
Comment by sokoloff

3 years ago

Having read the minIO allegations last week, I was fully expecting to read some weasel-y/half refutation here.

Instead, this is a strong refutation and, if everything WEKA says here is true, it is much less certain that they've done anything wrong and it seems like it's on minIO to prove that they've used minIO software subject to AGPL rather than only to Apache.

Previous HN discussion: https://news.ycombinator.com/item?id=35299665

If you read the minio blog, they give very detailed instructions on how to check that they are using the software. It shouldn’t be super difficult to figure out if any of the software being distributed today is post license switch.

So what we have here is a very detailed description of what they are claiming is a violation, then a refutation that is very strong, but also doesn’t actually address some of the claims in the other blog, as far as I can tell.

There is a blog from minio that says they switched to AGPLv3 in 2021. It’s unclear to me from the screenshots whether the software is later than that or not.

I hope someone takes the time to do an independent analysis, and a more neutral take.

Note that Weka redacted the language from the Apache license that says “subject to the terms and conditions,” which (not a lawyer) seems to allow a copyright holder to deny permission if they’re not meeting the conditions of the license. Whether they are or not is another question.

  • > they give very detailed instructions on how to check that they are using the software

    It's not that detailed; it just says "there is a minio binary, and that's our minio". Okay, but what version is that? This is the crucial part, because Apache vs AGPL license makes a world of difference.

    The Apache attribution requirement seems satisfied; perhaps not as prominently as minio would like, but there is no "prominence requirement". It fails to demonstrate any AGPL code is used, although according to some other comments the minio people have a unique and interesting interpretation of relicensing where they think they can retroactively relicense Apache code to AGPL. The claim that backporting any security fixes would trigger the AGPL is also suspect; typically many security fixes are simple in terms of code changed, and tend to be fairly easy to re-implement independently once you know the description of the problem. Either way, "it's likely that [..]" doesn't really demonstrate much of anything and is certainly not "very detailed".

    In short, the minio post is vague and full of assumptions; even without this rebuttal I wouldn't put too much stock in it as it seems borderline FUD.

Not a lawyer and this is an area where I genuinely just don't know, so I'd love to find a place that's explored this and could read more. But WEKA's statement #2 about the irrevocability struck me as odd in its expansiveness. My understanding was that "irrevocable" essentially is about arbitrariness and time, that so long as the licensee follows the governing license as written then it continues indefinitely and the licensor may not ever simply decide to revoke it. But if the license terms were broken, then could the copyright holder then say the contract was broken? I didn't think "irrevocable" meant "every other aspect of this contract doesn't matter beyond damages because even if you blow off them all it can't be revoked anyway". Like if I signed a copyright license saying "in exchange for $50/year paid on Jan 1 each year for a period of 10 years I grant a perpetual, worldwide, non-exclusive, irrevocable copyright license to said work" and then they just stop paying after the first year does that mean the license is still irrevocable, but I can sue them for damages? Or is the contract done due to non-performance? Or would that depend on other clauses? What if the value exchange is more of a quid pro quo thing, does that become a rare instance where suit for specific performance would be an option, or would the court translate it to money?

Just really curious, I've seen that term language lots and never really gave it much thought until now. Surely this must have been fought over before. But I'd have expected a lawyer-drafted response by WEKA to cite case law and any governing state/national law. Just saying "see the contract says irrevocable so that's that duh!" feels kinda odd.

--

Edit: Also to be clear, this is all purely dependent on any license terms actually having been broken. If none were then yes that'd be that. It just seemed like WEKA was making an argument that MinIO couldn't revoke no matter what.

  • I think the overarching point is that MinIO doesn't understand their own license. MinIO can't retaliate at will, except by suing. It also shows that - as it has been since the inception of the AGPL - nobody knows what the actual obligations are. MinIO seems to believe that interaction with MinIO, including calling the API, makes your code subject to the AGPL too. They say as much on their compliance page.[1] This is the opposite view of someone like MongoDB, who used to have their software AGPL licensed, but explicitly made their clients permissively licensed, because their expectation from the AGPL was that it is not infectious across process boundaries.

    MinIO has taken this to other extremes, including believing that your config file for MinIO is subject to AGPL. Even if you assume that an implicit dependence on an API is making the calling code AGPL, MinIO has the least strong claim for their service being infectious, because their API is mostly a reimplementation of S3.

    This is like the "are Java APIs copyrightable" case all over again, except the people who are threatening legal action didn't even invent the API.

    [1]: https://min.io/compliance

    "When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO."

    • I read through this as well & it is a joke. Under their interpretation if I run MinIO in the Linux subsystem that is part of Windows, I'd need to open source that.

      Their interpretation is so extreme that using a browser would require me to open source the browser. If I used a shell script to test if the service is running, I'd need to make that open source too.

      There is also this: "Passing configuration parameters to a MinIO binary instance constitutes making a modified version, as it does not produce an exact binary copy."

      How do they know it doesn't produce an exact binary copy? Maybe my x86 computer is quantum based.

      I'm pretty sure if I compiled MinIO with a proprietary Golang implementation, MinIO would want me to open source the compiler.

      They also include their trademarked logo in the git repo, then try and tack on a supplemental policy about that later. Which you can't do, because the AGPL grants you a license to the logo.


  • I would interpret the Apache Licenses terms on breaking the license to apply to patents and there it is pretty clear that the party who starts litigation loses their own license. I don't think any open source license writer would intentionally want the situation where a middle-man causes a license to never be valid, and in this case it makes no sense as attribution is meant to be optional information.