Apache Foundation and Facebook in Standoff Over React.js License
So far neither side has blinked in a standoff that most likely hasn't ended yet.
August 22, 2017
Here's a story that has the two things that open source advocates like to fight about discuss most: licenses and software patents. It started on July 15 when the Apache Foundation's legal affairs director, Chris Mattmann, made a comment to a thread on a discussion board that began two months discussing a little quirk that had been found in the wording of Facebook's open source BSD-plus-Patents license.
"No new project, sub-project or codebase, which has not used Facebook BSD+patents licensed jars (or similar), are allowed to use them," he wrote. "In other words, if you haven't been using them, you aren't allowed to start. It is Cat-X."
In Apache-speak, "Cat-X" means that software licensed under that license isn't suitable for being relicensed under the Apache license.
"If you have been using it, and have done so in a *release*, you have a temporary exclusion from the Cat-X classification thru August 31, 2017. At that point in time, ANY and ALL usage of these Facebook BSD+patents licensed artifacts are DISALLOWED. You must either find a suitably licensed replacement, or do without. There will be NO exceptions.
"Any situation not covered by the above is an implicit DISALLOWAL of usage.
"Also please note that in the 2nd situation (where a temporary exclusion has been granted), you MUST ensure that NOTICE explicitly notifies the end-user that a Facebook BSD+patents licensed artifact exists. They may not be aware of it up to now, and that MUST be addressed."
Oh, what a can of worms had been opened.
The Apache Foundation is to the open source web server project, Apache, what the Linux Foundation is to Linux. And like the Linux Foundations, over the years it's taken many open source projects under its wings, with all projects under its care licensed under the Apache License, because its easier to have everything under the same license and because...well, it's their license.
The "offending" license, loosely called BSD+Patents, is Facebook's own open source license, which is pretty much a copy of another popular open source license, the BSD 3-clause license, the later being compatible with Apache and most other "permissive" licenses. However, Facebook's version contains an added caveat regarding software patents. Basically, it says, anyone who uses the code, directly or indirectly, cannot take legal action against Facebook for patent infringement without losing the right to use and distribute that code. Also, if someone using the code sues anyone else for patent infringement that involves Facebook's code, rights to the code is also lost.
"Facebook's license is basically BSD3 with the patents conditions 'tacked' on,'" Jim Jagielski, former president and current board member of the Apache Foundation explained to IT Pro. "The main reason why BSD+Patents isn't compatible is that it is too broad on conditions where it kicks in and provides protection just to Facebook. This basically overrules the patent grant protection of the Apache License version 2, which makes it incompatible."
In a blog post from July, Bruce Perens, the main author of The Open Source Definition and co-founder of the Open Source Initiative, explained the problem in more detail:
"The problem is that Facebook has replaced the implicit grant with an explicit one with a 'strong' retaliation clause. If a company uses React.js, they essentially give Facebook a license to their ENTIRE patent portfolio, no matter how large. Actually, they agree to forego to sue for infringement, but it’s essentially the same thing. Most companies would find this unacceptable. This is called a 'strong retaliation clause. '"
"[I]f Facebook were to state that if you sue anyone regarding your patent grants that are exercised in the React.js software, your license terminates, that would be OK. Indeed, Apache uses similar text in their own licenses. This is called a 'weak retaliation clause.'"
The widespread use of code from Facebook maintained React.js, a popular developer tool for building interfaces with JavaScript, is the reason why this issue is particularly problematic for Apache. Unless Facebook changes the license, all of Facebook's code will have to be removed from all projects that have been using it. In some cases that might be impossible, meaning popular applications will no longer be available. In July, when Apache became aware of the problem and declared the license off limits, it was widely hoped that Facebook would relent and either rewrite the license or adopt a new one.
On Friday, Facebook's engineering director, Adam Wolff, issued the company's decision:
"[M]any have asked us to consider relicensing React and all of our other open source projects. What has become clear through these discussions is that the ASF has very different considerations than Facebook does for how it maintains and distributes open source software.
"I'd like to apologize for the amount of thrash, confusion, and uncertainty this has caused the React and open source communities. We know this is painful, especially for teams that feel like they're going to need to rewrite large parts of their project to remove React or other dependencies. We've been looking for ways around this and have reached out to ASF to see if we could try to work with them, but have come up empty."
In other words, it ain't going to happen.
Not yet, anyway. Most likely, the fallout is just beginning for Facebook. Now that the license has been closely examined, there's a good chance that it will be found to be incompatible with other "permissive" open source licenses as well. Perhaps more damage will come from large corporations with considerable patent portfolios that have integrated Facebook's open source projects into their own data centers. Remember, React.js is being used practically everywhere.
In other words, stay tuned. This probably isn't over yet.
Read more about:
Meta PlatformsAbout the Author
You May Also Like