On the one hand, I think this is an OK license, and I am very happy that the European Commission distributes its own software under a FOSS license. Public money, public code, as it were. Since I live in an EU country, I am also very happy that the EUPL has been designed to actually comply with the relevant laws across EU member states (avoiding tricky US/EU discrepancies that I, a non-lawyer, don't really fully appreciate).
But as is being discussed elsewhere: What is the point now, given that LLMs can effectively make licenses go away?
The cost of making a license go away is non-zero and for open source projects to be killed by a company offering a proprietary AI copy, they'd have to actually provide an upside people are willing to pay for. And this goes both ways, so any new features introduced by the company can be trivially cleanroom'd back into the open project. I think people really forget that if cleanroom works, you can just point the AI at a binary/proprietary documentation and give it ghidra access and get an open source copy.
The EUPL as far as licenses go is an improvement over the MPL in my opinion, it provides the guaranteed of the LGPL without the downsides of GPL, it's versatile and protects you from hostile forks.
The cost of making a license go away is non-zero and for open source projects to be killed by a company offering a proprietary AI copy, they'd have to actually provide an upside people are willing to pay for.
It goes the other way around.
Let's say you're a FOSS developer; you've made a library for something, and you want to share it freely, but also don't want large corporations to leech off your work. One way to go about this is to license your work under the AGPL (or such), and then sell commercial licenses to said corporations that don't want to share back. As far as I know, this has been a decently viable business model.
However, what if said corporations were able to cheaply launder away the license with an LLM? They would be able to benefit from your AGPL software without buying a license nor opening up their own source code. This fucks up that business model.
Obviously this also applies to regular GPL libraries that don't sell commercial licenses; this basically strips away all protections of GPL.
this goes both ways, so any new features introduced by the company can be trivially cleanroom'd back into the open project
I also want to point out the giant asymmetry between typical proprietary shops (who are "proper" companies with stable sources of revenue), and your typical FOSS maintainers (who do it for free in their spare time). This would kill any leverage the latter have over the former.
I think the "evil corporations" angle is a bit of a straw man. I work in a large enterprise and the reality is, most companies will bend over backwards to avoid even the lightest whiff of legal troubles, especially over software licensing. From the top to the bottom, everyone is looking to cover their ass first and get actual work done second.
Example: my team just dropped everything we were working on for a solid week to manually downgrade almost 2,000 hosts that were accidentally upgraded to a minor version of the software that it turns out our contract did not cover.
Those few companies that do not care about copyright law are not going to bother with LLM-washing, they will just pirate the thing.
Most corporations will also bend over backwards to not pay anything to the authors of the libraries they use. libxml2 comes to mind, among a sea of others deep enough to drown in.
The cost of cleanrooming isn't as high as you might think. If the project is large enough that a corporation bothers with an expensive cleanroom reimplementation, it surely will be able to sustain the funding for a subcription to port back any new features to the other code base (or people simply read the changelog).
I don't think this is the problem here, companies have disrespected the AGPL before and they will continue to do so without LLMs, the LLM adds nothing a company seems to value really (if it was legal security they wanted, there wouldn't be as many violations).
So backporting any cleanroom hostile forks should be fine.
One thing that occurs to me - no matter what the LLM crowd gets up to - is that the EU CRA has explicit exemptions for FOSS, but not for public domain code (and definitely not for proprietary code). The public domain concept doesn't apply evenly across the EU - IIRC France considers an author's moral rights to their work inalienable, so an author can sign away their economic rights to a work, but not their moral rights.
So, if you're a human being (as opposed to a corporation or other "legal person") making a non-commercial FOSS work, you're not under the CRA - and you can be absolutely certain that every EU jurisdiction will consider the EUPL a FOSS license.
IIRC France considers an author's moral rights to their work inalienable, so an author can sign away their economic rights to a work, but not their moral rights.
Germany definitely. It's a fun point in contract negotiations.
IIRC France considers an author's moral rights to their work inalienable, so an author can sign away their economic rights to a work, but not their moral rights.
Indeed. And in overall, complicated American licenses like the GLP don’t work very well in France.
I'm here to routinely call out the pesky inevitability argument:
given that LLMs can effectively make licenses go away
We don't know that. The issue is, like, two days old, there was no legal analysis. It may turn the opposite way with courts finding that any LLM implementation can't be considered clean room, and so can't drop copyleft.
Sure, all the money is on the LLM side, but we don't know for sure.
Oh, I missed that discussion as it was filtered out for me. Thanks for pointing it out. For those like me who have vibecoding filtered out but are interested in the aforementioned discussion:
https://lobste.rs/s/jr3zym/relicensing_with_ai_assisted_rewrite
I'm not a lawyer, but from the discussion around that recent thing with chardet it seems like it.
(In reality, I believe this will work out such that projects maintained by people like you and me are free for the taking and laundering, whereas projects by deep-pocketed corporations are protected.)
Litigating license infringement is already extraordinarily difficult. You can do anything you want if the copyright holder is too exhausted/insufficiently-funded to stop you, or if you have expensive enough lawyers.
My personal projects have no chance of powering silicon valley, but I've always been a big fan of closing the SaaS loophole with AGPL. I learned about the EUPL a few months ago and immediately relicensed my personal projects from AGPL to EUPL.
I really like their FAQ. For example, they clarify that linking does not cause a derivative work:
Reasonably copyleft
The licence is reasonably (or moderately/weakly) "copyleft" meaning that copies and derivatives works must stay covered by the same licence in case they are distributed to third parties. Applied to the source code of these derivatives, the term "copyleft" itself combines reciprocity (modifications of improvements are published and shared with everybody) and "share alike licensing” (the use of the same - or very similar - license ensures the persistence of granted rights).
The definition of derivative works depends on the applicable law. If a covered work is modified, it becomes a derivative. Depending on the case, this gives rise to interpretation: if the normal purpose of the work is to help producing other works (it is a library or a work tool) it would be abusive to consider everything that is produced with the tool as "derivative". Moreover, European law considers that linking two independent works for ensuring their interoperability is authorised regardless of their licence and therefore without changing it. Since the EUPL is provided under the European law, this ensures no "viral" effect in the case of linking.
Regarding @boramalper's concern that your work might be modified and re-licensed under a weaker license without as strong copyleft protections; This is possible, but not trivial:
Is the use of a compatible licence a "re-licensing"?
The original code will stay covered by the EUPL. It is the combined work only that could be, when needed, covered by the compatible licence. In this framework, a combined work results from merging functional codes covered by two (or more) different licenses. The simple action of "linking" does not merge functional codes and in such case the various linked parts will keep their primary licences. This is resulting from the European law, since Directive 2009/24/EC states that interfaces (APIs, data structures etc.) needed for making two programs interoperable can be freely reproduced/used in the various source codes, as an exception to strict copyright rules.
To be legitimate, the use of the compatibility clause must result from necessity: using it for the sole purpose of relicensing a copy of the original work would be a copyright infringement.
I am not a lawyer as I wrote in my previous comment and I am arguing against lawyers' answers here so I am well out of my depth, but reading GNU's comments about EUPL and the license itself by myself, I am personally not convinced that EUPL is as good as AGPL in being a strong (i.e. network use is distribution) copyleft license—assuming that's what the people are looking for.
Their lawyers might be right, but as far as I know EUPL hasn't been tested in courts yet so we don't really know. Plus, its ambiguity around re-licensing seems more favourable to large corporations with deep pockets than individual developers and non-profits with limited funding. I'd prefer my license of choice to deter others from even trying such shenanigans as fighting them in court is simply inaccessible to me practically speaking.
The AGPL doesn't consider network use to be distribution (in the actual license text, as opposed to what's in the FAQ or preamble), and the mechanism doesn't even make sense for most network protocols.
The EUPL actually considers it a form of distribution, and rather than specifying a mechanism, it simply imposes the same requirement as for any other form of distribution.
I don't think that the AGPL has been tested it court either. I'm aware of a couple of court cases, but they only concerned the clauses that are identical to the GPLv3, not the networking related verbiage.
IANAL but I have worries that the "compatible licenses" can be used to reduce the reciprocity (i.e. copyleft protections) of the EUPL. They actually address this in their FAQ too:
Could the use of a compatible licence reduce the reciprocity of the EUPL?
Some of the listed compatible licences, like the MPL or the EPL are known to be "less copyleft" or "less reciprocal" than the EUPL. Is there a risk to reduce the EUPL reciprocity (obligation to provide the source code) or the EUPL coverage (since "communication to the public" covers the remote performance of software through a network, also known as SaaS)?
The EUPL states that in case the compatibility clause is used legitimately, “Should the Licensee’s obligations under the Compatible Licence conflict with their obligations under this (EUPL) Licence, the obligations of the Compatible Licence shall prevail.” Yes, but other obligations, in particular resulting from the definition of Distribution (Article 1 of the EUPL related to the coverage of Communication to the public or SaaS, like the AGPL) and the obligation to provide access to the source code will persist in addition to those of the Compatible Licence, because none of the compatible licenses are in conflict with the EUPL on these specific points: for example, the GPL does not mandate to provide access to the source code in case the software is performed remotely, but it does not prohibit it.
So the reciprocal/copyleft effect of the EUPL, even if it is not viral in the case of linking and permits reuse in projects licensed under compatible licences, is stronger than it may appear at first reading when the compatibility clause is legitimately used.
All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
TL;DR: You can license your work under EUPL for its (seemingly) strong copyleft protections including networked software (like AGPL), but because of its "compatibility clause", your work might be modified and re-licensed under a weaker license (like GPL) without as strong copyleft protections.
The EUPL seems to have all the same provisions as the AGPL, but with several advantages. I see no reason to prefer the AGPL over the EUPL; the biggest issue is the GPL-compatibility copyleft circumvention but I’ve worked around that by just removing the GPL, MPL and some other licenses from the “Compatible licenses” appendix and adding a note at the top that this list appendix was modified.
Yep, I came to the same conclusion the last time this came up. It's an even more annoying situation because people have asked lawyers about whether this would actually "work" as a way to defang the EUPL and sometimes they get responses that boil down to the self-contradictory "no; but it's still GPL compatible". I suspect that they just don't know how the GPL works.
The full compatiblity clause (EUPL 1.2, Section 5):
If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
There's tons of nuance in there, that really needs lawyers to work out:
The "distribution or communication" can be done under the terms of the compatible license. Is that "sticky" or does the compatible license's coverage of EUPL'd code end after the act of distribution?
"the obligations of the Compatible Licence shall prevail." There's no obligation in the GPLv3 to remove "further restrictions", so does the permission to do so prevail?
From how I understand it, this is a hack to enable distribution of such a combined work, only.
Once distributed, it's the same as if the recipient had combined the GPL'd and EUPL'd code locally - that doesn't forfeit the obligations under EUPL to plug SaaS-loopholes, while the GPL has no obligations regarding execution.
Any attempt to broaden the scope of the compatibility clause would meet a similar fate to all the attempts to work around the GPL: the EUPL-licensed code is either EUPL licensed or not at all (with some carve-out for the act of distribution).
But in the end, it doesn't really matter: In companies that listen to their lawyers, EUPL tends to end up in the same bucket as the AGPL ("don't touch it with a 10 foot pole"), e.g. at Google, so they won't even start to attempt to work around the license. And at companies that don't listen to their lawyers they won't bother reading your license in the first place, no matter which one it is.
My one issue with this license is section 15 - Applicable Law, which states "this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside a European Union Member State" - which is quite a hiccup for those licensors outside the EU! I imagine it was an issue for people in the UK when Brexit happened too.
All 3 people in the UK who used the EUPL at that point? ;-)
It's nicer to say "Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction" as the MPL2.0 does, but I can understand that the EU is interested in keeping things within their realm - for which the license was written, after all: How do provisions in the EUPL interact with (US|Somalian|North Korean|Niuean) copyright law?
I don't see the relevance. This website is owned by a private party, but the license is indeed the license created by the EU Commission for the purpose of having copyleft more aligned to EU law.
datarama | 15 hours ago
On the one hand, I think this is an OK license, and I am very happy that the European Commission distributes its own software under a FOSS license. Public money, public code, as it were. Since I live in an EU country, I am also very happy that the EUPL has been designed to actually comply with the relevant laws across EU member states (avoiding tricky US/EU discrepancies that I, a non-lawyer, don't really fully appreciate).
But as is being discussed elsewhere: What is the point now, given that LLMs can effectively make licenses go away?
cultpony | 14 hours ago
The cost of making a license go away is non-zero and for open source projects to be killed by a company offering a proprietary AI copy, they'd have to actually provide an upside people are willing to pay for. And this goes both ways, so any new features introduced by the company can be trivially cleanroom'd back into the open project. I think people really forget that if cleanroom works, you can just point the AI at a binary/proprietary documentation and give it ghidra access and get an open source copy.
The EUPL as far as licenses go is an improvement over the MPL in my opinion, it provides the guaranteed of the LGPL without the downsides of GPL, it's versatile and protects you from hostile forks.
dzwdz | 13 hours ago
It goes the other way around.
Let's say you're a FOSS developer; you've made a library for something, and you want to share it freely, but also don't want large corporations to leech off your work. One way to go about this is to license your work under the AGPL (or such), and then sell commercial licenses to said corporations that don't want to share back. As far as I know, this has been a decently viable business model.
However, what if said corporations were able to cheaply launder away the license with an LLM? They would be able to benefit from your AGPL software without buying a license nor opening up their own source code. This fucks up that business model.
Obviously this also applies to regular GPL libraries that don't sell commercial licenses; this basically strips away all protections of GPL.
I also want to point out the giant asymmetry between typical proprietary shops (who are "proper" companies with stable sources of revenue), and your typical FOSS maintainers (who do it for free in their spare time). This would kill any leverage the latter have over the former.
bityard | 9 hours ago
I think the "evil corporations" angle is a bit of a straw man. I work in a large enterprise and the reality is, most companies will bend over backwards to avoid even the lightest whiff of legal troubles, especially over software licensing. From the top to the bottom, everyone is looking to cover their ass first and get actual work done second.
Example: my team just dropped everything we were working on for a solid week to manually downgrade almost 2,000 hosts that were accidentally upgraded to a minor version of the software that it turns out our contract did not cover.
Those few companies that do not care about copyright law are not going to bother with LLM-washing, they will just pirate the thing.
dzwdz | 7 hours ago
Most corporations will also bend over backwards to not pay anything to the authors of the libraries they use. libxml2 comes to mind, among a sea of others deep enough to drown in.
cultpony | 2 hours ago
The cost of cleanrooming isn't as high as you might think. If the project is large enough that a corporation bothers with an expensive cleanroom reimplementation, it surely will be able to sustain the funding for a subcription to port back any new features to the other code base (or people simply read the changelog).
I don't think this is the problem here, companies have disrespected the AGPL before and they will continue to do so without LLMs, the LLM adds nothing a company seems to value really (if it was legal security they wanted, there wouldn't be as many violations).
So backporting any cleanroom hostile forks should be fine.
datarama | 14 hours ago
One thing that occurs to me - no matter what the LLM crowd gets up to - is that the EU CRA has explicit exemptions for FOSS, but not for public domain code (and definitely not for proprietary code). The public domain concept doesn't apply evenly across the EU - IIRC France considers an author's moral rights to their work inalienable, so an author can sign away their economic rights to a work, but not their moral rights.
So, if you're a human being (as opposed to a corporation or other "legal person") making a non-commercial FOSS work, you're not under the CRA - and you can be absolutely certain that every EU jurisdiction will consider the EUPL a FOSS license.
[OP] mhm | 14 hours ago
I was not aware of CRA [1]. Attaching a link for others in the same boat.
1: https://www.cyberresilienceact.eu/the-cra-explained/
skade | 10 hours ago
Germany definitely. It's a fun point in contract negotiations.
motet-a | 8 hours ago
Indeed. And in overall, complicated American licenses like the GLP don’t work very well in France.
isagalaev | 6 hours ago
I'm here to routinely call out the pesky inevitability argument:
We don't know that. The issue is, like, two days old, there was no legal analysis. It may turn the opposite way with courts finding that any LLM implementation can't be considered clean room, and so can't drop copyleft.
Sure, all the money is on the LLM side, but we don't know for sure.
[OP] mhm | 14 hours ago
Oh, I missed that discussion as it was filtered out for me. Thanks for pointing it out. For those like me who have vibecoding filtered out but are interested in the aforementioned discussion: https://lobste.rs/s/jr3zym/relicensing_with_ai_assisted_rewrite
datarama | 14 hours ago
I have that tag filtered too because it does terrible things to my mental health, but it was referenced elsewhere.
crmsnbleyd | 15 hours ago
Can they make licenses go away?
datarama | 15 hours ago
I'm not a lawyer, but from the discussion around that recent thing with chardet it seems like it.
(In reality, I believe this will work out such that projects maintained by people like you and me are free for the taking and laundering, whereas projects by deep-pocketed corporations are protected.)
technomancy | 12 hours ago
Litigating license infringement is already extraordinarily difficult. You can do anything you want if the copyright holder is too exhausted/insufficiently-funded to stop you, or if you have expensive enough lawyers.
pgeorgi | 15 hours ago
That project started in 2005, the license became official in 2008, so…
datarama | 15 hours ago
Sure. My point is that there doesn't seem to be much point in using a license such as this anymore.
Though it is possible that there is something I've missed.
caspervk | 10 hours ago
My personal projects have no chance of powering silicon valley, but I've always been a big fan of closing the SaaS loophole with AGPL. I learned about the EUPL a few months ago and immediately relicensed my personal projects from AGPL to EUPL.
I really like their FAQ. For example, they clarify that linking does not cause a derivative work:
Regarding @boramalper's concern that your work might be modified and re-licensed under a weaker license without as strong copyleft protections; This is possible, but not trivial:
boramalper | 10 hours ago
I am not a lawyer as I wrote in my previous comment and I am arguing against lawyers' answers here so I am well out of my depth, but reading GNU's comments about EUPL and the license itself by myself, I am personally not convinced that EUPL is as good as AGPL in being a strong (i.e. network use is distribution) copyleft license—assuming that's what the people are looking for.
Their lawyers might be right, but as far as I know EUPL hasn't been tested in courts yet so we don't really know. Plus, its ambiguity around re-licensing seems more favourable to large corporations with deep pockets than individual developers and non-profits with limited funding. I'd prefer my license of choice to deter others from even trying such shenanigans as fighting them in court is simply inaccessible to me practically speaking.
lonjil | 5 hours ago
The AGPL doesn't consider network use to be distribution (in the actual license text, as opposed to what's in the FAQ or preamble), and the mechanism doesn't even make sense for most network protocols.
The EUPL actually considers it a form of distribution, and rather than specifying a mechanism, it simply imposes the same requirement as for any other form of distribution.
I don't think that the AGPL has been tested it court either. I'm aware of a couple of court cases, but they only concerned the clauses that are identical to the GPLv3, not the networking related verbiage.
boramalper | 11 hours ago
IANAL but I have worries that the "compatible licenses" can be used to reduce the reciprocity (i.e. copyleft protections) of the EUPL. They actually address this in their FAQ too:
However, Article 7 "Additional Terms" of GPLv3 clearly states:
TL;DR: You can license your work under EUPL for its (seemingly) strong copyleft protections including networked software (like AGPL), but because of its "compatibility clause", your work might be modified and re-licensed under a weaker license (like GPL) without as strong copyleft protections.
Martin Tournoij (@arp242) wrote about it too: Choosing a license for GoatCounter (2020)
WilhelmVonWeiner | 5 hours ago
I'm trying to find a better-written source but the EUPL's author doesn't consider this to work as a loophole: link.
wareya | 11 hours ago
Yep, I came to the same conclusion the last time this came up. It's an even more annoying situation because people have asked lawyers about whether this would actually "work" as a way to defang the EUPL and sometimes they get responses that boil down to the self-contradictory "no; but it's still GPL compatible". I suspect that they just don't know how the GPL works.
pgeorgi | 9 hours ago
The full compatiblity clause (EUPL 1.2, Section 5):
There's tons of nuance in there, that really needs lawyers to work out:
The "distribution or communication" can be done under the terms of the compatible license. Is that "sticky" or does the compatible license's coverage of EUPL'd code end after the act of distribution?
"the obligations of the Compatible Licence shall prevail." There's no obligation in the GPLv3 to remove "further restrictions", so does the permission to do so prevail?
From how I understand it, this is a hack to enable distribution of such a combined work, only.
Once distributed, it's the same as if the recipient had combined the GPL'd and EUPL'd code locally - that doesn't forfeit the obligations under EUPL to plug SaaS-loopholes, while the GPL has no obligations regarding execution.
Any attempt to broaden the scope of the compatibility clause would meet a similar fate to all the attempts to work around the GPL: the EUPL-licensed code is either EUPL licensed or not at all (with some carve-out for the act of distribution).
But in the end, it doesn't really matter: In companies that listen to their lawyers, EUPL tends to end up in the same bucket as the AGPL ("don't touch it with a 10 foot pole"), e.g. at Google, so they won't even start to attempt to work around the license. And at companies that don't listen to their lawyers they won't bother reading your license in the first place, no matter which one it is.
JadedBlueEyes | 14 hours ago
My one issue with this license is section 15 - Applicable Law, which states "this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside a European Union Member State" - which is quite a hiccup for those licensors outside the EU! I imagine it was an issue for people in the UK when Brexit happened too.
pgeorgi | 13 hours ago
All 3 people in the UK who used the EUPL at that point? ;-)
It's nicer to say "Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction" as the MPL2.0 does, but I can understand that the EU is interested in keeping things within their realm - for which the license was written, after all: How do provisions in the EUPL interact with (US|Somalian|North Korean|Niuean) copyright law?
tomekw | 7 hours ago
All my new projects are EUPL.
st3fan | 5 hours ago
lonjil | 5 hours ago
I don't see the relevance. This website is owned by a private party, but the license is indeed the license created by the EU Commission for the purpose of having copyleft more aligned to EU law.
pgeorgi | 4 hours ago
The commission's site: https://interoperable-europe.ec.europa.eu/collection/eupl/eupl-text-eupl-12