After growing rancor within the fledgling GraphQL community, Facebook, this week, announced that it would be changing the license associated with the GraphQL specification. The GraphQL.js reference implementation and the client-side framework known as Relay will also both be changed to the MIT License.
This has been the week for Facebook to attempt to expunge the BSD + Patents licenses it had been using for its open source projects up to this point: earlier this week the company announced a license change for React and other open source projects under the BSD + Patents license. Instead of that license being associated with the GraphQL specification, and with any implementations thereof, the specification will now be licensed under the Open Web Foundation’s Agreement.
This clears up a great deal of confusion around what exactly Facebook was attempting to do with its previous licensing model. Some would argue that the company was simply protecting itself in new and interesting ways, similar to how companies like IBM and Oracle patent everything defensively to head off potential patent trolls down the road.
Facebook had, in fact, patented GraphQL outright back in 2012. The underlying understanding with their community was that this would protect everyone from patent trolls, specifically because the BSD + Patents license allowed for Facebook to counter sue anyone suing them over patent infringement around the GraphQL specification.
In the end, however, these types of rights are of little concern to the end developer, and having another license in the basket to deal with made things more difficult for everyone at the table. This is a common pattern that has been repeated in open source for many years. Companies like to think they are special and require their own unique license to get involved in open source. Microsoft tried it with Codeplex. Sun always liked its own licenses, like CDDL.
They always come back to the major licenses: GPL, MIT, and Apache. Sun licensed Java under GPL, and Microsoft now loves the Apache 2. These are the licenses corporations and lawyers understand. Companies that try something different see their projects circumvented: hence Preact.
This happens so often that the Apache Foundation has its own category for incompatible licenses: Category X. This makes sense, as ensuring open source license compatibility is a major way that such foundations and standards bodies can help enterprises better get their minds around all this legal mumbo-jumbo.
In Apache’s case, even the GPL is included in Category X. That’s because the GPL is more stringent than the Apache license: that’s the whole point of these two licenses not being compatible. In July, Facebook’s BSD + Patents license was placed in this category, and the GraphQL and React communities have been poking Facebook to make a change ever since.
Facebook tried to defend its position and gave a fairly hard “no” to the community in August. Obviously, they decided to move fast and break things, this time around. In the end, it’s better for everyone involved, and most importantly, it’s better for the GraphQL community, which is right at a crucial stage of formative development.
Bruce Perens, open source pioneer and the fellow who actually created the legal definition of the term “open source,” said that Facebook has been trying to figure this license thing out for a while now and that despite this week’s change, it’s still not gotten things right.
He pointed out that the previous license essentially granted users of GraphQL free use of the patent behind the standard, but also stipulated that this usage forbade the ability to sue Facebook over any patent infringement, anywhere. Perens suggested that IBM’s clout within the Apache Foundation may have led to that organization’s dislike of the BSD + Patents license.
Perens went on to say, however, that the OWFa license is little used, and offers a significant and terrifying loophole to its patent grants.
The problem, said Perens, is in paragraph 8.6, subsection 2 of the OFWa license, which reads:
8.6. Permitted Uses. “Permitted Uses” means making, using, selling, offering for sale, importing or distributing any implementation of the Specification 1) only to the extent it implements the Specification and 2) so long as all required portions of the Specification are implemented. Permitted Uses do not extend to any portion of an implementation that is not included in the Specification.
That means patent permissions are only granted to full implementation of the specification. This could lead to some very ugly repercussions, said Perens.
“They don’t want to give you their patents if you implement one tiny piece,” said Perens. “Say you implement one line of the standard, and it’s done in a totally unrelated program to the standard, and you say to the judge, ‘I had a license from the standard patent grant.’ Facebook doesn’t want to be taken advantage of that way, so they say you have to implement all required portions of the standard. That’s asking too much. I would agree with a wording like, ‘a substantial portion of the standard.’ If you say all required portions, you’re not allowing people to innovate in the standard. They can’t expand it or drop things they don’t want.”
Even worse, said Perens, such a clause could lead to a bug invalidating patent protection grants. Imagine a bug that disables a feature of the standard so that it’s not functioning. Would this enable the patent grant to be invalidated, as a crucial piece of the specification was not implemented?
The problem is, said Perens, that Facebook may indeed have to write its own license to get what it wants out of this open source specification for GraphQL. And that’s OK, he said. The problem is not that Facebook has tried to do this its own way, but rather, that Facebook has done this in the dark and simply thrown newly licensed software over the wall.
“They need more community review before they drop these on us. Maybe they shouldn’t give it to us, maybe they should propose something first,” suggested Perens. Considering that this week’s licensing changes are all now live in the wild and winding their way into business projects is definitely a good argument for working with the community, rather than simply choosing and then changing the decision a few months later due to controversy.
Feature image via Pixabay.