Hacker News new | past | comments | ask | show | jobs | submit login
Facebook React.js License (elcaminolegal.com)
461 points by maxsavin on Oct 12, 2016 | hide | past | favorite | 194 comments



The way I read it, it's not evil.

It's a known and deliberate shortcoming of many licenses (e.g. BSD) not to include patent stuff because it makes everything unnecessarily complex. There was recently an article about why BSD and MIT are so popular, and it's because they're concise and understandable. There is a reason WTFPL exists and some developers resort to it as a way to avoid legalese.

Facebook clearly was aware of this "shortcoming" and being a big player, they might have wanted to be nice and say "we won't sue you for patent infringement if it turns out we have a patent on something React does". Then the managers went "but what if they sue us? Patents are not only for offense but also our defense, we would weaken our defense." And so the clause of "except if you sue us first" came into being.

And now this fuss about the patent part making it not an open source license? Oh come on.

I really don't like Facebook as a company, but this bickering is silly.


> The way I read it, it's not evil.

No, it's evil, full stop.

Facebook's patent policy means, in no uncertain terms: if you have a patent, they have a worldwide, royalty-free right to use it. Don't want to give them that? Well, until you remove all usage of Facebook's "open source" code, that's the situation.

Note: RocksDB also has this problem, which means CockroachDB is also infected. Tread carefully.

-----

Note to downvoters: No one has a problem with Apache 2-style patent-retaliation provisions. Facebook could solve this problem TODAY by switching to that.

They don't because they don't want to retaliate, they want access to unrelated patents from third-parties at zero cost, with a credible threat to damage those third-parties if they want to retain their unrelated patent rights. There's literally no other reason for Facebook to demand terms beyond Apache 2 than to do what I just described.

The Apache 2 license protects Facebook and third-parties and is 100% ethical. Facebook's patent position is not, for the reasons I've stated above. The community, IMO, should shun Facebook LOUDLY until they relent and stop this bullshit.

-----

Update 2: It's actually worse, because Facebook tends to do this bullshit on stuff like RocksDB and React which are incorporated in other software that you use to run your business.

Using a React-based dashboard widget for your ElasticSearch cluster? Good luck suing Facebook for patent-infringement, because guess what? You agreed to let them infringe by using it, even though you didn't intend to.

Facebook's patent policy requires constant policing to avoid. Like I said: EVIL.


> Good luck suing Facebook for patent-infringement

Protecting from patent lawsuits is not evil as SW patents are bullish anyway. No one except maybe some patent trolls or some other big companies will sue Facebook for patent infrigment and if they do then this is a pretty clever defence. If you really really have something really really unique invented (which is really really unlikely) then just don't use anything by Facebook.


> Protecting from patent lawsuits is not evil as SW patents

Facebook makes hardware and runs a business, and their "we get all your patents for free" stance applies to all patents, not just software patents.


Are you permitted to counter-sue if FB trolls _you_?


Yes you are. Facebook's patent grant explicitly allows the entity they're suing to counter-claims without losing the right to use Facebook's code.


To your point:

'The initial public release of React in May 2013 used a standard Apache License 2.0. In October 2014, React 0.12.0 replaced this with a 3-clause BSD license and added a separate PATENTS text file that permits usage of any Facebook patents related to the software.'

https://en.m.wikipedia.org/wiki/React_(JavaScript_library)


Can you explain the additional patent exposure you face by using React?

If I use a clean room clone of React, how does that protect me from Facebook suing me down the line? In fact, by not using React, you are more vulnerable to a hypothetical suit by them given you won't have been granted by them rights to their patents.

Their license gives you everything the BSD license gives you, full stop.

Then it additionally gives you temporary access to all of facebook's patents related to it. The only thing you give up to get the additional patent license is the right to sue them for patent infringement. If that isn't valuable, then just use the software under the BSD license.


It also means that you can infringe on all Facebook patents and instigate them into suing you. Then, because they are the instigator, you can sue them based on your patent portfolio. And not lose your license for using react.


I think you should read the article again. What it argues is that the licence essentially means that you can't initiate a lawsuit against FB for infringing one of your patents (which may have nothing to do with Reaft) without losing your React licence.

Now whether that bothers you or not depends on your individual circumstances and the sanity of your particular legal jurisdiction, but it certainly would be something of interest to any corporate legal team.


A sufficient cross-branching of anti-patent-suit free software licenses would tend to make patent cases very, very difficult to pull off.

If the revocation clause were broader, say, invoked for any patent suit against any contributor or user of the software, even better. That might fall afoul of antitrust or similar type restrictions, a not-uncommon problem with patent pooling type measures from what I've read and been told over the years.


Given that software patents probably shouldn't even be allowed, I'm okay with this. Also, it's not THAT different from the fairly popular Apache License 2.0's patent provisions.


Sorry but I think you are quite mistaken regarding Apache 2.0 - that termination clause is only triggered by patent claims relating to the "work" (i.e. the derivative software) whereas the React licence appears to cover any claims made against FB. It is a big difference!

I agree that software patents should not be allowed and am fortunate to live in a mostly sane jurisdiction where they are mostly not allowed but that's not the case for everyone.


Who said anything about software? Facebook or one of its affiliates could infringe a hardware invention and suing them for it would have the exact same implications.


Patents shouldn't exist, period. Okay? Now the assertion is consistent. (Note: I'm not the earlier poster)


I do think that the VAST majority of patents should never have been, or be granted in the first place... I do feel that there is some place for them, but very little is done that isn't so completely derivative, that it deserves them.


It wouldn't matter in a place like New Zealand. Software patents are banned there.


I agree with you, but I understand the issue being raised. The way I see this, the issue breaks down three ways (not chronologically):

1) Facebook publishes open source software, that everyone is free to use under copyright law. Everyone agrees this is a good thing.

2) The copyrighted software also includes the use of patented inventions, Facebook adds a patent license to assert that there are no submarine patents (that Facebook is not using copyleft as a means to setup future patent trolling). Everyone agrees this is a good thing.

3) The patent license is worded in such a way that it sets up a sort of 'patentleft'. Facebook is asserting not only that it's patents are defensive, but that there's a license which guarantees it. This license works kind of like copyleft does, though maybe with less precision (at the organizational level). It asserts that if your organization is using patentleft inventions, then by definition, all inventions that come from your organization are derivative works. Unlike Apple's open source license, the guarantees provided by patentleft have no bearing on your rights under copyleft. Not everyone agrees this is a good thing.

For patentleft, some people work in organizations that wish to split their efforts into those benefit from patentleft, from those that don't, like they currently can with copyleft. In the case of copyleft, it's a lot easier to detect infringement (does this code use copyrighted code). At the patent level, not only is it more difficult to tell, but the litigation around it is more difficult to settle.

I personally think that patents and copyrights, when done right, add value to society, but that current laws aren't "done right". Further, I think that copyleft and patentleft exist because of flaws in the existing system of patents and copyrights, are made to fix them, and I fully support that.

* Disclaimer * I am currently a Facebook employee, though my views don't necessarily represent those of the company. I wasn't an employee when the license was created, and I have no work involvement either in the license, or in software covered under the license. When the second/third clauses were added, I was a Google employee worried about the effects of these clauses.


I'm not sure I agree that this is analogous to copyleft. Copyleft says that you must license all distributed dirivitives under the same license, but it doesn't affect any other code you produce, you could still sue Facebook for infringing on your copyright in unrelated works. Whereas Facebook's new custom license only grants you permission to use and distribute React if you never sue Facebook for patent infringement, even if the patent is unrelated to React.


Facebook adds a patent license to assert that there are no submarine patents

That there are no submarine patents owned by Facebook. There's no protection against third-party software patents. A true patentleft is not possible. Mutually-assured infringement is still the best possible scenario under the current system.


> It's a known and deliberate shortcoming of many licenses (e.g. BSD) not to include patent stuff because it makes everything unnecessarily complex. There was recently an article about why BSD and MIT are so popular, and it's because they're concise and understandable.

Could you (or anyone confident in their legalese) elaborate on:

* Does the Apache2 license indeed solve this? (I'm asking because I read about it in the LLVM/Clang license change proposal [1])

* Why isn't the less-popular-but-still-well-established Apache2 license more widely used, then? To counter what you are saying about simplicity, don't you think patents are a common concern that should be covered by default in a license, even at some complexity cost?

[1] https://news.ycombinator.com/item?id=12531887

EDIT: precisions, wording.


Apache 2, iirc, has similar patent provisions where you lose patent protection if you bring suit to any contributors.


Important caveat as I understand it from other comments: Apache 2 is limited only to suits about derivative works under that specific license.

Facebook's is much broader because you lose patent protection if you bring suit against Facebook about anything, even patents with nothing to do with React, like hardware, and even if Facebook is intentionally violating one of your patents.


This is correct. In apache2 you only lose the right to that work, and only the patent rights, not copyright rights. So in a work with no patents, i can sue you as much as i want without fear :P


The problem the article points out is that it is not 'what if they sue us on a patent claim regarding this piece of software' that is the problem.

The problem is that if you would bring _any_ patent claim against Facebook or any of its affiliates, the license terminates at that moment.

This is obviously not a problem for everyone, but a problem no less. Using software licenses to gain additional - and completely unrelated - rights is really not something I would like to see become a trend. It sounds like going back to the dark ages, feudalism and all.

Give the bullies free reign, and they will take your money and beat you up. In this case you would also have to take off your underpants and sew yourself a new pair before you can even try to fight back.


I think that if you have the patents to actually have a case against Facebook and decide to sue them, then it is totally reasonable for them to not give you stuff for free any longer.

Not sure how that is not fair, even more for large players who can objectively decide if it is worth it or not.


isn't your concern addressed by the original article?

    True, the BSD License does not explicitly state
    that the licensee receives the right to use the 
    licensed software under the licensor’s patents. But 
    I’ve never heard any lawyer postulate that that 
    document does not grant a license to fully exploit the 
    licensed software under all of the licensor’s 
    intellectual property. Anyone who pushes that view is 
    thinking too hard.


Also, let's say hypothetically that Facebook does sue you for the patents covered by React. When to comes time to establish damages, the fact that Facebook is currently giving away the licenses for free can be used to argue in court that their monetary value is zero. So even if you get hit with treble damages for willful infringement, the actual impact might not be as severe as one might otherwise suspect. (IANAL, don't try this at home, etc.)


Imagine I come up with a really cool middle-out compression algorithm. I also build my online presence using React.js.

If Facebook uses my algorithm without my permission, and I sue them, do I open myself to being sued for using React.js?


Your explicit grant to any patents that Facebook holds that may cover react is terminated.

Your license to use react is not terminated (https://code.facebook.com/pages/850928938376556).

So, what is the practical upshot of not having the explicit grant to the patents? Can you be sued for patent infringement for using open source software that may be covered by patents owned by the majority contributor to the open source software?


IANAL, but:

Your license to React.js patents terminates. Your license to those patents was valid before you sued, so you cannot be sued for past damages. If you continue to use React.js after you sue, you then would become vulnerable.

But your usage of React.js has little to do with that. Any patent that Facebook has that applies to React.js probably also applies to pretty much any other modern web framework. There are tons of Facebook patents that you're violating already, whether you use React.js or not.

Patents are only useful for trolls and big companies. Any little guy trying to assert patents is going to lose big time in the counter-suit.


Version 2 of the Apple Public Source License includes the following termination clause:

12.1 Termination. This License and the rights granted hereunder will terminate:

(c) automatically without notice from Apple if You, at any time during the term of this License, commence an action for patent infringement against Apple; provided that Apple did not first commence an action for patent infringement against You in that instance.

Like the React patent grant, this applies to any patent suit, not just ones that allege that the covered software infringes. The Open Source Initiative considers APSLv2 an Open Source license, and the Free Software Foundation considers it a Free Software license. Note that this clause terminates your copyright license, not merely your patent license - it's significantly stronger than the React rider.

So I think the claim that it's not open source is a bit strong, even though I find this sort of language pretty repugnant.


Microsoft is not necessarily a paragon of open source, but many of their open source projects use unadulterated OS licenses.

Typescript is Apache 2: https://github.com/Microsoft/TypeScript/blob/master/LICENSE....

Visual Studio Code is MIT: https://github.com/Microsoft/vscode/blob/master/LICENSE.txt


Apple and Facebook have "strong" patent retaliation clauses while Microsoft has a "weak" patent retaliation clause.

More on strong vs weak retaliation clauses here: http://www.rosenlaw.com/lj9.htm

Can't believe Microsoft is the good guy here.


Can the unadulterated hate on Microsoft stop ESPECIALLY when you are using an Apple product.

Microsoft has always had "good guys/gals" at the company. They have been in action more the good guys then anything else minus Steve Balmer's anti-Linux bias over the years.


Can't believe you've ever thought of Apple as "the good guy".


You will notice that most new projects all use MIT. Apache 2 hasn't been used for anything new in the last year+.


Have some examples?

The MIT license is problematic with software patents.

I see some projects moving to Apache2 for that reason (one prominent example here is Rust. They moved to an MIT/Apache2 dual licensing model).


Here are some that I found that are all created in that window: - https://github.com/Microsoft/Docker-PowerShell - https://github.com/Microsoft/malmo - https://github.com/Microsoft/projection-grid - https://github.com/Microsoft/HoloToolkit-Unity - https://github.com/Microsoft/pxt - https://github.com/Microsoft/BotBuilder - https://github.com/Microsoft/elfie-arriba - https://github.com/Microsoft/team-explorer-everywhere

I could have found more, but its a big org. Any examples I found that used other licenses where that way because they where related to something else that used a previous license (i.e. all TypeScript stuff is Apache2, hence any new TS is still be Apache2 for consistency).


What is the problem with the MIT license and patents?

The MIT license grants explicit rights to deal in the software without restriction.


A copyright license is not necessarily the same as a patent grant... Apache 2 does contain a patent grant, and an even bigger nuclear deterrent similar to Facebook's separate grant with MIT.


The MIT license is not a copyright license (though, copyright is claimed). It is a license for unrestricted dealings in the software subject to certain conditions (no warranty or fitness, appropriate notices given, etc.).


Not true. In the Android world, Apache 2.0 is on everything.


Example?


Not sure the easiest way to get a list of the top Android libraries on GitHub, but here's a sample of some that are Apache 2.0: https://github.com/ReactiveX/RxJava http://square.github.io/retrofit/ http://jakewharton.github.io/butterknife/

FWIW, my Android app's codebase has 18 Apache 2.0 dependencies, 1 MIT and 2 BSD. Maybe since the large libraries mostly use Apache 2.0, the smaller Android devs just follow suit?


Just about every Puppet module is published as Apache 2, it's the go to license in our ecosystem.


For new projects, my understanding is that Apple is using Apache and not the APSL any longer. Swift for example.

I just looked at XNU and it is still under the APSL. Does anyone know why a company would not want to go back and change the license of a project? Is it that the company doesn't have the copyright but the individual developers? Even if all the developers only worked for the primary company?


It does not apply to any patent suit. A petition for DJ against a demand letter, for instance, would not be included. A PGR at the PTO, even when appealed to courts is not included. An interference proceeding at court against Apple is not included.


This sort of license is definitely open source (and common, in fact), it's just not gpl2 compatible, which is the current reason most licenses avoid it

Basically: Any attempt to terminate both copyright and patent rights will be gplv2 incompatible Attempts to terminate patent rights, written in the right way, will be compatible.


easy enough for the determined to circumvent: construct a new legal entity and transfer the ip rights to it. then the new entity files suit.


If there's money behind the case, lawyers will sue anyways, arguing that the IP shell is a related entity whose actions can be reflected upon the parent.


Hi, Paul from the React team here. There have been lots of questions about the license+patents combo we use. Recently our legal team answered some of those questions.

https://code.facebook.com/license-faq


That FAQ is missing the most important question, which is raised by the article, on whether the license will terminate if you sue (not counter-sue) facebook for patent infringement unrelated to React. That is, does using React give facebook the right to infringe on any of my patents?


> Does using React give Facebook the right to infringe on any of my patents?

Yes, which is why Facebook's lawyers refuse to answer that question directly and instead obfuscate things by talking about "retaliation".

The Apache 2 license covers, in full, every public goal Facebook legal has stated they have and is 100% ethical. That Facebook refuses to use the Apache 2 license indicates they have additional, private, goals they do not want to own up to publicly.


Thanks Paul. None of those answers are addressing the main critique of the article though.


Is there any talk within Facebook on amending this clause or moving React to a standard license? I believe it's stopping a lot of large companies (whom the patent clause could actually affect) from using React, and all other like-licensed Facebook software.


IANAL but my interpretation of the clause based on comments / links is that it aims to protect Facebook by reducing patent lawsuits in general. If that is actually valid, I would expect there would be many people who are for the terms internally. Am i fully misinterpreting here?


Just use Polymer, vue or something else without that problem :-)


Facebook patents that apply to React will also very likely also apply to Vue or any other virtual DOM library. Using Vue makes you more vulnerable, not less, since you no longer have the protection of the React.js patent grant.


You made this assertion before, but it's wrong and dangerous. Without knowing what the patents are, you cannot possibly say whether or not OTHER technology is infringing on it. It is especially bad considering you are not a lawyer, nor have professed any familiarity with the patent process.

It is a moderate, but known, amount of work to look through FB's patents, assess which are likely around React, and read through the claims. Considering it's possible, I certainly think that it's reasonable to ask you to do the work, or stop making the assertions.


But I have been told, by lawyers, never to read patents, because that could triple damages for knowledgeable infringement.

It also doesn't address potential patents that are still within the 18 month filing window and are still secret.


Then don't make the assertion.


Polymer has nearly the same provision. They're sneaky about it as it doesn't appear in the main license. http://polymer.github.io/PATENTS.txt


Not at all:

"If you or your agent or exclusive licensee institute or order or agree to the institution of patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that this implementation of Polymer or any code incorporated within this implementation of Polymer constitutes direct or contributory patent infringement, or inducement of patent infringement, then any patent rights granted to you under this License for this implementation of Polymer shall terminate as of the date such litigation is filed."

I dont see how is that similar to react. It makes way more sense and is closer in spirit to apache I think.


Yes at all:

"If you or your agent or exclusive licensee institute or order or agree to the institution of patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that this implementation of Polymer or any code incorporated within this implementation of Polymer constitutes direct or contributory patent infringement, or inducement of patent infringement, then any patent rights granted to you under this License for this implementation of Polymer shall terminate as of the date such litigation is filed."


Polymer license only concerns itself with itself. FB license concerns all patents you and FB might have in addition to patents/righs concerning the react code itself.

There is a big difference, although it might not look like that.


Read that text again... especially this part:

"against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that THIS IMPLEMENTATION OF POLYMER or OR ANY CODE INCORPORATED WITHIN this implementation of Polymer".

I know I ask much of you but you can do it. BTW. congratulations on copy pasting the text I pasted above...


I disagree.


Then it should stop you from using software from EVERY large company... many choose Apache 2, which has similar provisions which include revoking your copyright license... MS and Google both include similar provisions in most of their permissively licensed software tools/libraries.


Hi Paul, why not address the real issue in the FAQ? As it stands now, using React in a project essentially nullifies any patent protections a company may have against Facebook. If I were to use React to build a successful product that fits into Facebook's business plan, there is nothing I could do to prevent them from stealing my concept wholesale.


Concept cannot be protected anyway. Look at instagram stealing snapchat stories.


"Does the additional patent grant in the Facebook BSD+Patents license terminate if Facebook sues me for patent infringement first, and then I respond with a patent counterclaim against Facebook."

No, unless your patent counterclaim is related to Facebook's software licensed under the Facebook BSD+Patents license.

I think this sums up everything.


> Recently our legal team answered some of those questions.

Except, you know, the one that matters.

If that doesn't prove that Facebook is acting in bad faith, I don't know what could convince you.


What's the 'bad faith' here? That React is a part of a conspiracy to get all their competitors to use and and then engage in some massive patent lawsuit against them all?


Apache 2 (the original React license, BTW) encompasses all of the legal protections and goals Facebook admits to publicly.

The current BSD license plus "additional patent grant", however, grants Facebook additional rights beyond the Apache 2 license that they refuse to admit to in their public communications, including this idiotic "FAQ". That's the "bad faith": Facebook won't publicly own up to why they want a worldwide, royalty free right to use a third-party's patents that have nothing to do with the software Facebook is licensing to them.

They don't own up publicly because it's unethical.


That they won't address the real question everyone is asking, and at this point, staying mum appears intentional and flippant to those asking. All while acting as though they address people's concerns.


Hey Paul, why not get rid of all the legalese and make this bird free? "Do what you want, no warranty"


I think it's understandable that Facebook want to be protected from the possibility that contributer X contributes code, and then sues Facebook for patent infringement, because the code X contributed was patented. This concern is well addressed by Apache license 2, there was no need for this custom license that goes too far.


The same reason Google has BSD + additional rights grants (though not as restrictive):

We deliberately want people to not be able to sue us for patent infringement without us being able to defend ourselves.

One can argue that facebook's method may be harsher than necessary (our rights grant is pretty much a copy of apache's 2), but i think people do not realize how often google/facebook/etc is getting sued for patent infringement.

Given how popular the software is, it deters people who are not NPE's.


though not as restrictive

This is critical though. Nobody is complaining about the Google (which is also used by Microsoft and Mozilla) retaliation clauses.

i think people do not realize how often google is getting sued for patent infringement.

Fair enough. If Facebook wants to make a public commitment to not use First Strike, the patent license would be acceptable. They have not, so it isn't.


I agree. I was working at a somewhat large IT company (~30k employees) this year. I made a plea for React and while our development section agreed, it got bounced by legal because of these points.

If Facebook is really serious about Open Source, they also have to make their licence so that every organisation is free to use it.


Being "serious about Open Source" doesn't mean a commitment to do anything to support people using your software.

It's the opposite, actually: the original copyleft licenses such as the GPL were explicitly designed to promote Open Source by hindering adoption in some cases, namely those where companies want to distribute derivative works commercially.

Then the BSD/MIT-style licenses weakened this restriction. So you're free to use React in a commercial product.

But Facebook, Apple etc. care a lot about patents these days. Not offensively, as far as we can tell, but they have now been burned repeatedly by often trivial patents being used to extract hundreds of million from them.

So they added these 'patentleft' clauses to their licenses to essentially undermine the patent system in regards to software. As it gets more difficult to build anything without some library that includes this clause, fewer and fewer actors will have the freedom to sue without consequences.

Being opposed to patents on intellectual property in the first case, I can only applaud these efforts. In fact, they should probably go further and extend the protection to everyone: If you use IP patents against Jane Doe, you may no longer use React.

The only problem is the rise of entities focused entirely on patent-litigation.


> It's the opposite, actually: the original copyleft licenses such as the GPL were explicitly designed to promote Open Source by hindering adoption in some cases, namely those where companies want to distribute derivative works commercially.

I'm usually not the one to defend GPL but I want to point out that AFAIK distributing derivative works commercially is totally fine for GPL - you just have to follow the rules in the license (provide source code under the same licence).


See my other comment on why this is not analogous to copyleft, and therfore the term 'patentleft' isn't very useful here.


So, assuming you actually have a patent, and Facebook actually decides to infringe on that patent, the worst case scenario is that you lose your license to use React. There are principles of fairness and equity in the law that would allow you to stop using React in a reasonable amount of time. So write your frontend in Elm. It probably needed a rewrite anyways.


> the worst case scenario is that you lose your license to use React.

Not even that; you lose your license to use the patents Facebook has which cover React...

...if they exist. Nobodies ever found one, and a core React dev is on record saying he doesn't know of any either. :)

But you don't ever your license to use React. Bonus: Many people think the BSD license contains an implicit patent grant, which might well cover you even if the explicit patent grant is revoked. Again, if there are any patents to license.


Does this mean that react could be considered "available source" instead of "open source?"


I think it's a great illustration of the difference between "open source" and "free software." In this case the source is still openly published, but under certain circumstances you're no longer free to redistribute.


Personally I think it's a great illustration that even software developers lack reading skills.

Open Source means this, no more, no less: https://opensource.org/osd-annotated


A license (such as Facebook's) that prevents me from redistributing a modified version could still qualify as "open source" so long as simple mirroring wasn't restricted.

> In practice, open source stands for criteria a little looser than those of free software. As far as we know, all existing released free software source code would qualify as open source. Nearly all open source software is free software, but there are exceptions. First, some open source licenses are too restrictive, so they do not qualify as free licenses. For example, “Open Watcom” is nonfree because its license does not allow making a modified version and using it privately. Fortunately, few programs use such licenses.

> Second, and more important in practice, many products containing computers check signatures on their executable programs to block users from installing different executables; only one privileged company can make executables that can run in the device or can access its full capabilities. We call these devices “tyrants”, and the practice is called “tivoization” after the product (Tivo) where we first saw it. Even if the executable is made from free source code, the users cannot run modified versions of it, so the executable is nonfree.

> The criteria for open source do not recognize this issue; they are concerned solely with the licensing of the source code. Thus, these unmodifiable executables, when made from source code such as Linux that is open source and free, are open source but not free. Many Android products contain nonfree tivoized executables of Linux.

http://www.gnu.org/philosophy/open-source-misses-the-point.h...

(Pasted the most relevant portion in case you lack reading skills.)


> even software developers lack reading skills

A little condescending, no? Do you read (or expect everyone to) the EULA in full when you install Windows, and understand the implications of _all_ clauses? Or for that matter, the Privacy and User Agreements of any website you visit, e.g. Spotify, Facebook, HN (this very website), Netflix, Hulu, Google, etc., or software you might install, e.g. WhatsApp, Signal, iTunes, macOS, all the licenses visible and distributed with Android? What about your banks, and the actions they sneak in that give them the most freedom to do with your money/data under the law?

The text written in these agreements is foremost written for other lawyers, not you. Many companies have made them easier to parse, slowly prioritizing the user's ability to understand them.

Most people have fine reading skills. What you are misconstruing is an ability to understand and derive implications of legal agreements.


I think it's more of an illustration that for better or worse, most software developers just want to hack, and are willfully ignorant of what they consider peripheral concerns.


After Alice v. CLS, what patents about React could be enforced?

edit: After Alice there has been a software patent massacre: https://en.wikipedia.org/wiki/Software_patents_under_United_...


IANAL but OTOH I would argue that Alice isn't very relevant here. The chief rationale behind that case was the triviality of the core algorithm being described: if there isn't enough money in an account, you don't withdraw money from the account.


Facebook's license is even weaker than a BSD/MIT license without any PATENTS license attached at all. Because in that case the patents grant can be considered implicit, depending on jurisdiction. By including a PATENTS license in that repository, Facebook nullifies the possibility of such a defense.


I wish he went into more detail on the difference between this and the Apache2 patent grants.

I've been favoring Apache2, and am considering adopting the GPLv2 compatibility clause that is being added to Swift.


Apache 2 is definitely much better.

IANAL, but I've written about the difference in another comment: https://news.ycombinator.com/item?id=12692852


[edit] I'm bad at read. Sorry!


I'm not sure what you disagree with.


I am equally confused; I think they may have misread your comment.


While we are on the subject:

I constantly find the need to read up on licensing. Usually with various blog posts or online information, which never gives me the feeling that I fully understood the legal implications or the context.

Can anyone recommend a book covering software licenses in depth? (ideally not only US centric)


With a new package manager every year, a new framework every six months, and a new build system every month, who has time for that? Just trust the masses: whatever frameworks and libraries have the most stickers on Macbooks has proven its veracity. /s


These conspiracy theories are really getting old.

Do people really think Facebook developed and released React for the sole, or even primary purpose of gaining patent rights? It's preposterous that so many top engineers would be working on such a goal.

It seems obvious that Facebook just has some overly cautious lawyers. I highly doubt that means Facebook is going to use your usage of React as an excuse to steal your patents.


"Do people really think Facebook developed and released React for the sole, or even primary purpose of gaining patent rights? It's preposterous that so many top engineers would be working on such a goal. "

Having met with their legal and open source departments and talked about this before, i can pretty much say "they have a reasonable set of problems, and are trying to do a reasonable set of things about it".

One can argue they don't need to be this harsh about it, etc. But that's about risk tolerance, not about trying to gain more rights.


Perhaps. But what if Oracle buys facebook or Zuckerberg steps down and a litigious CEO takes over. This is a major concern for lawyers in large companies.


I'm happy to recommend that everyone stop using React if Facebook ever sues someone for using React. But it remains a very unlikely possibility, especially since we don't even know if Facebook has React patents.


Right. After you've spent 10+ man/years developing an app based on React / other lib with similar restriction. "stop using React" is fine advise for small projects that can be rewritten in few months by few people. For very large projects the cost of stop using / rewrite could be huge.


But utterly dwarfed by the cost of an offensive patent infringement lawsuit against a $300+ Billion company.


Exactly. If you're actually in a legal dispute with Facebook, the cost of rewriting your frontend to not use React is minimal.

It's not like React is a massive library with a huge surface area. Even a fairly complex application could be migrated to an alternative like Vue.js if the need arose.


> the cost of rewriting your frontend to not use React is minimal

Or a non-issue if you choose a framework that you feel has safer licensing.


If what I gather is correct, the patents in question don't need to be related to React.


Yes they do, because that's the only patent rights this license is granting to you. All that happens if you sue Facebook for patent infringement is that you lose the patent license included with React—since unrelated patents were never included in that in the first place, it makes no difference if it's terminated.


Amen.


If companies fear that if they try to enforce their patents they will lose access to significant commercial opportunities as a result of not being able to use projects such as react...

...basically, I welcome it.

Patents are harmful.

The FSF has, to my knowledge, made no meaningful progress in significant patent reform.

If this helps, then bring it on.


Facebook's patent license doesn't grant you any patents outside the ones used by React.

It does grant them freedom to use any patent you may have (if you use their software).

See the problem? Even if you don't like patents, it makes the playing field totally uneven.


It still lowers the value of IP patents, since that value has most often manifest itself in suing Facebook/Apple etc.

With their value being even marginally reduced, maybe some patents will never be filed, or the value proposition of setting up patent-litigation entities is reduced enough to discourage it.

Basically this is net-positive for anyone who doesn't own or plan to own patents, even if it is even better for Facebook.


Patent litigation against such companies is often carried out by specialized entities, so those have nothing to lose by having their "React" patents revoked.


I would agree with you if it was only software patents. I still think hardware patents have a place, and that it is possible for the patent office to judge novelty and non-obviousness of hardware inventions.


I worked with a development manager headhunted from Microsoft, who was quite worried about simple "Taint" from open source software (i.e. ideas gained from viewing open source code making their way into closed source software). I also worked with a company which wouldn't accept code contributions to their OS project; they would do clean room implementations to avoid the legal hassle of incorporating code which wasn't written for hire. So I can certainly see large companies being leery of utilizing software with licenses which don't include patent grants.

Perhaps it's less of an issue with the BSD style licenses, as explicitly called out in the article.


To me it's the GPL of patents; it's a viral anti-patent license. Once you use React you must disarm in the destructive patent wars. I wish more popular software were released with it.


The problem is that Facebook doesn't need to disarm, and it's removing your options to fight them if they do not [1].

It's like being forced to abide by the GPL but having the other party use your code under BSD.

[1] I originally said "defend against", but the countersuing clause does cover that.


it's not really viral... the viral aspect of GPL is that any derived work you distribute would automatically have to be open.

in the case of the patents, they're not really used to create a derived work. As a result, there is no "infection".


I liken it to a mutually assured destruction aka nuclear deterrent. Which is a pretty close fit. As someone who is opposed to software patents in general, I'm okay with this.


If it becomes a problem, you could drop in a react-compatible library pretty quickly. React native might be tougher but still would probably appear if there was a case with a lot of publicity.


So happy https://preactjs.com/ and others are around


Other frameworks could infringe the hypothetical React-related patent. There is no safety from infringement as long as software patents exist.


Personally, I'm opposed to software patents... that said, there's no safety from any third party wrt patents either.


I think there exist fields of invention where it's reasonable for inventors to know what's in the patent database and thus avoid unintentional infringement. Obviously software isn't one of those fields.


When it's a case where it's not possible to utilize patent research in order to help make something, and in fact ill-advised to do so, then in that space the entire purported purpose of patents in that space invalidates their use.


I wonder what the OSI and Software Freedom Law Center say about this.


"It is unknown to me why Facebook issued an Additional Grant of Patent Rights in the first place."

STOP RIGHT THERE

If you can't be bothered to do the research necessary to see why then your JD didn't teach ya much in the ways of learning about things. Which ideally should be a large portion, those big books of case law, now oft replaced with speculation and internet comments, do at least tell the story of "why". And if you jump the gun on researching the imminently googleable first sentence of your argument, how can I trust, nay, why should I trust, a single sentence thereafter.

Long and short APL has patent clauses, BSD doesn't, their PATENTS file kinda added that back to BSD without some of the apparent downsides of the APL in terms of forcing you to never ever sue about patents.

Small but not hard, I know, I just have a PhD not some fancy JD, but at least I can do the research that would've muted I imagine the entire post.

I still can't seem to write non-confusing sentences though. Oh well. Parse the above at your own peril.


"A. The Additional Grant of Patent Rights in Unnecessary."

This is legally incorrect.

". But I’ve never heard any lawyer postulate that that document does not grant a license to fully exploit the licensed software under all of the licensor’s intellectual property. Anyone who pushes that view is thinking too hard."

Nobody has pushed this view.

However, the author seems to miss that such rights are likely not sublicensable, because they are implied, and implied rights are pretty much never sublicensable.

That is, i may have gotten the rights. That does not mean i can give someone else the same rights.

Now, there are other possible principles, such as exhaustion, that may take care of this (it's a grey area)

But it's definitely not the case that implied patent rights are somehow going to be better than an explicit grant.

They are for people using software. They are not for people distributing software.


Email I just sent the OSI:

Please see here: https://news.ycombinator.com/item?id=12692552

It turns out companies are now "bastardizing" the license terms. I would love for the OSI to re-evaluate if these licences are truly open source. Open source covers freedom, and I should think that these clauses abridge that freedom since it is very well possible for a company to be required to sue Apple or Facebook over patents. If that unrelated lawsuit "strips" your legal right to use software, that is NOT freedom.

Thanks


The OSI are opposed to software patents anyway, so I doubt that they have a problem with them becoming worthless.

"Freedom" is an empty slogan in this regard. Copyleft licenses have long restricted your freedom, the idea being that there are colliding "freedoms" under some circumstances and it's for the greater good of society to restrict some peoples "freedom" (those creating derivative works) for the benefit of of the end-user.


It's not significantly different than the Apache or MSPL licenses in this regard.


I think the change in licence has something to do with mobile phone licence issues, React Native had its first official release on a date that correlates to the licence addendum changes, this is the first official tagged release :

https://github.com/facebook/react-native/releases/tag/v0.14....

As you can see it is dated: "10 Nov 2015" shortly after the licence was changed.


One interesting thing to note is that the actual license makes no specific references to the patents rider, and in fact the patents grant rider is a separate file completely. Does that mean that I have to follow it, if it's not directly in the license? If we look at the license as a contract, shouldn't it be in the license directly, even if it's referencing something outside?


I'm not sure why they didn't just use the MS-PL it sounds like the same thing? I don't understand why use BSD if the MS-PL achieves what they want, and is backed by Microsoft (surely it would be in their best interest to defend their own license).

https://opensource.org/licenses/MS-PL


if a person offers two licenses, and you only need to accept one of them to be licensed, then you should be all set.

If I sue facebook and they countersue, then my defense is simply "i am licensed under BSD". The fact that you offered an additional license (they even call it "additional") does not mean that I am required to accept it when the first license stands alone.

Right?


Yes, but Facebook didn't dual-license this, they licensed it under a modified version of the BSD license. So it's that license or nothing. Edit: good point, gcp.


You misunderstood. He says "I'll take this":

https://github.com/facebook/react/blob/master/LICENSE

which by admission of the blog post this is about, already includes an implicit patent grant on React.

And he'll pass on this:

https://github.com/facebook/react/blob/master/PATENTS

Which is marked as "additional".


This is a reasonable argument, given the headers says " * This source code is licensed under the BSD-style license found in the * LICENSE file in the root directory of this source tree. An additional grant * of patent rights can be found in the PATENTS file in the same directory. *"

However, the problem you have here is there literally can be no implied license when an explicit one is offered. You can't say "i take the bsd and implied patent license".

So if you want to take it without the additional rights grant, you can. But you won't get patent rights, because they have offered them to you explicitly under a different license.


Unrelated to the actual content of the page.. but why does this site require 1.25Mb of javascript to load? It makes up nearly 70% of the entire page, and is responsible for almost 60% of the requests needed to render the page. Do you really need to use that much javascript just to render a blog post. Why?

Those webfonts also took multiple seconds to retrieve leaving the page essentially completely blank to visitors until their browsers finally pulled them down. It paused long enough I was wondering if HN had sent sufficient traffic to bring the site down.

Here's an output to a quick stab at loading the page using pingdom: https://tools.pingdom.com/#!/cpZuGy/http://www.elcaminolegal...


Because it's a basic site with a handful of pages with a blog that is built as a single page app. All the HTML of the page is generated by Javascript and dumped into the lone div inside the body. So, you take the big hit at first load but then it's snappy after that.

Although, I would think the load size and speed for such a basic site would be better with standard HTML for everything but the blog.

Also, the main JS file is 1690 lines long and even though it says it is min in the file name, it doesn't seem to be minified.

The CSS file has some nice stuff going on in there. Some of the selectors are a bit long for my tastes though.


This has been a major issue for me from the get go, it goes against open source culture but that's no surprise because that is what Facebook loves to do (which it has consistently proved).

They pick something upcoming, recreate it injecting their ideals while knocking the original. They then release it to a sea of "pseudo developers" that latch onto it with the "well it's good because Facebook" mentality which aggressively defend it giving them more leverage.

Then they rinse and repeat until they have replaced everything the community has created with their equivalent instead of contributing back to those projects like a true supporter of open source would.

Open source is much more than having code on a repo, it's a culture that Facebook is hell bent on "changing".


interesting article about why startups should never use Reactjs because if it's license

https://medium.com/bits-and-pixels/a-compelling-reason-not-t...


How is this any different than the MPL 1.1 license? Section 8 of the MPL 1.1 has similar language.

/b


It's completely different.

MPL 1.1 talks about "such Participant's Contributor Version directly or indirectly infringes any patent"

Which refers to the software itself. Which means it's a patent retaliation clause similar to the one Microsoft and Google use. If you claim patents on someone for using specific software, you lose any patent licenses for said software that were granted to you. But in Facebook's case, the retaliation extends when you make any patent claim on anything Facebook does, even if it's completely unrelated to the software in question. Meanwhile, the patent license that Facebook gives you does not extend beyond the software in question.

So you're effectively licensing all your patents to Facebook, and Facebook only gives you the ones you need to use the software.


So I checked StackExchange's law site and found this question - thus far unanswered, but those would be my questions exactly:

http://law.stackexchange.com/questions/14337/q-about-consequ...

It comes down to two questions (quoted from the linked question) - note that those are questions, not assertions:

1)

  > ... if we use any of Facebook's open source projects Facebook can violate *our patents* (of any
  > kind) pretty much with impunity: If we try to sue them we lose the right to patents covering their
  > open source projects(?)
2)

  > I have read opinions that other open source projects that don't have such a clause, for example 
  > those from Microsoft or Google, nevertheless have the exact same problem, only that it isn't 
  > explicitly stated. Is that true? Is my situation not any better when I only use open source 
  > projects without such a clause?
I think that is a good point. The many opinions I see are almost all from people who don't have their own patents to think about, but what happens if you are a company and you do? Would you basically allow Facebook to use any of your patents, because for all practical purposes you can't defend them if you rely on their open source projects?


1) Yes, and that's exactly the problem raised here.

2) The patent grants from Microsoft and Google grant a license on software (or a standard), and only give them a (reciprocal) license on the software or standard that is under consideration. If Microsoft had published React, you could still sue them for violating patents that are unrelated to React without losing your license to use it. The Facebook grant doesn't have this, so if you rely on React you can't sue Facebook at all. But they can still sue you.


2) If Microsoft published React without a patent rider, and Microsoft had patents on the tech in React, then you would be in violation in the first place, right? Microsoft can still you sue for violating their React patents, especially if you sue them first.


1) The article points out there are implicit patent grants if they're not expressly spelled out.

2) Microsoft has provided patent grants that are less severe than Facebook.


> 12.1 Termination. This License and the rights granted hereunder will terminate: >… >(c) automatically without notice from Apple if You, at any time during the term of this License, commence an action for patent infringement against Apple; _provided that Apple did not first commence an action for patent infringement against You in that instance._

am I misunderstanding the last part?


In the above scenario, Apple is infringing the rights of another company, who uses Apple's open source code. That company is then in a hard place. They have to allow the infringement by Apple, or stop using the open source software.

Since Apple is the infringer in this scenario, they would not be inclined to 'first commence and action for patent infringement against You'


Frankly multiple developers don't really care about the licenses or clauses. Software veterans and corporations care about it more than anyone else. Even the article is kinda hard to grasp in one go that I had to read a couple of times. To find the nuances in an OSS license and to think and act on it is not easy for a lot non native English speakers. And more posts like these are needed to make many people read and know about these serious issues.


I'm not a lawyer so I can't say with certainty, but I'm sure Facebook could make React's license a bit nicer in some ways.

But I can't buy it as a reason for not using React, that sounds bogus to me. Facebook isn't gonna come sue your beer-ranking app company over a patent beef.


The Facebook competitor that is considering buying out your beer-ranking app making company might reconsider, though.


Similar approach to the patchwork of various patent grants on Opus implementations; it's still open source, it just might not be free for 100% of the purposes you could think of.

I think Robert doesn't understand that open source refers to the source code being open to use, derivation, and study. The BSD license also includes a warranty disclaimer, which is the exact same kind of protective language as the patent grant. The Facebook arrangement meets all of those requirements with the one stipulation that you forfeit the license when you enter patent litigation against Facebook for a counterclaim the granted patents or primary litigation for unrelated patents. I don't consider countersuing Facebook for patents applying to React, while USING REACT, to be a serious fundamental software freedom.


> The Facebook arrangement meets all of those requirements with the one stipulation that you forfeit the license when you enter patent litigation against Facebook for the granted patents. I don't consider suing Facebook for patents applying to React, while USING REACT, to be a serious fundamental software freedom.

Where does it say that the stipulation refers only to patents applying to React?


>Apparently in response to criticism, in April 2015 Facebook issued a second version of the Additional Grant of Patent Rights that softened the termination provision to say that the React software licensee would not lose its right to use the software under Facebook patents in the special case in which the licensee brings a patent lawsuit that is a counterclaim against Facebook or its affiliates that is unrelated to React.js. The second version of the Additional Grant of Patent Rights, in addition to the BSD license, is what governs use of React.js today.

Sorry, seems it only applies to counterclaims.


So this attorney's problem is that rather than ambiguously granting a license to the patent claims necessary to implement this software, they decided to explicitly grant such rights? I see no problems.


No, his problem is with the breadth of the patent assertion Facebook makes. He's not the first to point out it's unusually in favor of Facebook, even compared to patent grants from Microsoft and Google.


For some reason, I have NO idea why, just like Angular. Just something kind of cool about it. React I'm sure is awesome, but Angular just seems to have something special. Just that extra "something."


Other Open Source licenses have patent termination provisions. Apache 2.0 (which React used to use) says "If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.". There are other licenses as well that include more extensive patent termination provisions, such as the APSL.


The author covered this: "Facebook is not saying only that a licensee’s rights to use React will terminate if the licensee claims patent infringement by the React library itself. ... Facebook is using its publication of React source code as leverage to win some protection against patent lawsuits generally."


For Apache 2.0, read again the part that says "alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement". This in other words means that the license termination happens when you sue for patents that are related to the Work or to derivative works. And it applies to all contributors and isn't related to a specific company. Which is quite reasonable.

Now go read: https://github.com/facebook/react/blob/master/PATENTS - you'll notice that this is a license related only to Facebook's patents and that Facebook will terminate your license if you sue them for any patents, even patents that are unrelated to the Work. And even more problematic, I'm not a lawyer, but it doesn't seem to me that this license applies to derivative works.

Big difference.


The AL2 (and MPL2 and GPL3) language is designed to protect the users from the software authors. The Facebook PATENTS language is designed to protect Facebook from the users.


Then Facebook should have stuck with the Apache 2.0 license.


I feel like if React doesn't "count" as open source software, then neither should anything licensed as GPLv3.


How are those things related at all in the context?


The argument that "This is Not Open Source Software" feels unsupported and very sloppy.

> Thus, the licensee pays a price to use the library. It is not a price paid with money. [..] I could be missing something, but I have never seen any other software license use such a condition and also claim to be an open source license.

This just isn't thinking creatively. The GPL also requires a "price to be paid, but not with money" -- you give up your right to keep changes you make secret (if you distribute them). Yet no-one seriously argues that the GPL isn't an open source license.

If there is something about giving up the right to file patent lawsuits that is totally different to giving up the right to keep your changes secret, the article doesn't say what that difference is. Giving up the right to keep your changes secret is surely more stringent than giving up your right to file patent infringement lawsuits against one company. Why, then, should the latter be a dealbreaker for an open source license?


I think the argument is that the grant is asymmetric. GPL is "I open up, you open up". The retaliation clause Facebook uses is "you don't get to sue us, but we may sue you".


That's an interesting argument! (But the article didn't make it..)

Couldn't you argue that the GPL says "you don't get to keep your changes private, but I do", and so is asymmetric too? It seems normal to me for the rightsholder to retain more rights than the grantee.


You can keep GPL changes private if you don't publish it, and the same applies to the original author. If you feed back changes, you're mutually bound.

But the problem with Facebook's license is not the copyright, it's the patent grant.


Mush simpler. Open source != free as in free beer. That's enough to bust this argument.


React.js is basically licensed so that you cannot make anything that can compete with facebook corporation.

Example:

1. You create something similar to Instagram using React.

2. It gets popular

3. Facebook sues you and takes all your reacts and reducers


Actually I see it as

3. You can't sue Facebook because your app is similar to Instagram


Ok, so expanding on that, the problem becomes this:

1) You create a successful app using React

2) Facebook blatantly copies your app.

3) You can't sue Facebook


Is such a clause actually enforceable? Has this been tested in a court of law? Just curious.


Well, the clause isn't "you can't sue", it's "you have to stop using React if you sue".


But what if you don't stop using it?


You can be sued by Facebook for infringing their license.


Which brings us back to my original question ;)


I am not a lawyer, but "not bringing a patent infringement lawsuit against Facebook or its affiliates" suggest that anyone using React can't file a lawsuit against Facebook over patents and NOT vice versa as you suggest.


Can you point which part of the license says what you claim? Thanks


In their PATENTS file: https://github.com/facebook/react/blob/master/PATENTS#L14-L2...

If you read it, it doesn't seem like GP's claim is completely true.


Are you talking about this part?

> if Facebook or any of its subsidiaries or corporate affiliates files a lawsuit alleging patent infringement against you in the first instance, and you respond by filing a patent infringement counterclaim in that lawsuit against that party that is unrelated to the Software, the license granted hereunder will not terminate under section (i) of this paragraph due to such counterclaim

And, please, point in which part of the file you linked where is said that your license is terminated if Facebook sues you


[edit] ugh, meant to put this elsewhere, rough morning.


> 3. Facebook sues you and takes all your reacts and reducers

Perhaps I highlighted that part because the original OP talked about Facebook suing you first. Dude.


No, this is a complete misunderstanding of the license.

Please read Facebook's official FAQ on this matter::

https://code.facebook.com/pages/850928938376556

>Does the additional patent grant in the Facebook BSD+Patents license terminate if I create a competing product?

>No.


Yes it would totally make sense for facebook to effectively kill react (wasting millions of their paid engineering hours) and forever taint their developer community by using that clause to sue another company just because they compete. </sarcasm>

Hypothetically if you ever grow so big and frighten facebook to that degree, migrating off react would be an easy problem to solve.


Hypothetically, when you're found to infringe a patent for a product that was already deployed, then the damage was already done and migrating at that point won't save you ;-)


Right but this clause assumes you are the one suing facebook for patent infringement and unless your patent is along the lines of "we use react.js to do x", then you probably have the flexibility to port it to a different framework.


BILLIONS, TRILLIONS of hours went into react /s Or maybe whole eternity... Why restrict yourself to just millions.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: