Legal folks: Is there someone else I should ping to get an answer on this topic?

I don't want to be too obnoxious, but it'd be great if we could get an official opinion.

I've tried legal-discuss as well ( https://lists.apache.org/thread.html/338b06f8a0570b3a0678dc2a60d2e09a356539ab69adbf2791c6510d@%3Clegal-discuss.apache.org%3E ), but I'm not sure what else to do to draw attention to this issue.

from a quick reading this looks like something that constrains the potential of projects that include this library to be a "universal donor" to downstream projects, and as such introduces limitations surrounding the use of this software. As such to me, this is not a project that I would encourage including in your software.

Thanks for the reply Chris A. Mattmann

The patent retaliation was my concern ( https://lists.apache.org/thread.html/ca81697478388dd11db7e13941f21ecea81e52bb19281f27cd428100@%3Cprivate.cassandra.apache.org%3E ) , so it's unfortunate that you share it - I was HOPING you'd be closer to other opinions in that thread ( especially https://lists.apache.org/thread.html/4b19ceacea7a446eec9926d880dcb8a8979fe7033d25e79d44e86fc0@%3Cprivate.cassandra.apache.org%3E ).

Shipping as a plugin may be an option, but if the ASF as a whole could perhaps clarify, that'd be grand.

Unofficially, I concur. The patent retaliation clause seems to go well beyond our ASL and is thus seems unsuitable for a dependency.
As for a plugin, to be on the safe side it seems like any RocksDB implementation of a Cassandra storage plugin (which presumably would need to include some RocksDB code) should be outside of the Cassandra project.

Facebook's messaging: https://code.facebook.com/posts/1639473982937255/updating-our-open-source-patent-grant/
Some other opinions: https://news.ycombinator.com/item?id=12692552

Of course, if you look at https://github.com/facebook/rocksdb/blob/master/USERS.md
it seems that both Apache Flink and Apache Samza maintain RocksDB storage plugins (and I verified quickly by looking at their code repos).... so this question should probably be cleared up at an ASF level?

Having seen Chris's reply I took another look at the patent grant and I now see the concern. With that in mind it looks like it is a 'no' for RocksDB as a mandatory dependency and a possible 'yes' for RocksDB as an optional dependency depending on circumstances. As V.P. Legal it is Chris's call as to exactly what is permitted and is not permitted.

Based on past experience, I recommend asking explicit "Can we do XYZ?" questions.

I'd definitely like to take back some options to the PMC, so let's dig into what we can and can't do:

Can we rewrite storage engine to use RocksDB as it's only option? Seems like answer here is no

Can we rewrite storage engine to have two options, one RocksDB and another native Cassandra, with both in tree, but requiring the user to opt in to the more restrictive patent?

Can we rewrite the storage engine to have two options, one RocksDB and another native Cassandra, with RocksDB kept in another repo , requiring explicit action to opt in and built as separate binary package? If so, can that repo / binary be hosted on ASF hardware and built by the apache Cassandra team, or must it be completely external?

Jeff Jirsa Thanks a lot for driving this, those are great questions! Let me know if you need any information from me. Thanks!

This specific language from the PATENTS file is troubling, but overall the whole file gives me pause:

For avoidance of doubt, no license is granted under Facebook’s rights in any patent claims that are infringed by modifications to the Software made by you or any third party or (ii) the Software incombination with any software or other technology.

In addition in answer to your questions:

Can we rewrite storage engine to use RocksDB as it's only option? Seems like answer here is no

Correct

Can we rewrite storage engine to have two options, one RocksDB and another native Cassandra, with both in tree, but requiring the user to opt in to the more restrictive patent?

No

Can we rewrite the storage engine to have two options, one RocksDB and another native Cassandra, with RocksDB kept in another repo , requiring explicit action to opt in and built as separate binary package?

Yes, as long as that "other" repo exists somewhere outside the ASF.

If so, can that repo / binary be hosted on ASF hardware and built by the apache Cassandra team, or must it be completely external?

Completely external.

FYI, recently RocksDB provides a second license (GPLv2), does that make any difference? https://github.com/facebook/rocksdb/blob/master/COPYING

Hi Dikang Gu, please read: https://www.apache.org/legal/resolved.html#category-x

GPLv2 is a Category-X license and it may not be included in Apache projects.

Dikang Gu GPL would be worse in this case, from the ASF standpoint. GPL also doesn't remove the PATENT clause they've added.

I'm going to leave this open for 48 hours more, to collect feedback, and then resolve it. Thanks.

This doesn't seem like the ideal time to be starting that timer.

For avoidance of doubt, no license is granted under Facebook’s rights in any patent claims that are infringed by modifications to the Software made by you or any third party or (ii) the Software in combination with any software or other technology.

I don't think there is anything to be concerned with in that particular part of the patent grant. It is the same as discussions the ASF has had several times with various external entities regarding software grants. What I believe it intends to cover is the following:

• Foo Co has patents P1 and P2
• Foo Co owns code C that does infringe P1
• Foo Co owns code C that does not infringe P2
• Foo Co donates C to Apache Bar
• Apache Bar and downstream users now have a patent license for P1 but not P2
• A.N. Other committer modifies C such that is does implement patent P2
• Apache Bar and downstream users still have a patent license for P1 but not P2

i.e. If the code Foo Co donated did not infringe on P2 then there is no way that subsequent modifications to the donated code (by entities other than Foo Co employees) can result in Foo Co licensing P2 to the ASF and all down-stream users.

The language that bothered me was:

The license granted hereunder will terminate, automatically and without notice, if you (or any of your subsidiaries, corporate affiliates or agents) initiate directly or indirectly, or take a direct financial interest in, any Patent Assertion: against Facebook or any of its subsidiaries or corporate affiliates, ...

My reading of that is if you use this code and Facebook infringes a completely unrelated patent that you own, you can't sue them for infringement without giving up this patent license. That is much broader than the language in the ALv2 which is limited to a single work.

Hey Mark:

I don't think there is anything to be concerned with in that particular part of the patent grant. It is the same as discussions the ASF has had several times with various external entities regarding software grants. What I believe it intends to cover is the following: ...

I like your concrete example and agree with it there. I read the above as not granting a patent license (and in effect not allowing the same upstream patent termination that ALv2 does). Either way, the next part:

The language that bothered me was: ...

Also bothers me too, and collectively as a whole, this is not a license I'm prepared to approve for use in our projects.

As for the 48 hour timer comment, it was an effort to move this to a resolution. For example, I've already issued guidance above in response to Jeff & Dikang's specific questions. As such the remainder of leaving the issue open is simply to collect feedback (which can also be provided after the issue is resolved). I'm happy to leave it open a little longer if folks want, but I'd like to move this to a resolution by next week. Thanks.

As for the 48 hour timer comment, it was an effort to move this to a resolution.

I am fine with that and should have been more specific: a Saturday afternoon is not the best day of the week, imho, for a 48 hour timer to start.

The language that bothered me was: The license granted hereunder will terminate...

FWIW I think that is the same clause as used in the React.js license that has been noticed last year, http://react-etc.net/entry/your-license-to-use-react-js-can-be-revoked-if-you-compete-with-facebook has some additional information.

I also think that clause makes the license unacceptable to the ASF as it puts more restrictions on software than our license does.

Update: it looks like the canonical name for that license is "Facebook BSD+Patents license"

I have discussed that license with Facebook's legal counsel. It is not BSD (which relies on implied patent grants) and is intentionally incompatible with the Apache License.

[update: Various people have taken this comment out of context and rephrased it to make it seem like some broader allegation by me or, even weirder, a conspiracy by FB to be incompatible; that's all *nonsense*. To clarify, in October 2016, I discussed with them my interpretation of the BSD+PATENT addition as a revocation of the traditional BSD implied license and I explained why that would be incompatible with the Apache License 2.0 (as its primary author). To the best of my understanding, everyone on the call agreed that my interpretation was both accurate and intended, and the license has not changed since then. That *does not* mean that FB intended their license to be incompatible from the get go!]

FWIW, FB has a FAQ here on their intent: https://code.facebook.com/pages/850928938376556

We use a standard BSD license paired with an additional patent grant for most of our open source projects. For brevity, we call this combination the Facebook BSD+Patents license. We've compiled some answers to common questions about the additional patent grant:

Does the additional patent grant in the Facebook BSD+Patents license terminate if I create a competing product?

No.

Does the additional patent grant in the Facebook BSD+Patents license terminate if I sue Facebook for something other than patent infringement?

No.

Does the additional patent grant in the Facebook BSD+Patents license terminate if Facebook sues me for patent infringement first, and then I respond with a patent counterclaim against Facebook?

No, unless your patent counterclaim is related to Facebook's software licensed under the Facebook BSD+Patents license.

Does termination of the additional patent grant in the Facebook BSD+Patents license cause the copyright license to also terminate?

No.

To Mark Thomas's point above:

My reading of that is if you use this code and Facebook infringes a completely unrelated patent that you own, you can't sue them for infringement without giving up this patent license. That is much broader than the language in the ALv2 which is limited to a single work.

I think FB's clarification is that this is not their intent - only claims involving the BSD+Patents licensed software cancels the patent grant, so it's not as broad as your fear.

Looks like we at least understand what options are - either plugin outside of the ASF repo, or ask FB to change the wording of the patent grant. Given statements here that the wording was intentionally incompatible with the Apache license, I'm not sure if that's likely to have much impact (though Dikang Gu , if you believe otherwise, that'd be good to know).

I'll leave the open question of Apache Flink and Apache Samza using RocksDB to legal.

I think FB's clarification is that this is not their intent

I don't see anything in that FAQ that contradicts Mark's point (which is also my main concern with the patent clause).

Yep, I reread the bottom half of the paragraph and ignored the top. Point stands, we'll close and work around it.

Chris A. Mattmann can we add this to resolved as being Cat-X?

Hi John, yes, I believe Cat-X fits this license. i'm going to resolve as Category-X once I update the website. Thanks everyone.

I've added RocksDB to Category-X in r1014182.

FWIW it seems like there are several ASF projects that were already using RocksDB prior to this decision. eg Samza, Flink, Marmotta, Kafka and Bahir all come up when I do a github search for rocksdb under the apache organization. Possibly others that still use non-git version control may be impacted as well.

Would be good to clarify any grandfathering policy, etc, for those projects (or re-evaluate this decision)

Hi Todd, thanks for the pointer. Let me consider a grandfathering policy, and get back to this issue later in the week. Thanks.

Chris A. Mattmann, I'd like to check that do you have any update about this issue? Given there are already some other Apache projects are using RocksDB as a dependency.

Like Todd mentioned, for Kafka, it uses RocksDB as a direct dependency. https://github.com/apache/kafka/blob/45f2261763eac5caaebf860daab32ef5337c9293/gradle/dependencies.gradle

Thanks.

Kafka appears to be using rocksdbjni, which is a JNI interface for using RocksDB via DLL in Java. I'm not sure it has the same license as RocksDB - https://github.com/facebook/rocksdb/tree/master/java

hi Dikang Gu I will not be revisiting this decision anytime soon - so other projects that are using RocksDB as a dependency should move hastily to remove it as a dependency in their projects.

I think I know the answer to this, but does this by implication put the "Facebook BSD+Patents license" under Category-X as well? Should that be a different issue? Since https://www.apache.org/legal/resolved.html only talks about the RocksDB license specifically

yes it also applies for the Facebook BSD+Patents - it's the same license. I'll update legal/resolved to reflect that.

in r1802027 and r1802028 I updated the legal/resolved.html page to include Facebook BSD+Patents, bringing this to a close.

I sent a notice today to all Apache PMCs with the following contents:

Hi,

As some of you may know, recently the Facebook BSD+patents license has been
moved to Category X (https://www.apache.org/legal/resolved#category-x).
Please see LEGAL-303 [1] for a discussion of this. The license is also referred
to as the ROCKSDB license, even though Facebook BSD+patents is its more
industry standard name.

This has impacted some projects, to date based on LEGAL-303
and the detective work of Todd Lipcon:

Samza, Flink, Marmotta, Kafka and Bahir

(perhaps more)

Please take notice of the following policy:

o No new project, sub-project or codebase, which has not
  used Facebook BSD+patents licensed jars (or similar), are allowed to use
  them. In other words, if you haven't been using them, you
  aren't allowed to start. It is Cat-X.

o If you have been using it, and have done so in a *release*,
  you have a temporary exclusion from the Cat-X classification thru
  August 31, 2017. At that point in time, ANY and ALL usage
  of these Facebook BSD+patents licensed artifacts are DISALLOWED. You must
  either find a suitably licensed replacement, or do without.
  There will be NO exceptions.

o Any situation not covered by the above is an implicit
  DISALLOWAL of usage.

Also please note that in the 2nd situation (where a temporary
exclusion has been granted), you MUST ensure that NOTICE explicitly
notifies the end-user that a Facebook BSD+patents licensed artifact exists. They
may not be aware of it up to now, and that MUST be addressed.

If there are any questions, please ask on the legal-discuss@a.o
list.

Thanks.

Cheers,
Chris Mattmann
VP Legal Affairs

[1] https://issues.apache.org/jira/browse/LEGAL-303

IANAL but as an "additional grant of patent rights" (Facebook's wording) why must the ASF use RocksDB under this grant? Without this additional grant of patent rights the software is licensed with the ASL2-compatible 3-clause BSD. As noted earlier, the availability of a GPLv2 license does not preclude inclusion by an ASF project. If patent rights are not conferred by the 3-clause BSD and required by ASLv2 then would not these licenses be incompatible?

Greg,

The restrictions imposed by FB's BSD + patents license can't be disentangled from the BSD license itself. You don't get to pick and choose terms in a single license. The cases you cite are ones where the authors explicitly allow a choice. FB isn't offering a choice.

Note also Roy's comment that he has discussed the matter with FB's counsel and the word is that the FB license is intentionally incompatible. It is hard to make the argument that it is compatible after hearing that. Pragmatically speaking, regardless of any semantic shaving being done, having a statement like that from the source of the license is very daunting. If they think it is incompatible, we need to not try to wheedle and convince ourselves it is not.

Hi all, wanted to jump in here to let everyone know that the RocksDB team is adjusting the licensing such that it will be dual-licensed under the Apache 2 and GPL 2 (for MySQL compatibility) licenses. This should happen shortly and well ahead of August 31st. I'll leave the history and philosophy around licensing alone since it's generally a complex discussion to have and I'm not sure that it has actually been fully captured in this thread especially vis a vis Facebook's intent.

Hopefully this morning's guidance to PMCs can be adjusted since I don't think any of us see a bunch of extra engineering effort as a desirable thing across the ASF projects which are already making use of RocksDB

Thanks,
--David

Hi David,

Can you point to a link with this discussion/issue/etc? And I'm assuming this will apply to all sources within the rocksdb project?

John

David,

Do you know about the licensing for React?

(not that I think that there is any connection to RocksDB)

On Sat, Jul 15, 2017 at 2:11 PM, David Recordon (JIRA) <jira@apache.org>

Just confirming that, as of right now, React still falls under the same license as RocksDB - BSD+Patent.

https://github.com/facebook/react/blob/master/LICENSE
https://github.com/facebook/react/blob/master/PATENTS
https://en.wikipedia.org/wiki/React_(JavaScript_library)#Licensing

Hi all, wanted to jump in here to let everyone know that the RocksDB team is adjusting the licensing such that it will be dual-licensed under the Apache 2 and GPL 2 (for MySQL compatibility) licenses

David Recordon - that sounds like a fantastic change, and I'm excited to see it land.

Ted Dunning David Recordon I've just asked the same of React: https://github.com/facebook/react/issues/10191

If you are able to assist in any way, it would be most graciously appreciated.

It may be easier to follow the equivalent React discussion at LEGAL-319.

I’ve committed a change to RocksDB such that it is now dual licensed under the Apache 2 and GPL 2 licenses: https://github.com/facebook/rocksdb/commit/3c327ac2d0fd50bbd82fe1f1af5de909dad769e6.

The headers say that the files are licensed under both Apache 2 and GPL2. What exactly does that mean? Are users free to choose which license they want or are both licenses supposed to somehow apply at the same time?

That conventionally means that they are licensed under either license.

I've reviewed the change in license for rocksdb in this pull request:

https://github.com/facebook/rocksdb/commit/3c327ac2d0fd50bbd82fe1f1af5de909dad769e6

If I read this correctly they have made significant changes:

0. Rocksdb is no longer licensed under BSD with an accompanying patent grant.

1. Rocksdb is now dual-licensed under GPL 2.0 and Apache 2.0. Users can choose which license under which they use rocksdb. This change makes it suitable (as a dependency and/or distribution) for use in both GPL-licensed works and Apache-licensed works.

2. The patent grant/restriction has been removed entirely. There is no longer a file PATENTS in the repository.

This changes everything.

One piece of information that may be helpful is that at some institutions any dual licensed software the licenses are interpreted as an AND instead of EXCLUSIVE OR. I'm not a lawyer and I can't say I understand this policy. Just pointed out that I've seen it that way at more than one institution. So sometimes dual licensing can have unintended consequences.

> That conventionally means that they are licensed under either license.

Umm, no worries ... a licensor's AND is the same as a recipient's XOR.

A copyright owner has the right to non-exclusively license the same work as many times and in as many ways as they like. When we pick up a work that is dual-licensed and redistribute it, we are choosing to be bound by one of those licenses — we are not changing the license in any way, since the copyright owner is doing the licensing and their licensing remains the same no matter how many copies we give out downstream. The problem with dual licensing is figuring out the implied license coming back in any contributions, but most projects fix that by making the dual license explicit in the contribution process.

In any case, this certainly clears the issue for RocksDB, and we should all thank David Recordon for that.

What concrete actions do projects that use RocksDB need to do?
Simply update to the latest version, which has the license update?

Hi,

First off, thanks to David Recordon and others for their work to relicense ROCKSDB to be compatible with our Legal policy.

I believe ROCKSDB ought to make a release under the new license before our ASF projects can use it (I don’t want to depend on a commit, I’d rather tell our projects to pin to a ROCKSDB $release that includes the commit).

That would be the first step in using ROCKSDB in an ASF project. Once that happens let's revisit the discussion / decision here.

Thanks,
Chris

Chris A. Mattmann +1
once RocksDB makes a release we can revisit.

We can keep this issue closed and clarify that it refers to the current shipping release that is cat-x. Looks like 5.5.3 is the current release.

We can create a new issue for a future release that removes RocksDB from cat-x. Perhaps 5.7.0

Should we keep this issue (resolved) (fixed) or re-open it pending a release?

One question I have for MARMOTTA-669: If we're using an old version with the old license, then this issue does not apply unless we upgrade the dependency, right?

FYI, they released 5.5.4 and 5.5.5 respectively which only address license issue.
https://github.com/facebook/rocksdb/releases

Sergio Fernández answered on MARMOTTA-669.

FB is very close to finishing the work on RocksDB storage engine for Apache Cassandra.
Considering the new release of RocksDB 5.5.5 resolves the license and patent issues, can you please revisit the decision. Should I Open another ticket for this?
Cc Chris A. Mattmann

No need to open a new issue. Based on review of versions 5.5.4 and 5.5.5 of RocksDB, I will update the legal/resolved.html page to reflect that versions of RocksDB including these versions, and future versions that maintain the same licensing will be allowed for inclusion in Apache products. Thanks. Stay tuned for me to update the legal/resolved.html page in the next few days. I'll note that here.

Roy T. Fielding can you clarify your statement in https://issues.apache.org/jira/browse/LEGAL-303?focusedCommentId=16046579&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16046579 ?

Specifically, are you saying that the two licenses (Apache License, v2 & Facebook BSD+Patents License) are not compatible, or that the Facebook BSD+Patents License is not compatible with the foundation's policies, or both?