A few weeks ago, the Apache Software Foundation dramatically declared that the BSD+Patents license currently in use by Facebook is not a proper open source license. React uses such license, and the news sent some ripples down the React community.
Last week, WordPress decided to move away from React, a costly decision given how React was a centerpiece technology for existing and planned new features. That’s a good opportunity for us to take a look at the whole issue.
Understanding the license
now’s a good time to note that I’m Not A Lawyer. it’s also nice to remember that most people in the internet aren’t lawyers either.
if you want a lawyer, you should hire one.
The License in question is the BSD+Patents. BSD is a common and well-know open source license, so no issues here. The problem lies within the “Patents” part; usually identified by a PATENTS file within the project in question. This file reads:
The license granted hereunder will terminate, automatically and without notice, if you (or any of your subsidiaries, corporate affiliates or agents) initiate directly or indirectly, or take a direct financial interest in, any Patent Assertion: (i) against Facebook or any of its subsidiaries or corporate affiliates, (ii) against any party if such Patent Assertion arises in whole or in part from any software, technology, product or service of Facebook or any of its subsidiaries or corporate affiliates, or (iii) against any party relating to the Software.
Essentially, this is a separate license, operating under patent law. This blob of text tells us that this license is automatically revoked if you initiate a patent claim against:
- Facebook or its business partners and affiliates;
- anyone, if the patent claim concerns any software or service owned by Facebook or its business partners and associates;
- anyone, if the patent claim concerns the software in question.
In even simpler terms, it’s an “open source” license, except that it self-destructs if you get in a patent dispute with Facebook or anything related to it.
Why Facebook is doing this?
Behind the scenes, big tech companies are frequently suing each other and trying to either enforce their own patents or make opponents lose theirs. Blindly making code public goes directly against a company’s desire to protect its intellectual property.
That’s why a lot of companies don’t contribute to open source (Facebook itself started doing so only in recent years) at all, or have costly processes to allow it to do so without putting its property at risk: in extreme cases, the company’s legal department may be required to manually review every single feature, bug and commit, which is as maddening as it sounds.
According to Facebook, this license is a necessary compromise between its desire to write open-source software and its need to protect itself; and I think that’s a very fair assertion. They don’t intend to change the license.
What’s the issue here?
I see a lot of people arguing that this license is a “trap“, but this defensive termination clause is a frequent feature of software licenses, specially open source ones. No company is crazy enough to risk losing intellectual property, its brand or patents due to an open source code release.
For comparison, both the Mozilla Public License and GPL3 have such defensive termination clausules, and triggering them terminates both the copyright license and the patent license granted along with the software. In comparison, Facebook’s license only terminates the license granted under patent law; so it’s actually less restrictive.
talking with individual Facebook developers, it seems clear by that Facebook has no intention of being particularly evil about this.
Additionally, this license has been in use since 2015 and Facebook didn’t do anything nasty with it yet. No one seemed to care much about this until the Apache Foundation drew some attention to the issue.
So, while I do believe the public outcry about this “trap” is a bit unfair and uninformed, there are real issues here. Let’s get to them:
The defensive triggers are too broad
Normally, a defensive termination clause is triggered by making patent claims regarding the software.
For example, your company may opt to use a computer vision library licensed under the Apache 2.0 – which terminates automatically if you make a claim to the software the license applies to – after considering that the company has no interest to compete in the field of computer vision and therefore has no chance whatsoever to ever have a patent dispute concerning the software. This is a very objective, narrow decision: In order to use this software, do you agree to not make any patent claims about it?
However, what Facebook’s license asks is: in order to use this software, do you agree to not make any patent claims about anything we and our partners own?
it’s like a girlfriend that requires that you never talk to woman, ever.
no matter how much you like her, what she’s asking in is just unreasonable and doesn’t match the benefit she offers.
That’s an entirely different question, and when you think about it in this way, it’s kind of an absurd thing to ask.
Not rescinding the copyright is not an advantage
As I mentioned, the defensive termination clause in some licenses (like Mozilla’s) revoke the license under both patent and copyright law. It can be argued that Facebook’s license, given that it only revokes the patents, is less restrictive and may still allow the software in question to be used.
This is false. If you have a copyright license saying that you can use something, but the thing in question is protected by patents that you lack a license for, you just can’t use the thing, period.
That would be equivalent to thinking that you can eat a sweet someone gives you even if you have diabetes. One responsibility doesn’t cancel the other – it’s true you have a right to eat a sweet someone gives you, but the act of giving you a sweet does not somehow makes it okay to eat it regardless of any other reasons you may have to not do so.
I’ve also heard people say that patent law is ‘weaker’ than copyright law and harder to enforce, therefore safer. While this can be true when dealing with smaller companies, that certainly would not be the case in a dispute with Facebook, which for all effects has unlimited legal and financial resources if it really wants to litigate.
People are confused and scared
Regardless of any real threat here, the fact is that this issue has been widely covered by the media. The result is a widespread feeling of fear and distrust.
As developers and architects, it’s not really our job to defend Facebook’s licensing choices. But if you want to use React, you’ll likely have to argue for it with your fellow developers, boss, CEO and legal department. That can be a very real cost.
What should I do?
I’m an open source enthusiast
If you care a lot about open source ideology, you shouldn’t use React.
In a way, this license is more restrictive than proprietary software. If you buy a copy of Windows – a proprietary software – you may not look at its code and understand how it works, but you retain the right to use it regardless of what’s going on between you and Microsoft. You may personally invade their headquarters and steal some of their patented research, and you’ll still retain use of the software you bought, because one thing has nothing to do with the other.
Regardless of your capability to view the source code, a license that ceases to work if you perform actions unrelated to the software at hand does not respect your freedom, is not in the spirit of open source, and you should avoid it.
I’m a big company with intellectual property
If you’re big enough to have a legal department, you likely shouldn’t use React, or at least should consider the decision carefully. You should also take the opportunity to rethink which licenses you’re okay with in general, given that patent-bound licenses are more common than most people think.
I’m a startup
Don’t use React.
Sounds extreme? Well, here’s where the broadness of that defensive clause becomes an issue.
Let’s suppose you have a small company that is developing a Virtual Reality clothing store, and you use React and React-Native. But suddenly:
- You discover that another company is developing something very similar, and you strongly believe they are infringing your patents;
- You and your lawyer investigate the issue and agree that indeed you have a strong case for patent infringement, and should pursue it;
- Facebook buys that company.
Now you’re between a rock and a hard place: you either have to let go of your patent claim, or pursue it and lose the right to use the software framework you’ve built your business with. Your business is kinda ruined either way.
Getting into a patent dispute with Facebook is more likely than you think when you remember that the defensive clause covers Facebook and any of its partners os subsidiaries, and that Facebook – like most big tech companies – has an habit of buying and investing into promising companies across the field.
I’m developer of third-party software
If you develop software that will be used by third parties that you do not control, you shouldn’t use React.
If you build a software with React and sell it to your customers, you’re passing on Facebook’s license and effectively making an implicit patent agreement with Facebook for then.
This rationale was a big factor in WordPress’ abandonement of React. Let’s consider that WordPress powers 1/4 of the internet. If WordPress uses React, surely at least one of those thousands of sites belongs to a company that is suing Facebook for patent infringement. And that one site then becomes a legal liability, likely without its owner’s knowledge.
It would simply be irresponsible to pass on those licensing concerns to thousands of unsuspecting customers that just wanted a solid content-management framework for their sites and blogs. They didn’t ask for a non-aggression patent pact with Facebook as a condition for using WordPress. And certainty this isn’t what they expect to get with your software either.
I still don’t see the issue
If you’ve read all this and still don’t see a problem, just use React already. You’ll be fine.
What should I use instead?
Preact is pretty great and looks and works a lot like React. In fact, most of the time you can replace React with Preact directly; the API is compatible and most React plugins will work out-of-the-box. It’s also a bit faster and lighter.
There’s also Angular (not AngularJS), from Google. It’s not compatible with React, but has Google behind it.
Vue.js fills the same niche, but is not compatible with React. It’s simpler, faster and lighter, and I like it a lot.
In summary: Preact if you want a quick replacement, Angular if you want something backed by a big player, but consider Vue.js if you’re starting a new project.
What are your thoughts?
Glad you asked.
First, I think the whole issue showed how much developers don’t pay attention to licensing, which is troublesome. It also annoys me how the media covered the topic in a very superficial, click-baity way, and most developers just fell for it and are shunning React without seeking more information.
While I agree with Facebook’s sentiment – they do need a balance that affords some protection – I think this license is absolutely crazy due to how broad the defensive termination trigger is. I can’t agree with that part.
of course, if a customer understands the situation and wants to use React, I’ll do so.
I don’t intend to use React in my projects; I just don’t think its a responsible thing to do. As of now, Vue.js is my default framework for front-end development.