3rd party code and licensing in OpenMRS module

Tags: #<Tag:0x00007f0f1640fae8>

Dear all,

I am contributing to the module radiologydcm4chee and noticed that the module includes code from 3rd party projects which use different licences than the current OpenMRS (MPLv2+disclaimer)

I would like to know if this could be an issue?

  • the api uses some code from the dcm4che project:

https://github.com/teleivo/openmrs-module-radiologydcm4chee/blob/master/api/src/main/java/org/dcm4che/tool/hl7snd/HL7Snd.java

It says:

Version: MPL 1.1/GPL 2.0/LGPL 2.1

and reading further I think it means that this file is under MPL 1.1 and could be used under GPL 2.0/LGPL 2.1 if we would like to do so. Would including code with the MPL 1.1 from 3rd parties be ok with the current OpenMRS MPLv2+disclaimer ?

  • and the omod part includes javascript files:

https://github.com/teleivo/openmrs-module-radiologydcm4chee/blob/master/omod/src/main/webapp/resources/js/jquery.dataTables.min.js

which are under either the GPL v2 license or a BSD style license, as supplied with this software.

does this pose problems?

@sunbiz and @burke you already discussed module radiologydcm4chee a little here

would be great if you could give some feedback on this topic!

I think any code with compatible licenses can go together. Particularly, now that we’ve moved to MPL 2.0, it improves compatibility with a number of other licenses.

For another research, I actually discussed this matter in depth with Akhil Ravindran (original author of the module) and he said that re-licensing this code with the most permissible license is fine with him. But I guess we need a more formal way to do that.

By what I wrote above, I am not suggesting re-licensing the module code. If we keep the code unmodified the way it is and include copyright notice and license header with other tools that are in a compatible license, then we should be good to go. The source code file you mention is released under multiple licenses. LGPL and MPL 1.1 would make it compatible with remaining code. I don’t see any problem, but I am not a lawyer! @michael would know the OpenMRS lawyers :slight_smile:

mhmm, in

https://github.com/openmrs/openmrs-module-radiologydcm4chee/blob/master/api/src/main/java/org/dcm4che2/tool/dcmof/MPPSSCP.java

he actually did modify the dcm4chee code to catch DICOM MPPS events and update the database with

DicomUtils.writeMpps

not sure if that makes a difference

I’m not a lawyer either, but my caveman understanding is that MPL 1.1 doesn’t play well with GPL 2.0, so the licensing of the 3rd party code may already be conflicting with itself. :confused:

If he’s available, @lrosen might be able to offer some guidance.

FYI – modules can use any license they choose (it doesn’t have to be MPLv2 + HD).

I’ve been working closely with the IPO lawyer in my company, so I’ve learned at least her opinion on things (you know, sometimes things are a big gray area).

When a code is licensed under several licenses, you can pick any of them. For example, if this code were only GPL, I’d say we couldn’t use. If it was only LGPL, I’d say we could use as far it was a different jar.

As one of the options is Mozilla, we could use that one as it’s the most permissive.

yes as you mention @cintiadr in the dcm4che2 code it states the code is under MPL 1.1 with the option of choosing GPL 2.0 or LGPL 2.1. Would MPL 1.1 work with MPLv2 + HD ?

and the javascript files use “GPL v2 license or a BSD style”, does this conflict with MPLv2 + HD ?

@burke thanks for the info that the module could use another license than MPLv2 + HD but than again I wouldnt know which one would fit with the above 3rd party licence mix :smile:

I think it would be good to use the MPLv2 + HD in this module and to harmonize licenses. Maybe at a later stage I can remove the javascript libraries from the web part which are used to display a table of studies.

Hi Burke and others, I’m still here but mostly silent.

Among the things I enjoy the least in open source projects are these infernal questions about FOSS license compatibility; Everyone has an opinion and (in my opinion as a lawyer!) only a few are right. I live this topic continually in Apache, and every such compatibility question results in long, boring license discussion email threads there.

I was hoping I wouldn’t relive it here at OpenMRS also. Every person has at least two opinions and I’m tired of hearing them. :smile: Sorry, but I’ve done this work as an open source lawyer for too long to pretend to have all the answers…

So we included the following in the OpenMRS Contribution Policy:

Approved Open Source Licenses for OpenMRS Contributions

OpenMRS relies on the recommendations of Open Source Initiative, the Free Software Foundation, and Creative Commons to determine which free and open source licenses are compatible with the Mozilla Public License 2.0 with Healthcare Disclaimer (MPL 2.0 HD) under which OpenMRS distributes software and documentation.

Some of those licenses may not be compatible with the license requirements of some commercial companies. That is another purpose for the NOTICE file that OpenMRS projects provide with each software distribution. Each downstream modifier and/or distributor of OpenMRS software and documentation is responsible for making such license compatibility determinations for itself.

Rest assured that OpenMRS software and documentation can be used for free by everyone in the world under the open source MPL 2.0 HD license.


So I’ll summarize my indirect answer to your question: Ask Open Source Initiative, the Free Software Foundation, or Creative Commons. Let the experts there advise you about license compatibility with MPL 2.0 HD.

Please don’t allow the OpenMRS project to be consumed by licensing threads.

/Larry Rosen “If this were legal advice it would have been accompanied by a bill.”

4 Likes

An even more direct answer to the initial question asked in this thread::

  1. All of MPL 1.1, GPL 2.0 and LGPL 2.1 code is FOSS! Feel free to accept such works as OpenMRS contributions. If you believe it is not FOSS software, ask Open Source Initiative, Free Software Foundation, or Creative Commons experts. OpenMRS projects must describe all third party FOSS components in the NOTICE file.

  2. If you modify those components, those derivative works must be under their original license. (If there are double or triple licenses, pick the one you like best.). If you don’t know whether you are creating a derivative work, ask a lawyer. OpenMRS projects must describe these derivative works in the NOTICE file.

  3. For those commercial downstream companies that intend to modify or redistribute OpenMRS modules, we tell them to read our NOTICE file. We offer no warranties or promises regarding commercial license compatibility.

Is that an easy way to summarize our own non-attorney analysis of third party licenses?

/Larry “If this were legal advice it would have been accompanied by a bill.”

2 Likes

Yes, that was exactly what I meant, @teleivo.

So, my understanding of GPL is very based on this:

https://www.gnu.org/licenses/gpl-faq.html#WhatIsCompatible and https://tldrlegal.com/

If you are building a GPL software, you can include compatible licensed libraries and dependencies. That’s why so many javascript libraries are released as dual licensed GPL and MIT, to cover both GPL and anything else, and make sure no one gets confused. A lot of open source licenses allow sublicensing.

On the other hand, if your code is NOT GPL, you cannot use neither Affero GPL or GPL libraries. At least one of the licenses of the dependency needs to be compatible with your main license. It’s said that GPL and Affero GPL are ‘viral’, everything that touches GPL will be GPL - except if it’s in another process, communication via sockets, and other things like that.

All that said, it would be nice to mention explicitly where the code comes from and keep the license files, to be compliant to the open source license.

Not really. You are exaggerating the effects of GPL licenses. Even FSF doesn’t state things this strongly.

This issue is ONLY whether you create a derivative work. “Touching” has nothing to do with copyright law. “Dependency” has nothing to do with copyright law. “Communication via sockets” has nothing to do with copyright law.

If you create a derivative work of some GPL code, then THAT DERIVATIVE WORK must be under the GPL license. If you are not sure whether you create a derivative work – that’s a good question for a lawyer.

That’s part of the reason why I suggest, to make your life simpler, you should create what OpenMRS software you need out of FOSS components and let the downstream modifers/re-distributors (if any) do their own analysis based on what you describe in the NOTICE file. We could spend our lifetimes arguing general and hypothetical questions about whether SOME touching, dependencies or sockets lead to problematic derivative works, and the world would end up with less wonderful OpenMRS code.

Remember that, for the USE of OpenMRS software, ALL FOSS LICENSES are good around the world. What OpenMRS does is aggregate code from many contributors. That aggregation is not the same as a derivative work. That aggregation is distributed under the MPL 2.0 HD license. The individual contributions remain available under their own individual FOSS licenses in case anyone wants them.

/Larry “If this were legal advice it would have been accompanied by a bill.”

Note: I keep adding this signature line because I don’t want you to take this as legal advice. However, if you have a lawyer who wants to talk to me more about this, I’ll take some private email…

1 Like

Love this tag line. Concise & clear. :grinning:

1 Like

dear all, thanks a lot for your explanations!

Added a notice file referring to all 3rd party FOSS code :smiley:

One thing I still would like to get your guidance on is what license would you choose in the case of the dcm4che code giving me the choice between

MPL 1.1/GPL 2.0/LGPL 2.1

?

As many FOSS lawyers will recommend: “Make your own choice.” :smile: That’s no help at all!

If it were me making the choice, MPL is easiest given that OpenMRS already uses a later and better version of the MPL license (MPL 2.0 HD). A safe recommendation is usually to stick with the same family of licenses if that choice exists.

/Larry

3 Likes