It sucks to have to agree with someone that you don't fundamentally agree with but I think the author of the PR is correct. This is a modification of the Apache license and while I appreciate and support their stance, it does seem to mean that the license is non compliant. I support anyone's desire to protest things (no matter which side I'm on) but you can't just make up your own rules.
As much as I hate what Russia is doing, I’d hate even more for software to come under political purviews.
If an author of a library chooses to apply political condition(however justified they may be), then the software is simply not free by definition.
I’m neither Russian nor Ukrainian. I cannot turn a blind eye simply because it doesn’t apply to me. What if another library that I use apply a license that says “those that look like this cannot use my software from now on”?
Stallman has discussed this years ago: https://www.gnu.org/philosophy/programs-must-not-limit-freed...
The most pertinent part is:
> A condition against torture would not work, because enforcement of any free software license is done through the state. A state that wants to carry out torture will ignore the license. When victims of US torture try suing the US government, courts dismiss the cases on the grounds that their treatment is a national security secret. If a software developer tried to sue the US government for using a program for torture against the conditions of its license, that suit would be dismissed too. In general, states are clever at making legal excuses for whatever terrible things they want to do. Businesses with powerful lobbies can do it too.
Okay, so while this title is technically true, it is phrased in a way to incite panic.
Just to be clear, AWS/Hashicorp is NOT beginning to charge people for the use of Terraform modules.
I’m ethically torn here.
On one hand, I ask myself what I would have done if I worked at IBM in the 1930s[0]
On the other hand, as an LGBT person, I firmly believe that maximal freedom of speech protects vulnerable people from erasure.
What this means for free software is a tough question.
I hate this presidence things like these set. I would hate code being split into left/right, and that's kinda the presidence set here
As much as I think the war is wrong, having it seep into other things which are "non-political", is incredibly annoying.
I'm not sure what the title here should be, but this one seems incomplete
Edit: maybe this?
> Terraform-AWS-modules/Terraform-AWS-eks restricts license for Russian/Belarussian users
It is astonishing to me how poor our literacy of software licenses is as a community. Also, reading the comments here, there are two wholly independent things happening that most people are conflating as the same thing.
Software licenses are LEGAL DOCUMENTS. If you are not a lawyer, who has a specialty in this specific area of law, don’t go fucking with them.
1. Fuck Russia. This is the only right answer to the question.
Entirely separately is #2.
2. If you change the terms of a license, it’s a different license. The changed license was not the Apache 2.0 license, and was additionally a breaking change in every sense of the phrase.
I appreciate that @antonbabenko recognized this and fixed it, but these two issues are entirely separate. What Russia is doing is terrible. That is an absolute fact. But the new Terraform variables that were added in that commit have absolutely nothing to do with making the software work in the way that it was intended to, therefore, they do not belong.
This has nothing to do with being anti-politics. I’m very heavily political, and I fully support Ukraine in this case. I also have strong opinions on both “free software“ and also “open source software“, and I apply them at the license level by selecting a pre-existing license without making custom modifications to it.
But things like `var.putin_khuylo` simply don’t belong in the software itself. Nor does it belong in an OSI-approved software license.
It is fine for people to reuse/derive from the Apache license but it is _not_ fine to continue to use the name "Apache" in the license name as "Apache" is trademarked. I believe this is a changed license as it does not matter whether the change is in another file or not.
Edit: https://www.apache.org/foundation/license-faq.html#mod-licen...
The only appropriate response here is for a corporate owner (Hashicorp preferably) to fork the repo just before the license change and to assert that their version is the default, and drive future development there.
The original author is entitled to their opinion and can restrict their own development to a repo with license conditions they define, but it is not reasonable to expect companies to accept non-standard and politically charged license terms. Getting shit done is hard enough and this change will not move the needle on Ukraine/Russia sentiment one iota.
Ugh. As much as I am against the invasion, I absolutely do not want to have to start examining software licenses for obscure political litmus tests. Especially pointless ones like "I believe Putin is a bad dude".
I mean, if we're going to go down this road, then let's actually effect real change and slip some clauses in there with teeth like "no click-through license agreements" or "no pop-up cookie prompts" or "no ad trackers"...
This license change appears to affect not just the EKS module, but all the modules in the terraform-aws-modules organization.
For example, here is the same change in their VPC module: https://github.com/terraform-aws-modules/terraform-aws-vpc/c...
While I completely abhor the invasion, I can't help but feeling that the licence (and equally important) accompanying code change - https://github.com/terraform-aws-modules/terraform-aws-eks/b... - feels like a weaponisation of open source, and I think this is a dangerous thing to do. I do think that with change of "additional terms & conditions" to "additional information", it still feels an ethically dangerous place to be.
I would not be happy if a library codifies political statements. What could be next? Conditions that state you agree to vote for/against Trump, that you disagree with homosexuality or are against transphobia. Note, I'm not accusing anyone of having those views neither am I commenting on them, they merely serve as an example of the dangers of discriminating.
Dependencies and supply chain attacks are the big thing - and while dependency scanning and pinning are an important component, but I don't think it is possible to use open source libs at scale without a certain amount of trust. I work on a platform where there are hundreds of teams and thousands of microservices. I'm now trying to think how we can assess the risk of thousands of dependencies and millions of lines of code. Without trust, the only way that's possible is to fork all libs, prevent open source and generally kill off any agility and velocity. My problem is that this weaponisation is killing off trust. It's not about sitting on the fence or taking sides in a war. It's about what open source has achieved over the last 30 years and I think that's now more at risk than before…
FWIW anyone I don't think apache 2's definition is set in stone. Think of this as derivative of apache 2, without the author saying it's apache 2.
Have you found more open-source projects that follow a similar approach to spreading information about the Ukraine-Russia conflict?
Would be nice to compile a list of them!
I'm in favor of a license hack for humanity.
The International Science Council [1] has a Committee for Freedom and Responsibility in Science that "promotes freedom for scientists to pursue knowledge and to freely exchange ideas, at the same time as advocating the responsibility of scientists to maintain scientifically defensible conclusions, and of scientific institutions to apply high standards." [2] They have published a list of Freedoms and Responsibilities of Scientists[3], the main principle of which is "the free and responsible practice of science is fundamental to scientific advancement and human and environmental well-being."
Reading the list in full, it seems evident that there is intellectual dissonance between the aims of scientific freedom and the aims of the Universal Declaration of Human Rights[4] (which it references). It opposes blocking access to science based on discrimination, which is laudable. However, it also doesn't explicitly oppose science done that supports discrimination, or science done by organizations that support discrimination.
This makes sense when you consider that advances in science like GPS can be used to help you drive to a birthday party, or to guide a missile towards one. Clearly you can't condemn scientific research by itself, as it has too many potential applications for both good and harm, often unknown at the time the research is done.
Similarly, discriminating against research on the basis of "ethnic origin, religion, citizenship, language, political or other opinion, sex, gender identity, sexual orientation, disability, or age" also prevents the free and responsible practice of science, so the list of Freedoms and Responsibilities of course opposes this discrimination. But what if the end result of that science research is used to discriminate against those same people for the same reasons? What does a responsible, ethical scientist do then?
What we can do is oppose the use of science by people with those discriminatory goals, or goals that violate universal human rights. If you know someone is researching genetics in order to popularize Eugenics, there should be no responsibility to continue supporting that research. Similarly, if you believe that not supporting scientific research may help put pressure on a nation that is waging an unjust and unprovoked war which is killing thousands of innocent civilians [in violation of universal human rights], you should have no responsibility to continue supporting said nation's scientific research. In other words, it should be okay to discriminate if you are discriminating against violations of universal human rights.
Considering this, I would propose that one major tenant of any new Open Source license is to discriminate against organizations or nations that want to research, use, or produce science or technology, if that organization or nation is widely considered to be violating universal human rights. This goal has the effect of communicating an ethical red line you must not cross if you want to participate in a global human community, and will be a discouraging factor when nations again consider the potential ramifications of their actions.
Basically, we should use access to collaboration in science and technology as a lever to improve human rights.
edit Ethical minds think alike! Somebody already created a version of the MIT license with this exact restriction! The Hippocratic License[5]: "an Ethical Source license that specifically prohibits the use of software to violate universal standards of human rights, and embodying the Ethical Source Principles." It appears there are many[6] other such licenses.
[1] https://council.science [2] https://council.science/about-us/governance/committees/commi... [3] https://council.science/what-we-do/freedoms-and-responsibili... [4] https://en.wikipedia.org/wiki/Universal_Declaration_of_Human... [5] https://firstdonoharm.dev/ [6] https://ethicalsource.dev/licenses/
Ugh. Lookit: it sucks to be forced to say anything at all, whether you agree with it or not. One thing I can say for certain is that my employer (and probably yours) is only into virtue signalling when it's 100% safe, everyone else is doing it and it has zero negative repercussions. I don't get to decide what my employer's stance is on licenses. I guarantee you that many people will end up moving away from these modules, not because they agree with Putin, but because they have to. Nobody wants the hassle or risk of auditing a million different licenses.
I'm an environmentalist. Should I update all my licenses to ban meat eaters, frequent flyers and drivers? Where does this shit end?
edited: I see the addition now.
Hi. I am Anton Babenko, maintainer (ukrainian by heart) here. I have updated the wording in README to state the facts about Russia (facts with links to wikipedia) - https://github.com/terraform-aws-modules/terraform-aws-eks#a...
It was never my intention to make changes in a license in any way. It would be just wrong to drop 5+ years of my life working on all terraform-aws-modules and betray everyone who have been participating as contributors and users.
If there are questions, please ask here or twitter (@antonbabenko).