The term “open source” can be tricky. For many people, it’s taken to mean that a particular piece of software is free and that they can do whatever they wish with it. But the reality is far more complex, and the actual rights you’re afforded as the user depend entirely on which license the developers chose to release their code under. Open source code can cost money, open source code can place limits on how you use it, and in some cases, open source code can even get you into trouble down the line.
Which is precisely what the Fedora Project is looking to avoid with their recent decision to reject all code licensed under the Creative Common’s “Public Domain Dedication” CC0 license. It will still be allowed for content such as artwork, and there may even be exceptions made for existing packages on a case-by-case basis, but CC0 will soon be stricken from the list of accepted code licenses for all new submissions.
Fedora turning their nose up at a software license wouldn’t normally be newsworthy. In fact, there’s a fairly long list of licenses that the project deems unacceptable for inclusion. The surprising part here is that CC0 was once an accepted license, and is just now being reclassified due to an evolving mindset within the larger free and open source (FOSS) community.
So what’s the problem with CC0 that’s convinced Fedora to distance themselves from it, and does this mean you shouldn’t be using the license for your own projects?
The Right Tool for the Job
Those familiar with the Creative Commons and their family of licenses may find the most surprisingly element of this story is that the Fedora Project once accepted CC0 for software in the first place. After all, the intent was always to create a series of licenses specifically for creative works. The goal of the organization and its licenses is literally right in the name.
A successor of the earlier Open Content Project, Creative Commons was founded in 2001 to “overcome legal obstacles to the sharing of knowledge and creativity” by providing a free framework by which individuals and organizations could release things such as music, artwork, or educational material. But software was never part of the equation. Why would it be? Seminal software licenses such as the GNU General Public License and the MIT License had already been available for over a decade at that point.
To avoid any ambiguity the Creative Commons even addresses the issue in their FAQ, making it clear that not only are their licenses not a good choice for software, but that better options already exist:
The Patent Trap
If an organization goes out of their way to tell you that what they have developed is not fit for a particular purpose, it seems to go without saying that you should probably take their word for it. The Creative Commons FAQ outlines several excellent reasons their licenses shouldn’t be used for software, but among them, there is one that particularly stands out for users like the Fedora Project — patent rights.
This might seem counterintuitive, since the CC0 license is intended for public domain works and clearly states that the creator is “waiving all of his or her rights to the work worldwide under copyright law” by using it. But the problem is that patents aren’t covered by copyright law. In fact, a look at the full-text version of the license shows that CC0 contains a troubling clause under “Limitations and Disclaimers” that addresses this specifically: “No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.”
In other words, while the creator may be willing to give up the copyright to whatever has been licensed under CC0, they are still free to patent it. More troubling, they still reserve the right to leverage that patent however they see fit. Theoretically, that means the developer who originally released a piece of source code under CC0 could later claim that anyone who used the code was infringing on their patent, and potentially demand royalties.
Playing With Fire
It’s pretty clear why the Fedora Project would be worried about something like this. Imagine a piece of CC0 licensed code gets merged with one of the system’s core packages, and ends up being distributed to millions of users. Suddenly the original developer emerges from the shadows, claims patent infringement, and demands compensation. Could Fedora’s lawyers, or more likely Red Hat’s, beat such a claim? Maybe. Is using CC0 code worth running the risk of finding out for sure? Not a chance.
It’s worth mentioning that this is by no means a new concern. In fact, the patent clause is what kept the Open Source Initiative’s (OSI) License Review Committee from being able to conclusively determine if CC0 actually met their definition of an open source license back in 2012. The Committee couldn’t reach consensus, as members were concerned that putting such language in a software license would set a dangerous precedent. Given its tumultuous history, Fedora’s decision to ever accept CC0 in the first place is even more perplexing.
But what does that mean for the individual hacker? Should you use CC0 for your own projects? It depends on what you’re looking to accomplish. CC0 is fine choice if you want to give away a creative work (such as a song, poem, or piece of art) and aren’t concerned about what happens with it in the future, but according to Creative Common’s own documentation, it simply wasn’t designed with the unique aspects of software licensing in mind.
A better question might be, should you use CC0 code that you find floating around on the Internet? The answer to that is more nuanced, but given everything we’ve just gone over, one must wonder what kind of developer would still chose to use it. Unless you’re prepared to deal with the consequences of finding out, I’d suggest you leave it alone.
I wonder what the list of affected Fedora software is.
nothing makes me want to write less code than licensing. also if github didn’t force me to chose a license, id upload more code. if i want to give away something i made for free, i should be able to do that without wading eyeball deep in legalese.
this is why I CC0 everything I make
I just don’t care either
I wish I could add a CC0+ meaning “I promise I won’t be evil forever” or something
it feels ridiculous that I have to say it though…
If only google had managed to figure out the “forever” bit.
I also do public domain dedications on almost everything I make. None of it is good enough for commercial use, so if you find it useful, cool, but I don’t need people contacting me for it’s use. It’s free; knock yourself out.
add a clause to your will…
MIT-0 License is what you’re looking for.
Translated, it says “You can use and modify this software however you want, with no restrictions or conditions”
That’s precisely the problem. Using and modifying the software says nothing about associated patents. Whereas licenses like Apache 2.0 protect people against patent claims.
Isn’t that the point of having a couple of common licenses which you can pick with just a couple of clicks? As far as I understand it as soon as you create the work you own the copyright, and just giving it away with a promise that you’ll never sue anyone who uses it isn’t legally safe, so organisations who care about this won’t touch it. *Not* adding a license is legally much more restrictive than picking one of the ones Github makes easily available or.
Just slap an Unlicense on it:” Do whatever you want with this, but I’m not responsible or liable for it”.
Literally any Free Software Foundation approved license is OK to use. Where exactly lies your problem picking one?
“Any” is still too many. Why do so many exist if they’re all suitable?
This is the problem, and I concur with OP.
Simple, they are not all suitable for every individual/companies desires – maybe they want accreditation when you are using their work, maybe they want you to have to provide all modifications you make ‘copyleft’, or maybe they just don’t give a crap at all.
Any and all of those are fine for the folks that are writing code and don’t really care what happens to it, they never have to do anything about it again and if somebody does breach the more restrictive terms it doesn’t matter to them. But it may get the term breaker in hot water.
If you really care at all what you pick then do the little bit of research, ONCE. You can then pick whichever you prefer every time trivially from now on…
I use AGPL. Hardline.
I use MIT for library code, AGPL for end user stuff. But MIT is a pretty good default for people like OP who don’t care how others use the code they post.
Public Domain.
There is no such thing as a human creation that is public domain. Only ‘facts’ like information can be public domain.
This is because some entity still needs to claim title over the works, to then give away those rights over the works that were automatically granted by law.
So a name needs to be on it. So any other claimant that may have rights around the works has an entity to prosecute in law.
Any music by “gan ainm” is public domain.
Not knowing Irish law (I’m assuming Irish based on the name) I cannot comment on how that actually works. The issue is that many nations have implicit copyright on works. Meaning you cannot actually release it to the public domain until that copyright period has expired.
Even more annoying, is in some jurisdictions, you can actually copyright a _collection_ of public domain works. Because you put the work in to putting it together. So, you might not be able to relase public domain works as public domain even.
Basically, pick an open license, when that copyright expires, it goes to public domain.
@LordNothing said: “nothing makes me want to write less code than licensing. also if github didn’t force me to chose a license, id upload more code.”
You should always have a copyright statement and a license in place, if anything to protect you by stating ownership and limiting liability and warranty. Take the “Unlicense” for a spin. Full permissions, no conditions, limited liability and warranty.[1][2]
1. The Unlicense
https://choosealicense.com/licenses/unlicense/
2. Unlicense
https://en.wikipedia.org/wiki/Unlicense
Would you be ok if I took your source code, sold it as commercial software, and then patented it and litigating others for using an idea you made?
That’s what a license protects.
Technically if he doesn’t specify a license, no one can use his code (except GitHub, I guess, because it’s licensed to them under their terms of service). In the US all works are automatically copyrighted, so OP would have to explicitly license it so others could use it.
lol You’d upload more code and then promptly lose the right to work on any of it that was worth having. The rest of the computing community will survive without your special contributions.
malicious patent troll patents SomethingCool and releases some CC0 code somewhere
coder1 adds that to a library under BSD or MIT2clause
coder2 adds it to Microsoft’s code
coder3 reverse engineers it
coder4 puts it in some GPL3 front-end tool
So, which one committed the patent infringement? The idea that copyright, trademarks, and patents are completely separate concepts was nice, but flew out the window when patents were issued for recipes.
I hope they use a little common sense, like continuing to accept CC0-licensed code this not innovative and has clear long-standing examples of prior art. If I want to release my text alignment widget under CC0, I don’t see a problem.
There’s nothing stopping a troll from slipping a quick one past the patent examiners and fling an infringement claim, but that’s true of any code, not just code that’s licensed under CC0, and if there’s a clear lineage of prior art, it should be easy to invalidate.
Pete, maybe you can say something like “This text alignment widget is released under the terms of CC0, with the exception that I waive and grant full licenses to all of my trademarks and patents that apply to this text alignment widget.”
Now you’ve made a new license that will need separate approval, and it’s not worth it most of the time
> but that’s true of any code, not just code that’s licensed under CC0
not all code. For example, the Apache 2.0 license, or the BSD 3-clause Plus Patent license, include a license to any applicable patents on the code, so that anything that would be infringing is no longer.
No expertise, but I’d say 1, 2 and 4 are definitely infringing the patent. 3 probably isn’t, assuming I’m understanding it correctly.
I CC0 everything I release because I can’t stand the legalese surrounding this hobby
I wish I could CC0+, promising “I won’t be evil in perpetuity” or something, but it feels ridiculous to even have to say it…
Then you’re using the wrong license. Did you even read the article? CC0 is falling out of favor specifically because of the hidden legalese like this.
Just look at the full text, it’s 3x as long as something like that BSD or MIT license.
It has nothing to do with ‘hidden legalese’. It’s specifically to do with an explicit lack of legalese on the part of CC0.
Since Fedora/RedHat has this to say about the Unlicense:
“Fedora recommends use of CC-0 over this license, because it is a more comprehensive legal text around this tricky issue.”
https://fedoraproject.org/wiki/Licensing/Unlicense
I’m guessing Unlicense may be added to the list soon.
Why would anyone be surprised that Fedora changed their policies? I am reminded of a story where Abraham Lincoln changed his stance on some issue. Someone questioned him and his answer was something like, “I’m smarter today than I was yesterday”. Smart people are always ready to learn and make changes accordingly.
Articles like these help software developers to choose the right license. Clearly CC0 is WRONG for software. The people who put CC0 together say so, the Fedora crew has now seen the light, so get with the program.
PS – I think everything I put on github is GPLv2 — just for the record.
Out of curiosity, what’s keeping you from switching to GPLv3?
That was an interesting read, thanks. Seems like a reasonable decision. Is it legally complicated to switch licenses I wonder?
Generally speaking, all authors must agree to relicence
Given the history of software I’m surprised to see so many comments that people would rather not choose a license at all and just CC0 everything. That’s what a lot of early programmers in the 60s and 70s did only to get burnt by companies later.
I have no use for all those non-comm licenses but it’s GPL or at least LGPL for anything I am going to give away free!
Indeed, wonder what these commenters’ stance is on privacy… i bet its ‘i have nothing to hide’
Privacy? We are talking about open source software here. I.e. the decision to share has been made long ago.
id rather share code because if i don’t its going to rot on my hard drive until entropy consumes it. it has nothing to do with privacy. i keep more code private than i upload to github. if i make something i think others can use i like to share it. most code i write isnt fit to share, is something very specific (say the firmware to a one off gadget i made), or if i have plans to commercialize it. when i do hand out free code, i like to do so unconditionally.
id rather not license at all. cc0, unlicense, and even beerware are all still licenses. im not sure if public domain is technically a license or not. i think that’s just a state of being licenseless because all licenses have expired. and by that i think all works should be public domain by default if released without a license.
Unfortunately, that’s not how this works. Copyright is automatically afforded to the author, so at any point you could turn around and say “Oh, that stuff I didn’t license? I never said you could use it.” And the courts would side with you. Discerning people will not build upon your software.
The whole point of CC-0 is because many countries do this, to the point where even just saying “this is public domain” isn’t enough.
The term “open source” is just a marketing stunt to pull free software its teeth.
And they are succeeding in washing our brains. Quoth the article:
“The term “open source” can be tricky. For many people, it’s taken to mean that a particular piece of software is free …”
See? It’s working.
Corporate prefers “permissive” (see? another subtle term: permissive to whom?) licenses they can strip-mine while keeping their stuff close to their chest.
The next escalation is here: Github Copilot. Why is it that Microsoft strip-mines all code out there (be it MIT, GPL and what not) and doesn’t its own code?
IT’S A TRAP!
Two reasons to default to an ‘all rights reserved’ license if none is given: accidental and malicious release. I’m sure there are more. I’m specifically thinking about the ‘Acerthorne accidental live stream’. I have some ‘straw man’ examples as well but I am saving those for Zozobra. ;)
I thought a section of a talk given by the former Busybox/Toybox developer was good and relevant.
https://youtu.be/MkJkyMuBm3g?t=1528
Section of the talk about GPL enforcement.
https://youtu.be/MkJkyMuBm3g?t=300
Problem is, depending on how you look at it, a lot of other “free” software licenses aren’t really free but copyleft. Which is why some people wanted to use CC0, intending for it to be in the public domain, whereas other “free” licenses often have all kinds of rules and restrictions attached to them.
Probably what is wanted and needed is establishing or strengthening the public domain protections in each country and then drafting new licenses if needed to make sure the software is dedicated to the public domain.
http://copyfree.org/ lists some competing “free” licenses and some of their limitations
I don’t think the reasoning makes any sense. Of the commonly used open source licences only Apache and Mozilla licenses even mention patents. For example, GPLv2, BSD or MIT licenced code could be a patent trap.
In addition, the patents being about monopolizing ideas instead of implementation, you don’t need to be original author to attack with patents. And even Apache or Mozilla licenses patent licence from the original author. If somebody else owns the patent, you can still be sued if you distribute product using patented ideas.
CC-0 is no worse than MIT, GPLv2 or BSD when it comes to parent patents. It’s not meant for software but the license very clearly gives you all the rights possible when it comes to copyright. And if you read the GPLv2 license, it’s based purely on copyright law.
GPLv2 does have protection against patent traps. Licenses are a very complex topic which is best left to lawyers to discuss. If Fedora lawyers did this, you can bet they have a very strong legal reason to do so.
https://wiki.endsoftwarepatents.org/wiki/GNU_General_Public_License_Version_2
Various lawyers have said that some of those licenses have an implied patent grant…
Wtf? Have you all forgotten the red hat lawsuit from the 1990s? If open source is going to work it has to be because patent trolls have absolutely nothing to sue over
This is a major problem across the industry right now. Many developers apply licenses to code while not fully understanding the deep implications of the license they choose. Sometimes, developers also mix and match code with different incompatible licenses on repos like GitHub, and due to the high number of contributors it will never be realistically possible to fix the mess without a full rewrite.
I tried a few times to advocate for developers to reconsider their choice of license, but either there were external contributors that were unreachable so it was not possible to re-license, or, sometimes, I got butt-hurt reactions too…
Some websites, particularly Thingiverse or Printables, offer a very limited set of licenses, forcing users to choose certain licenses (mostly CC licenses !!!). There is no BSD or Apache license for instance, which is super unfortunate.
I wish Systemd and PulseAudio were released under the CC0 licence! :)
If you want to release code sans license then simply do it anonymously.
And make the code completely useless for anyone who has to stay legal.
Your unlicensed code cannot be legally used by anyone else. Copyright law says only the author may use it.
Putting your released code under a license grants other people the right to use your code.
Look at Audacity. Is started off as open-source free software. Then it was bought by a company which added telemetry and spyware to it to limit what users could do… all in the name of legality.
I hate to say it, but it kinda looks like we all have to code and compile our own stuff Linux-From-Scratch-Style in order to avoid this trap.
I hate computers!
There is a work-in-progress license called the Worldwide Public Domain Dedication (WPDD) [1], based on CC0, that I think is sort of like the CC0+ you described. It’s basically just CC0 modified to include patents, but it’s not a finished license yet, it’s better not to use it yet.
[1] https://jxself.org/wpdd.shtml