[Koha-devel] ReactJS license problems

Thomas Dukleth kohadevel at agogme.com
Fri Jul 21 21:29:27 CEST 2017


Recently, people at the Apache Software Foundation have found that
software released by Facebook using the Facebook BSD+Patents license, such
as ReactJs, has patent terms which are incompatible with patent terms in
Apache License version 2 (ALv2).  Similar incompatibility seems to exist
for patent terms in GPLv3 which Koha uses and GPLv2 which Koha had used
previously.

Unless Facebook chooses to fix the issue for ReactJS in some satisfactory
manner as they have with RocksDB, there seems to be an insurmountable
licensing issue preventing the use of ReactJS in Koha which had been
proposed for the use with the OPAC.

ReactJS alternatives such as Preact, https://preactjs.com/ , and Inferno,
https://www.infernojs.org/ , should be investigated.  Preact and Inferno
use the permissively compatible MIT Athena license:
https://github.com/developit/preact/blob/master/LICENSE,
https://github.com/infernojs/inferno/blob/master/LICENSE.md .  Inferno
changed to the MIT Athena license in 2016 after previously using the
Mozilla Public License version 2,
https://github.com/infernojs/inferno/commit/144f96e8cf55c0ff3a7b27ab151f5d376b1106cc
.

In general, we need to be somewhat wary of potential licensing issues when
using programming libraries.  Merely reading the license file is not
always sufficient for knowing the license which applies to the software
as in the example of ReactJS detailed further below.  The license
invocation statements may need to be read or parsed which could include
every licensing header of every file.  Furthermore, projects may change
licenses over time which can introduce license conflicts as happened with
ReactJS.


REACTJS LICENSE HISTORY.

Originally in 2013, Facebook released ReactJS under ALv2, and required
community contributors to submit to a contributors license agreement
assigning all their rights to Facebook,
https://github.com/facebook/react/commit/75897c2dcd1dd3a6ca46284dd37e13d22b4b16b4
.  In 2014, the license terms were changed to Facebook BSD+Patents,
https://github.com/facebook/react/commit/dcf415c2b91ce52fd5d4dd02b70875ba9d33290f#diff-6a3371457528722a734f3c51d9238c13
.  In 2015, the patent terms were modified with a version 2 for the
PATENTS file,
https://github.com/facebook/react/commit/b8ba8c83f318b84e42933f6928f231dc0918f864#diff-7373d27f0ea94a5b649f893e20fffeda
.


FACEBOOK BSD+PATENTS LICENSE.

Facebook have been applying a Facebook BSD+Patents license to Facebook
Open Source projects generally.

The current license terms are invoked with language such as the following
from README.md, https://github.com/facebook/react/blob/master/README.md . 
"React is BSD licensed. We also provide an additional patent grant."  The
LICENSE file contains the permissively compatible 3 clause BSD copyright
license in LICENSE, https://github.com/facebook/react/blob/master/LICENSE
.  The patent license in PATENTS is problematic,
https://github.com/facebook/react/blob/master/PATENTS .

Facebook have an Open Source License FAQ with a few sentences for just a
little clarification of their Facebook BSD+Patents license,
https://code.facebook.com/pages/850928938376556 .  The following question
and answer may be confirming the understanding that the breadth of
conditions for terminating the Facebook patent grant applies to any
Facebook patents which are granted for any and all software which Facebook
have released under the Facebook BSD+Patents license, not merely those
Facebook patents for one particular program at issue.  "Does the
additional patent grant in the Facebook BSD+Patents license terminate if
Facebook sues me for patent infringement first, and then I respond with a
patent counterclaim against Facebook?  No, unless your patent counterclaim
is related to Facebook's software licensed under the Facebook BSD+Patents
license."  Facebook patent terms appear to be designed to protect Facebook
from patent litigation in a broader and more one sided manner than patent
terms in free software licenses such as ALv2 and GPLv3 which do not have
such breadth of termination, thus depriving users of patent defences under
more circumstances.

Roy T Fielding at the Apache Software Foundation has received confirmation
from Facebook legal counsel that the explicit patent grant in the
Facebook BSD+Patents license is intended to revoke any implied patent
grant from the 3 clause BSD license,
https://issues.apache.org/jira/browse/LEGAL-303?focusedCommentId=16046579
.  Revocation of the implied patent grant is sufficient for
incompatibility with the ALv2 and the Facebook BSD+Patents license.
Accordingly, the Apache Software Foundation have required Apache Software
Foundation projects to not incorporate software with the Facebook
BSD+Patents License, https://www.apache.org/legal/resolved#category-x . 
Those Apache Software Foundation projects which have already included
software with the Facebook BSD+Patents license are required to remove the
covered Facebook software from their projects.

Revocation of the implied patent grant also seems to be sufficient for
incompatibility with the GPL.  GPLv3 has the following language to protect
patent defenses in section 11 Patents.  "Nothing in this License shall be
construed as excluding or limiting any implied license or other defenses
to infringement that may otherwise be available to you under applicable
patent law."  GPLv2 had other language to the same effect.

Some discussion of the issue at the Apache Software Foundation for ReactJS
specifically can be found at
https://issues.apache.org/jira/browse/LEGAL-319 .

Aaron Williamson writing under the username copiesofcopies has the best
description of the complexities of patent relationships involved in the
Facebook patent terms,
https://github.com/facebook/react/issues/10191#issuecomment-316380810 . 
[I have consulted Aaron in the past for Koha when he was a lawyer at the
Software Freedom Law Center.]


REQUESTING REACTJS LICENSE CHANGE.

Recently, people at Facebook conceded to change the license for RocksDB to
the choice of ALv2 or GPLv2 only
https://github.com/facebook/rocksdb/commit/3c327ac2d0fd50bbd82fe1f1af5de909dad769e6
.  [Remember that ALv2 is compatible with GPLv3.]

There is an effort to encourage people at Facebook to similarly change the
license for ReactJS, https://github.com/facebook/react/issues/10191 .


WHO WORRIES ABOUT PATENTS?

Patents reading on software may not be a problem in your jurisdiction
currently.  A copyright license without any implied patent grant may seem
good enough for you and never mind the incompatibility of software
licenses if the incompatible terms are only about patents.  Even in the US
where the problem of patents reading on software originated, the US
Supreme Court seems to be eroding the problem as some cases emerge. 
However, the problem of patents being read to cover software is not going
away any time soon and the hazard may have merely been temporarily
constrained a little in the US while patent lawyers work around newer
constraints.

The patent problem will remain for software in the US without either the
unlikely event of a court case which can only be concluded by excluding
software from the scope of patents or the US Congress passing legislation
to that effect.  Even if tomorrow software would be found out of scope for
patents in the US, the problem would still remain in many other
jurisdictions where the US trade representative has worked tirelessly over
years to export an overly broad scope for patents by hook or by crook in
local laws, treaties, or wherever the application of patents can be added.
 People pursuing the interests of businesses, such as many large
corporations, which use patents to suppress innovation and competition
will also continually try to lobby governments to broaden the scope of
patents to cover software even in jurisdictions where the breadth of
patents has continually been restricted to exclude software.

Some states in the US have legislative mandates for the state universities
to pursue patents.  Some of these universities may have an interest in
using Koha.  Using Koha should not expose any user to greater patent
litigation risks than using some other software.

Even if you or your organisation do not exercise patents, any jurisdiction
in which patent infringement lawsuits can be brought exposes everyone in
that jurisdiction to the hazard of possibly needing to defend against
patent litigation or pay protection money to anyone posing a credible
threat of such litigation.  News reports about patent lawsuits mostly
refer to those who create or distribute whatever may be covered by patents
at issue, however, users who do not create or distribute but who are
perceived as having sufficient resources to pay enough are targeted
privately with the mere threat of patent lawsuits and coerced into paying
protection money.


ADDITIONAL REACTJS LICENSE PROBLEMS.

Even if people at Facebook would relicense ReactJS again under a suitable
GPLv3 compatible license, there are still other license problems about
which to be wary.  Facebook does not grant any license to redistribute
code from code examples provided in the ReactJS documentation or elsewhere,
https://github.com/facebook/react/blob/master/LICENSE-examples .  In my
experience, Facebook are an outlier in their treatment of their own code
examples so differently from the license for their own software project.

License policies for Facebook Open Source should be expected to protect
the interests of Facebook but there is a need for enough common ground to
trust including software in Koha even without anything from code examples.


Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY  10003
USA
http://www.agogme.com
+1 212-674-3783
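
[Added example, not part of the original post or of any project it mentions: one way to carry out the check described above, where reading only the LICENSE file is not enough. The function names, the phrase heuristics and the sample tree are assumptions constructed for illustration; the sample header wording is not quoted from ReactJS.]

```python
import os
import re
import tempfile

# File names that can carry terms in addition to the main license file.
TERMS_FILE = re.compile(r"^(PATENTS|NOTICE|COPYING|LICEN[CS]E)([-._].+)?$", re.I)
MAIN_LICENSE = re.compile(r"^(COPYING|LICEN[CS]E)(\.(txt|md))?$", re.I)
# Heuristic header phrases (an assumption of this example, not a standard).
HEADER_HINT = re.compile(r"patent|licen[cs]ed under|SPDX-License-Identifier", re.I)

def audit_tree(root, head_lines=20):
    """Return terms files besides the main license, and per-file header hits."""
    extra_files, header_hits = [], {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if TERMS_FILE.match(name):
                if not MAIN_LICENSE.match(name):
                    extra_files.append(rel)   # e.g. PATENTS, LICENSE-examples
                continue
            # Only the top of each file is read: that is where headers live.
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = [next(fh, "") for _ in range(head_lines)]
            hits = [ln.strip(" */\n") for ln in head if HEADER_HINT.search(ln)]
            if hits:
                header_hits[rel] = hits
    return sorted(extra_files), header_hits

def build_sample_tree(root):
    """Constructed sample: a BSD LICENSE with further terms stated elsewhere."""
    files = {
        "LICENSE": "BSD License\n",
        "PATENTS": "Additional Grant of Patent Rights\n",
        "LICENSE-examples": "Terms for example code\n",
        "src/core.js": "/**\n * Licensed under the BSD-style license in LICENSE.\n"
                       " * An additional patent grant is in the PATENTS file.\n"
                       " */\nmodule.exports = {};\n",
        "src/util.js": "module.exports = {};\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

Running the same audit against each tagged release of a dependency and comparing the results shows when a project has changed or added terms between versions.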



