[Koha-devel] ReactJS license problems

[Thomas Dukleth]

I take Kivilahti Olli-Antti's response as helpfully encouraging
examination of alternatives to ReactJS.  I also try to emphasise that the
actual sufficiently disqualifying problems with the ReactJS license are
with license incompatibility as opposed to some possibility of problems
over some scenario with patents which might never become an issue for any
Koha user or contributor.

[Remainder of reply inline.]


On Mon, July 24, 2017 10:25, Kivilahti Olli-Antti wrote:

[...]


LICENSE INCOMPATIBILITY.

> I wouldn't be overtly alarmed by this license issue,

The problem is primarily that the current ReactJS license seems to be
incompatible with GPLv3, the license which we use for Koha as a whole. 
All the code which we incorporate into Koha, such as any programming
libraries incorporated into Koha, must be compatible with the overall
license for Koha.  The Free Software Foundation (FSF) have a helpful guide
to various software license and their GPL compatibility of various
licenses, https://www.gnu.org/licenses/license-list.en.html .  FSF have
not yet included the Facebook BSD+Patents license in their licenses page
which is updated very infrequently and cannot include every variation on
standard license terms.  In the absence of specific comment from FSF or
their lawyers which we could obtain if the issue seemed too unclear, we
may take the issue as carefully treated after consideration over months as
reported by people at the Apache Software Foundation in communication with
Facebook legal counsel confirming intended incompatibility between the
Facebook BSD+Patents license for patent terms in Apache License version 2
(ALv2) where there is some language in GPLv3 which seems to also be
incompatible on the same point of revocation of the implied patent license
in the 3 clause BSD license.  I cited Roy T Fielding's comment in my
original message,
https://issues.apache.org/jira/browse/LEGAL-303?focusedCommentId=16046579
.


FREE SOFTWARE ALTERNATIVES.

> however if there is a
> more free alternative we should use it.

Some have questioned whether the Facebook BSD+Patents license could
qualify as a recognised free software license at all as the breadth of the
patent license termination terms seem to violate the minimal requirements
for freedom and the patent terms of the Open Standards Requirements of the
Open Source Initiative (OSI), https://opensource.org/osr .  The Facebook
BSD+Patents license has very different terms from the OSI BSD+Patents
license, https://opensource.org/licenses/BSDplusPatent .

Some alternatives to ReactJS are under licenses for which there are no
doubts about whether they are free software compatible with GPLv3.

> I don't mind having inconveniences due to using more free software.
>
> Struggle for our privacy, freedom of speech, and environment is
> inconvenient, but well worth the investment, however costly.
>
> The important framework improvements are "one-way data flow" and the
> underlying "state machine" (Redux-compatibility). Maybe server-side
> rendering.
> Looks like atleast InfernoJS proclaims support for those.
>

MINIMISING PATENT PROBLEMS.

There would be different issues to consider if the ReactJS license had
some problematic patent terms but somehow not so problematic as to be
incompatible with GPLv3.

> Another take on the issue:
> https://medium.com/@dwalsh.sdlr/react-facebook-and-the-revokable-patent-license-why-its-a-paper-25c40c50b562

Dennis Walsh ignores the license incompatibility issue of Facebook
BSD+Patents license in relation to ALv2 and also seems to similarly affect
GPLv3 and GPLv2.  He assumes that the primary hazard over patents from a
Facebook BSD+Patents license is from Facebook directly.  He assumes that
no Facebook patents exist which read on ReactJS where he did not find them
easily enough and no one has reported them to him.  He does not treat the
breadth of conditions for patent termination unrelated to any particular
software under the Facebook BSD+Patents license which obviates assumptions
about costs of replacing software relative to the costs of litigation.  He
dismisses any alternative scenarios citing one particular unlikely case,
however, the most likely scenarios are indirect from the breadth of
termination conditions and outside the scope of anything which he has
considered.  Any scenario for which there is an actual problem may be
unlikely, however, if you or your organisation are in the midst of such a
scenario the likelihood of its occurrence is moot for you or your
organisation.

Problems in patent disputes are often indirect as in the scenario
described by Aaron Williamson which I had originally cited, 
https://github.com/facebook/react/issues/10191#issuecomment-316380810 . 
Starting from Aaron's example I could imagine some scenario which
corresponds to what I am informed is the usual type of problem which is
faced over patents, however, my alteration of Aaron's example may suffer
in some detail from not being a lawyer. A university with a state mandate
in law to pursue patents arising from government funded research could be
be substituted for Cisco in Aaron's example.  An issue covered by a
traditional patent, not one reading on software, could be the issue
pursued against a Facebook subsidiary.  After terminating all patent
licenses granted to the university under the Facebook BSD+Patents license,
Facebook might not pursue a patent action over ReactJS use by the
university especially where the use prior to termination would have been
licensed.  Yet, the university's loss of any Facebook patent license to
assert in defence may be the opportunity for a patent troll (holding
patents without any product using them) to threaten the university over
some patent reading on ReactJS.  The patent troll would know that the
university would be likely to agree to pay protection money to license the
patent held by the troll to avoid the cost of litigation especially
without a Facebook patent license for the university to assert in defence.
 The troll would also not have to risk any possible Facebook patents being
asserted by the university to invalidate any claims in the patent which
the troll would be asserting.  The goal of the patent troll is to obtain
protection money without much risk of actually having to face the
financial costs or other hazards of litigation.

Even if GPLv3 license compatibility would not be a problem and even if
almost all Koha users would never have even a traditional patent nor a
mandate to pursue patents, we should not create potential burdens upon
organisations which may be candidates for using Koha beyond the relatively
simple obligations respecting free software.  Certainly, we should not
create a burden which Aaron Williamson describes as "compliance requires a
burdensome -- maybe impossible -- degree of diligence."


Thomas Dukleth
Agogme
109 E 9th Street, 3D
New York, NY  10003
USA
http://www.agogme.com
+1 212-674-3783