[Libwebsockets] License obligations

Andy Green andy at warmcat.com
Wed May 5 08:02:50 CEST 2021



On 5/4/21 10:56 PM, Bruce Perens wrote:
> I am an intellectual property consultant, with an extensive history 
> regarding Open Source licensing, but not an attorney and not _your_ 
> attorney. If you had a lawyer, I'd suggest you show this to them. But 
> obviously you don't. :-)

Bruce is indeed the expert on this topic, and has the scars to prove it.
We're lucky to get his comment.

> I could go down the list of which license requires that you carry a copy 
> along with the binary, and which doesn't, but it would make things more 
> complex and potentially lead to mistakes. I am going to suggest a 
> simpler strategy.
> 
> You (and Andy) are using and redistributing the contributed software 
> under the licenses granted to you. Andy has total rights to the part 
> that he wrote, but that is not the entire libwebsockets library. Neither 

Right, that is why I wrote

 >> but from my side for my code, it's OK for me...

As you say, I acquired the other licensed pieces only on their terms and 
I have no more say about their disposition outside their license than 
anyone else, but it follows that I have no standing to make trouble on 
their behalf; in terms of my personally getting upset and making 
trouble, users only have to worry about my reading of the license
relating to my code, which is as I explain there.

> you nor Andy have any right to use and redistribute the software that he 
> didn't write in any way other than specified by the license.
> 
> Andy should always distribute the software with a copy of _ALL_ licenses 
> in a directory where that is easy to find, along with a note regarding 
> what licenses apply to what pieces.

Currently LICENSE is performing that role; it has had the breakdown of
what is licensed where in the tree for a long while, and the files
themselves have links back to the original and the original license
headers; after yesterday's patch it has full license copies for
everything except apache2, which has a link to the full license in the
shortform that is there.

I guess it can do with a refactor into LICENSE.md and a dir to contain 
the pieces but it seems close enough it can happen later.

> You are probably integrating more than one Open Source component into 
> your product. Most people are. All licenses for all of the pieces, and a 
> file showing where you can get the original versions you used, should be 
> in a directory distributed along with your binary. The presence of this 
> should be indicated in some way to the user. They need to know it's 
> there and to be able to read it.
> 
> The point of this is that you don't make decisions about which license 
> requires what, which you are likely to get wrong. You just treat all of 
> them the same.

Yes thinking about eg, zlib, you may avoid it at lws, but if lws is in a 
generic linux rootfs, you very likely anyway have zlib elsewhere in your 
firmware like openssl, even if not bound directly to lws.  The 
distributed binary might be an app, or rtos + lws, where you could 
wholly avoid it.

But since you're going to have at least MIT license to tell, is it ever
going to repay the effort to not just stick the other licenses in
there and done?  You might refer to a license that doesn't really apply 
in your build, but no harm done AFAIK.  The main point is ticking the 
box in a way that won't make trouble later.

-Andy

> It doesn't sound like you are using any licenses that require you to 
> distribute source code. If you were, the instructions would be more 
> complicated.
> 
>      Thanks
> 
>      Bruce
> 
> On Tue, May 4, 2021 at 10:40 AM Andy Green <andy at warmcat.com> wrote:
> 
> 
> 
>     On 5/4/21 6:13 PM, krushith rao wrote:
>      > Hello Andy Green
>      >
>      > Thank you so much for the information.
>      > I have found LGPL 2.1 components at
>      > *libwebsockets-4.1-stable/lib/abstract/protocols/smtp/smtp-sequencer.c*
>      > & *libwebsockets-4.1-stable/include/libwebsockets/lws-mqtt.h*, which was
>      > not included in the license folder of your repository. If you have
> 
>     Ugh... these are accidents that did not get updated when the rest of lws
>     changed license to MIT.  Thanks for pointing them out.
> 
>     I pushed a patch on main, v4.2-stable, and v4.1-stable changing them to
>     MIT (that they were already intended to be).
> 
>     -Andy
> 
>      > linked those specific components statically, please let me know.
>      > Thanks in advance.
>      >
>      > Regards,
>      > Sandy
>      >
>      > On Tue, May 4, 2021 at 5:07 PM Andy Green <andy at warmcat.com> wrote:
>      >
>      >
>      >
>      >     On 5/4/21 2:29 PM, krushith rao wrote:
>      >      > Hello,
>      >      >
>      >      > I am using libwebsockets to build a commercial application. Since
>      >      > libwebsockets is under MIT license, I need to provide attribution and
>      >      > copyright notice in the redistribution of my application.
>      >      > Unfortunately, I have found that in the license folder that
>      >
>      >     ...
>      >
>      >      > libwebsockets also includes other programs which are under different
>      >      > permissive licenses like BSD clause 2, Apache 2.0 and Public domain
>      >      > license. So, to comply with license of the other components included in
>      >      > the libwebsockets, do I need to provide a copy of BSD clause -2, apache
>      >      > 2.0 and public domain license in the redistribution of my application.
>      >
>      >     I Am Not A Lawyer, but from my side for my code, it's OK for me if you
>      >     point to ./LICENSE in the version of lws gitweb you built, something
>      >     like
>      >
>      >     https://libwebsockets.org/git/libwebsockets/tree/LICENSE?h=v4.2-stable
>      >
>      >     since that file describes the main license and the gnarly details.
>      >
>      >     To help with that, I bolstered what's in LICENSE on main with copies of
>      >     the mentioned licenses from the sources elsewhere in lws.  There is no
>      >     change to the license, it's just copying the unchanged license text from
>      >     some lws files into one place as an additional convenience after the
>      >     license stuff that was already there.
>      >
>      >     Apart from MIT, and CC0 which has no requirements on you, the imported
>      >     pieces are only built into binaries under specific circumstances.
>      >
>      >        - BSD3: the related SHA-1 implementation for ws is only built if you
>      >     a) use ws protocol with lws, and b) don't build with
>      >     `-DLWS_WITHOUT_BUILTIN_SHA1=1` ... that disables the code in question
>      >     and uses the tls library sha-1 instead.
>      >
>      >        - ZLIB: zlib... this is not built into your binary by default, you
>      >     have to enable `-DLWS_WITH_ZLIB=1` and then be building for windows
>      >     before it gets built into lws.  So unless you did that, the license
>      >     won't apply to the binary since no zlib code is built.
>      >
>      >        - APACHE2: this is for the mbedtls wrapper, if you build against
>      >     anything except mbedtls (openssl, wolfssl, libressl, boringssl etc) it
>      >     will not apply to your binary since it's not built in there.
>      >
>      >     So AIUI you have a way to avoid having to deal with the requirements of
>      >     those additional licenses **for binary distribution** by ensuring the
>      >     related code was not built into your binary.  For source distribution,
>      >     you have to observe them, but AFAIK just serving someone the unchanged
>      >     tarball is compliant for that.
>      >
>      >     You can also send patches with MIT-licensed alternatives I can swap
>      >     these things out for.  But I think you will find, if you have to
>      >     consider that, it's not really so "unfortunate" we got some free
>      >     implementations we can use or base off without rewriting them.  It'd be
>      >     ideal if everyone agreed on one liberal license so no impedance
>      >     mismatch (some of the composed code was already MIT, so it does
>      >     happen), but that's not how it is out there at the moment.
>      >
>      >     -Andy
>      >
>      >
>      >      > If so, please let me know.
>      >      >
>      >      > Thanks in advance
>      >      >
>      >      > Regards,
>      >      > sand
>      >      >
>      >      > _______________________________________________
>      >      > Libwebsockets mailing list
>      >      > Libwebsockets at ml.libwebsockets.org
>      >      > https://libwebsockets.org/mailman/listinfo/libwebsockets
>      >      >
>      >
> 
> 
> 
> -- 
> Bruce Perens K6BP
> - Board Partner, OSS Capital LLC Venture Capital
> - CEO, undisclosed startup

