This is a text-only version of the following page on https://raymii.org:
---
Title       : I enforced the AGPL on my code, here's how it went
Author      : Remy van Elst
Date        : 20-10-2020
Last update : 28-02-2022
URL         : https://raymii.org/s/blog/I_enforced_the_AGPL_on_my_code_heres_how_it_went.html
Format      : Markdown/HTML
---

Five years ago I made [a website][1] that allowed you to put in a few domains and get an email when the SSL certificate was about to expire. No ads, no fuss, just an easy way for people to keep tabs on their sites without setting up their own monitoring like Nagios.

As with all of my software, I released it under the GPL, specifically the AGPL due to it being web based software. The AGPL differs from the GPL on one point. Simplified: you have to release the source of any modifications you make under the same license, even when you host the software (not distribute) online. With the regular GPL, you don't have to release the source if you provide a modified version online, only if you distribute it.

Recently I found a company that hosted certificatemonitor, with some modifications (branding and a Dutch translation), without any reference to its origin, no source code provided and no mention of the license. I'm not going to link to the company, you can see the screenshots, but I don't want to give them any extra exposure.

In this article I'll talk about what I did to enforce the license and how it went. TL;DR, not as expected. The company responded timely and friendly, but did a half assed attempt (added a link to my site with `Inspired By Remy` as the text), then after my complaints, took down the entire site.
I was a member of the [Free Software Foundation Europe][18] back in [2010][19] and have [donated many times][20] to the Software Freedom Law Center / Software Freedom Conservancy (the thing Bradley always talked about on the Linux Outlaws Podcast) and at work I'm the go-to guy whenever we [get][21] a [GPL request][22] for our coffee machines, so you might say I have a heart for open source. If anyone from the SFC or FSF or gpl-violations.org is reading this and wants to do more with it, please send me an email.

I license all my personal stuff under the GPL and AGPL (where applicable) and dislike the permissive licenses (MIT, 3 clause BSD, X11, Apache) because they allow people to take your stuff and never contribute back. I prefer strong copyleft licenses that force you to contribute. [Here is a good article][23] going into permissive vs copyleft licensing.


The following two paragraphs are taken from the [Plausible.io article][9] explaining their license switch. I found them to explain the AGPL so well, that I cited them here. Please [go read their article][9], I found out that Google has an [anti AGPL policy][10] by reading their article.

Update 28-02-2022: Added actual AGPL text and backlink to FSF site due to [comments on a HN thread][26]

### What are the benefits of the AGPLv3?

The AGPL license is identical to the original GPL license with the only additional term being to allow users who interact with the licensed software over a network to receive the source for that program. AGPL is designed to ensure corporations contribute back to the open source community even when running the software as a service in the cloud. If you used AGPL-licensed code in your web service in the cloud, you are required to open source it.

It basically prevents corporations that never had any intention to contribute to open source from profiting from the open source work. It explicitly prohibits corporations from parasitically competing with an open source project. They won't be able to take the code, make changes to it and sell it as a competing product without contributing those changes back to the original project.

Here's that [extra paragraph][24], summarized from the FSF site:

> If you run a modified program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the modified version running there

The actual difference is in section `13. Remote Network Interaction; Use with the GNU General Public License.`:

> Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph.

[Here][25] is the full diff between the licenses, using this command minus the `--suppress-common-lines`:

    # https://www.gnu.org/licenses/gpl-3.0.txt
    # https://www.gnu.org/licenses/agpl-3.0.txt
    diff --side-by-side --suppress-common-lines agpl-3.0.txt gpl-3.0.txt

#### What are the restrictions with the AGPLv3?

A corporation needs to be clear and provide a prominent mention and link to the original project so people that are considering to use their version of software can be aware of the original source

If a corporation modifies the original software, they need to open source and publish their modifications by for instance contributing back to the original project

### Hey, that looks a lot like my code

I sadly only took a few screenshots on my phone, so I cannot show more than this, but the similarities will be more than clear. In the email conversation we had, they acknowledged that it was my code, so there's no doubt on that.

Here are the pictures, including the statement that triggered my enforcement action (their copyright). First the FAQ items on my original code and next to it their translated version:

![hoasted gpl][6]

- Their headings are collapsed, but match mine, translated into Dutch.
- Their cert check times are exactly the same as mine.
- They claim full copyright as authors (which is wrong, they're not authors and it's not their copyright)

Here's the confirmation page after you've signed up.

![hoasted gpl][7]

- The blue `Email: ` is exactly the same (twitter bootstrap styling).
- The green `Confirmation` is exactly the same.
- They've added a call to action "Buy Now" button

Last but not least, here is the confirmation email you get after signing up.

![hoasted gpl][8]

- The confirmation link has the same UUID format
- The date time format matches
- It lists the IP you signed up from

They however forgot to remove the `Unsubscribe` link from the first email, it says, `To receive no more emails, click this link` and then, no link to click.

### Our email conversation

It was pretty hard to find an actual email address for this company. Nothing listed on their website, just a contact form. Hidden on their [jobs page][11] I found a [job listing][12] which included an address and on their [General Terms and Conditions][13] page there was a support address.

Maybe that's just me, but every major support ticket system supports emailing, next to web portals. Please let me just send an email instead of forcing me to use a webpage. So I decided to go for the Jobs email, not a large organisation so probably no dedicated HR, big chance that jobs go right to the founders.

Our email conversation was polite and they responded in a timely fashion, within days. Other GPL requests I did never got any response or took at least two weeks for an initial reply, so they did score some points there. I'll summarize the emails for those who do not speak Dutch.

[My first email][14] stated that their tool looks a lot like one I wrote a few years ago and that they probably should provide the source code. I stated that they did provide the source/links on another tool they host (ssl decoder) and that they should do that here as well. I also noted the difficulty in finding an email address.
[Their first response][15], three days later, says some companyspeak thank you for your service, we looked into it and indeed, we are using your code for 3 years, without providing any attribution. We've added something to the footer, if you want textual changes, please let us know.

I sadly did not take a screenshot of the new footer text, but it said `Inspired by Remy`, and linked to this site. That's not how it works guys, my first email was clear enough, full source code and license, not this crap. It really is not that hard to create a new GitHub/GitLab repo, do one initial commit and never touch it again.

[My response][16] said, in a more civil way, that they should provide source code under the same license.

Four days later, [they responded][17], stating that they had discussed internally and decided to take the site offline.

That concludes our conversation, they took down their site and never complied with the license. I think they're not violating it now, but have done for a few years.

### How should they have acted?

They should have provided the source code to anyone asking, preferably online, right from the start when they set up their service. Even if they would not have named me, but had provided source code, it would be fine by me.

I'm not sure how long their site was online (they state 3 years in the email), but they have been violating the license all that time, and the half-assed attempt ended badly.

I suspect their service was not used that much, because they just took it down without notice. I hope all their subscribers know of it, since they will never be notified if their certificate is about to expire.

When I still hosted this code myself, I had about 20,000 (twenty thousand) domains being checked. When I cancelled the service, each and every one of those domains got a message notifying them that their service would be cancelled after 30 days with a few alternative services they could use.

And you know what the strange thing is?
They have also hosted the [SSL decoder][4], another piece of software I wrote in the same vein, with a link to the source code. Here's an image where you can see the URL and at the bottom, the license and source code link:

![hoasted gpl][5]

So why do it there but not on the other site? I suspect it's because they changed the source code to translate it, and the ssl decoder site doesn't seem to be changed.

### A good example (sig-i/o)

A friend and fellow [revspace][2] member Mark Janssen has also hosted these services. [Read his post here][3], where he states that he has forked the repositories, links to the source code and has used the same license for the forks.

If you want to use the software I made, please use Mark's versions here:

- [https://ssldecoder.eu](https://ssldecoder.eu) -- Print information about site-certificates or CSRs
- [https://sslmonitor.eu](https://sslmonitor.eu) -- Get mail notifications about expiring certificates
- [https://cipherlist.eu](https://cipherlist.eu) -- Recommended TLS/SSL configurations for popular services

It's not that hard to provide the source and use the same license. "Just do it".
[1]: https://github.com/RaymiiOrg/certificate-expiry-monitor
[2]: https://revspace.nl
[3]: http://web.archive.org/web/20201020071305/https://sig-io.nl/posts/ssl-services/
[4]: https://github.com/RaymiiOrg/ssl-decoder
[5]: /s/inc/img/gpl1.png
[6]: /s/inc/img/gpl10.png
[7]: /s/inc/img/gpl11.png
[8]: /s/inc/img/gpl13.png
[9]: http://web.archive.org/web/20201015140440/https://plausible.io/blog/open-source-licenses
[10]: http://web.archive.org/web/20201011081354/https://opensource.google/docs/using/agpl-policy/
[11]: http://web.archive.org/web/20201020125602/https://www.hoasted.com/over-ons/vacatures/
[12]: /s/inc/img/2020_Hoasted_Vacature_Senior_Linux_System_Engineer.pdf
[13]: http://web.archive.org/web/20201020125759/https://www.hoasted.com/over-ons/algemene-voorwaarden/
[14]: /s/inc/img/gplemail1.png
[15]: /s/inc/img/gplemail2.png
[16]: /s/inc/img/gplemail3.png
[17]: /s/inc/img/gplemail4.png
[18]: https://fsfe.org
[19]: /s/inc/img/fsfe.png
[20]: /s/inc/img/sflc.png
[21]: /s/inc/img/gpldjd1.png
[22]: /s/inc/img/gpldjd2.png
[23]: https://eerielinux.wordpress.com/2017/11/25/permissive-licensing-is-wrong-is-it-1-2/
[24]: https://web.archive.org/web/20220228150614/https://www.gnu.org/licenses/why-affero-gpl.html
[25]: /s/inc/downloads/gpl-agpl-diff.txt
[26]: https://web.archive.org/web/20220228152129/https://news.ycombinator.com/item?id=30494456

---

License:
All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for advertisements. You are tracked and Google knows everything about you. Use an adblocker like ublock-origin if you don't want it.
All the code on this website is licensed under the GNU GPL v3 license unless already licensed under a license which does not allow this form of licensing or if another license is stated on that page / in that software:

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see .

Just to be clear, the information on this website is meant for educational purposes and you use it at your own risk. I do not take responsibility if you screw something up. Use common sense, do not 'rm -rf /' as root for example. If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.