Apache Bans Facebook’s License Combo

The Apache Software Foundation has moved the “Facebook BSD+Patent grant” license combination (FB+PL) to its “Category X” licensing list, effectively banning inclusion of any software under FB+PL from Apache projects. That included RocksDB, which has consequently just dropped FB+PL and added the Apache License v2 on Github, and React.JS which does not look like it will resolve the issue so fast.

Update, 22 September: Facebook has announced it will switch React to the MIT license.

Here’s what we know so far (subject to updates, last day’s in green, latest marked 🆕):

  • Facebook has released a number of software technologies that it created as open source, including React.JS framework and RocksDB.
  • FB+PL: The license Facebook preferred for new projects was the “Facebook BSD+Patent grant”
    • This comprises the OSI- and FSF-approved 3-clause BSD license, and a unilateral patent grant by Facebook.
    • Neither OSI nor FSF has issues with adding “additional permissions” to an approved license, and Facebook’s grant is clearly an additional permission.
    • The patent grant is unilateral, meaning it does not require any reciprocal grant of rights from anyone using or creating derivatives with Facebook code. In particular it does not require granting the same rights as Facebook grants, so is less onerous than even the Apache License patent grant in this regard.
    • The rights granted do however terminate automatically in the event of the licensee commencing patent action against Facebook. Any patent action, whether related to the project at hand or not. Even hardware patent action.
    • In the original version the Grant could be read as also terminating rights in the event of any other form of litigation against Facebook, including defence against patent claims and cases unrelated to patent claims. Facebook changed the text in 2015 to clarify neither of these were the case.
    • The Apache License (ALv2) also includes a patent termination clause in the event of litigation. The problem alleged on the Apache discussion is that the termination clause in FB+PL is too broad, broader than the one in ALv2 which only relates to the project at hand, creating an important imbalance of rights for any Apache project choosing to use Facebook’s code.
  • The original cause of the Apache issue was Facebook’s database engine RocksDB.
    • RocksDB originally used just FB+PL, but at the end of April 2017 also added GPLv2 (without the “or any later version” clause). This suggests Facebook originally believe FB+PL to be compatible with the GPL but became aware of community issues so added GPL. This was possibly to support its use by MySQL and MariaDB.
    • It also suggests Facebook believed FB+PL was a neat solution to licensing code so as to be compatible with both GPL & Apache projects.
    • However, Apache stalwart Roy Fielding alleges that Facebook legal staff agreed with him when he commented FB+PL is intentionally incompatible with the Apache License (clarified several times).
    • Whatever the case, Facebook has now changed RocksDB licensing to dual GPLv2-only or Apache License, completely removing the contentious patent grant, in one monumental commit.
  • Open source community members with sensitivity to patent matters have been concerned that the Facebook approach was problematic from the start.
    • Termination of a patent grant does not affect licensing of the copyright under BSD terms. Some (especially opponents of software patents) argue that consequently Facebook’s approach is no worse than omitting the Grant in the first place.
    • A common question is thus “why is having a patent license until you commence litigation worse than not having one at all?” The answer is subtle. Many corporate lawyers operate on the assumption that all open source licenses that do not mention patents (BSD, MIT etc) implicitly grant a patent license. Clarifying this ambiguity is seen as harmful — that’s why approval of CC0 at OSI was abandoned, for example.
      Including an explicit patent grant removes the possibility of an implied patent license being argued in court and is seen as an escalation of the patent conflict by Facebook. Given many voices at Apache are being quietly guided by corporate counsel, this seems the most likely underlying explanation, although Aaron’s explanation of the justification for the ban (below) also seems correct.
    • In the React.JS discussion (see below) lawyer Aaron Williamson provides an excellent summary of the presenting core issue at Apache:

      The React license’s patent grant is narrower than Apache-2.0’s, because it prohibits patent suits against Facebook that Apache-2.0 would not. The licenses are still compatible, in the sense that they can be used together within the same work. However, the overall license for that work (call it Apache+React), is less permissive than Apache-2.0 because of React’s patent restrictions. It is Apache Software Foundation policy not to distribute software that cannot be licensed, as a whole, under the terms of Apache-2.0. Therefore, it will not accept the React license into its own project because it would make the project’s license more restrictive than Apache-2.0. 

  • The Apache ban affects several popular technologies — especially React.JS — used by many, many Apache projects so the controversy will rumble for some time.
    • A seperate Apache Legal thread covers use of React.JS. React developers are discussing the matter.
    • An update from Facebook suggests they do not intend to relicense React.js as they have RocksDB.
    • The fact React was originally Apache-licensed and switched to FB+PL suggests Facebook believed the licenses to be compatible.
    • Several people have suggested that switching to Preact (which is MIT licensed) is a good alternative if Facebook decide to keep React Apache-incompatible.
    •  The Apache Superset project is based around React.JS and so has asked if it should perhaps be wound up and revert to Airbnb if the React ban stands. Superset is a visual data exploration project that’s struggled to find a usable name at Apache.
    • 🆕 Facebook finally commented on August 18th that it will not relicense React.
  • In a useful Medium post, lawyer-turned-coder Dennis Walsh argues “there’s no there there” — that the practical consequenes of falling foul of Facebook’s terms are trivial and the fuss is misplaced. I disagree, not because he is wrong but because that’s not the point; Facebook is breaking loads of social and community rules by its actions regardless of their local impact. I’ve written an explanation of five reasons Facebook has made a mistake.

Pending questions

  • Why has Apache taken this step now, and not when the issue first arose in 2014?
  • Why did Facebook pick the Apache License for RocksDB and not OSI-approved licenses closer to the intent of FB+PL? These include UPL and BSD+Patent. (Tweeted)

Further reading

(Thanks to Patreon patrons for making this tracker possible)