Conversation
Notices
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:14:07 JST 
Haelwenn /элвэн/ :triskell:
https://github.com/element-hq/dendrite/blob/main/CONTRIBUTING.md
> We follow a simple 'inbound=outbound' model for contributions […] in our case, this is Apache Software License v2 (see LICENSE).
Meanwhile the actual LICENSE: AGPLv3 (+ a proprietary license)
I guess this is the gaslighting-cla model.-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:20:57 JST
Haelwenn /элвэн/ :triskell:
Let's see how they react to updating the name: https://github.com/element-hq/dendrite/pull/3611 -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:22:13 JST
Haelwenn /элвэн/ :triskell:
@jbowen I mean, if contributions are licensed under AGPLv3 but not their commercial one (since they're not pointing to it in the document)… works for me :) -
Embed this notice
Jason Bowen 🇺🇦 (jbowen@mast.hpc.social)'s status on Tuesday, 15-Jul-2025 04:22:14 JST 
Jason Bowen 🇺🇦
@lanodan
That's gross. I would like to be able to assume oversight with AGPLv2 vs 3, but I can't and so I assume it's intentionally misleading.I feel it should also be mentioned that they sell commercial licenses, so outbound could be 'commercial,' and I wouldn't want a contribution I make to end up being sold to someone under commercial license terms.
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:24:39 JST
Haelwenn /элвэн/ :triskell:
@jbowen Also legally speaking… you can't just take Apache-2.0 as if it were AGPLv3, they are compatible and AGPLv3 prevails, but you need to keep the copyright notice and permissions intact. -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:33:14 JST
Haelwenn /элвэн/ :triskell:
Oh, they have a proper CLA but they're sneaky about it.
https://cla-assistant.io/element-hq/dendrite -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:38:46 JST
Haelwenn /элвэн/ :triskell:
@jbowen They can't license AGPLv3 code they don't own under a proprietary licence, it's a very strong copyleft license, not something like a BSD license.
So if one were to say, fork dendrite, Element actually can't take code back without getting rid of their proprietary license or having each author sign a license agreement. -
Embed this notice
Jason Bowen 🇺🇦 (jbowen@mast.hpc.social)'s status on Tuesday, 15-Jul-2025 04:38:47 JST
Jason Bowen 🇺🇦
@lanodan
> if contributions are licensed under AGPLv3 but not their commercial one (since they're not pointing to it in the document)… works for me :)Totally fair, but how would things work in practice? (I'm genuinely ignorant on this.) If I contribute a feature under AGPLv3, I assume they would be able to sell Dendrite + myFeature to a customer under a commercial license, correct?
I really need to go do some more reading.
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 04:46:55 JST
Haelwenn /элвэн/ :triskell:
@diazona @jbowen They do have a CLA but it doesn't seems to be in the repository (git grep intellectual returns nothing), see https://cla-assistant.io/element-hq/dendrite
Also on the relicensing, I would wonder if all the ones at https://github.com/matrix-org/dendrite/graphs/contributors did agree to Apache-2.0 being changed to AGPLv3+proprietary since you can't just strip out copyright notices and permissions without at least some kind of agreement.
-
Embed this notice
David Zaslavsky (diazona@techhub.social)'s status on Tuesday, 15-Jul-2025 04:46:56 JST 
David Zaslavsky
@jbowen @lanodan This piqued my curiosity, so I looked into the history of the project and found that it was relicensed from Apache 2 to AGPL3 last year (https://github.com/matrix-org/dendrite/discussions/3281). So the explanation that seems most likely to me is that whoever updated the license just forgot that it was mentioned in CONTRIBUTING.md. I don't think one can reasonably assume it's intentional, at least not based on what I saw.
If somebody submitted a bug report pointing this out, or a PR fixing it, and that wasn't well received, then that's a different story - it would start to look extremely suspicious.
I do have to wonder what the terms of the commercial licenses they sell are... if the software isn't delivered to commercial customers under AGPL3, that "smells" an awful lot like copyright infringement. (though I'm no lawyer)
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 07:55:55 JST
Haelwenn /элвэн/ :triskell:
@diazona @jbowen Well, they actually should keep the Apache 2 headers at least on code that they don't entirely own the rights for relicensing. You can use Apache 2 pretty much everywhere (it even explicitly allows sublicensing), but you need to comply with it's terms, one of which is: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; (like the vast majority of FOSS licences) -
Embed this notice
David Zaslavsky (diazona@techhub.social)'s status on Tuesday, 15-Jul-2025 07:55:56 JST
David Zaslavsky
@lanodan @jbowen Ah and I just found this: https://github.com/element-hq/dendrite/commit/6bfe946bd2d82db12c1e49918612cc3d7139b8ce
From a brief scan it looks like they are keeping the existing attribution notices, so that particular obligation seems to be fulfilled.
I couldn't help but notice that they missed deleting a few Apache 2 file headers 😛 Dunno if they might have fixed them in later commits.
-
Embed this notice
David Zaslavsky (diazona@techhub.social)'s status on Tuesday, 15-Jul-2025 07:55:57 JST
David Zaslavsky
@lanodan @jbowen Ooh interesting! Yeah that seems odd. I suppose they could be manually refusing to accept pull requests from anyone who doesn't have a signed CLA on file, and we outside observers wouldn't necessarily have any way to know, but that would be an unusual way to operate.
This chart (https://opensource.stackexchange.com/a/3/529) suggests that Apache 2 code can be relicensed as AGPL3, so they wouldn't need the original contributors' assent for that. Although they would have to be complying with the terms of Apache 2, in particular including a copy of the Apache 2 license text with any redistribution... I didn't check but I do have to wonder about that 🤷
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 15-Jul-2025 08:34:28 JST
Haelwenn /элвэн/ :triskell:
@diazona @jbowen Well doesn't have to be the multiline headers, it can be the nice SPDX single-line header instead.
And I don't see a copy of the Apache-2.0 license in their repo either since LICENSE switched from Apache-2.0 to AGPL-3.0. -
Embed this notice
David Zaslavsky (diazona@techhub.social)'s status on Tuesday, 15-Jul-2025 08:34:29 JST
David Zaslavsky
@lanodan @jbowen I would think that just means they're supposed to include the LICENSE file, or some file with the text of the Apache 2 license, in the distribution. I'd be surprised if it means that Apache 2 headers in source code need to be preserved; as far as I know, those headers are not licenses themselves, they're just notices clarifying what license applies to the file.
-
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Saturday, 16-Aug-2025 01:37:48 JST
Haelwenn /элвэн/ :triskell:
Got merged, with adding a note about CLA but still marking it as inbound=outbound.
Makes no sense but at least it more explicitly makes no sense.
-
Embed this notice
All GNU social JP content and data are available under the