Response to Weka’s Post and Clarifying Terminology
By Garima Kapoor, co-founder and COO, MinIO
This is a Press Release edited by StorageNewsletter.com on April 25, 2023 at 2:01 pm
After listening to community feedback, we feel as if an update is warranted on a number of fronts including Weka.IO Ltd. We wanted to take the opportunity to clarify some language we used – specifically around revocation.
At the outset we want to make clear:
Any company is free to use MinIO’s licensed code for commercial purposes, even for competitive purposes – provided they prominently disclose that they are using MinIO’s code and comply with all the other terms of the license. This is true for the code we released under the Apache v2 License and the code we release under the AGPL v3. We chose those licenses and we abide by them.
Let’s also be clear that we don’t think you should be running any of the older, unmaintained versions we released under the Apache v2 license. They have bugs and security vulnerabilities. They lack important features and performance enhancements. Still, if you choose to do so you can – provided you adhere to the license terms.
Weka.IO made 3 assertions in their post:
- They were compliant with the Apache v2 notice and attribution requirements.
- We don’t have the right to revoke Weka’s Apache v2 license.
- They only use MinIO open source software licensed under Apache v2. Which is to say they don’t use any GNU AGPL v3 code.
They are wrong in all 3 of the assertions above. Let’s take their assertions one by one.
Weka’s assertion #1: They are compliant with the Apache v2 notice and attribution requirements
Weka was not compliant with the Apache v2 notice and attribution requirements prior to our blog and still is not.
It claims that there was a disclosure file on their website. If you saw how thorough our analysis was in our initial findings, you also know that we looked hard for this disclosure file. We could not find the MinIO copyright notice and license file in their binary distribution or on their website. Search engines and the WayBackMachine could not find this disclosure document.
It shows up after our blog came out. Hidden disclosures are not in compliance with the FOSS license requirements and completely defeat their purpose. We could not find any license notices in their binary distribution either. The claim that they were compliant simply isn’t supported by the evidence.
Furthermore – the provided disclosure document does not include MinIO Client (mc) which provides several Unix utilities for S3 compatible object stores and filesystems. Open source cannot survive and thrive if proprietary companies appropriate it, obscure it and don’t contribute anything back. Anyone in the FOSS community would agree with us.
Weka’s assertion #2: We don’t have the right to revoke their Apache v2 license
An open source license is a type of contract. By releasing code under the Apache v2 license, we offer a contract to anyone who agrees to our terms. The way they accept that contract is by complying with the terms of the license. However, if they don’t uphold their part of the bargain, including by not providing us attribution, they haven’t accepted our terms. That means they haven’t entered into the contract that allows them to use our code. This is established law, and is the reason why violating open source license conditions constitutes copyright infringement and contract breach.
Regarding revocation, our language may have suggested that Apache v2 licensors can unilaterally and permanently withdraw a company’s right to use the code. We don’t believe they can. If, and when, a company complies with the license, it may use the code. We apologize if we conveyed a different message. The intent was to communicate that we had terminated the license due to Weka’s years-long non-compliance. Weka may regain the ability to use our software if they come into compliance.
One last item here. Based on discussions we have had with the open source community – there does appear to be some misunderstanding with our references to Weka’s customers. To reiterate, termination only applies to Weka and not their customers. Weka’s customers are most certainly able to continue to use MinIO software as long as they comply with the Apache License v2 and GNU AGPL v3 licenses.
Weka’s assertion #3: Weka says they only use MinIO open source software licensed under Apache v2. Which is to say they don’t use any GNU AGPL v3 code.
This is not true. They have included the MinIO WARP performance benchmarking utility in their MinIO bundle (along with the server and client). We clearly pointed this out in our blog post.
WARP has always been licensed under AGPL v3. The GNU AGPL v3 license has a cure period of up to 60 days, so they can either remove it or comply with the license requirements. Additionally, WARP is also not included in the open source disclosure URL (that didn’t publicly exist until a few days ago).
Engagement model
The team at Weka has noted that we did not engage them prior to publishing the blog post. This is true. In this case, we felt Weka’s behavior went beyond open source compliance to direct brand harm to MinIO, so, after careful consideration, we made the decision to go public first. We think their continued denials of their infringement even in the face of overwhelming evidence confirm our thinking here.
Nonetheless, it is our policy to resolve any open source compliance issues privately first with a notice and cure period. Failing that, we reserve the right to call out violators publicly and to take legal action as a last resort. We operate in the open source community and we recognize the norms for engagement.
Takeaways
The takeaway here is that if you are using MinIO you need to abide by the license – whether you choose the old Apache v2 code or the current AGPL v3 code. If you do not abide by the license, you cannot expect to distribute the software. This is not unique to MinIO. Almost all software has some type of license and in order to distribute it you must abide by it.
There are some on Twitter, Reddit and HackerNews that would like us to clarify our position on the GNU AGPL v3 license and the linking implications. We hear you and we are going to provide that clarification through a future post. In the interim, we have updated our License FAQ to reflect our position on license compliance. We also recommend you follow the Free Software Foundation’s interpretation of the license.
Ultimately, this is about protecting the MinIO brand and its licenses, trademarks and copyrights. It is also about accountability. We reserve the right to pursue all remedies in these matters and will continue to defend the integrity of our FOSS licenses. Open source does not mean public domain. Open source means freedom of user rights. Freedom to examine the source code, freedom to modify, freedom to distribute and freedom to use – again, in accordance with the license.