Until then here is my spicy story:
- In 2019: Minio Sales contacted Nutanix (like this user mentioned https://news.ycombinator.com/item?id=32152645) hoping for a nice big cheque.
- 2019-2021: Nutanix cites Apache-2 license and refused to pay.
- 2021: Minio changed its license to AGPL (probably few others like Nutanix)
- 2021: Nutanix knows this and refuses to use AGPL version with their product.
- 2022: Discussion went on for another year and nothing came out from Nutanix.
- Now: Minio decided to publicly shame the company.
By the time I joined in June 2021, MinIO was deprecated and we were using an in-house S3 REST API server. I am skeptical that any of the AGPL code was distributed because we just weren't using it around the time that MinIO changed from Apache to AGPL.
I don't know if that makes MinIO bad, better or good but it's all about money.
- What are the consequences for these companies?
- Do they share revenue with the open source projects?
- Can they simply distribute these services without any consequences?
- If not, when and how does a small open source project org track and enforce their license?
See Redis for example, two Israeli dudes took the open-source Redis, made tons of money.
Everyone is happy: the two founders became rich, the VCs became rich.
What about the authors and contributors of Redis? Well thank you for the gift. As a present you can have the privilege to work for us to keep maintaining your bugs. Don't complain too much.
Then you can rewrite the history to make it sound like you created Redis and it's a win, while it's actually just a very smart dude in Italy who wrote most of the software using his own sweat and support from his employer (Pivotal).
He was eventually hired by Redis-the-company, allowed them to use the trademark (originally they were Redis Labs which was a compromise with him), went to their conferences, trained their Redis developers (who contributed to Redis-the-open-source), etc. I assume he was happy with the deal as he spoke positively about them and chose to spend a lot of time with them, and eventually retired after I presume getting a nice amount of money from the decade-long adventure.
In the long term I think this kind of behavior is going to kill open source for things beyond libraries and building blocks.
Everything open on the Internet is destroyed by exploitation of one form or another: appropriation, spam, scams, etc. I've become fond of saying "the Internet is a dark forest."
If people want to make money off open source, then dual licensing is a good way.
Permissively licensing code and then when companies use it as they wish (due to the permissive license), complaining about it does not look good.
Now this is exposed the next question is if Nutanix Objects is just a MinIO wrapper then what value are they even proving here?
If someone is to blame, then it's the company leadership and legal department. As much as we want to make us engineers more important than we are, we are not decision makers. Blame should be put where it belongs.
Imagine a medical doctor or civil engineer claiming that knowing the laws of their professions is "mundane". That's why no one takes programmers seriously.
> we are not decision makers.
You totally can decide to not work on stuff you are not comfortable with. It's not like there's a shortage of software engineering jobs.
Blame lies with those who are complicit by choice, just as much as those who are directing the behaviour.
Oh, come on. Engineers these days are not stupid. While I agree that their boss could plainly lie to them that he bought a commercial license, it was more like, "What will we use for the underlying storage?" "Maybe MinIO, they're S3-compatible and efficient." "Fine. Can we use their code, though?" "Sure, it's open source, and we are a *aaS business, so no problem." I saw this kind of thinking before.
One of the issues with open source software, from a branding perspective, is that you can technically be in the clear, but violate the social contract that implicitly exists in the community. Many companies fail to factor that part in when running licenses through legal.
We use a lot of FOSS in our company. We pay licenses and contribute very little (our job isn't to improve gitlab or docker, we are shipping a software product on top of that), but I wouldn't know where exactly we are in the legal-illegal spectrum to save my life.
I consider myself an employee, not an entrepreneur. If I was an entrepreneur, I sure would happily seek legal advice on what exactly is fair use of open source. But really, I wouldn't know who to trust on the free advice market to figure out what I'm allowed and not allowed to do when starting up. I have absolutely 0 interest in legal stuff and it's mostly scary and confusing to me (and that's probably why I don't do any entrepreneurship, not even a side hustle in consulting), and I wish I and other salary men would be given a break about what the company is doing.
Nutanix shouldn't do what they are doing, but I don't think engineers should be to blame. At the end of the day, if an employee would have to go through everything that the company might not do perfectly right before deciding on a job, we would work nowhere. I wouldn't work for Oracle, but where to draw the line exactly?
I wonder how many other licences they're violating this way.
MinIO uses AGPL which explicitly includes network usage so Nutanix is forced to provide all patches and associated code.
https://github.com/minio/minio/commits/master/LICENSE
This really seems like Nutanix just didn’t include the MinIO NOTICES file in their OSS disclosures for some reason. Something so minor should have been an easy oversight to fix. Without actually testing out Nutanix, it’s hard to know if they are actually violating this part of the Apache license. MinIO isn’t included in their “open source packages we use” webpage, but that’s not where the NOTICES message would need to be included. Either way, it’s odd that things escalated like this.
The newer AGPL versions of MinIO would offer its own licensing challenge for Nutanix (which is part of the reason for the switch to AGPL). But that’s not even what MinIO is focusing on in their post. MinIO also don’t show the version of their software that they claim Nutanix is using. And it’s very possible that Nutanix froze the minio version in April 2021 (quite likely the case).
However, in later releases they seemed to have replaced the minio based protocol adapter with something that they developed in-house in C++ and are no longer using minio in their protocol stack.
- As you said, MinIO was used to translate S3 REST API requests to internal RPCs.
- MinIO was replaced with an in-house S3 API server.
- I distinctly remember seeing a patch 6-12 months ago where MinIO was removed from the build.
Read Apache v2 attribution clauses.
But the parent to your comment says they don't use it (any more)???
If they then continue to redistribute it, they are committing a copyright violation. That’s when there is cause for a lawsuit.
I wonder how it works. What is the act of revoking an open source license exactly? I assume they simply sent a letter and wrote a blog post? Pretty sure in my country it would have no legal force. Is it different in the US?
There's all kinds of specific legal teeth for that behavior.
The press release is high on FUD (can’t revoke an irrevocable license, no evidence presented they have deployed the AGPLv3 version) and low on details why it took them three years to issue a press release when an injunction would have been granted pretty quick if Nutanix were truly in violation of the Apache license.
I don’t claim to know the details but I do know a little bit the rights under Apache2 and (unless my understanding is incorrect) MinIO’s claims are baffling.
They changed their license from Apache recently. https://en.wikipedia.org/wiki/MinIO#Re-licensing
[1] https://drewdevault.com/2020/07/27/Anti-AGPL-propaganda.html
however every company thinks in its own way:
https://itextpdf.com/how-buy/agpl-license
> You may not deploy it on a network without disclosing the full source code of your own applications under the AGPL license. You must distribute all source code, including your own product and web-based applications.
and they also kinda fork the license with this text:
> When using iText 7 Community under AGPL, you must prominently mention iText and include the iText copyright and AGPL license in output file metadata, and also retain the producer line in every PDF that is created or manipulated using iText.
I mean this makes it really hard to trust the license at all, what would happen if I build a server that can modify/create/convert pdfs and release the source code and then I have another program that calls this server internally with an http client, is that still some kind of linking or is it more like mongodb?
I would happily build something with agpl when I could use itext/ghostscript and build something like minio which could then be used behind the scenes, but if that is not possible or if it is a grey zone then I'm not sure if agpl is a cool license at all. every company who uses the agpl writes something different about it, that's why an "official" clarification would be really really cool.
It's the paradox of tolerance: you must not tolerate those who find others intolerable.
It’s a viral license. It infects everything it touches.
Of course, they all differ in subtle ways, so you have to try for yourself.
"2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form."
Afaik Apache only requires you to maintain the copyright when distributing in source form (ie you don’t need to mention the license in binary form) but I’m not a lawyer and maybe misread. The license is certainly irrevocable and patent indemnifying provided you don’t violate it.
You can’t both try to engender good will by releasing your code as OSS and then simultaneously going after someone who would seem to be complying with the terms with FUD. To see the FUD most clearly:
> and we believe they may also be in violation of the GNU AGPL v3 versions of MinIO
If that were the case you’d actually be in a court of law enforcing the license rather than trying to sway any kind of public opinion.
This almost certainly stems from their switch to AGPLv3 to ensure that cloud providers can’t use it as part of their own offering. That’s fair but also provides context on motivation.
That's essentially what I find contentious, is whether "subject to the terms and conditions of this license" it is irrevocable or it is irrevocable irrespective of whether the terms of the license are being violated. With its phrasing I assumed it's the latter.
https://www.nutanix.com/viewer?type=pdf&path=/content/dam/nu...
Looks like it's just there for show.
> we believe they may also be in violation of the GNU AGPL v3 versions of MinIO.
`may also be`? you are not even 100% sure whether they are using your AGPL v3 version? I have no clue, what the heck you were discussing for 3 years.
Moving from Apache-2.0 to AGPLv3 is a clear trap for those who use Minio as part of their commercial offering. With AGPLv3 one needs to "disclose your source code" whereas it's not required with Apache-2.
If you started your "Open source" project with AGPL it is a different thing but to start the project under Apache-2 and few years later introducing AGPLv3 is kind of lame and unethical, IMHO. https://github.com/minio/minio/discussions/12156
Why? The alternative competitors like VMware are better? I'm not up to date on the details but perhaps you may want to elaborate. Thanks.
http://techrights.org/2020/04/28/openwashing-vmware-after-gp...
https://sfconservancy.org/copyleft-compliance/vmware-lawsuit...
MinIO is licensed under AGPL (the current versions, at least): https://github.com/minio/minio/blob/master/LICENSE
It effectively mandates that the modified version needs to be made available: https://en.wikipedia.org/wiki/GNU_Affero_General_Public_Lice...
> The GNU Affero General Public License is a modified version of the ordinary GNU GPL version 3. It has one added requirement: if you run a modified program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the modified version running there.
So the logical first question is: why pick software that is using AGPL? Did the engineers/managers just not care? Did they miss it? I know for a fact that there are many out there who couldn't care less about licenses and compliance. Maybe companies haven't been strong armed into caring about licensing as much as they have been in regards to GDPR, for example?
Secondly, why should the modified version remain a "secret"? Would competition suddenly spring up? Or maybe the project contains tight coupling to the rest of the platform, which could be considered a security risk?
Why isn't open sourcing a modified version something that would take a few hours anyways, since then none of this would be an issue?
(disclaimer: I discuss SSPL below because I find it interesting; apologies for the tangent)
Honestly, the state of software licensing sometimes puzzles me. For example, MongoDB switched over to SSPL altogether: https://www.mongodb.com/community/licensing
> If you make the functionality of the Program or a modified version available to third parties as a service, you must make the Service Source Code available via network download to everyone at no charge, under the terms of this License. ...
Seems like that applies to even patches: https://github.com/mongodb/mongo
> MongoDB is free and the source is available. Versions released prior to October 16, 2018 are published under the AGPL. All versions released after October 16, 2018, including patch fixes for prior versions, are published under the Server Side Public License (SSPL) v1. See individual files for details.
DigitalOcean, for example, proudly advertises managed MongoDB as a service: https://www.digitalocean.com/products/managed-databases-mong...
And yet, to the best of my understanding, the entirety of the DigitalOcean platform isn't open source (even though many projects are): https://github.com/orgs/digitalocean/repositories
Or even anything that might have something to do with MongoDB in particular: https://github.com/orgs/digitalocean/repositories?q=mongo&ty...
It just feels like one of those "rules for thee, not for me" situations, since it wouldn't be feasible for small companies to compete with them. Edit: someone mentioned them probably running the enterprise version which is probably the explanation for this!
That said, the thought experiment of building a company (including all systems) as 100% open source is really interesting, whether such a thing would be feasible if people stopped caring about "guarding" their IP and whatnot.
> And yet, to the best of my understanding, the entirety of the DigitalOcean platform isn't open source (even though many projects are): https://github.com/orgs/digitalocean/repositories
I don't think it's required to open source everything, only the bits that provide the MongoDB service. I don't know if they've done that.
Also, the SSPL seems to be a little controversial [1] as it appears to want to relicence all software it's running near under itself.
[1] https://en.wikipedia.org/wiki/Server_Side_Public_License
Yes, that's my exact point - these things are sometimes full of finer points. I don't doubt that DigitalOcean have talked with MongoDB and have probably figured out some sort of a deal, or another way to offer it as a service (someone mentioned them using the enterprise version, where the terms are probably different).
Though offering MongoDB as a service for a small no-name company all of a sudden seems impossible, unless they actually want to open source lots of their own code.
> Also, the SSPL seems to be a little controversial [1] as it appears to want to relicence all software it's running near under itself.
Of course, there was backlash to it even existing, much like larger companies didn't really like AGPL being a thing either.
Then again, I guess one could argue that MongoDB definitely can create such a license, as a reaction against cloud platforms utilizing their solution: https://www.mongodb.com/blog/post/mongodb-now-released-under...
> This should be a time of incredible opportunity for open source. The revenue generated by a service can be a great source of funding for open source projects, far greater than what has historically been available. The reality, however, is that once an open source project becomes interesting, it is too easy for large cloud vendors to capture most of the value while contributing little or nothing back to the community. As a result, smaller companies are understandably unwilling to wager their existence against the strategic interests of the large cloud vendors, and most new software is being written as closed source.
I don't really have a horse in that race, though in theory such a license would be good for the open source community, whilst its effects on larger cloud vendors are also pretty much clear. Of course, there is a lot of controversy around it and it's not considered "open source" at all by many.
I guess that MinIO or any other company could also do something similar, have dual licenses, where interested parties can pay for commercial usage and whatnot.