Announcement: The Upcoming Version 2.0 Will Be Released Under Dual-License: AGPLv3 License / UAParser.js "PRO" License #680
Comments
|
When using an unmodified, CDN-hosted, version of the (2.0) library, does the website javascript code need to be AGPL too? |
|
|
Thank you for the questions, please allow me to give my view on these matters: From my understanding of the AGPL license, only the code that contains what's considered as a derivative work that needs to be released under AGPL-compatible license as well.
|
|
@faisalman Please have a look here: https://snyk.io/learn/agpl-license/#closed AGPL is a strong copy left license. I'm not sure if this is really what you intend to do. I think LGPL, MPL, CDDL or EPL, which are all weak copy left licenses, might be what you really want to achieve. |
|
@Nikemare @TIncorviaITLS which license would you suggest? We're aiming for an open-core model to simply maintain a mutual balance between us and our users. |
|
Is |
|
From our perspective of an open-core model, in UAParser.js case, The You should choose the paid version only if you need the features of |
|
We need a lot of clarity on these terms: "Core" "Shell".
This. 100%. Not to mention that the license change is happening in such a "weird" way (small notice, not a lot of traction.. etc). We are not sure if we should trust this or the maintainer after these moves. |
https://en.wikipedia.org/wiki/Open-core_model In UAParser.js case, basically: (
Thanks for the insight. Any idea on how to announce the change as to not be considered weird? We're thinking about adding a |
|
@faisalman A few thoughts:
|
|
Wow. Thanks for the thoughtful inputs!
Indeed, our idea is that by offering a one-time payment we hope that it would make it easier for companies/developers to spend their development budget. While we also realize that it would make our revenue to be unpredictable on the other side, but it's something that we can accept at this time. We'll try to reconsider this at some point though.
This seems to be easy to implement yet overlooked by us, will definitely try it! 👍
Agree 100%! We prefer to provide the migration experience to be as seamless as possible. Currently we are publishing the packages in public npm registry under our organization scope: @ua-parser-js with the license agreements as the only difference. |
|
@faisalman A few thoughts... I had never actually heard of your library until today as I was looking for a JS-based UA parser script to use in one of our company projects. We can write our own. But we try to be efficient with our time when possible. In any case, I definitely represent the kind of company that would seriously consider purchasing an Enterprise license. In fact, I actually came very close to buying one today. This licensing issue, however, is the thing that stopped me from doing so. Companies that can afford an Enterprise license are going to think a bit differently about scripts that have any connection whatsover with a strong copyleft license like AGPL3. We have a lot of proprietary pre-existing projects that are entirely incompatible with open source copyleft licenses. While your UA Parser script is great, it's most definitely not worth the risk that its use in a pre-existing proprietary project would "infect" all separate and pre-existing code. Just to keep it short:
For a commercial/private enterprise, copyleft is a HUGE risk. It's so huge that a lot of companies will not touch any project that even suggests that it has a connection with GPL or AGPL. The only time that I've seen open source projects used by private companies, those projects have been either MIT or similarly licensed (as your script has been until now) MIT and similar licenses are known to have no risk of copyleft for the private company. There's a reason for that. There's just no room for gray areas with this stuff for private companies. It's either safe to use or it's not. If there's even a question of whether it's safe to use, that falls into the "not safe" category by default for most companies. When a package is deemed unsafe, a company that can afford a license like this has a few options:
They typically can afford every one of those and all of those are going to be safer than using anything that "might" have a copyleft connection (and definitely lacks clarity about that). Given all of that, I think you might be undercutting the overall goal with AGPL + Pro. As others have already mentioned, AGPL + Pro will likely delist the project from a lot of distribution channels that it currently enjoys but if you're also scaring off any commercial buyers with talk of copyleft licenses, then the entire project is just going to head to the trash bin rather than get funded. For what it's worth, you might try to change this to something that appeals to all existing user groups that you work with right now. That might be something like:
There are other ways to monetize like support programs and such too. But the model that I'm suggesting has several advantages over the AGPL + Pro route that you're proposing:
I know that while I won't touch a project that has any perceived risk of copyleft for our private projects (even if they "say" that they have a pro license that isn't copyleft), I not only will but have purchased pro editions of projects that do something like I described above where an old branch/version is MIT and the new/feature/R&D branch is Pro only with some limited support. Take all of that for whatever it's worth. I just thought it would help you to get the perspective of someone that is fully inside of the demographic that you're trying to court with these Pro licenses (since I came close to buying one until I saw the AGPL connection). |
|
@faisalman: for enterprise software companies, the surprise license change from MIT to AGPL is the end for your project -- it will be forked under MIT or simply removed. If you value continued control of the project, consider reverting to the MIT license. |
|
I disagree. Take Sidekiq Pro for example. It's offered under LGPLv3 and a commercial license. Here are some of the companies that are paying for it:
https://sidekiq.org/products/pro.html That said, I do think you (@faisalman) should basically copy-paste the license, FAQ and purchase flow from Sidekiq, or some other software project that has done this transition. Companies won't be bothered by the cost, but they will care about 'ease of purchasing'. This is a mix of terms/license, payment methods, distribution, etc. Regarding distribution, I'd go with plain download (this is the approach that Docker desktop took, which I think will serve you better than private NPM -- that's a lot of hassle). All this said, I still think it could be the end of your project, because getting someone to fork out money is always difficult. But I don't think a commercial license in itself is a blocker. |
|
Sidekick Pro has an existing license and an infrastructure for billing. So far, the UA.Parser.JS license appears to be an idea. Until there is an acceptable EULA, a payment infrastructure, etc. there will be little uptake. QUESTION: how many licenses have been sold to date? |
|
@lancedockins @sandstrom @TIncorviaITLS Thank you for the thorough evaluations. It's really valuable for us to get to know from the enterprise-side perspectives. We see some interesting points to be considered within this transitioning process. Thanks! |
|
Please post a link to the terms and conditions of your commercial licenses. I see that there are fees for the commercial licenses, but I do not see copies of the licenses (i.e., the terms and conditions related to the commercial licenses). Thanks |
|
I went to the website, saw the table for the different licensed versions, and wanted to use the MIT licensed one. But there's no indication of how to do that. I poked into the It's only once I snooped around the issues and find this one that I understand how the MIT vs AGPL license works, and know I need to use 1.0. Your messaging on where the divide is and how to acquire the MIT licensed one should improve |
|
Thank you for pointing. I'll work on enhancing the clarity of the licenses. |
|
@faisalman I'm having doubts about which one is installed when we install it from npm and set the version to 2.0.0-beta. Is it the MIT one? or the AGPL/privative one? I have no trouble with paying for the license, but of course I want to be sure that I'm getting the more complete one, and it is very unclear how to obtain one or the other. On the other hand, I'd have preferred to go through sponsorship instead of going through Lemonsqueezy, for clear reasons: it's a win-win situation since it slightly increases the visibility of the sponsor as well. |
|
If you installed it from But since you have purchased the PRO license, you are allowed to use the As for the license acquiring method, I'm currently using Lemonsqueezy as I found it to be easy to setup and pay, however, if one have trouble using it or prefer to use another method they can also purchase the PRO licenses from my GitHub sponsors page: https://github.com/sponsors/faisalman?frequency=one-time |
|
If I am using the free version 2.0 beta of ua-parser-js and I do not make any modifications to it, do I need to open-source my code? Can I use it for commercial purposes? |
|
Will the v1 line (the one the entire ecosystem is likely to remain on for the duration) receive security vulnerability backports, or is it explicitly End of Life? |
@ljharb we’ll try our best to keep the As can be seen that since the license change was announced at |
|
Awesome, thanks for confirming :-) |
|
I personally support the change to AGPL-3.0 + offering a PRO license to those who fear the strong copyleft principles and "viral" nature of (A)GPL. OSS development needs to be sustainable and your proposal is fair enough. There is some FUD in this thread that AGPL-3.0 is an "unsafe" license. Yes, you cannot use an AGPL-3.0 licensed library in a proprietary system or even import it in an MIT licensed project without making either software open source and GPL-comptible licensed as well. However, there is the alternative of the PRO license being offered (which you are not coercing anyone to use). If they don't like the terms of the AGPL (Copyleft/FSF/GNU principles) they can always pay and obtain the usually more permissive commercial/PRO license. |
|
As |
|
Hi @aagorelik, Thank you for your feedback! In addition to AGPL, we also offer PRO licenses for more permissive use -if your security scanner allow for such commercial license. I’m sorry to hear that you have to leave. I’d be happy to get more suggestions on what we should improve. |
It sounds like what you actually want is the LGPL license, as that permits linking without restrictions while still requiring that one release their changes. The AGPL is much stricter. For Node/JavaScript, it's broadly agreed that requiring or importing AGPL-licensed code triggers the virality of the AGPL and would then require the enclosing work to also be licensed under AGPL. I don't know that this has ever actually been tested in court, but I'm not interested in testing that myself. As it stands, it's unclear what license I should pick if I want to give you money. "PRO Business" is not listed as allowing "unlimited use". What limits to the use are there? It's listed as being offering a permissive license. What license is it licensed under? I run an open-source project that folks can run themselves, but also offer a hosted version. Is buying a licence sufficient to cover my own commercial use, as well as all use of my project by others? If not, what license option do you recommend here? |
|
Hi @nwalters512, For your use case, I recommend the PRO Enterprise License option, which allows you to distribute your software that includes UAParser.js to an unlimited number of customers. However, this license includes the following restriction clause: "You may not deliver a Project that contains The Code as an open-source Project that might be used for commercial purposes by the general public, except with our written consent". To address this, I can provide you with written consent in the form of a license addendum for your specific situation. |
|
Unfortunately $600 is untenable for me right now. Thank you though. My unsolicited advice: I'd strongly encourage you to update your original post on this issue to make it clear what the AGPL license requires of users. It is not as simple as "you just need to provide the source and changes that you've made to the library". You're free to license your code as you see fit, but you shouldn't mislead potential users about what using AGPL-licensed code will mean for them. |
|
Thank you for your advice. I truly hope I’m not misleading anyone. Here are some articles that share the same perspective that I’m referring to:
Although, I do agree that there are various interpretations of the AGPL license, and that this should be discussed more to avoid misunderstanding. |
|
The first two articles essentially deal with the case of interacting with an AGPL-licensed binary in another process (e.g. a database that's communicated with over a socket), which is broadly considered not to be a derivative/modified work under GPL licenses. If you want your code to be licensed under "the perspective you're referring to", I believe the LGPL license is what you want, as that permits linking (importing/requiring) this library without also requiring that the library/application using it also be licensed under a GPL license, provided that one does not modify |
|
I see your point, and I apologize if the current explanation regarding the license's potential effects contains inaccurate viewpoint. I'm continuously work on improving the description to be more comprehensive. Thanks! |
|
Hi there, happy new year 🎉 I'm discovering this just now well after the battle :) Also came here for unsolicited advice (sorry 😬 ) and too late anyway ^^ When doing such a license change, IMO it would be better to publish the new-licence code under another package name (like ua-parser-js2), then mark the old one as deprecated. It would make easier for dependent packages to notice the old version is now unmaintained (or mostly unmaintained), and would avoid "trapping" users that might upgrade a bit too carelessly (which I'm sure is not the goal here, but still, given the state of the JS dependency ecosystem, it is bound to happen). Regarding the license choice, my feedback is:
Anyway, good luck and thanks for your open source work 🎉 |
|
As many have already said, it should've been relicensed to The license change to If you care about your work not being abused by services and still being usable as, you know, a library, then you should've chosen a license like
Saying that 2.x is OSS doesn't matter anyways when it's unusable for most users of 1.x. While not an OSS license, changing the license after 4 years to |
and others
Hi All,
We've been announcing this change in a discussion page two weeks ago, but since it might not reach the large part of the community, we will provide more details about the change here:
What the license change means
Starting from version 2.0 you'll be able to choose between using our regular free & open-source license (under AGPLv3) or PRO license. AGPLv3 is an OSI-approved open-source license from GNU, pretty much same as GPL, only with an addition of network clause. If you opt for the free version of UAParser.js, you just need to provide the source and changes that you've made to the library. If you opt for the PRO License instead, you don't have to open-source your modifications. We offer 3 tiers of PRO License: Personal (non-commercial), Business (1 license per project), and Enterprise (indefinite projects).
Note that if you are using the current stable version of
v0.7.x/v1.0.xthen you won't be affected by this change since this new license will only applies tov2.0.xupwards. You can continue using those old versions as usual without the need to revisit the terms as we have no plan to re-license them. The development for those versions also won't get prioritized, alhough they might still get occassional updates, particularly for bugfix-related updates.Behind the change
Looking back, after more than a decade, what initially started as a for-fun and for-learning side-project, has been slowly growing to become a popular module in npm, with almost ~12M downloads per week, and are being used by top tech companies, with a little to no incentives.
Looking forward, we still want to continue develop this small project to be even more awesome. For it to be successful we are aiming for a sustainable model that works for an open-source project. In the past two years, we have tried the voluntary donation route with a little success. This time, we decide to try a new model where we can get paid for maintaining the project while still keep it Free & Open-Source.
Future roadmap
Lately, Chrome has been freezing its user-agent in favor of their new proposal for a user-agent client hints. Although other browser vendors like Apple & Mozilla doesn't support it, but with Google's massive share of browser usage, incorporating User-Agent Client Hints data on top of the existing User-Agent seems inevitable if we still want to get a reliable detection, like avoiding the vague Android K, differentiate Windows 11 from 10, Brave from Chrome, etc. On top of that, other major browsers that doesn't support client hints also starting to freeze some part of its user-agent, which made feature detection the only route to identify iPad from macOS.
These kind of future-proof detection enhancements, along with some new cutting-edge features, better tooling support (ESM, TypeScript, etc), more extensive test, helpful documentation, and other best practices, will be available in the upcoming version 2.0 of UAParser.js.
Finally, we are aware that collaboration will be the key for this plan to be successful. If you have something to ask or offer, please don't hesitate to drop us a question here or email us directly.
Thank you!
Faisal Salman
Maintainer of UAParser.js
https://github.com/faisalman
The text was updated successfully, but these errors were encountered: