Return-Path: X-Original-To: apmail-legal-discuss-archive@www.apache.org Delivered-To: apmail-legal-discuss-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 35EDC10908 for ; Sun, 15 Sep 2013 12:57:12 +0000 (UTC) Received: (qmail 92685 invoked by uid 500); 15 Sep 2013 12:56:49 -0000 Delivered-To: apmail-legal-discuss-archive@apache.org Received: (qmail 92313 invoked by uid 500); 15 Sep 2013 12:56:32 -0000 Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: Reply-To: legal-discuss@apache.org List-Id: Delivered-To: mailing list legal-discuss@apache.org Received: (qmail 92306 invoked by uid 99); 15 Sep 2013 12:56:30 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 15 Sep 2013 12:56:30 +0000 X-ASF-Spam-Status: No, hits=3.2 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_SOFTFAIL X-Spam-Check-By: apache.org Received-SPF: softfail (athena.apache.org: transitioning domain of contact@taoeffect.com does not designate 208.97.132.177 as permitted sender) Received: from [208.97.132.177] (HELO homiemail-a6.g.dreamhost.com) (208.97.132.177) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 15 Sep 2013 12:56:26 +0000 Received: from homiemail-a6.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a6.g.dreamhost.com (Postfix) with ESMTP id 2097E59806C for ; Sun, 15 Sep 2013 05:56:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=taoeffect.com; h=from :content-type:message-id:mime-version:subject:date:references:to :in-reply-to; s=taoeffect.com; bh=HXVQgSjkkM9WQ0R+2UWLNcgu3gY=; b=GzcG/Q7QA1uN95mVzvAP2QEcFkX4/LHsocl1vHsKqLjXRMAhwNsfRoXGuu+U2 OzC9wsUjg2VXHr8irs+1b4L9n/Nj51osolEXagM76y7wCV6DOgFPEPGmuZhSephY FrjYXW00JqL7mwFQ4PreUPFQLAisH40C+K2SnqpYvO1OIA= Received: from [192.168.2.2] (ip98-180-48-204.ga.at.cox.net [98.180.48.204]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: support@taoeffect.com) by homiemail-a6.g.dreamhost.com (Postfix) with ESMTPSA id CD7DC59806B for ; Sun, 15 Sep 2013 05:56:04 -0700 (PDT) From: Tao Effect Content-Type: multipart/signed; boundary="Apple-Mail=_519F9494-6ADB-4673-AFA8-5A039AC4A8EF"; protocol="application/pgp-signature"; micalg=pgp-sha1 Message-Id: <326DEF1F-1CDF-433A-A295-33520DF352EA@taoeffect.com> Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) Subject: Re: Serious problem with the Apache Contributor's License Agreement (CLA) v2.0 Date: Sun, 15 Sep 2013 08:55:59 -0400 References: To: legal-discuss@apache.org In-Reply-To: X-Mailer: Apple Mail (2.1508) X-Virus-Checked: Checked by ClamAV on apache.org --Apple-Mail=_519F9494-6ADB-4673-AFA8-5A039AC4A8EF Content-Type: multipart/alternative; boundary="Apple-Mail=_6705A8FD-FBF1-4595-AE3C-1F1E18EEF99D" --Apple-Mail=_6705A8FD-FBF1-4595-AE3C-1F1E18EEF99D Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 > And thanks for your emails. Thanks Chris! And thanks for your reply as well! BTW, good morning list! ^_^ Disclaimer: I haven't had my coffee yet. > Probably in the legal definition either of a collective work = (something > that incorporates your > licensed work or contribution, but in a "black box" way, by not = changing > it); or a derivative > work (something that incorporates your licensed work by taking it and > directly modifying it > in some fashion). That would be my read on it. Oh boy. OK. I'm just going to put off addressing this for now because I = don't think we've quite reached the point where it's been proven that = the FAQ matters at all. If that is somehow proven (and I doubt that it = will be), then I'll try to wrap my head around the concepts involved = here and see if the issue remains. There's still also the problem that = both our "reads"/"interpretations" of the text are just that, and the = text itself is too vague to limit itself to any one specific = interpretation. > IANAL. K, well then are you an agent of the ASF who is authorized to make = authoritative legal interpretations of the intent/meaning of Apache's = legal documents? > It's relevant in that the ICLA is a part of the ASF, as is the FAQ = that is > part of the > legal documentation of the ASF. >=20 > Further, http://www.apache.org/licenses/ is referenced in the ICLA, = and > thus > so is the FAQ page [linked from the prior page] and thus > so is the http://www.apache.org/foundation/license-faq.html page = [linked > from the prior page] I see multiple problems here: - By what authority is it the case that the fact that one link was = included in the AL* (with absolutely no context for why it was included) = is an indication that the agreement being signed is not the entire = agreement, and that additional parts of the agreement can be found = through any number of nested links within that link that was included? - Through the "licenses" link I could probably reach every page on the = internet. Where is it specified what reachable links are valid and what = reachable links are invalid interpretations of the license? - The FAQ page has been updated several times in the past, and will = likely continue to be modified in the future. Which version of the FAQ = page is being agreed to by the signer of the agreement? Is this version = somehow preserved somewhere in a method that can verify its = authenticity? This discussion also sidesteps the very serious issue of the fact that = the AL's have been copied by various organizations for their own = purposes. These copies usually contain this text verbatim, but with all = the references to the ASF removed, including the (rather useless, IMO) = link to the ASF license FAQ page. All of these copies can no longer be said to be matched to the ASF's = internet/meaning, whatever it might be. A single bad apple is all it = takes to ruin it for everyone, and really ruin it for the person who = just lost all of the patent rights. If that were to happen, I can see it = potentially setting off a panicked reaction throughout the entire = community. The fact that Numenta, Inc. was able to see this problem with the AL and = went public about it sets a legal precedent that legitimizes the evil = interpretation of the AL, which can then be used in a court of law to = uphold said evil interpretation. My blog post hit the front page of Hacker News last night. Here's a link = to the comments: https://news.ycombinator.com/item?id=3D6387660 The comments include some interesting perspectives: > jwecker 11 hours ago | link | parent | flag >=20 > I don't believe a single stated "No" in the FAQ will be very = meaningful, except to point out that even the creators of the license = failed to notice the loophole. > Edit: Also, the fact that the interpretation can exist and is in = written form is what suddenly makes it an issue, at the very least for = anyone going forward. (IANAL) >=20 And this one: > =09 > SEMW 11 hours ago | link >=20 > > many open source licenses have exactly such terms in order to fight = software patents > This misses the point. If you want an atypically wide patent grant = (covering not just patents infringed by your contributed code, but also = to future contributions by other people which infringe a patent of = yours), then that should be done openly and explicitly. Not by the = backdoor with a clause that doesn't appear to do that but could be = interpreted as doing do if you took it to its logical conclusion. >=20 > (Though it's pretty clear that doing do wasn't actually their = intention, given their FAQ denies that interpretation - see DannyBee's = post) >=20 =97 I'm looking for a straight answer from an authorized agent of the ASF to = this question: If the ASF does not intend to allow for the evil interpretation of their = ALs as described in these emails, then will the ASF make this clear = within the text of the ALs themselves? If not, what is the reason for = the refusal to add the clarification? Thanks, Greg Slepak * AL =3D All of the Apache Licenses (CLA and otherwise) that include the = questionable patent clause. P.S. Please forgive all typos you come across. I still haven't had my = coffee or breakfast and am getting cranky. :-p -- Please do not email me anything that you are not comfortable also = sharing with the NSA. On Sep 14, 2013, at 10:42 PM, Chris Mattmann = wrote: > Hi Greg, >=20 >=20 > -----Original Message----- > From: Tao Effect > Reply-To: > Date: Saturday, September 14, 2013 7:31 PM > To: > Subject: Re: Serious problem with the Apache Contributor's License > Agreement (CLA) v2.0 >=20 >> Hi Marvin, >>=20 >> Thanks for your reply! >=20 > And thanks for your emails. >=20 >> [..snip..] >>=20 >>=20 >>=20 >> Note, however, that licensable patent claims include those that you >> acquire in the >> future, as long as they read on your original contribution as made at = the >> original time. >>=20 >>=20 >>=20 >> This sentence is rather unclear to me. It sounds like what it's = intending >> to say is that you grant a license to any future patent claims you = make >> should they be based on "your original contribution"? If so, how, >> exactly, must they be "based on" it? >=20 > Probably in the legal definition either of a collective work = (something > that incorporates your > licensed work or contribution, but in a "black box" way, by not = changing > it); or a derivative > work (something that incorporates your licensed work by taking it and > directly modifying it > in some fashion). That would be my read on it. IANAL. >=20 >>=20 >> Also, this FAQ is not in any way referenced in the agreement that is >> actually signed, so I don't see how it is relevant to the discussion. >=20 > It's relevant in that the ICLA is a part of the ASF, as is the FAQ = that is > part of the > legal documentation of the ASF. >=20 > Further, http://www.apache.org/licenses/ is referenced in the ICLA, = and > thus > so is the FAQ page [linked from the prior page] and thus > so is the http://www.apache.org/foundation/license-faq.html page = [linked > from the prior page] >=20 > Cheers, > Chris >=20 >=20 >=20 >>=20 >> Kind regards, >> Greg Slepak >>=20 >> -- >>=20 >> Please do not email me anything that you are not comfortable also = sharing >> with the NSA. >>=20 >>=20 >> On Sep 14, 2013, at 9:56 PM, Marvin Humphrey >> wrote: >>=20 >>=20 >> On Sat, Sep 14, 2013 at 4:38 PM, Tao Effect = wrote: >>=20 >> I recently finished a rather long exchange with Numenta, Inc. on a = matter >> related to a paragraph taken from the Apache CLA v2.0. >>=20 >>=20 >>=20 >> For what it's worth, similar language exists in the Apache License = 2.0. >>=20 >> [..] it appears to allow an interpretation that states that I=B9m >> potentially >> giving away royalty-free licenses to all the software patent claims I = ever >> make should I make a single contribution to NuPIC, whatever it may = be. >>=20 >>=20 >>=20 >> If I understand correctly, your concern is that once you've made a = single >> contribution under an iCLA (or the ALv2), a malevolent party might >> contribute >> something to the same "Work" at some point in the future which = infringes >> against an unrelated patent of yours, unfairly wresting a patent = license >> from >> you. >>=20 >> For example: >>=20 >> * An employee of Apple contributes some documentation to Dr. X's >> open-source >> cryptography library. >> * Dr. X subsequently adds a GUI to his cryptography library which >> utilizes >> "slide to unlock". >> * Dr. X has obtained a patent license from Apple for "slide to = unlock". >>=20 >> Does that illustrate your concern accurately? If so, I believe that = this >> FAQ >> entry is relevant: >>=20 >> http://www.apache.org/foundation/license-faq.html#PatentScope >>=20 >> [...] >>=20 >> The only patent claims that are licensed to the ASF are those you = own >> or >> have the right to license that read on your contribution or on the >> combination of your contribution with the specific Apache product = to >> which >> you contributed as it existed at the time of your contribution. No >> additional patent claims become licensed as a result of subsequent >> combinations of your contribution with any other software. Note, >> however, >> that licensable patent claims include those that you acquire in the >> future, as long as they read on your original contribution as made = at >> the >> original time. [...] >>=20 >> Numenta discussed the matter with their legal team and decided to add = a >> few >> words to eliminate the dangerous interpretation. They announced this = via a >> blog post: >>=20 >> = http://numenta.org/blog/2013/09/03/numenta-contributor-license-v1-1.html >>=20 >>=20 >>=20 >> IANAL, but my understanding is that that provision is there to guard >> against >> submarine patents. I'd be curious whether the change described in = that >> blog >> post weakens protections against contributors sneaking in technology = for >> which >> patents subsequently "surface" and for which royalties are demanded = from >> end >> users. >>=20 >> Marvin Humphrey >>=20 >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org >> For additional commands, e-mail: legal-discuss-help@apache.org >>=20 >>=20 >>=20 >>=20 >>=20 >=20 >=20 >=20 > --------------------------------------------------------------------- > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org > For additional commands, e-mail: legal-discuss-help@apache.org >=20 --Apple-Mail=_6705A8FD-FBF1-4595-AE3C-1F1E18EEF99D Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252
And thanks for your = emails.

Thanks Chris! And thanks for your = reply as well!

BTW, good morning list! = ^_^

Disclaimer: I haven't had my coffee = yet.

Probably in the legal definition either of a collective = work (something
that incorporates your
licensed work or = contribution, but in a "black box" way, by not changing
it); or a = derivative
work (something that incorporates your licensed work by = taking it and
directly modifying it
in some fashion). That would = be my read on it.

Oh boy. OK. I'm just going = to put off addressing this for now because I don't think we've quite = reached the point where it's been proven that the FAQ matters at all. If = that is somehow proven (and I doubt that it will be), then I'll try to = wrap my head around the concepts involved here and see if the issue = remains. There's still also the problem that both our = "reads"/"interpretations" of the text are just that, and the text itself = is too vague to limit itself to any one specific = interpretation.

IANAL.

K, well then are you an = agent of the ASF who is authorized to make authoritative legal = interpretations of the intent/meaning of Apache's legal = documents?

It's = relevant in that the ICLA is a part of the ASF, as is the FAQ that = is
part of the
legal documentation of the ASF.

Further, http://www.apache.org/licenses/ is referenced in the ICLA, and
thus
so is the FAQ page [linked = from the prior page] and thus
so is the http://www.apac= he.org/foundation/license-faq.html page [linked
from the prior = page]

I see multiple problems = here:

- By what authority is it the case that = the fact that one link was included in the AL* (with absolutely no = context for why it was included) is an indication that the agreement = being signed is not the entire agreement, and that additional parts of = the agreement can be found through any number of nested links within = that link that was included?

- Through the = "licenses" link I could probably reach every page on the internet. Where = is it specified what reachable links are valid and what reachable links = are invalid interpretations of the license?

- = The FAQ page has been updated several times in the past, and will likely = continue to be modified in the future. Which version of the FAQ page is = being agreed to by the signer of the agreement? Is this version somehow = preserved somewhere in a method that can verify its = authenticity?

This discussion also sidesteps = the very serious issue of the fact that the AL's have been copied by = various organizations for their own purposes. These copies usually = contain this text verbatim, but with all the references to the ASF = removed, including the (rather useless, IMO) link to the ASF license FAQ = page.

All of these copies can no longer be said = to be matched to the ASF's internet/meaning, whatever it might be. A = single bad apple is all it takes to ruin it for everyone, and really ruin it for the person who = just lost all of the patent rights. If that were to happen, I can see it = potentially setting off a panicked reaction throughout the entire = community.

The fact that Numenta, Inc. was able = to see this problem with the AL and went public about it sets a legal = precedent that legitimizes the evil interpretation of the AL, which can = then be used in a court of law to uphold said evil = interpretation.

My blog post hit the front page = of Hacker News last night. Here's a link to the comments: https://news.ycomb= inator.com/item?id=3D6387660

The comments = include some interesting = perspectives:


jwecker 11 = hours ago | link | parent | flag=

I don't believe a single=20= stated "No" in the FAQ will be very meaningful, except to point out that even the creators of the license failed to notice the = loophole.

Edit: Also, the fact that the interpretation can exist and is in written form is what suddenly makes it an issue, at the very least for anyone going=20= forward. = (IANAL)


And this one:

SEMW 11 hours = ago | link
> many open source = licenses have exactly such terms in order to fight software = patents

This misses the point. If you want an atypically wide patent grant (covering not just patents infringed by your contributed code, but also to future contributions by other people which infringe a patent of yours), then=20= that should be done openly and explicitly. Not by the=20 backdoor with a clause that doesn't appear to do that but could be=20 interpreted as doing do if you took it to its logical = conclusion.

(Though it's pretty = clear that doing do wasn't actually their intention, given their = FAQ denies that interpretation - see DannyBee's = post)




  =  =97

I'm looking for a straight answer = from an authorized agent of the ASF to this = question:

If the ASF does not intend to = allow for the evil interpretation of their ALs as described in these = emails, then will the ASF make this clear within the text of the ALs = themselves? If not, what is the reason for the refusal to add the = clarification?

Thanks,<= /div>
Greg Slepak

* AL =3D All of the = Apache Licenses (CLA and otherwise) that include the questionable patent = clause.

P.S. Please forgive all typos you come = across. I still haven't had my coffee or breakfast and am getting = cranky. :-p

--
Please do not email me anything that = you are not comfortable also sharing with the NSA.

On Sep 14, 2013, at 10:42 PM, Chris Mattmann <mattmann@apache.org> = wrote:

Hi Greg,


-----Original Message-----
From: = Tao Effect <contact@taoeffect.com>
Rep= ly-To: <legal-discuss@apache.org><= br>Date: Saturday, September 14, 2013 7:31 PM
To: <legal-discuss@apache.org><= br>Subject: Re: Serious problem with the Apache Contributor's = License
Agreement (CLA) v2.0

Hi = Marvin,

Thanks for your reply!

And thanks for = your emails.

[..snip..]



Note, however, that licensable = patent claims include those that you
acquire in the
future, as = long as they read on your original contribution as made at = the
original time.



This sentence is rather unclear to = me. It sounds like what it's intending
to say is that you grant a = license to any future patent claims you make
should they be based on = "your original contribution"? If so, how,
exactly, must they be = "based on" it?

Probably in the legal definition = either of a collective work (something
that incorporates = your
licensed work or contribution, but in a "black box" way, by not = changing
it); or a derivative
work (something that incorporates = your licensed work by taking it and
directly modifying it
in some = fashion). That would be my read on it. IANAL.


Also, this FAQ is not in any way referenced in the = agreement that is
actually signed, so I don't see how it is relevant = to the discussion.

It's relevant in that the ICLA is = a part of the ASF, as is the FAQ that is
part of the
legal = documentation of the ASF.

Further, http://www.apache.org/licenses/ is referenced in the ICLA, and
thus
so is the FAQ page [linked = from the prior page] and thus
so is the http://www.apac= he.org/foundation/license-faq.html page [linked
from the prior = page]

Cheers,
Chris




Kind regards,
Greg Slepak

--

Please = do not email me anything that you are not comfortable also = sharing
with the NSA.


On Sep 14, 2013, at 9:56 PM, Marvin = Humphrey <marvin@rectangular.com>
w= rote:


On Sat, Sep 14, 2013 at 4:38 PM, Tao Effect <contact@taoeffect.com> = wrote:

I recently finished a rather long exchange with Numenta, = Inc. on a matter
related to a paragraph taken from the Apache CLA = v2.0.



For what it's worth, similar language exists in the = Apache License 2.0.

[..] it appears to allow an interpretation = that states that I=B9m
potentially
giving away royalty-free = licenses to all the software patent claims I ever
make should I make = a single contribution to NuPIC, whatever it may be.



If I = understand correctly, your concern is that once you've made a = single
contribution under an iCLA (or the ALv2), a malevolent party = might
contribute
something to the same "Work" at some point in the = future which infringes
against an unrelated patent of yours, unfairly = wresting a patent license
from
you.

For example:

* =   An employee of Apple contributes some documentation to Dr. = X's
open-source
  cryptography library.
* =   Dr. X subsequently adds a GUI to his cryptography library = which
utilizes
  "slide to unlock".
* =   Dr. X has obtained a patent license from Apple for "slide to = unlock".

Does that illustrate your concern accurately?  If = so, I believe that this
FAQ
entry is relevant:

=   htt= p://www.apache.org/foundation/license-faq.html#PatentScope

=   [...]

  The only patent claims that are = licensed to the ASF are those you own
or
  have the = right to license that read on your contribution or on the
=   combination of your contribution with the specific Apache = product to
which
  you contributed as it existed at the = time of your contribution. No
  additional patent claims = become licensed as a result of subsequent
  combinations = of your contribution with any other software. Note,
however,
=   that licensable patent claims include those that you acquire = in the
  future, as long as they read on your original = contribution as made at
the
  original time. = [...]

Numenta discussed the matter with their legal team and = decided to add a
few
words to eliminate the dangerous = interpretation. They announced this via a
blog post:

http://numenta.org/blog/2013/09/03/numenta-contributor-license-v1-= 1.html



IANAL, but my understanding is that that = provision is there to guard
against
submarine patents.  I'd = be curious whether the change described in that
blog
post weakens = protections against contributors sneaking in technology = for
which
patents subsequently "surface" and for which royalties = are demanded from
end
users.

Marvin = Humphrey

----------------------------------------------------------= -----------
To unsubscribe, e-mail: legal-discuss-unsubsc= ribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.or= g








--------------------= -------------------------------------------------
To unsubscribe, = e-mail: legal-discuss-unsubsc= ribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.or= g


= --Apple-Mail=_6705A8FD-FBF1-4595-AE3C-1F1E18EEF99D-- --Apple-Mail=_519F9494-6ADB-4673-AFA8-5A039AC4A8EF Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJSNa5jAAoJEI1U5HQGoWbs1OIIAIkpIRkUzg7YPlUFBGmWyhRy W3SC/j+0DlhLa34cvNHOTtDepfN9M185OeXgMRE7Wju/sQPbzYZeVM4wF+2kaVRU 2POGVuvQCWOUrahoYog2JtfCn/N6OC4tRFvVZLMHsQTv2/Pl/I1VBZcUBR0Xw1sD yOADoEFouVCtc13BUxozM33DJWd4+5PRhyWtTKUAF3TqoJ98ZNbmDvocKlQdrkR0 C5Uq8Wlga+IrxIAGUTLCHNHF2fLLC4rUrNwUzqMTr46YZ+hV6a0C6EkvEtDuLth3 KI9pqewCPPCSZvD2Z8GOk4raorraQ0XezPPHeHePCgSXlk7sXoVDetYZ6/UMSr8= =zzP9 -----END PGP SIGNATURE----- --Apple-Mail=_519F9494-6ADB-4673-AFA8-5A039AC4A8EF--