(Today we’re interviewing Shane Curcuru about the recent issues reported with Facebook’s React.js software’s BSD + PATENTS file license, and what the Apache Software Foundation (ASF) has to do with it all. Shane serves in a leadership position at the ASF, but he wants you to know he’s speaking only as an individual here; this does not represent an official position of the ASF.)
UPDATE: Facebook has relicensed React.js as well as some other software under the MIT license, without the FB+PATENTS file. That’s good news, in general!
Hello and welcome to our interview about the recent licensing kerfuffle around Facebook’s React.js software, and the custom license including a custom PATENTS file that Facebook uses for the software.
You’ve probably seen discussions recently, either decrying the downfall of your startup if you use React, or noting that this is an old issue that’s just a paper tiger. Let’s try to bring some clarity to the issue, and get you some easy-to-understand information to make your own decision. To start with, Shane, can you briefly describe what the current news hype is all about? Is this a new issue, or an old one?
Well, like many things around licensing, the details are complicated, but the big picture is fairly simple. Big picture, the current news hype is only about policy at the ASF, and does not directly affect anyone else. The only recent change was made for projects already at Apache, and even that change will take a while to implement.
I’m confused — isn’t this a new change in the licensing for the React.js project?
No, actually — Facebook’s React.js project has used this license (often called BSD + PATENTS, but it’s really a Facebook-specific file) for several years, so the underlying issue with this specific PATENTS file is old. It’s just getting attention now because the ASF has made a change in their licensing policy. The current change last month was to declare that for Apache projects, the custom PATENTS clause that Facebook uses on React.JS software is now officially on the “Category-X” list of licenses that may not be shipped in Apache projects.
So the news is about the fact that Apache projects will no longer include React.js in their source or releases. This is a policy change, and only affects Apache projects, but obviously it’s gotten some news coverage and has gotten a lot of developers to really go back and pay attention to the licensing deails around React.
Many of our readers probably don’t understand what “Category X” means, unless it’s an X-Files reference. Can you explain more how the ASF determines which kinds of software licenses are acceptable in Apache projects?
Great question, yes, Category X is the ASF’s term for software licenses that, by ASF policy, may not appear in Apache software source repositories or software releases. This is an operational decision by the ASF, and doesn’t mean that various licenses are incompatible with the Apache 2.0 license — just that the ASF doesn’t want it’s projects shipping code using these licenses.
The rationale is this: the ASF wants to attract the maximum number of inbound contributions. Thus, we use the permissive and as some say “business-friendly” Apache license for all ASF software. This allows maximum freedom for people who use Apache software to do as they please, including making proprietary software. Part of the Apache brand is this expectation: when you get a software product from the ASF, you know what to expect from the license. Besides not suing us and not using Apache trademarks, the only real restriction is including the license if you redistribute something based on Apache 2.0 licensed software.
Licenses that the ASF lists as Category X add additional restrictions on use to end users of the software, above and beyond what Apache 2.0 requires. The most obvious example are GPL* copyleft licenses, that require redistributors to provide any changes made publicly, under the GPL.
OK — So Category X isn’t a legal determination of incompatibility, it’s just a policy choice the ASF is making? Is that right?
Exactly right. Others are free to mix licenses in various ways — but the ASF chooses to not redistribute software with more restrictive licenses than Apache 2.0. So when you download an Apache product, it won’t have Category X software like React in it — but you’re free to mix Apache products with React yourself, if you like.
Aren’t there some Apache projects shipping with React today, like CouchDB?
Yes — CouchDB currently includes React in their tree and past releases, as do a few other projects. These projects will warn their users (by a NOTICE file or blog post) that their releases contain more restrictive licensed software, and are working on plans to re-design things to remove React and replace it with other, less restrictively licensed libraries.
And before you ask, yes, this is extra work for the volunteer projects at Apache, and it’s not something the ASF does lightly. But ensuring that Apache projects have clean IP that never includes any licensing restrictions beyond what the well-known Apache 2.0 license requires is critical to the broad acceptance of Apache software everywhere.
So if this recent change in ASF policy only affects Apache projects, why is it getting so much attention in tech circles these days?
Because the ASF policy announcement has made some people go back and really look at Facebook’s custom BSD + PATENTS file license used in React. This is a good thing — you should always understand the licenses of software you’re using so you follow them — and so you don’t have surprises later, like now. People using React are already bound by this license, it’s just that many people didn’t look into the details until now.
There are two conceptual issues here in terms of how open source participants decide if they want to accept Facebook’s license here. First is the addition of Facebook’s custom-written PATENTS file. Very briefly, it states that if you sue Facebook over (almost any) patent issues, you loose your license to Facebook patents. The first issue is that this patent termination clause — which is in a fair number of licenses — is a strict and exclusionary clause. The balance of rights granted (or taken away, if you sue) is strongly tilted to Facebook as a specific entity. It’s not the more even and generic balance of patent termination rights that are in the Apache 2.0 license.
That asymmetry in patent rights is the problem: it directly puts Facebook’s interests above everyone else’s interests when patent lawsuits around React happen. Of course, there are a lot more details to the matter, but for those questions you need to ask your own attorney — all I can say is that it’s an issue that will happen incredibly rarely, if ever, for open source projects.
So the Facebook BSD + PATENTS file license favors Facebook, even though they’re an open source project that wants your contributions. We kind of get that; patents are always tricky, but the asymmetry in rights there does seem a little odd compared to other licenses. You said there were two conceptual issues?
The second conceptual issue is simpler to explain. The Facebook BSD + PATENTS file license is not on the OSI list of open source licenses.
(pause) Um, is that it? What’s the real issue here about OSI approval?
Yup, that’s the core of the issue. Being on the OSI list is huge. The generally accepted definition of “open source” is that your software’s license is listed by OSI.
The reason OSI listing is key is because enough lawyers in many, many companies have vetted the OSI list licenses that the ecosystem knows what to expect. The OSI has a strong reputation, so to start with people know basically what to expect in terms of overall license to OSI listed licenses. More importantly, these licenses have been vetted over and over by counsel from a wide variety of companies.
A lot of law work is risk management: ensuring your rights are preserved when doing business or using licenses. OSI-listed licenses are well known, so lawyers can quickly and confidently express the level of risk in using them. Non-OSI licenses mean the lawyers have to read them in detail, and do a new and comprehensive review of risks. It’s not just the work, it’s the uncertainty with something new that typically translates into saying “This new license has more risks than those well-used ones.”
Now I get it — OSI licenses are popular and frequently reviewed, so people are comfortable with them. A new license — like the Facebook PATENTS file — might not be bad, but might be — people don’t know it well enough yet.
Exactly right. I can’t think of any good reason for companies that want to work with open source groups to ever use a non-OSI listed license. People keep thinking so, but license proliferation is not worth it. Successful open source projects need new contributors from a variety of places. Keeping barriers to entry low — like unusual licenses — is one of the easiest ways to turn users into potential contributors.
If the Facebook PATENTS license is unusual enough to turn off other projects from using it, like Apache, why won’t Facebook consider changing the license to an OSI-approved one?
That’s a question you’ll need to ask Facebook. The ASF already asked Facebook to consider changing the license, and they said no. Facebook also wrote an explainer for their license that’s been widely shared.
We have one listener asking: Is the Facebook PATENTS license viral? That is, if you use React.js in your software, must you use the same Facebook PATENTS license?
No, the PATENTS clause is not “viral”, or rather, it’s not copyleft. So you are free to use whatever license you want on any software you write that uses or incorporates React.js.
Note that the actual patent grant from Facebook to anyone using React.js software — even if it’s inside of your software project — is still there. The PATENTS terms apply to anyone who’s running the React.js software, and are between Facebook and all the end users. So that patent licensing issue doesn’t affect you as an application builder directly, but it might affect your users.
Great, well we’ve covered a lot of ground in this interview. What else should readers know about, so they can make up their own mind about the licensing risks around React — that were always there, but they might not have understood.
TL;DR: the only short-term question is if you’re thinking about donating your project to Apache. If so, start planning now to migrate away from React, because you won’t be able to bring it with you.
For everyone else, this is a non-issue in the short term. Longer term, it’s something you should make your own mind up about, by considering all the aspects of any change: legal risk (probably low, but it’s patents so who knows), technology (several replacements out there, but none yet as strong as React), and community (what development capacity do you have, and does your community of contributors care?)
I wrote a brief guide about the legal, technical, and community aspects of deciding to use or not use React earlier.
Also — if you have strong opinions about this, let people — and Facebook — know! I have to say a some open source types were quite surprised when Facebook refused the ASF’s request to relicense. Facebook has some great open source projects, including some open governance ones. I’m personally a little surprised they aren’t using an OSI license for this kind of stuff.
Thanks for reading along with Shane’s interview of Shane on the React licensing issue! Good luck to your project whichever licenses you choose.
For More Information About React Licensing
The ASF’s publishes their Licensing policies, including the Category X list, and some rationale for policy decisions on licenses at Apache.
UPDATE! Automattic, the company behind WordPress, will be moving away from React:
“We’ll look for something with most of the benefits of React, but without the baggage of a patents clause that’s confusing and threatening to many people
Simon Phipps’ timeline and discussion about how Apache moved the PATENTS license to the Category X list:
A popular post here on Medium focused on CTOs, with a balanced view, including a discussion on one patent lawsuit between Facebook and Yahoo!:
Detailed (long)discussion of “what does this mean for my project” from an engineer’s perspective:
This is a living document and I will keep updating it as necessarymedium.com
An Apache CouchDB developer’s take on React and the license:
Translation: French by @gnieh_ Disclaimers: I am not a lawyer. I’m not speaking for Facebook, the ASF, or CouchDB. This…writing.jan.io
If you’re a startup, you should not use React (community/startup aspects):
That is, if you ever hope to be acquired by a larger companymedium.com
Don’t over-REACT to the Facebook Patents License (legal aspects)
Recently, Apache re-classified code under Facebook’s “BSD+ Patents” license to “Category X,” effectively banning it…blog.fossa.io
Why the Facebook Patents License Is A Paper Tiger (legal aspects)
Update: More about Preact/Vue/Inferno useage at the bottommedium.com
Why Facebook Patents License Was A Mistake — an early explanation from Simon Phipps on why the PATENTS license is bad for the open source ecosystem