The Arch community: we like to live dangerously

I think the easiest way would be to require licensing every new PKGBUILD going forward as well as asking every maintainer to change the license of their current PKGBUILDs, then after the 4 months are over make all of the packages that did not get responses from maintainers public so that someone else in the community can create a new PKGBUILD without copying the original. It'd probably be good to see which maintainers have gone inactive or died in the meantime anyway, so having an overall picture of the maintainership should be useful in any case.

We talked about copyright, now let's talk about copywrong

Glue code (generally anything that makes two other things compatible) like this is not considered under copyright in the EU, just like the viral piece of the GPL is not enforceable in the EU. This is been discussed a lot on the EUPL blog, but the basis is Directive EC 2009/24.

I think that the automated emails can be sent and awaited for response. You apply the license for those that respond or any new project. And those old that keep will be slowly replaced anyway. Its far better then a consent by no reply. Its not that they have a problem right now about this.

Consent by silence, is actually a thing in germanny. Here it is mostly used in business contracts where someone offers you someting, you give them money and take the offered goods. This is scalable to fairly large transactions but is used by businesses less often since it can be quite ambigous.

The "implicit consent" sounds like a big enough problem to make this approach infeasible IMO. It shouldn't be too difficult to script automated consent emails to all contributors, and only apply 0BSD to those files that are fully in the clear. Then the regular contributors can over time rewrite the PKGBUILDs or their parts that didn't get full relicensing consent.

Germnan here: In Germany, "public domain" translates to "no copyright protection applies". I'm commenting because I was confused about the way you explained it xD

The problem is not the license itself, but licensing it after the upload without the consent of the original author. I would much prefer that every author updates the packages with accepting the new license. The is the only correct way.

Hi Brodie. This is also why the Linux kernel _cannot_ be relicenced from GPLv2 to GPLv3+. As far as i understand, they had an internal discussion about it just for the sake of the argument, and they found that because several of the developers are _dead,_ they cannot ask everyone for permission to relicense. Torvalds personally _strongly disagrees_ with teh changes in the GPLv3, so even if he could relicense, he _will_ not. The Arch build script issue has the same legal problem. Not everyone can be contacted anymore for various reasons. They are therefore bound by the current legal terms, which as the lawyer explained is that the individual contributor retain _All Rights Reserved._

The quickest way to get started is to require new entries to have a license (basically you're not allowed to post a script without selecting a license). For existing ones: 1. Ask contributors to specify a license of their choosing (while providing the preference for 0BSD, MIT-0, or another "good" license). 2. If the maintainer does not respond within timeframe X, mark the build script as "unlicensed" / "all rights reserved" and maybe even "deprecated". I think for that reason, any online platform as a clause in their ToS that grants them a license to the content you post there.

Not specifically Brodie: Most legal systems actually have laws about the "it's common sense" part. Like if Google were to suddenly try and Trademark the phrase "to google something", it is commonly understood that this does not associate with Google and thus they'd fail to establish that. If something has always worked in a certain way there is a general expectation that it will continue to do so, at least in a lot of legal systems across the world. This is a point that has been argued many times over too.

It should be clear that any update that is done to the pkgbuild from now on means that you agree to use BSD-0, when uploading to the AUR it should prompt you this message that you need to agree to. That way, any new/updated/used package would have a proper agreement over it. And I guess that should give Arch more legal ground.

"On the flip side" if you use the phrase twice you'll end up where you started from.

Thanks for the subtitles!

US public domain dedication is a gray area in the sense that it is covered in fog and heavily mined. The 1976 copyright act allowed authors to dedicate their work to the public domain, but 1988 Berne Convention Implementation Act superseded it and did not leave that option, also the current statute allows an author to cancel a transfer of ownership, and by extension also a PD dedication (if you can convince a judge that the 1988 act didn't supersede that part of the 1976 act) - so you cannot rely on PD dedication to be in effect forever, OTOH there's case law about software that was made available through a public free exchange to be automatically considered PD - so the AUR has that going for it. But as I said - it's a set of hidden legal land mines and the best IANAL advice I can give - if it says "public domain", run away as fast as you can.

I actually had a discussion with the legal people in my organisation regarding close topics, it was for configurations, simple scripts and dockerfiles etc, and i would put buildscripts here too - here is what they said: A) Configurations and alike is not considered reacing "Verkshöjd" översätts "threshold of originality", "level of originality", "creative work of authorship". "modicum of creativity" eller "the author's own intellectual creation". (you also touch this in this video). B) We dont have public domain-concept in law in Europe , but we can use the CC0 (creative commons zero) to achieve roughly the same thing.

This is a super valuable video. I had no idea the Unlicense was so problematic.

Copyright, The legal framework that destroys everything we like, allows lawyers to fight needlessly to get big Corps money and ultimately creates soooo much admin you wish big Corps were not so damn greedy in the first place to make this an issue.

If one of the original contributors of an existing pgkbuild isn't reachable for relicensing and they need to re-write it "from scratch"... in like 99% of cases the resulting package source will just be exactly the same as it was before since that's just how you build the thing. This seems very silly.

Was wondering when you were gonna cover this, saw it pop up in my email inbox and immediately thought "Brody is going to make a video on this..." 😂

The notable exception. Arch Linux, my beloved.

I would like to inform everyone that the operating system I use is the one discussed in the video

if they solve it now, then they can avoid a pressing issue later. Its like a land mine under their feet. I think its a good idea to get it over with now, since there are no issue yet and most people will be positive to it. The only thing that feels weird is the 4 month timeframe. They coud make it mandatory for all package updates and new packages. Within a years most, if not all of them, would have switched organically.

In Germany you could even make the argument that a license in English may not be legally binding. But I don’t know the answer to that question.

code copyright _generally_ works like it does for spreadsheets, the raw data/functionality of a program is not copyrightable, but the formatting and non-functional structuring of the code is, US and EU are generally pretty clear on this, it's elsewhere you run into issues.

If public domain is in trouble, we all are! Sqlite is public domain!

In sweden recipes are not copyrightable. This could be the same over here. We also dont really have public domain.

Disclaimer: I'm not a lawyer and this is not legal advise. IMO I think it makes sense to take care of this now rather than to wait for this to potentially become an issue. The earlier you can clear up legal ambiguities like this the better.

I figured the build files would fall under the same copyright as the project itself. but then if it's not created and maintained by the project creator then it complicates things. in that case it would be copyright owned by whoever wrote it and whatever license they give it. same as any other project, the build files themselves are copyrightable.

The public domain doesn't even exist in software. The closest that we have is the Unlicense license, which, I think, is better for international enforcement because it doesn't rely on individual jurisdictions' interpretation of public domain, but rather has explicitly written out what is and isn't allowed by the license itself.

I'm actually pretty surprised that no one asked Rankin/he didn't look at it before this got merged, since he is a very prominent and active person on the arch mailing list. It kinda seems like an obvious thing to do before sending out that change notice.

What about copyleft or the licenses of Elastic, MongoDB or more recently Redis? Wouldn’t they force things like pkgbuilds to be in their license? That’s probably the interpretation that lead to OpenSUSE licensing each in the packages license

If things like PKGBUILD are copyrightable, we are very lost.

Legal gray areas are there for lawyers to get gain

I don't personally like the entire concept of build scripts needing licensed. There has to be some commonsense line where we don't bother licensing code. If I share a line or two of Bash with someone to help them accomplish something, should it now be licensed? Of course not, but the same logic stands. At some point we need to just use commonsense. I never even considered "licensing" my build files: they are essentially just instructions on how to use the licensed code.

Can't have opensource without long discussions of software licenses where nobody involved is a lawyer

Not grandfathering in the old packages seems like a no brainer in this case tbh, this gets rid of 'consent by lack of objection' issue, and eventually all packages will get migrated or deprecated over time

As has been said before doing it on future packages makes more sense. I also think it might be more interesting to just define package build.

I suspect SteamOS is the one most at risk from unlicensed PKGBUILDs. The other Arch based distro mostly aren't that important. But Valve is a target. At the least, Arch should specify going forward that contributions need to be BSD0. The "implied consent" argument might fail for someone saying "i contributed to Arch, not SteamOS".

0BSD seems to be about as close to public domain as you can get without actually being public domain. I like it. I think it should be on new build scripts going forward, but too much work to do for all existing build scripts.

I think the issue also depends on where the org register. If it is registered in US and no official branch in other country, then it is not a "real", but a "technical" legal issue. And for the future, add the requirement that all contributed build script must be under certain license, and after a few years, as build scripts get updated along with the packages, the issue will auto phase out itself.

Zero-clause BSD may not be a good choice. IIRC, in some places a license can be retracted by the authors, so a license that wants to simulate public domain would need to be more elaborate to ensure the receivers of the copies continue having rights if the author decides to take things back and leave the open source world.

I am surprised the Un-license doesn't poly-fill the license with legalese for _the closest you can get to what public domain does_

This is why CC and GNU EULAs exist. They are very permissive license. Public domain in the US means anyone can now pick it up and use it. They can even re-copyright it. See also: Carol Highsmith and Getty Images. A CC/GNU/OSI or other permissive license means the end user is given a number of rights but that the "ownership" of the material is still that of the author or the assigns or inheritors.

The problem is that there isn't just one way to make/build a program, at least for programs that have complex build instructions. There is no PEMDAS for building software. That being said, arch has long since been on the edge when it comes to copyright. There's a reason companis like RedHat stick well away from Nvidia, while compsnies like davinci don't use work arounds for viseo decoding and most distros wint tuch ZFS with a 10 foot pole.

There are a couple of countries with no concept of copyright.

I suspect that a good number of countries would have stricter law that at least has the possibility of counting this as intellectual property if it ever gets settled, so it is good to tie it down just in case. In the U.S., intellectual property requires a minimal "spark of creativity". It doesn't matter if there are multiple ways to do it if there isn't a real idea behind doing it one way or the other. A build script is also so derivative of the software it builds that it could probably only count as IP if it counted as part of the software. Most of how to use and set up a piece of software is inherent to how it's made, so I'm not sure that it's really adding much information beyond the package.

Im sure some sort of automated process could be built to reduce the man hours needed for obtaining explicit concent. Honestly, the best time to have required licenses with these build scripts would have been when the AUR was first created... that being said, the second best time to do so would be now. If it were me making the decision, I'd make some sort of automated system to collect the needed approvals to relicense the scripts, and give a deadline to approve or reject. And any build scripts that dont get approval just get removed and remade by contributors. I cant imagine they'd get that many rejections. These programmers already submitted this code for free use. The potential issue comes in what percentage of the the contact information for these contributors is still good or not. This could be a lot of built scripts, or it could be only a few. Either way, many of these are so simple that they could be rewritten quickly by active contributors. But leaving them as having no license is not a great solution because it could put the Arch project in legal jeopardy. This really should have been a thing a long time ago...

The need for licencies might have to do something with a private entity wanting to use and distribute the content of the repositories in some way (most likely valve)

Would it not have been possible to add a pop-up box to agree to add this license when the maintainer uploads an update their packages? That would force every maintainer to acknowledge and agreed to the new license without having to rely maintainers keeping up-to-date on their emails.

In Germanys defense: public domain does exist, it’s just not for software. Also there is a difference between your rights as a creator (which are always with the creator, at least until death, i think it’s also inheritable to some extend) and the usage rights. A creator has an exclusive usage right that the creator can transfer to anyone they choose to (with or without the exclusivity). This is effectively handing over all rights just with the distinction that whenever the license expires, gets declared invalid etc all rights fall back to the person creating the work, not a company or anybody else. And nobody - besides the creator - can claim to be the creator.

I always go the easy route when licensing my content. If it’s code, it’s MIT, if it’s media it’s CC0.

I reckon the license for a PKGBUILD script should be/is the LICENSE of the original project you are building for Because the build script is just a wrapper that automates the building process defines the project maintainer/developer/owner

I would guess requiring further packagers to either pick a license 0-BSD or some other is a sound procedure. It´s unlikely someone claims copyright infringement from AUR / Arch, but it pays to be on the safe side. Consent by default is not a thing in most jurisdictions, afaik, NOT A LAWYER here. If some parts do get contentious -- they do need be rewritten tho. Imagine someone with a *patent troll ethics* coming to Arch seeing a goldmine in there.

Why didn't they just send an email to every aur author with a link to a form confirming that their packages will be licensed under BSD-0, MIT or whatever and all packages by people who did not respond within a month get taken down, just as abandoned packages already are being taken down regularly. Once the form is done (a few hours of work at most) the rest can be automated.

In Germany this issue could be one of the very rare silence as consent between commercial actors. But too be sure you would have to sue a non answering Dev and present that to a court in a couple of years. in about 5 years or so a Dev that didn't respond and desides to might run int limit of claim issues. As always, only after atleast one judge saw this on their desk everything is speculation.

I wonder if this could theoretically spell trouble for Valve if they're using Arch packages for the Deck

"Legally, common sense isn't a thing." It kinda is - all sorts of obvious absurdities aren't spelled out, like banning dogs from playing basketball

Why not just require new additions/updates to have a free licence like the mentioned BSD 0. Send out monthly emails to those that havn't added a license to their existing scripts. After a predetermined time, hide/deactivate them on AUR until someone creates a new one or the original author notices it's inactive. Ofc this will end up being a purge of the AUR. But is that really a bad thing to make sure the script have an active maintainer and for those applications that users find missing, they or someone nice they know can prob whip one together :)

12:56 You can't legally change the software license of someone else's project. This is akin to someone saying, "I can take Apple's Mac OSX and change the license to MIT and publish the OS on GitHub." Or a video game from Nintendo. Or a movie from Disney. (Three of the most litigious companies on Earth.) How long do you think it will be before such a repo gets DMCA'ed? You can't just assign a license of your choosing when someone else holds the copyright to the software. That's the whole point of a default "All rights reserved." All rights. That includes changing the license!

I didn't know about Zero BSD. I'd probably use that over Unlicense.

INAL - I would suggest adding a script-license option to PGKBUILD and make it a requirement going forward. after four month, make any script without it auto assume BSD-0. and state, any author can opt-out at anytime by adding the script-license option. This still has the implied consent, but if someone brings up a legal challenge, it might give a better leg to stand on, by saying if you don't like then you can opt-out by tell us what you want to use. edit:note while I'm think of it: It may also stand that, BSD-0 most closely reflects the de facto understanding within the community for how the scripts are license.

Sounds like the obvious solution would be that the license of the software being built with that script is to be applied.

Wait for SCO #2 or patent troll and they'll do something stupid eventually. IMO idea of opensuse (reuse the license) maybe good as on one hand you don't need to dance around CYA licenses like GPL/AGPL which go like "you can't use or link this software anyway except under our license" and installer steps away for couple of minutes. But otoh installer copy-pastes code with other packages, and some licenses are really contagious, so if something was done under GPL for GPL package first and then reused for apache project, apache project should be relicensed too.

How does 0BSD compare to Blue Oak Model License 1.0.0?

i would think a build script would be considered code now that you've mentioned it. (never really thought about it before). from this point on maybe ppl should put a little #//note with the license they want to use at the end of their scripts.

They in fact aren't. Lists of instructions are not copyrightable. This is why recipes posted on websites always have a fricking 12.5 page TED talk before the fricking recipe: They're trying to prevent lazy people from cloning their site wholesale and deriving profit. They can't copyright the recipe, but they *_can_* copyright the TED talk. TL;DR: ingredients and steps _AREN'T_ copyrightable, unique style and artistic expression _IS._

There is a legal concept of tradition though. If something gets done for years by a vast majority of people and a silently accepted norm or expectation, that can have very real implications on how cases like this can get handled. Because I can hardly imagine a lawsuit that is exploiting this situation without explicit malicious intent. And that's why we've got humans judging this and the concept of reasonable person and their expectations.

I agree with Tuchman's view. Focusing on who legally own build scripts simply profits nobody except greedy law firm shareholders.

Subtle dig at nix, nice. I kind of like how the nix derivations are like the arch pkgbuild system.

Automatically relicensing shouldn't be a problem IMO. Basically, you take ownership of the build scripts and relicense them as BSD. If the author objects he might sue for damages, but it'd be really difficult to quantify any damages for a script that was released to the public unlicensed and practically unattributed. So long as the script was withdrawn immediately I don't see how Arch could be held liable for anything.

For some corporate and governmental users, these scripts being used without an explicit license have been an accidental policy violation and, in at least one case I can think of, technically criminal violation, unless they caught this and clean roomed new build scripts, which I doubt.

I'm only one year into Arch, still learning the basics... is this important?

So we're talking about the PKGBUILD format the AUR uses? Why not start requiring a license when updating a PKGBUILD, emailing the author asking to add a license, and officially add a warning header for abandonware or ambiguous licenses? I can also see the argument being made that since the maintainer contributed the PKGBUILD script in the first place to the AUR, the maintainer gave the AUR a non exclusive license to redistribute the work almost like uploading to YT. I also don't really see any reason why the AUR can't also integrate ebuilds, since they are extremely similar in concept to each other anyways.

I wander, can't the places where the pkgbuilds are stored just have a clause in the T&C that every unlicensed piece of code automatically falls under the US's definition of "pubilc domain"? Then it would get the other countries actually comply with this definition and the majority of the loopholes would be broken

Public domain is why the CC0 license is ridiculously long and complicated

I wouldn't underestimate how petty someone can be, I can see someone going after them as retaliation to arch doing something they don't like. Whether a court would take them seriously is another matter for the lawyers to argue about.

WHY AM I GETTING ADS ON BRAVE

How is i t hard to jut give a consent form when someone submits a pkgbuild script to the AUR in the first place ? Do you agree to submit this script under the BSD-0 licence, tick or not.

I don't really think that these build scripts need to be super "public domain"-like, more than other software, so I don't really see the value in this discussion. It would make a lot more sense to just ask the script authors to put it under MIT. This would make it a) easier to integrate with repos in MIT or GPL (which would be good, if the original source authors want to see that it works) and b) reduce possible legal issues, as licenses like MIT, GPL or CC actually have stood the test of time, but 0-BSD, afaik, is not really much used, and could have possibly issues later.

“They’re not readily available” Laughs in gentoo

Im not sure it leaves licebse of sources up for interpretation someone created them therefore they own copyright, and if there is nothing saying otherwise they didnt grant anyone any rights. Im not a lawyer so what i say is not legal advice please consult your lawyer for that

Nixpkgs mentioned. Let's gooooo!

You advertised for the big green video site but you didn't provide your username there. I searched your name and your channel didn't snow up.

Gentoo has build scripts as well - Portage, modelled after BSD Ports. Edit: ah, he mentioned it at 10:20

Do people writing these scripts really expect others to sell the script for profit or to file off their names? The more extream designed to be as if public domain licenses give away more than I think people are semi implicitly giving away by making/publishing such a script, at the minimum I would think most would be thinking more along the lines of creative commons attribution.

Everyone else: “reeeeeeeeee this needs a license!” Arch Users: “dude, chill…..…. ……….. ………. Arch btw.” What a time to be alive.

isn't the pkgbuild part of the package?

2nd comment. The issue isn't the 'use' or 'intended use', it is the enforcement of a license without consent of the creator. (assuming it's even able to be copyrighted, and my opinion is the only copyright there is that of the build script language in use by the OS). Here is the thing... an all rights reserved license can be included, and even allow modification of the scripting as the point is to build the program & not claim credit, nor bei taken away from the source files its meant to build from. I've a feeling that a few someones will get into legally hot water for stripping the implied All rights reserved, and applying a 0BSD one which they had no idea existed.

Hmm zero clause bsd might be good solution for arch if the unlicence becomes problem.

Probably a terrible idea, but what about setting a cut-off date, and if the package is updated after that, it's given the new license dealie. No retroactive licensing, and only maintained packages are part of the is change. If people disagree, have them pull packaging-scripts or something. Come to think of it, some idiot with a bunch of really core packages is probably going to go Super Sayan, pull build-scripts, and cripple Arch for a while until they can implement a fix themselves... This will be an interesting time no matter what. We already know that there is plenty of drama in the Linux-world (b2cache, Pottering, "just use distro X, it's so much better", etc...

Arch always has been living in my life, can't get rid of it.

Once again, Arch is playing catch-up with Gentoo

Well then legally my usage of the pc should be licensed as well, since all I'm doing by touching rhe keyboard and mouse is writing and executing a one-time used script, like in a repl.

"Legally, common sense isn't a thing." Having been a practicing lawyer before I was an engineer, I can attest that Brodie is absolutely correct that common sense is not a thing.

Copyright law is so broken in most places of the world...

Just going to say this now, the automatic license change part is *not* legal, it is a direct and literal violation of copyright in all countries that have automatic attribution, e.g. Europe, the Americas, Australia, Japan, Korea, etc. They should know this is the reason license changes are such a pain.

bro mispelled in the description lol

"Consent by no-answer or no-response isn't thing" Not a lawyer, but I am wary of lawyer speaking in absolute rather than in generalities. Many jurisdiction have things that can look a lot like a form of "consent by no-answer". Like a substituted service or a default judgment, neither are consent per say, but they are in the same ballpark.