I enforced the AGPL on my code, here's how it went
Published: 20-10-2020 | Author: Remy van Elst | Text only version of this article
Table of Contents
Five years ago I made a website that allowed you to put in a few domains and get an email when the SSL certificate was about to expire. No ads, no fuss, just an easy way for people to keep tabs on their sites without setting up their own monitoring like Nagios. As with all of my software, I released it under the GPL, specificaly the AGPL due to it being web based software. The AGPL differs from the GPL on one point, simplified, you have to release the source of any modifications you make under the same license, even when you host the software (not distribute) online. With the regular GPL, you don't have to release the source if you provide a modified version online, only if you distribute it.
Recently I found a company that hosted certificatemonitor, with some modifications (branding and a dutch tanslation), without any reference to its origin, no source code provided and no mention of the license. I'm not going to link to the company, you can see the screenshots, but I don't want to give them any extra exposure.
In this article I'll talk about what I did to enforce the license and how it went.
TL;DR, not as expected. The company responded timely and friendly, but did a half assed
attempt (added a link to my site with
Inspired By Remy as the text), then after my
complaints, took down the entire site.
I was a member of the Free Software Foundation Europe back in 2010 and have donated many times to the Software Freedom Law Center / Software Freedom Conservancy (the thing Bradley always talked about on the Linux Outlaws Podcast) and at work I'm the goto guy whenever we get a GPL request for our coffee machines, so you might say I have a heart for open source. If anyone from the SFC or FSF or GPL violations.org is reading this and wants to do more with it, please send me an email.
I license all my personall stuff under the GPL and AGPL (where applicable) and dislike the permissive licenses (MIT, 3 clause BSD, X11, Apache) because they allow people to take your stuff and never contribute back. I prefer strong copyleft licenses that force you to contribute. Here is a good article going into permissive vs copyleft licensing.
The following two paragraphs are taken from the Plausible.io article explaining their license switch. I found them to explain the AGPL so well, that I cited them here. Please go read their article, I found out that Google has a anti AGPL policy by reading their article.
What are the benefits of the AGPLv3?
The AGPL license is identical to the original GPL license with the only additional term being to allow users who interact with the licensed software over a network to receive the source for that program.
AGPL is designed to ensure corporations contribute back to the open source community even when running the software as a service in the cloud.
If you used AGPL-licensed code in your web service in the cloud, you are required to open source it. It basically prevents corporations that never had any intention to contribute to open source from profiting from the open source work.
It explicitly prohibits corporations from parasitically competing with an open source project. They won't be able to take the code, make changes to it and sell it as a competing product without contributing those changes back to the original project.
Here's that extra paragraph:
If you run a modified program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the modified version running there
What are the restrictions with the AGPLv3?
A corporation needs to be clear and provide a prominent mention and link to the original project so people that are considering to use their version of software can be aware of the original source
If a corporation modifies the original software, they need to open source and publish their modifications by for instance contributing back to the original project
Hey, that looks a lot like my code
I sadly only took a few screenshots on my phone, so I cannot show more than this, but the similarities will be more than clear. In the email conversation we had, they ackowledged that it was my code, so there's no doubt on that.
Here are the pictures, including the statement that triggered my enforcement action (their copyright).
First the FAQ items on my original code and next to it their translated version:
- Their headings are collapsed, but match mine, translated in dutch.
- Their cert check times are exactly the same as mine.
- They claim full copyright as authors (which is wrong, they're not authors and its not their copyright)
Here's the confirmation page after you've signed up.
- The blue
Email:is exactly the same (twitter bootstrap styling).
- The green
Confirmationis exactly the same.
- They've added call a to action "Buy Now" button
Last but not least, here is the confirmation email you get after signing up.
- The confirmation link has the same UUID format
- The date time format matches
- It lists the IP you signed up from
They however forgot to remove the
Unsubscribe link from the first email,
To receive no more emails, click this link and then, no link to click.
Our email conversation
It was pretty hard to find an actual email address for this company. Nothing listed on their website, just a contact form. Hidden on their jobs page I found a job listing which included an address and on their General Terms and Conditions page their was a support address.
Maybe thats just me, but every major support ticket system supports emailing, next to web portals. Please let me just send an email instead of forcing me to use a webpage.
So I decided to go for the Jobs email, not a large organisation so probably no dedicated HR, big change that jobs go right to the founders.
Our email conversation was polite and they responded in a timely fashion, within days, other GPL requests I did never got any response or took at least two weeks for an initial reply, they did score some points there.
I'll summarize the emails for those who do not speak dutch.
My first email stated that their tool looks a lot like one I wrote a few years ago and that they probably should provide the source code. I stated that they did provice the source/links on another tool they host (ssl decoder) and that they should do that here as well. I also noted the dificulty in finding an email address.
Their first response, three days later, says some companyspeak thank you for your service, we looked into it and indeed, we are using your code for 3 years, without providing any attribution. We've added something to the footer, if you want textual changes, please let us know.
I sadly did not take a screenshot of the new footer text, but it said
Inspired by Remy, and linked to this site. That's not how it works guys,
my first email was clear enough, full source code and license, not this crap.
It really is not that hard to create a new github/gitlab repo, do one initial
commit and never touch it again.
My response said, in a more civil way, that they should provide source code under the same license.
Four days later, they responded, stating that they had discussed internally and decided to take the site offline.
That concludes our conversation, they took down their site and never complied with the license. I think they're not violating it now, but have done for a few years.
How should they have acted?
They should have provided the source code to anyone asking, preferably online, right from the start when they set up their service. Even if they would not have named me, but had provided source code, it would be fine by me.
I'm not sure how long their site was online (they state 3 years in the email), but they have been violating the license all that time, and the half-assed attempt ended badly. I suspect their service was not used that much, because they just took it down without notice. I hope all their subscribers know of it, since they will never be notified if their certificate is about to expire.
When I still hosted this code myself, I had about 20,000 (twenty thousand) domains being checked. When I cancelled the service, each and every one of those domains got a message notifying them that their service would be cancelled after 30 days with a few alternative services they could use.
And you know what the strange thing is? They have also hosted the SSL decoder, another piece of software I wrote in the same vein, with a link to the source code. Here's an image where you can see the URL and at the bottom, the license and source code link:
So why do it there but not on the other site? I suspect it's because they changed the source code to translate it, and the ssl decoder site doesn't seem to be changed.
A good example (sig-i/o)
A friend and fellow revspace member Mark Janssen has also hosted these services. Read his post here, where he states that he has forked the repositories, links to the source code and has used the same license for the forks.
If you want to use the software I made, please use Mark's versions here:
- https://ssldecoder.eu -- Print information about site-certificates or CSR's
- https://sslmonitor.eu -- Get mail notifications about expiring certificates
- https://cipherlist.eu -- Recommended TLS/SSL configurations for populair services
It's not that hard to provide the source and use the same license. "Just do it".Tags: agpl , blog , gpl , legal , license , php , security , ssl