.org/source/LDS/AcePerl-1.92/DISCLAIMER.txt
>
> Text Body:
>
> ==============
>
> The Ace.pm package and all associated files are Copyright (c) 1998
> Cold Spring Harbor Laboratory.
>
> This library is free software; you can redistribute it and/or modify
> it under the same terms as Perl itself.  See the Artistic License file
> in the main Perl distribution for specific terms and conditions of
> use.  In addition, the following disclaimers apply:
>
> CSHL makes no representations whatsoever as to the SOFTWARE contained
> herein.  It is experimental in nature and is provided WITHOUT WARRANTY
> OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY OTHER
> WARRANTY, EXPRESS OR IMPLIED.  CSHL MAKES NO REPRESENTATION OR
> WARRANTY THAT THE USE OF THIS SOFTWARE WILL NOT INFRINGE ANY PATENT OR
> OTHER PROPRIETARY RIGHT.
>
> By downloading this SOFTWARE, your Institution hereby indemnifies CSHL
> against any loss, claim, damage or liability, of whatsoever kind or
> nature, which may arise from your Institution's respective use,
> handling or storage of the SOFTWARE.
>
> If publications result from research using this SOFTWARE, we ask that
> CSHL be acknowledged and/or credit be given to CSHL scientists, as
> scientifically appropriate.
>
> ==============
>
>

[-- Attachment #2: Type: text/html, Size: 4048 bytes --]

Re: [gentoo-dev] [RFC] Adding potentially questionable license AcePerl-Indemnity

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

On Thu, 2020-04-23 at 10:32 +1200, Kent Fredric wrote:
> I've just discovered dev-perl/Ace has some fun questionable licensing
> which includes a lovely indemnity clause, which had previously gone
> unnoticed, and it stipulates additional requests for research
> publications, which is not something mentioned in any license currently
> in tree other than Tinker
> 
> Following is the entire body of the license I plan to put in
> licenses/AcePerl-Indemnity ( name chosen to specifically alert people
> tempted to accept this license that Indemnification is an important
> part they should actually read )
> 

Are you stipulating that people eager to install this package would
likely go for a dictionary to understand a word they can't even type
properly on the first attempt?

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

[gentoo-dev] Re: [RFC] Adding potentially questionable license AcePerl-Indemnity

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1809 bytes --]

>>>>> On Thu, 23 Apr 2020, Kent Fredric wrote:

> I've just discovered dev-perl/Ace has some fun questionable licensing
> which includes a lovely indemnity clause, which had previously gone
> unnoticed, and it stipulates additional requests for research
> publications, which is not something mentioned in any license currently
> in tree other than Tinker

> Following is the entire body of the license I plan to put in
> licenses/AcePerl-Indemnity ( name chosen to specifically alert people
> tempted to accept this license that Indemnification is an important
> part they should actually read )

> Current advice also says that due to the terms of this license, we have
> to RESTRICT="mirror" this as well, unless the Trustees want to sign off
> on potentially indemnifying CSHL

> Also following up with CPAN because as its *currently* mirrored on
> CPAN, and has been mirrored there for at *least* 12 years, its
> potentially in a legal situation as well.

> ( But that's the fault of the uploader if true, because you can't
> upload anything to CPAN without mirroring being something you didn't
> expect )

> Once this license is added, the plan is to rework Ace-*.ebuild to be under

> LICENSE="|| ( Artistic GPL-1+ ) AcePerl-Indemnity" 

> Upstream: https://metacpan.org/source/LDS/AcePerl-1.92/DISCLAIMER.txt

The important words are:
"This library is free software; you can redistribute it and/or modify it
under the same terms as Perl itself."
which makes it simply LICENSE="|| ( Artistic GPL-1+ )", and of course,
no mirror restriction is needed.

The rest is simply an additional warranty disclaimer. I wouldn't even
see it as part of the license, because it is about usage of the
software, not about its distribution.

As always: IANAL, TINLA.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

Re: [gentoo-dev] Re: [RFC] Adding potentially questionable license AcePerl-Indemnity

[Richard Yao]

[-- Attachment #1.1: Type: text/plain, Size: 4235 bytes --]

On 4/23/20 3:31 AM, Ulrich Mueller wrote:
>>>>>> On Thu, 23 Apr 2020, Kent Fredric wrote:
> 
>> I've just discovered dev-perl/Ace has some fun questionable licensing
>> which includes a lovely indemnity clause, which had previously gone
>> unnoticed, and it stipulates additional requests for research
>> publications, which is not something mentioned in any license currently
>> in tree other than Tinker
> 
>> Following is the entire body of the license I plan to put in
>> licenses/AcePerl-Indemnity ( name chosen to specifically alert people
>> tempted to accept this license that Indemnification is an important
>> part they should actually read )
> 
>> Current advice also says that due to the terms of this license, we have
>> to RESTRICT="mirror" this as well, unless the Trustees want to sign off
>> on potentially indemnifying CSHL
> 
>> Also following up with CPAN because as its *currently* mirrored on
>> CPAN, and has been mirrored there for at *least* 12 years, its
>> potentially in a legal situation as well.
> 
>> ( But that's the fault of the uploader if true, because you can't
>> upload anything to CPAN without mirroring being something you didn't
>> expect )
> 
>> Once this license is added, the plan is to rework Ace-*.ebuild to be under
> 
>> LICENSE="|| ( Artistic GPL-1+ ) AcePerl-Indemnity" 
> 
>> Upstream: https://metacpan.org/source/LDS/AcePerl-1.92/DISCLAIMER.txt
> 
> The important words are:
> "This library is free software; you can redistribute it and/or modify it
> under the same terms as Perl itself."
> which makes it simply LICENSE="|| ( Artistic GPL-1+ )", and of course,
> no mirror restriction is needed.
> 
> The rest is simply an additional warranty disclaimer. I wouldn't even
> see it as part of the license, because it is about usage of the
> software, not about its distribution.

The language then goes on to add additional terms, so it isn't only
under the terms of the perl license. There are two things that worry me
here.

The first is the indemnification clause. Indemnification in the US is
like an insurance policy. If it were to go to court over something
covered, those who agreed to provide indemnification must pay the legal
expenses of those were taken to court. People have lost in courts for
things as small as commas. I am not a lawyer, but I think this needs
additional attention.

The second is the attribution clause. While it seems silly, this has two
possible interpretations:

1. A disclaimer.
2. A solid requirement for people of a certain field of endeavor imposed
by the license and enforced by either legal or extralegal means.

In the case of the former, it is fine, but in the case of the latter,
this is enough to render the license non-free on two grounds:

1. Clause 5 of the OSD that prohibits discrimination against persons or
groups:

https://opensource.org/osd-annotated

2. The dissident test that we borrow from Debian regarding "excess"
distribution:

https://wiki.gentoo.org/wiki/License_groups#When_is_a_license_a_free_software_license.3F

If this were worded as a reminder, this would not be a problem, but it
seems like it could be considered a non-optional request by virtue of
copyright being restrictive unless explicit permission is granted. If
the language had been along the lines of a recommendation or a reminder
of the requirement that credit be provided as required by the academic
community for academic integrity, then it would have been fine. For
example, something like this would have worked:

> It is recommended that if publications result from research using this
SOFTWARE, CSHL be acknowledged and/or credit be given to CSHL
scientists, as is scientifically appropriate.

However, this is what was written:

> If publications result from research using this SOFTWARE, we ask that
CSHL be acknowledged and/or credit be given to CSHL scientists, as
scientifically appropriate.

Requests aren't always optional, so this might be construable as the
license imposing a requirement. It is a minor point compared to the
indemnity clause, but I think it merits additional scrutiny.

>
> As always: IANAL, TINLA.
> 
> Ulrich
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] [RFC] Adding potentially questionable license AcePerl-Indemnity

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 447 bytes --]

On Thu, 23 Apr 2020 10:32:41 +1200
Kent Fredric <kentnl@gentoo.org> wrote:

Ugh. I just discovered this approach is in use in multiple packages.


https://metacpan.org/source/LDS/AcePerl-1.92/DISCLAIMER.txt
https://metacpan.org/source/LDS/Bio-SamTools-1.00/DISCLAIMER
https://metacpan.org/source/AVULLO/Bio-DB-HTS-3.01/DISCLAIMER

So most of my proposal would have to get re-thought anyway if we were
going to do something about this.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]