Licenses of dependencies

Can you cc me please? Thanks!

As much as I don’t want to talk to lawyers, I’ll volunteer.

If the advice is to change the license in order to include the library, I’ll make sure that’s communicated to the TWG for review. There may be trickledown effects that we need to consider.

If it’s ok to stay BSD 3-clause, that really makes life easier.

me too please.

Daniel, I think we’ll have enough TWG representation there if you’d like to skip. I think you missed my post - I’m happy to take the bullet. But if you have specific questions you want to ask probably best if you’re present.

Something I’d like to work on requires an LGPL library, and the way I plan to do it is to provide a compile switch to users so they can choose to download and build the LGPL’ed library that the Stan compiler can link to.

That’s fine with me! Just so we’re clear on the expectation: whoever is there to talk to the lawyers will need to summarize the advice well enough for the Math developers, the TWG, and possibly the SGB.

Some specifics:

  • We’ll need enough technical people there to discuss exactly what’s included and how it’s used from within Math (@wds15 will be able to provide that context)
  • We’ll need to know what we can and can’t do to the included source. (We currently do some manipulation to the libraries… if this license does not allow that, we can’t do that; we might want to ask about the other licenses while we’re at it or discuss that at some other point)
  • We’ll need to be able to articulate how this affects upstream licensing. I don’t think it will have to change RStan or PyStan since those are GPL, but whatever is applied to Math will probably affect CmdStan. (This is where we’d need to communicate back to the TWG the implications.)

At the end of it, if the lawyers say we can stick with BSD, that’s awesome and we can go on with our business. We should let TWG and SGB know that it’s compatible so it’s recorded for prosperity. The decision is then just a technical decision.

If the lawyers say we have to change licenses, then it becomes a joint Math and TWG decision.

Anyway… you good with all of that (and possibly more)? If so, then I’m happy not to be on the call.


If we’re going to collect other things to talk to the lawyers about:

  • Eigen license and what we need to do when we modify Eigen source; whether we’re ok with BSD 3-clause
  • Boost license and what we need to do when we modify Boost source; whether we’re ok with BSD 3-clause
  • Sundials license and what we need to do when we modify Sundials; whether we’re ok with BSD 3-clause
  • LGPL; @yizhang’s question from above

Yeah you should definitely come as it looks like you have specific questions :P My API to IP lawyers is basically to assume I can ask very specific questions and get answers back as if from an oracle, but that I shouldn’t try to generalize or learn how the oracle works.

Hi!

I have done a bit more research on the matter and wanted to share that.

My conclusion is that we can simply include the Intel TBB without any hassle at all. The Apache 2.0 is just as permissive as the BSD in practical terms of using / distribution / changing things / commercial use / whatever. The key limitation of the license is wrt patents. So you may use the software without any problem even if patents are in that software (we are protected) - but you are also not allowed to make any legal claims wrt a patent in court.

So, how do I get there? Well, here is a nice summary: https://snyk.io/blog/mit-apache-bsd-fairest-of-them-all/

Another interesting read is what FreeBSD and OpenBSD have to say about the Apache 2.0 license. So the OpenBSD project is super tight on this. To them any deviation from BSD is a no-go. They argue that the patent stuff is taking away some liberty from you and they also say that the terms are anyway questionable to have any meaning in whatever jurisdiction contexts this would be applied. Now, the FreeBSD project is more open (see https://www.freebsd.org/internal/software-license.html). They are OK with the Apache 2.0 license, but inclusion of a package requires permission from the core developers. In fact, the FreeBSD project includes the Intel TBB (https://svnweb.freebsd.org/ports/head/devel/tbb/).

To me this would be enough to conclude that we are fine with including the Apache 2.0 Intel TBB. Moreover, we can leave stan-math as BSD since the FreeBSD project is doing the same and these folks are very cautious about the choices they make - they would never allow license creep to happen to them, I think.

My 2 cents.

Best,
Sebastian

EDIT: Two more good links which are from github:


We should throw that question into the mix. It may be that LGPL is also compatible with everything we need for licensing.

All,
I have asked NumFOCUS about this last week and they do have someone to talk to that has been around the block on exactly these issues. I will ask again for the contact info.

Breck

Hey all,

We have had some significant progress on this topic. We’ve talked extensively with a lawyer and posted the resulting Q&A on the wiki. If I can try to summarize, by including Apache 2.0 licensed dependencies we lose the ability to distribute Stan with any GPLv2 code as a single work (which may include packaging them together as a single binary executable, but probably doesn’t include Docker images in my reading). We don’t currently use or plan to use any GPLv2 code and at several meetings and email threads all Stan developers involved were okay with making this tradeoff. The lawyer recommended doing the following:

  1. For any places where you would need to create a binary, distribute a script that has the user create the binary, consistent with other examples on CRAN.
  2. Publish your usage, highlighting the separateness if possible: “We may bundle a set of applications and libraries into a single image or file for user convenience when downloading and installing the various packages. However, the different parts of the package are separate and can be extracted and used independently. There are also directions (at [LINK]) showing how to use system-provided libraries to provide the same functionality.”

I’d like to now ask the rest of the community here on the forums if anyone objects to us going down this path and including an Apache 2.0 dependency. Please note this is not about the Intel TBB specifically (which, if we decide Apache 2.0 dependencies are fine, will also be evaluated on technical merits in the following weeks), but rather a question of which licenses we are okay relying on in our dependencies.

If anyone objects to the inclusion of Apache 2.0 licensed dependencies, I’d ask that you speak up by September 15th. If anyone objects, we’ll hold a Stan electorate-wide majority vote to settle the issue.

Thanks!

I couldn’t make these meetings, so I don’t know which developers have signed off. Are @bgoodri, @jonah, and @paul.buerkner on board? Is the SGB on board? The reason I ask about those two groups specifically is that the former will have to deal with any software issues and the latter any legal issues.

I also think we need something like a mailing list for devs to alert them to important decisions like this, as I’d have never seen this without a limited-distribution email.

Yes

No one explicitly signed off. Is discourse not a mailing list for devs? If you or any of those folks object please let us know and we can go to a vote. Everyone, please tag anyone else you think may want to be included.

This thread has been going for 3 months and seems like it likely has a good collection of people who care about this issue subscribed to it, but again please explicitly tag anyone else. This isn’t trying to be a secret decision, obviously.

Hi!

To make it explicit: The deadline for raising a request to have a vote on the matter of including Apache 2.0 dependencies is planned to end on September 14th - to account for all time zones let it be September 15th.

And I think we can tag all stan devs using this:

@Stan_Development_Team

The main side-effect of this is GPLv2 incompatibility in binary bundles as I understand, but please have a read of the wiki.

Sebastian

No. It’s a huge mailing list for everyone with so much traffic I can’t keep up. I try to keep up with the developers thread, but it’s not pushed to me like email, so I could easily miss something that was only up for a week.

I’ll write to the R devs myself offline then. I’m not sure tagging them here will get everyone’s attention.

Great, thank you both!

+1. For major decisions like this one that needs to go through the TWG, there should probably be a separate TWG thread?

For all developers to chime in, I don’t know of a better list than the developers category, but we could make something like an announcement category that’s separate and low traffic.

Where did this date come from?


cc: @ariddell, @ahartikainen, @mitzimorris

@seantalts suggested to wait for a week, see from above

I only made the date meant by that explicit.
