Recently, Apache re-classified code under Facebook's BSD+Patents license to "Category X," effectively banning it from future contributions to Apache Foundation projects. The move has re-ignited controversy over the patent grant, but like many events in the open source community, the controversy is more partisan than practical. In fact, it's unlikely the move will affect adoption of React.js, and the criticisms of the BSD+Patents grant mostly don't survive the scrutiny of reason.
A new reaction to an old grant
The reaction to this news is surprising, given the parallel patent licensing model is nothing new. Facebook released its BSD+Patents grant in 2013 (with a revision in 2015). But a similar model was used with some fanfare by Google with its WebM codec in 2010. This licensing model involves two parallel and simultaneous grants of rights: a BSD license to the copyright in the software, and a separate grant to practice patents that read on the software. Putting the two together means there are two independent and parallel grants of rights. In this respect, it is quite similar to the Apache 2.0 license which, like BSD, is a permissive license, and which also contains a defensive termination provision that exists alongside the copyright license grant.
Much of the reaction to Apache Foundation's announcement has just created confusion, such as this article misleadingly calling it "booby-trapped." In fact, many open source licenses have defensive termination provisions—which are mostly considered a reasonable mechanism to discourage patent lawsuits, rather than a booby trap. They are also the rule rather than the exception; all major open source licenses with patent grants also have defensive termination provisions—each with slightly different terms. The difference between the Facebook grant, which Apache has rejected, and the Apache 2.0 license, which Apache requires for its projects, is more subtle than the controversy suggests.
Defensive termination provisions come in many flavors
Defensive termination provisions vary in two main ways: the trigger for termination and the scope of rights terminated. As to the scope of rights terminated, there are two camps: those that terminate only the patent rights grant (including Apache 2.0, Eclipse Public License, and the Facebook grant) and those that also terminate the copyright license (Mozilla Public License and GPL 3). In other words, for most licenses, bringing a patent infringement suit can only cause termination of one's patent rights; for the others, bringing a patent lawsuit can result in termination of the copyright license as well, forcing one to stop using the code. Copyright license termination is a much stronger anti-patent mechanism, and more risky for private businesses, resulting in some private companies refusing to use GPL 3 or MPL code.
The Facebook grant differs from most other open source licenses in its threshold for triggering termination. In Apache 2.0, for example, the termination of the patent grant is triggered by a patent claim accusing the software provided under the license. The idea is to create a "patent commons" for the software. Most other open source licenses follow roughly this calculus. The Facebook patent license also terminates if the licensee brings a claim against Facebook or any party accusing a Facebook product. In that respect, the termination trigger is similar to the one in the Common Public License 1.0, written many years ago by IBM. ("If Recipient institutes patent litigation against a Contributor with respect to a patent applicable to software…then any patent licenses granted by that Contributor to such Recipient under this Agreement shall terminate as of the date such litigation is filed.")
Nothing new under the sun
Defensive termination provisions of the scope in the Facebook grant are common in patent licensing outside of the open source landscape. Most patent licenses terminate if the licensee brings patent claims against the licensor. The reason is that a licensor does not want to be unilaterally "disarmed" in a patent battle. Most patents are used only defensively—asserted when a competitor sues the patent owner. A sues B and then B sues A, resulting in mutually assured destruction. If B has released its software under an open source license without a broad defensive termination provision, B is potentially without recourse and has paid a high price for its open source code release. A gets to simultaneously free ride on B's software development and sue B for patent infringement.
Finally, the Facebook grant itself is not new. The grant was released in 2013, and React.js's popularity has been growing since then. As with many open source licenses, the industry's willingness to absorb a new license depends on the tastiness of the code released under it. In the case of React.js, the code was great, and the patent license terms were new but reasonable.
Is it open source?
Some have suggested that the BSD+Patents Clause violates the Open Source Definition. The OSD does not allow licenses that discriminate against persons, groups, or fields of endeavor. But the patent grant does not have license scope limitations; it terminates if the licensee misbehaves—that misbehavior having a lower threshold for actions against the code author than for others. So it seems likely that BSD+Patents does not violate the OSD, and moreover, CPL is already approved by the Open Source Initiative as compliant. CPL, like BSD+Patents, sets a lower threshold for termination based on patent suits against the code author.
What is the upshot?
The practical result of the Apache Foundation's decision is unclear. Category X licensed code cannot be included in an Apache Foundation repository. (That category also includes licenses like GPL.) Apache's re-classification doesn't mean anyone is restricted from using React.js—it just can't be committed in an Apache project. It's not even clear that an Apache project cannot contain a dependency on BSD+Patents-licensed code.
Meanwhile, in private business, there is little controversy about using code under the BSD+Patents terms. Most companies have examined the marginal legal risk of this license compared to others (like Apache 2.0) and considered it underwhelming. Unless a company decides to sue Facebook (or accuse its products), the termination trigger has no actual effect. If you want to fling patent claims at a company that developed and released a great piece of code, removing the code from your business seems like a reasonable price to pay.
Some of the controversy seems to arise from concern that Facebook is advantaged over others in the license terms. But that is not the same as harming the open source community. The BSD+Patents grant establishes the same "patent commons" as Apache 2.0 as a baseline, but provides more protection for the contributor (Facebook) against software patent claims of licensees. It's odd that a community so opposed to software patents would find this objectionable, particularly in light of the array of defensive termination provisions that have been used in the past.
PLEASE NOTE: This blog entry is about the BSD+Patents license, not about Facebook. This post represents my personal views only, and not the views of Facebook. I do represent Facebook on open source matters, but I did not draft the BSD+Patents license grant.
This was originally published on the FOSSA blog and is reprinted with permission.