(Today we’re interviewing Shane Curcuru about the recent issues reported with Facebook’s React.js software’s BSD + PATENTS file license, and what the Apache Software Foundation (ASF) has to do with it all. Shane serves in a leadership position at the ASF, but he wants you to know he’s speaking only as an individual here; this does not represent an official position of the ASF.)
UPDATE: Facebook has relicensed React.js as well as some other software under the MIT license, without the FB+PATENTS file. That’s good news, in general!
Hello and welcome to our interview about the recent licensing kerfuffle around Facebook’s React.js software, and the custom license including a custom PATENTS file that Facebook uses for the software.
You’ve probably seen discussions recently, either decrying the downfall of your startup if you use React, or noting that this is an old issue that’s just a paper tiger. Let’s try to bring some clarity to the issue, and get you some easy-to-understand information to make your own decision. To start with, Shane, can you briefly describe what the current news hype is all about? Is this a new issue, or an old one?
Well, like many things around licensing, the details are complicated, but the big picture is fairly simple. Big picture, the current news hype is only about policy at the ASF, and does not directly affect anyone else. The only recent change was made for projects already at Apache, and even that change will take a while to implement.
I’m confused — isn’t this a new change in the licensing for the React.js project?
No, actually — Facebook’s React.js project has used this license (often called BSD + PATENTS, but it’s really a Facebook-specific file) for several years, so the underlying issue with this specific PATENTS file is old. It’s just getting attention now because the ASF has made a change in their licensing policy. The current change last month was to declare that for Apache projects, the custom PATENTS clause that Facebook uses on React.JS software is now officially on the “Category-X” list of licenses that may not be shipped in Apache projects.
So the news is about the fact that Apache projects will no longer include React.js in their source or releases. This is a policy change, and only affects Apache projects, but obviously it’s gotten some news coverage and has gotten a lot of developers to really go back and pay attention to the licensing details around React.
Many of our readers probably don’t understand what “Category X” means, unless it’s an X-Files reference. Can you explain more how the ASF determines which kinds of software licenses are acceptable in Apache projects?
Great question, yes, Category X is the ASF’s term for software licenses that, by ASF policy, may not appear in Apache software source repositories or software releases. This is an operational decision by the ASF, and doesn’t mean that various licenses are incompatible with the Apache 2.0 license — just that the ASF doesn’t want its projects shipping code using these licenses.
The rationale is this: the ASF wants to attract the maximum number of inbound contributions. Thus, we use the permissive and as some say “business-friendly” Apache license for all ASF software. This allows maximum freedom for people who use Apache software to do as they please, including making proprietary software. Part of the Apache brand is this expectation: when you get a software product from the ASF, you know what to expect from the license. Besides not suing us and not using Apache trademarks, the only real restriction is including the license if you redistribute something based on Apache 2.0 licensed software.
Licenses that the ASF lists as Category X add additional restrictions on use to end users of the software, above and beyond what Apache 2.0 requires. The most obvious examples are GPL* copyleft licenses, which require redistributors to provide any changes made publicly, under the GPL.
OK — So Category X isn’t a legal determination of incompatibility, it’s just a policy choice the ASF is making? Is that right?
Exactly right. Others are free to mix licenses in various ways — but the ASF chooses to not redistribute software with more restrictive licenses than Apache 2.0. So when you download an Apache product, it won’t have Category X software like React in it — but you’re free to mix Apache products with React yourself, if you like.
Aren’t there some Apache projects shipping with React today, like CouchDB?
Yes — CouchDB currently includes React in their tree and past releases, as do a few other projects. These projects will warn their users (by a NOTICE file or blog post) that their releases contain more restrictive licensed software, and are working on plans to re-design things to remove React and replace it with other, less restrictively licensed libraries.
And before you ask, yes, this is extra work for the volunteer projects at Apache, and it’s not something the ASF does lightly. But ensuring that Apache projects have clean IP that never includes any licensing restrictions beyond what the well-known Apache 2.0 license requires is critical to the broad acceptance of Apache software everywhere.
So if this recent change in ASF policy only affects Apache projects, why is it getting so much attention in tech circles these days?
Because the ASF policy announcement has made some people go back and really look at Facebook’s custom BSD + PATENTS file license used in React. This is a good thing — you should always understand the licenses of software you’re using so you follow them — and so you don’t have surprises later, like now. People using React are already bound by this license, it’s just that many people didn’t look into the details until now.
There are two conceptual issues here in terms of how open source participants decide if they want to accept Facebook’s license here. First is the addition of Facebook’s custom-written PATENTS file. Very briefly, it states that if you sue Facebook over (almost any) patent issues, you lose your license to Facebook patents. The first issue is that this patent termination clause — which is in a fair number of licenses — is a strict and exclusionary clause. The balance of rights granted (or taken away, if you sue) is strongly tilted to Facebook as a specific entity. It’s not the more even and generic balance of patent termination rights that are in the Apache 2.0 license.
That asymmetry in patent rights is the problem: it directly puts Facebook’s interests above everyone else’s interests when patent lawsuits around React happen. Of course, there are a lot more details to the matter, but for those questions you need to ask your own attorney — all I can say is that it’s an issue that will happen incredibly rarely, if ever, for open source projects.
So the Facebook BSD + PATENTS file license favors Facebook, even though they’re an open source project that wants your contributions. We kind of get that; patents are always tricky, but the asymmetry in rights there does seem a little odd compared to other licenses. You said there were two conceptual issues?
The second conceptual issue is simpler to explain. The Facebook BSD + PATENTS file license is not on the OSI list of open source licenses.
(pause) Um, is that it? What’s the real issue here about OSI approval?
Yup, that’s the core of the issue. Being on the OSI list is huge. The generally accepted definition of “open source” is that your software’s license is listed by OSI.
The reason OSI listing is key is because enough lawyers in many, many companies have vetted the OSI list licenses that the ecosystem knows what to expect. The OSI has a strong reputation, so to start with people know basically what to expect in terms of overall license to OSI listed licenses. More importantly, these licenses have been vetted over and over by counsel from a wide variety of companies.
A lot of law work is risk management: ensuring your rights are preserved when doing business or using licenses. OSI-listed licenses are well known, so lawyers can quickly and confidently express the level of risk in using them. Non-OSI licenses mean the lawyers have to read them in detail, and do a new and comprehensive review of risks. It’s not just the work, it’s the uncertainty with something new that typically translates into saying “This new license has more risks than those well-used ones.”
Now I get it — OSI licenses are popular and frequently reviewed, so people are comfortable with them. A new license — like the Facebook PATENTS file — might not be bad, but might be — people don’t know it well enough yet.
Exactly right. I can’t think of any good reason for companies that want to work with open source groups to ever use a non-OSI listed license. People keep thinking so, but license proliferation is not worth it. Successful open source projects need new contributors from a variety of places. Keeping barriers to entry low — like unusual licenses — is one of the easiest ways to turn users into potential contributors.
If the Facebook PATENTS license is unusual enough to turn off other projects from using it, like Apache, why won’t Facebook consider changing the license to an OSI-approved one?
That’s a question you’ll need to ask Facebook. The ASF already asked Facebook to consider changing the license, and they said no. Facebook also wrote an explainer for their license that’s been widely shared.
We have one listener asking: Is the Facebook PATENTS license viral? That is, if you use React.js in your software, must you use the same Facebook PATENTS license?
No, the PATENTS clause is not “viral”, or rather, it’s not copyleft. So you are free to use whatever license you want on any software you write that uses or incorporates React.js.
Note that the actual patent grant from Facebook to anyone using React.js software — even if it’s inside of your software project — is still there. The PATENTS terms apply to anyone who’s running the React.js software, and are between Facebook and all the end users. So that patent licensing issue doesn’t affect you as an application builder directly, but it might affect your users.
Great, well we’ve covered a lot of ground in this interview. What else should readers know about, so they can make up their own mind about the licensing risks around React — that were always there, but they might not have understood.
TL;DR: the only short-term question is if you’re thinking about donating your project to Apache. If so, start planning now to migrate away from React, because you won’t be able to bring it with you.
For everyone else, this is a non-issue in the short term. Longer term, it’s something you should make your own mind up about, by considering all the aspects of any change: legal risk (probably low, but it’s patents so who knows), technology (several replacements out there, but none yet as strong as React), and community (what development capacity do you have, and does your community of contributors care?)
I wrote a brief guide about the legal, technical, and community aspects of deciding to use or not use React earlier.
Also — if you have strong opinions about this, let people — and Facebook — know! I have to say some open source types were quite surprised when Facebook refused the ASF’s request to relicense. Facebook has some great open source projects, including some open governance ones. I’m personally a little surprised they aren’t using an OSI license for this kind of stuff.
Thanks for reading along with Shane’s interview of Shane on the React licensing issue! Good luck to your project whichever licenses you choose.
For More Information About React Licensing
The ASF publishes their Licensing policies, including the Category X list, and some rationale for policy decisions on licenses at Apache.
UPDATE! Automattic, the company behind WordPress, will be moving away from React:
“We’ll look for something with most of the benefits of React, but without the baggage of a patents clause that’s confusing and threatening to many people
Simon Phipps’ timeline and discussion about how Apache moved the PATENTS license to the Category X list:
A popular post here on Medium focused on CTOs, with a balanced view, including a discussion on one patent lawsuit between Facebook and Yahoo!:
Detailed (long) discussion of “what does this mean for my project” from an engineer’s perspective:
This is a living document and I will keep updating it as necessary (medium.com)
An Apache CouchDB developer’s take on React and the license:
Translation: French by @gnieh_ Disclaimers: I am not a lawyer. I’m not speaking for Facebook, the ASF, or CouchDB. This… (writing.jan.io)
If you’re a startup, you should not use React (community/startup aspects):
That is, if you ever hope to be acquired by a larger company (medium.com)
Don’t over-REACT to the Facebook Patents License (legal aspects)
Recently, Apache re-classified code under Facebook’s “BSD+ Patents” license to “Category X,” effectively banning it… (blog.fossa.io)
Why the Facebook Patents License Is A Paper Tiger (legal aspects)
Update: More about Preact/Vue/Inferno useage at the bottom (medium.com)
Why Facebook Patents License Was A Mistake — an early explanation from Simon Phipps on why the PATENTS license is bad for the open source ecosystem