AGPL is not FOSS

Affero GNU Public License is not Free and Open Source Software, according to security researcher Jeffrey Paul.

Take Back Our Tech

I am a big fan of Paul for past work exposing privacy issues, such as his analysis of the macOS OCSP service, which was enabling tracking of every Mac user and the apps they opened, sending unique IDs unencrypted over the internet.

He’s known for taking strong, well-researched positions, and his latest is on the AGPL license.

The Affero GNU Public License, released in 2007, modifies the GPL license, traditionally associated with Free and Open Source Software, to address a specific concern.

Its focus was on software “providers”, those running Free Software in their clouds for others to use. Oftentimes, these providers would make tweaks to the software for their customers' benefit. The AGPL would obligate them to publish their changes.

For example, if Amazon Web Services modified and offered AGPL-licensed software to its users, the AGPL would require them to release their changes.

The Free Software Foundation found the GPL lacked the ability to force companies to share their code, because “providers” didn’t actually distribute the software - they just ran it for other people.

The FSF wanted to close this loophole. Only one problem: it violates the first principle of Free Software.

Reminder that Free Software gives you 4 freedoms.

0 - Freedom to run the program, for any purpose

1 - Freedom to study how the program works (you need the source code)

2 - Freedom to redistribute copies so you can help others

3 - Freedom to distribute copies of your modified version to others

Paul points out that the last 2 freedoms, redistribution and modification, are just that: freedoms.

They are not enforced or required.

The AGPL changes this, obligating you to share your source code even when the code isn’t distributed.

This means private modifications, such as sharing a modified AGPL project with your friends, would require publication of your changes, at least to your friends.

Paul makes the point that this violates his Freedom to run the program, for any purpose. It's also not viable to follow the AGPL in a normal development flow, which would need to update a link to the source in real time, as soon as changes were made.

In practice, this would be incredibly difficult to keep up, especially with third-party developers contributing to the project. You would violate the license.

Lastly, Paul makes the case that the AGPL is actually an EULA. A software license grants you permissions; it doesn’t impose obligations like an EULA would.

Our product Above Share is based on Sharry, which is AGPL-licensed software. It's a file sharing service that lets you send files temporarily to others using a link.

You can purchase access to Above Share as part of Above Suite, our suite of software services.

When making our changes, we needed to follow AGPL so our customers could see the source code. We felt that this was great from a privacy perspective, but I can see Paul's point - it doesn’t feel like a license, it feels like more restrictions.
