This article touches a point I have been wondering about regarding the Notice condition: "But web developers, as a whole, haven’t got the memo."
The JavaScript and npm ecosystems are extremely dependency-heavy. Even if you only take a few yourself, the number of sub-dependencies of even a simple application is often in the hundreds.
Why does "everyone" ignore the attribution of their dependencies and sub-dependencies? Laziness? Risk of getting sued too low? What happens if Oracle buys all the left-pads in the world?
I doubt there's any single answer that isn't tautological. In other kinds of development, like embedded programming, notice files are a part of the cycle. Web developers simply haven't developed the habit.
Which is a real head scratcher, because as a rule, JavaScript developers use JavaScript package managers, and JavaScript package managers, especially npm, provide good license metadata and auditability. You can have an automated tool, usually a plugin for your front-end bundler, compile a pretty good notice file for you, no matter how many direct and transitive dependencies you have.
I think there's also a chicken-and-egg problem, in that it's not exactly clear how to make the notices file for front-end code available. Link from website footer? At the top of the client bundle? Comment at the top of the client bundle, with a URL for the notices files?
I'm not following your train of thought here really. Are you saying that people are stripping out the notice from the source code as a matter of course and then redistributing it?
Are their product/business owners aware of the legal obligations that their developers are signing them up for? Do the developers actually have the authority to enter into these licences?
I use a minimal version of the ISC/OpenBSD license.
- I don't know of anything in the Berne Convention or Title 17, U.S. Code, that would require the phrase "with or without fee" so I remove it.
- I use "work" instead of "software." There's no reason to be over-specific.
- I treat the entire text as one notice, rather than specifying each paragraph separately.
Copyright (c) 2021, MyOrganization
THIS WORK IS PROVIDED "AS IS," WITH NO EXPRESS OR IMPLIED WARRANTIES. THERE
IS NO WARRANTY OF MERCHANTABILITY, FITNESS, NON-INFRINGEMENT, OR TITLE.
NO AUTHOR SHALL BE LIABLE FOR ANY DAMAGES RELATING TO USE OF THIS WORK.
Permission to use, copy, modify, and/or distribute this work for any purpose
is hereby granted, provided this notice appears in all copies.
> Why is there ''and/or'' in the MIT license text? Why is it needed?
It's a stupid lawyer thing. A lot of us still write like this. I'm sorry.
> Does the phrase ''this permission notice'' cover the following disclaimer?
Arguable, but why would anyone bother chopping off the disclaimer?
> Also, what is the shortest possible license that is functionally equivalent to the MIT license?
Form and function aren't so neatly separated in natural language.
> Is this really a license?
It's a cute suckless thing. They're edgy like that, among other ways.
> What about the SQLite blessing?
SQLite holds their work out as in the public domain. But you can buy a license (and some commercial guarantees) to make your company's lawyers happy: https://sqlite.org/purchase/license
The "and" means include and the "or" means optional. It is needed because it basically states your rights on what you can do with the software and means you can distribute if you choose to distribute the software; it is your choice or right to distribute the software (from the MIT License).
The phrase "this permission notice" also covers the "NO WARRANTY" disclaimer for the software because you will have to include the license if you use it in another software but you can provide warranty under a closed source license or your license states you will provide warranties. The "copyright notice" and "this permission notice" means the license.
The shortest possible license that is functionally equivalent to the MIT license is the ISC license, it was created to remove language that is not needed. Read the Wikipedia article here https://en.wikipedia.org/wiki/ISC_license. I do not know other licenses than this.
Technically it is a license but do not use it and it is just probably a joke. The SQL Blessing is technically probably a Public Domain waiver.
Does anyone know of a similar breakdown for licences like GPL v2 and the like? It's a part of programming I feel like I should know more about but never took the time to look at.
> The implied warranty of “merchantability” under UCC section 2-314 is a promise that “the goods”—the Software—are of at least average quality, properly packaged and labeled, and fit for the ordinary purposes they are intended to serve.
So, all goods have an implied warranty requiring they must be of at least average quality? How does that work? Does average have a different meaning in a legal context?
Suppose I sell you an oil filter for your 2019 Mazda. When you get it home, you realize there's a big hole in it, and it can't be used to replace the one currently on your car.
You call me up and I say "I never said it would work in a car, I just said it was an oil filter (true) which would fit into a 2019 Mazda (true)."
The law says "nice try, you can't be that pedantic. The ordinary purpose of oil filters is to actually filter oil in a car, so when you sold it, there was an understanding that it would work for that purpose."
The article doesn't really get it right. This is what the UCC actually says:
(2) Goods to be merchantable must be at least such as:
(a) Pass without objection in the trade under the contract description; and
(b) In the case of fungible goods, are of fair average quality within the description; and
(c) Are fit for the ordinary purposes for which such goods are used; and
(d) Run, within the variations permitted by the agreement, of even kind, quality and quantity within each unit and among all units involved; and
(e) Are adequately contained, packaged and labeled as the agreement may require; and
(f) Conform to the promises or affirmations of fact made on the container or label if any.
Here is what the official comments to the UCC say:
Paragraphs (a) and (b) of subsection (2) are to be read together. Both refer, as indicated above, to the standards of that line of the trade which fits the transaction and the seller's business. “Fair average” is a term directly appropriate to agricultural bulk products and means goods centering around the middle belt of quality, not the least or the worst that can be understood in the particular trade by the designation, but such as can pass “without objection.” Of course a fair percentage of the least is permissible but the goods are not “fair average” if they are all of the least or worst quality possible under the description. In cases of doubt as to what quality is intended, the price at which a merchant closes a contract is an excellent index of the nature and scope of his obligation under the present section.
So if you understand (a) and (b) in unison, it means that you can't sell someone a lot of goods but then send them all below-average quality units. But, of course, a truck load of apples can still have a "fair percentage" of low-quality apples. Where you're selling a single item, like a computer, then (a) is the better lens of looking at it.
None of this is legal advice. I'm not your lawyer.
We’re in English class, not math class. Forget statistics. There is a sense of the word “average” that means “not out of the ordinary; common.” That’s the sense meant here.
Average has exactly the meaning it has in all other contexts. It seems to be a bizarrely common (and obviously incorrect) meme on HN that half of all elements of a set are below average.
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
What’s the reasoning behind asking users to carry around a notice? Why not just let users go without it? Is it for legal reasons or for crediting the authors? I’ve released MIT licensed software before and frankly when someone is using my code, I really don’t care about credit or leaving behind a legacy or such things.
>I really don’t care about credit or leaving behind a legacy or such things.
Then use a different license. In 1-clause BSD and Boost licenses the requirement of preserving copyright notices applies only to source code, while 0BSD and CC0 don't require that at all.
It was typical for software to be distributed in physical media (floppy disks, and, later, CD-ROMs) through brick-and-mortar retail stores. It was not uncommon for someone to sell physical media with otherwise-free software, and so it was desirable to make end-users aware that the software was available for free. The GPL's "accompany it with a written offer... of the corresponding source code" is also an interesting holdover from this era (nowadays everyone just distributes source over the Internet, instead of sending checks and CDs through the mail).
Copyright notices were also typically visible when you first started a program in the 80s and 90s. These were relegated to "about" menus when it became the norm to "design a launch screen that’s nearly identical to the first screen of your app" to make apps feel faster.
Understanding the license in use and the permissions associated with it are important in many contexts. In fact, the MIT license was created in the first place because there were issues associated with just releasing X Windows into the public domain.
How is this “inclusion” typically done for a project that is deployed in compiled format and contains hundreds of libraries with dozens of different licenses? It must be especially difficult on devices where it’s difficult to accept user input or display licenses.
In commercial desktop software I have shipped, it has been a section in help>about with a long list of third party libs each showing a text document.
Great article, similar to a blog post I did recently.
This is a minor nitpick and shouldn't be read as an overall criticism of the author or this post, which is better than the one I did. However, I will note that non-infringement and title are, in fact, implied warranties in the UCC. I'm not sure why the author missed it.
Minor correction: Under UCC § 2-312(3) (link in parent), non-infringement is an implied warranty only if the seller is a "merchant," i.e., one who regularly deals in goods of the kind.
The implied warranty of noninfringement can be disclaimed under § 2-316, and vendors almost universally do so (preferring to make specific express warranties instead when they perceive a market need).
> Lastly, as a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn’t clear whether The MIT License includes a patent license. The general language “deal in” and some of the example verbs, especially “use”, point toward a patent license, albeit a very unclear one.
I think this is a very carefully couched way of saying "the MIT license doesn't protect the licensee from being sued by the licensor for patent violation." If person A has a patent on algorithm X, and he wrote open source code which implements X, and he licenses this code to person B under the MIT (or BSD) license, and B uses the code, it's feasible for A to sue B for patent violation.
For this reason alone, I think MIT and BSD are awful, archaic licenses that should be avoided at all costs. The Apache 2.0 license is a great substitute.
Other very capable analysts have argued that MIT does grant patent rights, either express or implied. They've also argued that other legal rules, especially patent "exhaustion", remove the risk.
I'm with you on this, though. It doesn't have to be broke. We can fix it.
Blue Oak Council, a nonprofit I'm a part of, published a tier-ranked list of permissive licenses. All of those at the top handle patent explicitly: https://blueoakcouncil.org/list
Until 5 minutes ago, I thought myself pretty copyright-savvy. I've spent perhaps $200,000 on IP attorneys over the last couple of decades--far more than most HNers, far less than many others. I also follow IP law loosely because it interests me.
I would be interested in reading a similar piece from the perspective of someone with a background in the law of continental Europe. I adore this piece of writing, but it's very U.S.-centric in parts.
I think most of this (other than the historical references) is in reference to the effective “strong minimum standards” of the Berne Convention, and to the later treaties established between WIPO member nations. Therefore, it’s almost† globally applicable.
† From Wikipedia, WIPO non-members: Kosovo, Federated States of Micronesia, Palau, South Sudan, and the states with limited recognition. Palestine has observer status.
Except there really isn't any agreement on some of the finer details of the license, no matter how much you want to study and understand it. Does the license text have to be included in only the source code or the compiled software? What if the source code of the derived software isn't made public? What is "substantial portions" of the software? Can an MIT project be relicensed? What is the point of any of these clauses then?
While it is a great license, I wish something closer to just public domain would have become the OSS default, since that is what 99% of developers want anyways.
Among more sophisticated users I don't think there's disagreement on this point. The answer is "no", if by "relicense" you mean "remove the MIT license and put in something else". You can never legitimately remove the MIT license from a file unless you're the copyright holder or their authorized agent.
Where there's less than total agreement is whether the MIT license may be subsumed by another license — e.g. the Apache License 2.0 — when an MIT licensed work is bundled within a package. Can you claim that the complete package is available "under the Apache License 2.0", omitting the fact that the licenses are actually polyglot?
The answer to that question seems to be "everybody does that" and "in practice, the legal risk seems to approach zero", but in theory should two licenses ever prove to have incompatible provisions then things could get sticky in a court case.
I did not realize the MIT License had so many variants [1]. Compare that to Apache License 2.0, which has one canonical form [2]. For this reason alone, Apache seems like a plainly better choice (IANAL).
I was hoping for a discussion of the “substantial portions” term. The explanation focuses on use as a dependency, but what if I take some MIT code and modify it and include it directly in my project? What counts as “substantial portion”?
In general it means "this applies to derivative works." At best, it might provide an argument that APIs aren't covered (now that that's a thing). But copyright law doesn't really recognize "substantial portion" as a term of art (though it's arguably related to one of the prongs of a Fair Use inquiry). IANYL but my personal practice is and would be to ignore the word "substantial."
[+] [-] thed|5 years ago|reply
[+] [-] kemitchell|5 years ago|reply
[+] [-] torstenvl|5 years ago|reply
[+] [-] alexchamberlain|5 years ago|reply
[+] [-] sbergot|5 years ago|reply
[+] [-] smlckz|5 years ago|reply
Does the phrase ''this permission notice'' cover the following disclaimer?
Also, what is the shortest possible license that is functionally equivalent to the MIT license?
The shortest ''license'' I've ever seen is this: https://git.suckless.org/dmenu/file/arg.h.html
Is this really a license? What about the SQLite blessing?
[+] [-] torstenvl|5 years ago|reply
[+] [-] kemitchell|5 years ago|reply
[+] [-] TwoPizza9612536|5 years ago|reply
This is not legal advice and I am not a lawyer.
[+] [-] lytedev|5 years ago|reply
[+] [-] grae_euler|5 years ago|reply
[+] [-] qwertygnu|5 years ago|reply
https://writing.kemitchell.com/series/line-by-line.html
[+] [-] ignoramous|5 years ago|reply
[+] [-] stephen82|5 years ago|reply
It's called "A Practical Guide to WordPress and the GPL" and I must admit, it's easy to understand.
[+] [-] tacitusarc|5 years ago|reply
[+] [-] martincmartin|5 years ago|reply
[+] [-] throwaway8581|5 years ago|reply
[+] [-] danaliv|5 years ago|reply
[+] [-] torstenvl|5 years ago|reply
[+] [-] systemvoltage|5 years ago|reply
[+] [-] torstenvl|5 years ago|reply
Additionally, the Berne Convention recognizes a "moral right" to claim authorship.
https://wipolex.wipo.int/en/text/283698
[+] [-] xeeeeeeeeeeenu|5 years ago|reply
[+] [-] cbhl|5 years ago|reply
[+] [-] ghaff|5 years ago|reply
[+] [-] NewJazz|5 years ago|reply
[+] [-] kemitchell|5 years ago|reply
[+] [-] alkonaut|5 years ago|reply
[+] [-] shawnz|5 years ago|reply
[+] [-] sidpatil|5 years ago|reply
[+] [-] torstenvl|5 years ago|reply
https://www.law.cornell.edu/ucc/2/2-312
[+] [-] dctoedt|5 years ago|reply
https://www.law.cornell.edu/ucc/2/2-316
[+] [-] eeZah7Ux|5 years ago|reply
[+] [-] SeanLuke|5 years ago|reply
[+] [-] kemitchell|5 years ago|reply
We also published a model permissive license, which comes with a very explicit, very broad patent grant: https://blueoakcouncil.org/license/1.0.0
[+] [-] tomcam|5 years ago|reply
Turns out I'm still a tyro.
[+] [-] rdpintqogeogsaa|5 years ago|reply
[+] [-] derefr|5 years ago|reply
[+] [-] paxys|5 years ago|reply
[+] [-] rectang|5 years ago|reply
[+] [-] kemitchell|5 years ago|reply
It's not everything anyone ever wanted, but we think it's a lot closer.
[+] [-] lanius|5 years ago|reply
[1] https://fedoraproject.org/wiki/Licensing:MIT
[2] http://www.apache.org/licenses/LICENSE-2.0
[+] [-] xixixao|5 years ago|reply
[+] [-] torstenvl|5 years ago|reply
[+] [-] notRobot|5 years ago|reply
[+] [-] lekevicius|5 years ago|reply
[+] [-] ChrisMarshallNY|5 years ago|reply
I am glad to see an actual IP lawyer's view on this thing.