Apache and the JSON license

By Jake Edge
November 30, 2016

The JSON license is a slightly modified variant of the MIT license, but that variation has led it to be rejected as a free-software or open-source license by several organizations. The change is a simple—rather innocuous at some level—addition of one line: "The Software shall be used for Good, not Evil.". Up until recently, code using the JSON license was acceptable for Apache projects, but that line and the ambiguity it engenders was enough for Apache to put it on the list of disallowed licenses.

At the end of October, Ted Dunning brought up the license on the Apache legal-discuss mailing list. He suggested that classifying the JSON license as acceptable (i.e. on the list of Category A licenses) was an "erroneous decision". That decision was made, he said, "apparently based on a determination that the no-evil clause was 'clearly a joke'". He pointed to a thread from 2008 where a "lazy consensus" formed that the "not evil" condition did not preclude Apache projects from using the license.

But Dunning pointed out that some of his customers' legal teams are not getting the "joke". As a license term, "good not evil" leaves quite a bit to be desired:

To me, all of this clearly shows that the json license is substantially hindering downstream adoption due to a perception by those downstream consumers that you can't put a joke into a license. I, frankly, agree with those folks. Not doing evil is a good thing and I try to do that myself, but having to get a legal opinion that everything I do is not evil would make it impossible to get anything done.

Dunning suggested that the license be moved to Category X, which contains licenses that cannot be used by Apache projects. Multiple replies in the thread made it clear there is no real support for the license and plenty of interest in seeing it be banned. In fact, Apache's vice president of legal affairs, Jim Jagielski, decided to ban the license on November 3. He explained his reasoning in a post two days earlier:

It is not a valid FSF nor OSI license. As such, it is not a true "open source" license and has no place as CatA [Category A].

But, simply removing the license from the approved list doesn't magically fix the projects that depend on code using it. Dunning had a list of around a dozen Apache projects that may depend on JSON-licensed code; there may well be others. He also pointed to a Debian web page listing alternative JSON implementations. But work needs to be done to switch projects to acceptable alternatives—and that will take time.

Apache projects cannot make releases using code that is covered by a Category X license, so any that depend on JSON-licensed code need to fix that. Alan Gates wondered if there could be some kind of grace period for projects to come into compliance. He noted that the Apache Hive data warehousing project is in the middle of trying to get out a maintenance release, which would be blocked by the change; others may be similarly affected. Furthermore:

The amount of time to fix this will not be trivial. Based on a little bit of digging I've done the alternatives are not 100% identical in their behavior which will mean projects will need to thoroughly test the replacements and change their code to deal with the differences.

He and Jagielski had spoken about the matter and the latter had suggested perhaps adding a "grandfather clause" that would allow projects that already use JSON-licensed code to continue to make releases for some period of time. Gates proposed six months as that time frame. In general, that idea was popular, but there were some wrinkles.

Dunning would like to see a much shorter deadline for resolving the license problem. He has done some work to make it easier for projects to switch to a properly licensed alternative, but there is still a lot of testing that needs to be done to ensure everything works correctly. Gates asked if a six-month period would really matter given that the license has been present in Apache products for years, but Dunning is concerned that Apache projects are losing users over it:

We are already seeing users reject Apache software because of this issue. So yes, it will matter. The question is how much and how do we trade that off against the pain involved.

There are other considerations, though. Andrew Wang said that the Apache Hadoop framework for big data processing relies on third-party libraries that use JSON-licensed code. "We can't simply swap it out." In addition, enterprise software is expected to only make bug fixes for multiple years, he said, so switching libraries will be problematic from that perspective:

I'll add that typical EOLs [end of life] for enterprise software is measured in multiple years. If I had my druthers, we'd grandfather in existing release lines where bumping json.org would affect compatibility and thus EOL expectations. Failing that, giving us at least until June would be significant.

There was a fair amount of discussion of how various projects could proceed to remove the dependency on JSON-licensed code, but no clear consensus emerged on how disruptive the change would be. Enough of a consensus on having a grace period of some length did emerge, however, to the point that Jagielski issued a statement that prohibited projects from adding JSON license dependencies, but allowed others some time to make the change:

If you have been using it, and have done so in a *release*, AND there has been NO pushback from your community/eco-system, you have a temporary exclusion from the Cat-X classification thru April 30, 2017. At that point in time, ANY and ALL usage of these JSON licensed artifacts are DISALLOWED. You must either find a suitably licensed replacement, or do without. There will be NO exceptions.

It is, in some ways, surprising that it has taken this long for Apache to tackle this particular license problem. Other organizations have banned the license for years and Apache is rather notoriously picky about licenses. The "determination" that it was a joke clause back in 2008 seems a bit strange, in truth. But "there has been no real 'outcry' over our usage of it, especially from end-users and other consumers of our projects which use it", Jagielski said, which may explain why it hadn't been addressed until now.

It is likely that few would admit to using the JSON-licensed code for "evil" (however that is defined), but that isn't really the crux of the matter. Legal departments are understandably leery of how others (and courts, in particular) might interpret the clause. It is quite ambiguous and corporate legal teams go to great lengths to avoid that kind of thing when they can. Given that Apache projects are used at lots of large companies, it is perhaps also surprising that the outcry wasn't louder than it is even today.

Several in the thread wondered about getting the license's author, Douglas Crockford, to change it. That was deemed unlikely by Jagielski and Sam Ruby, who have both discussed it with him multiple times. Crockford has given at least one license exception in the past ("I give permission for IBM, its customers, partners, and minions, to use JSLint for evil."), though no one suggested pursuing that path for Apache projects.

But letting the issue linger certainly had a cost for the projects that depended on that code. It would, it seems, have been far better to grasp the nettle some time ago. In the end, though, by mid-2017 the problem should be resolved, hopefully with minimal disruption.

Apache and the JSON license

Posted Dec 1, 2016 0:42 UTC (Thu) by josh (subscriber, #17465) [Link] (13 responses)

For some of the code affected by the JSON license, people have tracked down a version derived from one that includes an exception to the clause, and built their code upon that version. See https://github.com/jshint/jshint/issues/1234 , and jshint's "master-free" branch.

Apache and the JSON license

Posted Dec 1, 2016 3:35 UTC (Thu) by elw (guest, #86388) [Link] (12 responses)

While I appreciate and respect Crockford's position on "The Software shall be used for Good, not Evil", such ambiguous language has no place in a software license, or any license for that matter. Good and Evil are inherently subjective words. Employees at NSA would tell you that what they were doing by spying on American citizens was good. Their intentions were good. They watched over the citizenry. They investigated illegal activity by monitoring computer networks. They strategically withheld security vulnerabilities to aid in fighting the enemy. Many people, however, consider their actions evil. They spied on U.S. citizens. They hacked personal and corporate computer systems. They withheld 0day exploits for offensive purposes instead of disclosing them responsibly.

There are always at least two sides to everything. What is good and what is evil is simply a matter of perspective. The JSON license fails to acknowledge reality preferring, naively, to believe that everything is black or white, good or evil.

Apache and the JSON license

Posted Dec 1, 2016 8:27 UTC (Thu) by marcH (subscriber, #57642) [Link] (5 responses)

> What is good and what is evil is simply a matter of perspective.

Yeah, everything's relative. For instance rape feels good to rapists whereas saving lives feels evil to... sorry; I forgot to whom exactly.

Apache and the JSON license

Posted Dec 1, 2016 9:42 UTC (Thu) by farnz (subscriber, #17727) [Link]

Intent matters - saving an unrepentant murderer's (e.g. a professional hitman for the KKK) life specifically so that they can kill again is "saving lives", but could be considered evil.

Apache and the JSON license

Posted Dec 1, 2016 11:23 UTC (Thu) by NAR (subscriber, #1313) [Link] (3 responses)

saving lives feels evil to... sorry; I forgot to whom exactly

My guess is millions of people. Not just those who refuse possibly life saving medical intervention due to religious reasons (i.e. saving life is evil), but those who think saving refugees from drowning is a bad idea.

Apache and the JSON license

Posted Dec 1, 2016 18:18 UTC (Thu) by marcH (subscriber, #57642) [Link] (2 responses)

Wow, serious efforts to miss the point. Let me try again: how many people find it evil to catch and rescue someone accidentally falling off a cliff?

The point is: yes of course the concepts of Good and Evil aren't identical for everyone. This doesn't mean the concepts are completely void and useless; they do have a lot of universality. Pretending the concepts of Good and Evil are meaningless is just as extreme and stupid than pretending they mean the exact same for everyone. The real world is complex but that doesn't mean we can't say anything about it.

Apache and the JSON license

Posted Dec 1, 2016 18:34 UTC (Thu) by tartley (subscriber, #96301) [Link] (1 responses)

Hey marcH. It is true that some (not most) actions can be universally classified as either good or evil. But that's not remotely sufficient. It is necessary that *all* (or the vast majority) of actions can be so classified, unambiguously and trivially, before the action is taken. Otherwise, any one abiding by the terms doesn't know which actions they can or cannot take. If they make a classification error even once, in any of the hundreds of actions they might perform every day, then they are wide open to anybody with a different classification accusing them of breaching the terms.

Apache and the JSON license

Posted Dec 1, 2016 21:31 UTC (Thu) by marcH (subscriber, #57642) [Link]

I totally agree that such a clause has absolutely nothing to do in a software licence. Sorry for straying off the licence discussion.

Apache and the JSON license

Posted Dec 1, 2016 10:39 UTC (Thu) by stevan (guest, #4342) [Link] (2 responses)

> version derived from one that includes an exception to the clause

It seems a pity that this discussion seems limited to legal issues rather than what would seem on the face of it to be the intent behind the smiling face of the clause, which is to bear in mind an ethical aspect to software and its use. One can understand why the issue is reduced to a legal one above others, but as in other areas of life, surely software development can bear a bit of ethical self-scrutiny without it becoming a binary legal outcome.

Apache and the JSON license

Posted Dec 1, 2016 19:38 UTC (Thu) by david.a.wheeler (subscriber, #72896) [Link] (1 responses)

A license is a legal document that determines what you're allowed to do or not do. Grossly ambiguous text like this has no place in a legal document. It's unethical - and possibly evil - to release such grossly ambiguous text in a license.

Apache and the JSON license

Posted Dec 1, 2016 23:52 UTC (Thu) by JanC_ (guest, #34940) [Link]

But as the copyright owner, the license doesn't apply to the person who releases such a text in a license, so that being evil is not an issue… ;-)

Apache and the JSON license

Posted Dec 2, 2016 6:23 UTC (Fri) by gdt (subscriber, #6284) [Link] (2 responses)

such ambiguous language has no place in a software license, or any license for that matter

I can't agree. It's Douglas's code. He can license it how he sees fit. There's no obligation on him that a license be convenient for lawyers or that a license be a free software license. The license isn't pretending to be something it isn't, so there's no misrepresentation. If clarity is your requirement then no one forces use of this code.

I'm not even convinced that this is poor legal procedure. For example, summary judgment against this license seems unlikely, since the nature of evil and a licensee's compliance with non-evil are matters of fact.

Apache and the JSON license

Posted Dec 2, 2016 18:20 UTC (Fri) by nybble41 (subscriber, #55106) [Link] (1 responses)

> It's Douglas's code. He can license it how he sees fit.

Allow me to rephrase. While the law does indeed say that it is Douglas's code and he can license it however he sees fit, such ambiguous language has no place in a license for software you actually want other people to *use*. Perhaps Douglas does not intend for the code to be used by anyone other than himself, and that is perfectly fine. However, the ambiguous license language makes the software toxic to anyone else, legally speaking: it is impossible to know whether one will later be found to have complied with the license or held liable for copyright infringement. If he wants the software to be adopted by others (and why else would he release it with an almost-open license?) then his purpose would be best served by leaving out the ambiguous language.

Apache and the JSON license

Posted Dec 2, 2016 21:26 UTC (Fri) by bronson (subscriber, #4806) [Link]

Well, it's not toxic to evildoers. They don't care about licenses -- they'll use whatever they want.

It's only toxic to the good guys.

Apache and the JSON license

Posted Dec 1, 2016 6:55 UTC (Thu) by xtifr (guest, #143) [Link]

As someone who is unabashedly evil (or so the preachers tell me), this comes as a great relief!

Now I don't have to choose between dancing on Sundays and using Apache software. :D

Apache and the JSON license

Posted Dec 1, 2016 13:00 UTC (Thu) by ber (subscriber, #2142) [Link]

It is good that the Apache Software Foundation is picking this up. To me the license is clearly non-free, which is known for a while (by FSF and OSI).

I think the lesson to be learned here is similar to what is known about software defects: Fixing licensing problems early is less expensive.

However sometimes legal issues are put forward for other reasons and should be ignored for practical reasons, so it cannot easily be detected if a licensing issue at hand is a real problem.

For the jslint license it has become clear a while ago that Mr Crockford does not are much about real Free Software down stream usage. Most products use the javascript parsing part. An alternative javascript parser linker is http://eslint.org .

Apache and the JSON license

Posted Dec 1, 2016 16:39 UTC (Thu) by gwolf (subscriber, #14632) [Link]

I see this as a politically difficult, but most welcome, movement.

This joke-in-a-license (or joke-of-a-license? Am I doing evil here?) has been already disapproved for Debian. Debian is well known for its uncompromising attitude towards licenses, and several projects have been convinced to choose a saner or less controversial licensing scheme because of Debian's arguments.

In this case, this was not enough (at least for most projects still carrying it). the Apache Foundation is another very well known name in this regard, and very well recognized as a top player when it comes to the Web world (although clearly it does not stop with that alone).

Yes, many projects won't change, and we are likely to be stuck with the JSON license for good. However, this position statement might push many other projects to choose a sane licensing. Probably it will help push other important projects to a similar decision.

Slowly, at least, this will push the JSON license to fringe, unimportant projects. And the world will be a better, saner place. Yay!

Apache, OK

Posted Dec 1, 2016 16:56 UTC (Thu) by ncm (guest, #165) [Link] (3 responses)

It is fortunate that these problems principally affect Apache Project packages. Since "Apache is where projects go to die", it affects mainly moribund projects. Among those I include Ooo and everything Java, which seem to land at Apache almost by default, and which often have not yet formally noticed they are dead -- even those that started out that way.

It is good to the degree that it hastens those deaths, but bad when actually dealing with it, instead, consumes effort better spent on projects that have a future.

Apache, OK

Posted Dec 1, 2016 18:23 UTC (Thu) by marcH (subscriber, #57642) [Link]

> everything Java, which seem to land at Apache almost by default,

Not 100% sure what you meant here but J2EE is one of Java's top successes and it's strongly and obviously related to Apache the web server.

Apache, OK

Posted Dec 5, 2016 16:30 UTC (Mon) by ssmith32 (subscriber, #72404) [Link] (1 responses)

,>Among those I include Ooo and everything Java, which seem to land at Apache almost by default,

I don't see how any rational enginneer can consider Apache Hadoop or Cassandra dead (A rather large mass of Apache & Java, with a considerable ecosystem both free & commercial - > 1 billion$ - around both). There are even products I've personally recommended against using (Tomcat and any J2EE stuff) that I can't see how you would think are "dead".

Must be wishful thinking? I suppose some of my wishes and your beliefs could find common ground, but the facts are against the both of us...

Apache, OK

Posted Dec 6, 2016 0:51 UTC (Tue) by ncm (guest, #165) [Link]

I mean "dead" as used in the expression, "You are dead to me". (No, dear reader, not you. Java.)

Apache and the JSON license

Posted Dec 2, 2016 4:21 UTC (Fri) by branden (guest, #7029) [Link] (1 responses)

With any luck, ASF can get Rob Weir on the job, and everybody will be hugging it out in no time.

Apache and the JSON license

Posted Dec 2, 2016 18:32 UTC (Fri) by flussence (guest, #85566) [Link]

Wouldn't that mean they're sublicensed under IBM's exception anyway?

Apache and the JSON license

Posted Dec 5, 2016 14:36 UTC (Mon) by mirabilos (subscriber, #84359) [Link] (2 responses)

http://stackoverflow.com/a/34418410/2171120

Mostly compatible replacement we use:

<dependency>
<groupId>com.vaadin.external.google</groupId>
<artifactId>android-json</artifactId>
<version>0.0.20131108.vaadin1</version>
</dependency>

I got this comment:

I have also packaged this onto Maven and made a number of changes to make it easier to port to. Notably, JSONException is now unchecked. See github.com/tdunning/open-json (also available via maven) – Ted Dunning yesterday

This should make adoption even easier.

Now JSHint/JSLint are harder to replace, but I’d say throw them into Crackford’s face and just remove them from the face of the world.

Apache and the JSON license

Posted Dec 5, 2016 17:11 UTC (Mon) by keis (guest, #87838) [Link] (1 responses)

eslint does a really good job of replacing both jshint and jslint

Apache and the JSON license

Posted Dec 5, 2016 22:46 UTC (Mon) by bronson (subscriber, #4806) [Link]

eslint really is great. I haven't used jshint in a year, and jslint for many years.

Apache and the JSON license

Posted Dec 8, 2016 18:57 UTC (Thu) by sombragris (guest, #65430) [Link]

While I believe in objective good and evil, this is awful. Especially when we leave it to the courts to ascertain what is good and what is evil. This reminds me of something Theo de Raadt said back in 2001 in the context of the IPFilter controversy:

But software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia.