The Quietly Accelerating Adoption of the AGPL

The AGPL (Affero General Public License) has continued to gain in popularity and is showing up frequently in modern code bases.

My blog "Are SaaS Companies Immune to Open Source Risk?" mentioned a key concern for SaaS or Cloud companies: a class of open source licenses, including the Affero GPL, designed to plug the SaaS loophole. (As I describe in the blog, this is by no means the only concern for SaaS companies.) Heather Meeker wrote a good one last year that looks at the AGPL from all angles and muses about its adoption.

Recently, an open source attorney friend asked Black Duck to refresh research we’d done several years ago on AGPL numbers, and it was striking to see how much such licenses have gained in popularity.

What's the Legal Loophole?

The aforementioned legal “loophole” refers to the fact that the obligations of the GPL, the very popular license of most concern to most companies, are triggered only on distribution, and therefore do not affect hosted software. The AGPL was conceived of by Richard Stallman and Henry Poole, the founder of a web services business called Affero. The preamble states that the license was “specifically designed to ensure cooperation with the community in the case of network server software.” Their aim was specifically to put the GPL’s obligations on companies offering their software as a service, i.e., not distributing it.

A number of other licenses share this attribute, including the Open Software License, the Common Public Attribution License, the Sleepycat License, the Academic Free License and the Honest Public License. You can find them all in the SPDX license list. But the AGPL is by far the most popular license, covering over 80% of projects governed by this style of license.

When we first dug into the expansion of use of the Affero GPL, it had been adopted by about 1000 projects. It was a small number even at the time, but associated with some very popular projects. Refreshing the data recently, we found that the use of AGPL has ramped by almost an order of magnitude, to about 8000 projects.

AGPL Adoption over time

https://www.blackducksoftware.com/open-source-security-risk-analysis-2017

And adoption certainly doesn’t look to be slowing down. The AGPL continues to be the license of choice for a number of popular projects, including SugarCRM, Launchpad and Diaspora, and for popular smaller components as well. As a consequence, Black Duck finds AGPL-licensed code showing up in about 10% of the code bases we audited in 2016, and it’s almost always problematic. Overall, 13.5% of code bases contained AGPL-like licensed components. By the way, iText, software to create and manipulate PDF documents, appeared most frequently. (These numbers come from 1100 code bases Black Duck audited in 2016 as described in the 2017 Open Source Security and Risk Analysis.)

With Cloud or SaaS being so popular today, if someone wants to keep their software “free” (as in Freedom) or if a company wants to cover all cases with a dual-licensing strategy, it makes sense that they would pick the AGPL. And, while 8,000 projects is not huge in the context of the millions of open source projects out there, the frequency with which they show up in audits suggests they are overall very popular. The AGPL is alive and well.

AGPL: Out of the Shadows
