AGPL and the cloud: what are your obligations?
Affero GPL and Cloud Applications
The Affero version of GPL (AGPL) license, issued by Free Software Foundation in late 2007, goes one step further, extending the GPLv3 rules to applications that are not distributed. These include software developed mainly for in-house applications and software deployed in web-services or cloud applications. Specifically, if the software deployed in a cloud application contains, in its entirety or modified form, any AGPL-licensed software, the source code for the entire running application must be made available to the community.
AGPL obligations, in summary are the following:
- Freedom of use - no license fee to use, modify, redistribute.
- Copyleft - reciprocal usage & disclosure/permission requirements.
- Source Code Provision requirement – source code must be provided with any distribution (propagation) of code (original and modified).
- Modifications are allowed, but all modified files must have their source code freely available for use and modification by others.
- Combination with other code is NOT permitted unless the other code is compatible or can be converted to GPL terms [copyleft].
- Anti-Circumvention Protection - no code covered by GPLv3 may be included in or constrained by any anti-circumvention mechanism (technical or legal).
- Software Patent License Grant - a software patent that is based in any part on GPLv3 code and distribute the product, you are deemed to grant a license to use, modify and redistribute that patent to all downstream users of the product.
- “Tivo-ization” clause - if your product (that uses or is based around GPLv3 code) is bound by other licensing terms that are restrictive or otherwise incompatible with GPLv3, you may not convey (distribute) the product.
Certain versions of popular web applications such as SugerCRM, Launchpad and PHP-Fusion are licensed under AGPL.
Just like traditional software, it’s important to know what is in your code as early as possible before it goes to market. As with all quality management processes discovering your license obligations early in the development process reduces the cost and time spend fixing problems right before the product is released. Many cloud applications are not distributed, and therefore do not fall under obligations associated with many copyleft licenses, except the recent ones such as AGPL. To gain a clear understanding of third party components and their license obligations a process must be put in place where external content is identified, tracked and managed. This can be done within a structured open source adoption process, either manually, or increasingly deploying automated tools.