ModSecurity Licensing Exception Draft Is Ready
As you may know, ModSecurity is licensed under GPL version 2. This licence has served us reasonably well, but there’s been one problem that has been following us for a long time. I chose to use the GPLv2 for ModSecurity, back in the day, mostly in order to prevent the use of ModSecurity in proprietary derivative works. This strategy worked, but it had an unfortunate side effect of also preventing the creation of open source derivative works, due to the incompatibility between the Apache Software License version 2 and the GPLv2. The problem eventually caused the removal of ModSecurity from Debian.
After the GPLv3 was introduced we had an option to switch to it (the incompatibility with the ASLv2 was fixed), but doing that would require a significant investment to fully understand the new licence and the consequences of its use. (Decisions were easier to make when I was the only person making them; now there are quite a few people involved.) The fact that GPLv3 hasn’t been proven in practice does not help. At some point we realised that the path to fixing the problem was not through the licence change, but through an exception that would grant additional rights to qualifying open source projects. The exception creates additional rights for those who choose to accept it, but it does not change the licence of ModSecurity itself, which remains licensed under GPLv2. Changes and improvements to ModSecurity must still comply with the GPLv2.
Anyway, the final draft of the exception is ready: ModSecurity_Licensing_Exception_1.0-draft5.pdf. Here’s a brief overview:
- You want to package a web server distribution based on Apache and you want to include ModSecurity in it. The Exception allows you to do this as long as all the components use the approved open source licences.
- If you make changes or improvements to ModSecurity, or write code that links with it—either directly or indirectly (e.g. through a third component)—such code must be released under GPLv2; it cannot be covered by the Exception.
- If you build a user interface to control the derivative work (and thus ModSecurity too) you can choose any approved open source licence for it.
The plan for now is to give you some time to send us feedback, if you wish. If everything goes well, the next stable version of ModSecurity will include the Exception too.

Great news. Not that it's a huge drag to compile from source or anything, it's just that the ability to stay inside the pkg manager is a *good* thing. Thank you for the effort of sorting it out and explaining it.
robt.
A Debian/Ubu user.
Posted by: Robert Lount | 19 June 2008 at 12:14 AM
Uh ... a problem. "approved" is not adequately defined. I doubt Debian would consider this exception, since their possibly patched version is a derived work, and cannot transmit the exception. Bleah.
Posted by: C Filorux | 03 July 2008 at 03:22 AM
Have you read the text of the exception? The approved licences are those listed in the document. As for your second point, I don't see a problem with a derivative work continuing to use this exception.
Posted by: Ivan Ristic | 03 July 2008 at 04:29 AM
This is great news!
Thanks for taking the time to do this!!! It would be great to have such an important software for all of us back again.
Greetings
Posted by: Dererk | 17 September 2008 at 11:50 PM
Has this licence change been officially approved by the debian-legal folks? Was it run by them before being announced?
There seems to be a packager waiting to package this for Debian ... see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487431
Thanks for working to make this code useful to Debian and Ubuntu Linux -- I really hope the legal stuff is "good enough" so this can once again be included.
Jonathan
Posted by: Jonathan Marsden | 15 November 2008 at 12:55 AM
Jonathan,
Yes, debian-legal had a chance to review the exception long before it was used in ModSecurity. We haven't heard from them much, but my understanding is that they are fine with it.
Posted by: Ivan Ristic | 17 November 2008 at 07:34 AM