RFC: Inconsistent software license for scran & automated license checks
@matthias-doering-22813
Belgium

I was just checking the software licenses of Bioconductor packages and I think I spotted an inconsistency:

  • CRAN package dqrng is licensed under AGPL-3
  • scran depends on dqrng but is licensed under GPL-3 and not AGPL-3.

From my understanding of open-source licenses, since scran is a modified version of dqrng (it depends on it), scran should be released under the same license, i.e. AGPL. The same would then hold for all packages that depend on scran, meaning that the current licenses of all packages depending on scran in Bioconductor should be set to AGPL.

To resolve the scran licensing issue, there are two paths. Either change all licenses of reverse dependencies to AGPL or remove the dependency on dqrng in scran, which may make more sense since the AGPL is known to be a very restrictive license which limits use of the libraries for web-based services as source code will need to be published.

Also, this finding poses the question of how the Bioconductor community ensures that packages are released under the appropriate license. If there isn't an automated mechanism for checking that packages are released under a compatible license, I would strongly recommend this to prevent breaching licenses without intending to do so.

It would be great if one of the core devs could provide some feedback and take the matter into their hands to resolve these problems.


Dear Matthias, after review of the AGPL-3 section of https://www.gnu.org/licenses/license-list.en.html#GPLCompatibleLicenses I believe that scran’s current GPL-3 licensing is explicitly allowed under section 13 of the AGPL-3 license:

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the work with which it is combined will remain governed by version 3 of the GNU General Public License.


Dear Levi, Thanks for your observation. For completeness, let's consider what both GPL and AGPL say in Section 13.

GPL-3, excerpt from Section 13

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

AGPL-3, excerpt from Section 13

Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the work with which it is combined will remain governed by version 3 of the GNU General Public License.

My interpretation of those passages:

  • If you link a modified GPL program with an AGPL program, the terms of the GPL will apply to the modified program but will not overwrite the AGPL conditions about network interactions.
  • If you link a modified AGPL program with a GPL program, the AGPL will remain in place for the modified program and the GPL program will remain under GPL.

For this concrete case, we have scran (GPL) linking to dqrng (AGPL), which means that scran can be released under GPL but that the network interaction condition from the AGPL license of dqrng still needs to be respected. As far as I'm aware, that is the main (and only?) difference between GPL and AGPL, thus while scran is licensed under GPL, in all practical terms it should be treated like AGPL software because the network transmission limitation comes into effect as it links to dqrng.

TLDR: it seems that it's fine to have scran licensed under the GPL. However, the network transmission limitations from the AGPL will apply to scran, effectively putting it under AGPL as well. So, if you want to transmit an R package over a network without open sourcing your work, you must check not only the package's license itself but also the licenses of all its dependencies. If there's a single dependency of your program licensed under AGPL (also among the recursive dependencies, e.g. a dependency of a dependency of a dependency ...), the network transmission terms of the AGPL will apply.

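The recursive dependency check described in the TLDR above, as an added example that is not part of the original posts or of any Bioconductor tooling. It walks DESCRIPTION-style dependency fields transitively and reports the dependency path to every AGPL-licensed package; the package index is constructed, `exampleapp` and `examplelib` are hypothetical, and the field carrying the scran to dqrng edge is an assumption.

```python
import re
from collections import deque

# Constructed package index (not real repository metadata). The licenses of
# scran and dqrng are the ones stated in the thread; the DESCRIPTION field
# that carries the scran -> dqrng edge is an assumption, and "exampleapp"
# and "examplelib" are hypothetical packages.
INDEX = {
    "dqrng":      {"License": "AGPL-3", "LinkingTo": "Rcpp (>= 0.12.16)"},
    "Rcpp":       {"License": "GPL (>= 2)"},
    "scran":      {"License": "GPL-3", "LinkingTo": "Rcpp, dqrng"},
    "examplelib": {"License": "MIT + file LICENSE", "Imports": "Rcpp"},
    "exampleapp": {"License": "GPL-3", "Depends": "R (>= 4.0)",
                   "Imports": "scran, examplelib"},
}
DEP_FIELDS = ("Depends", "Imports", "LinkingTo")
AGPL = re.compile(r"\bAGPL\b|Affero", re.IGNORECASE)

def direct_deps(meta):
    """Package names from the dependency fields, version constraints dropped."""
    names = []
    for field in DEP_FIELDS:
        for entry in meta.get(field, "").split(","):
            name = re.sub(r"\(.*?\)", "", entry).strip()
            if name and name != "R":  # "R" itself is the interpreter
                names.append(name)
    return names

def agpl_paths(root, index):
    """Breadth-first walk over the transitive dependencies of `root`.
    Returns ({agpl_package: shortest path from root}, [unresolved names])."""
    hits, unresolved = {}, []
    seen, queue = {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        meta = index.get(path[-1])
        if meta is None:
            # Unknown license: report it instead of silently passing.
            unresolved.append(path[-1])
            continue
        if AGPL.search(meta.get("License", "")):
            hits[path[-1]] = path
        for dep in direct_deps(meta):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return hits, unresolved
```

Packages missing from the index are returned separately so that an incomplete index is not mistaken for a clean result.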
@vincent-j-carey-jr-4
United States

Thanks for this observation. We are discussing it and will get back to you.
