I frequently assert that the Affero GNU Public License (AGPL) is a nonfree license. People always seem surprised that I say this, or say I’m wrong, because the anticapitalist zealots at the Free Software Foundation have endorsed it and have got other organizations to certify it as free software.
It’s very obviously not. Don’t believe the hype. Let’s review:
Here’s the actual text of the AGPL.
(The part you want is section 13, “Remote Network Interaction”.)
Freedom 0: The freedom to run the program as you wish, for any purpose.
Freedom 1: The freedom to study how the program works, and change it to make it do what you wish. Access to the source code is a precondition for this.
Freedom 2: The freedom to redistribute copies so you can help others.
Freedom 3: The freedom to distribute copies of your modified versions to others. By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.
The FSF and many others regard an important consequence of freedom 0 as a bug. That consequence being that you can take publicly available free software, make modifications to it, and run it privately in service of your business.
They call this the “Application Service Provider” (ASP) loophole, and they really don’t like it, because capitalists leverage software that they so graciously gave away as a gift to, you know, make money. Many other businesses that use the term “open source” for street cred (such as MongoDB and now famously Hashicorp and previously Redis) also don’t like it, because they are engaging in open source cosplay as marketing for their business and don’t actually give a shit about software freedom.
The problem is, Freedoms 2 and 3 are negative rights - they are freedoms to have the option to redistribute without interference from the copyright holder, not an obligation to do so. Using free software, even modified free software (freedom 1), to run a business is a clearly protected activity under freedom 0.
(Of course, licenses like the GPL can create obligations to distribute source code - but only if you are actually distributing software first, but that’s not comparable, because software and services simply are not the same thing, despite the common usage of the term “SaaS”. There’s a fundamental and material difference between me handing you a calculator and me telling you that the answer to 2+2 is 4.)
They see this as bad, because they think you should be forced to publish your modifications to the software you use internally, even if you don’t want to. This is, among other things, a major violation of your personal privacy (this is actually the main reason that I personally hate the AGPL - it’s compelled speech).
The AGPL is a license that attempts to force you to publish your modifications to the software you use internally, by requiring you to publish the source code of the software you run on a server (not strictly true, more on this later), if you make it available to users as a network service. The problem is, you can’t actually do this in a software license. A software license deals in permissions, not obligations. You can’t force people to do things with a software license, you can only grant them permission to do things. The AGPL is a license that grants you permission to run the software, but only if you agree to use that same software, in process, to publish your modifications to the software you run on a server. This is not a software license, but what is commonly referred to as an “end user license agreement” (EULA), because it has more than just a copyright license in it. EULAs are very distinct from software licenses (though they frequently include a software license within them).
Free software is and has always been against EULAs, because of freedom 0.
They’re trying now to square the circle, because freedom 0 is fundamentally incompatible with forcing people to use software a certain way (that is, to make it a requirement that the service you provide over a network to your customers also provides them with the modified software source code to that same service).
It’s a EULA pretending to be a copyright license.
The AGPL is a nonfree license, because it violates freedom 0 by restricting the purposes for which you can use the software (such as keeping its own source code private). It violates freedom 1 as well, by restricting the set of modifications you can make to the software (such as removing the anti-privacy misfeature the AGPL requires that the software furnish its own source code to users over the network).
It restricts how you may use and modify the software to prevent uses that the FSF doesn’t like. The FSF is, at the core, being dishonest about this because they are trying to scam people into believing that it isn’t a EULA, because “everyone knows” that EULAs are violations of freedoms 0 and 1.
It’s not just me saying this. Hector Martin (@marcan), founder and former lead dev of the Asahi Linux project (Linux on M-series Macbooks), wrote the following:
I really wish the FSF would stop pushing this nonsensical license and misleading everyone into thinking it does things it doesn’t. Their PR around it absolutely does not reflect the actual wording and consequences of the license. It’s deceptive and harmful to the free software ecosystem.
Now, let’s get to the actual nitty gritty: the AGPL as written is impossible to actually comply with in normal everyday use, and I would venture to say that every single developer working on AGPL software is violating the license every single time they touch it.
As a consequence of this I suspect it’s unenforceable in practice. (To date, it has never been adjudicated at trial.) I’m not a lawyer, and this is not legal advice.
To wit, AGPL Section 13, “Remote Network Interaction”:
Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.
This was obviously written with webapps in mind; they’re trying to compel people who run such software to link to a download of the source code used to provide the service. There are several problems with this, both conceptual and practical.
Conceptually, this exists to allow end users to download the source and do something meaningful with it, such as modify it further for their own purposes. Let’s look at the biggest and most used SaaS in the world for an example. If I gave you the complete source code to Google, would that allow you to do something meaningful with it, such as run your own search engine with your local modifications? It’s a ludicrous proposition, and the logical basis for such a requirement is fundamentally damaged. Software isn’t services and services aren’t software.
But, let’s skip that for a moment. Let’s say you’re a developer and you clone an AGPL repo, and run the server locally. You’re all good, the in-app link still points to the source code. Then you make a change and “npm run” to try it out, but now the link in the app points to the original version upstream, not your version running on your local computer. License violation! So you update the link to point to your modified copy. Oops, there’s no way to do that - your version only exists on your laptop, which isn’t running a webserver or is behind NAT; no URL to your modified copy exists to link to. So you push your code up to a public git repo, and change the link to point to that. Now you’re in compliance again, but only for a moment. The first moment you make a change, and re-run the server (without committing and pushing your change to the remote public repository first), you’re violating the license again as the network service is running but the source code is not available to any users thereof.
This is a fundamental problem with the AGPL. It’s impossible to use AGPL software in a normal development process that is compliant with the license terms. The only way you could do it, I think, is to embed the complete source code of the program into the binary itself, and serve it directly from there. This works for webservers, but what about, say, a database server, that has no way of serving arbitrary files to end users? Or must we include a listening HTTP port in every AGPL program? What about that pesky freedom 1 that allows us to modify the program in any way we see fit (such as removing an unnecessary web server component)?
The AGPL sucks in every way you look at it. It’s damaging to the free software movement, because it undermines the credibility of the FSF and enables charlatans like Minio, Matrix/Element, Proxmox, Bitwarden, Anki, Mastodon, Mattermost, and many many others to get all of the public credibility of being an open source project, without actually being free software, or respecting software freedoms.
Credit where credit is due: I’ve harbored these feelings for a long time, but it wasn’t until marcan really laid it out specifically that I was able to crystallize these thoughts into a fully formed opinion.
The core issue here is that people now seem to believe that releasing software under free software licenses morally obligates the recipients to release their modifications in turn (which is more readily encapsulated in the viral copyleft provisions of the original GPL, tellingly one of the least popular open source licenses).
The problem is, it’s simply not reasonable. It only got amplified because people were using modified free software to make gobs of money, to which the original authors then felt entitled. They believed that because they spent time, effort, and money making software, that the changes that others made should correspondingly be “contributed back” to them, because “big rich corporation” and “little guy”.
Gifts absolutely do not work like that. To release free software is to give a gift to the world, freely. It is not a transaction, and it does not confer any requirement on the recipients of those gifts to “give back”. Amazon taking Redis and modifying it and selling it as a service doesn’t cost the original authors a single thing or harm them in any way, and the idea that they are entitled to anything in return is simply a delusion.
When you give free gifts to the whole world, you are also inseparably and simultaneously giving free gifts to the rich and powerful. You are giving gifts to people who will use your software to do harm, to violate the privacy of their users, to make money off of your work, and to otherwise personally enrich themselves in any way they can possibly imagine. This is the value of free software to the world. Freedom 0 is fucking important.
Famously, Douglas Crockford used the MIT license with a custom modification when releasing JSLint:
The Software shall be used for Good, not Evil.
This was a little bit of a joke, but notoriously rendered the license nonfree, as such a restriction plainly violates freedom 0.
We explicitly have the right to use free software to do Evil. (“Evil” in the eyes of the licensor, of course.)
I support this wholeheartedly. It is analogous to supporting free speech for those who say things you don’t like.
Other nonfree license examples that restrict use are the Hippocratic License (prohibitions against violating human rights, war, surveillance, etc), Peace Public License (no military or law enforcement use), and the Do No Harm License (prohibitions against use for war and weapons and fossil fuels).
The FSF and others now see Freedom 0 as a “loophole” that needs to be closed, that their gifts should come with strings attached if you’re going to use them to run a service to make money. This is a fundamentally broken and toxic view of software freedoms. “Use it for anything, but not like that” renders your position fundamentally unserious.
There’s a common trope of calling open source software users “entitled” because they file snippy bug reports, or demand features, and otherwise act ungrateful for the gifts that they receive. This is a valid criticism of the community.
The problem is that open source developers are acting even more entitled with their embrace of the AGPL: entitled to violate the privacy of their users who use their (freely given!) source code because they’re modifying it to make money. If you want a EULA on your software, stop giving it away as free software, duh. You don’t get it both ways.
Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.