Slack Archive

To Index

Back To Top
<@U024CJMG22J> has joined the channel
<@U04F9ME0V39> has joined the channel
robert.mitwicki
<@U013F46SDRR> has joined the channel
michal.pietrus
<@U02N7K951DW> has joined the channel
daniel.hardman
<@U03RLLP2CR5> has joined the channel
<@U03EUG009MY> has joined the channel
Thanks for setting up this channel, <@U024CJMG22J>. I'm a Brit based in Basel, Switzerland. It is a pleasure to e-meet you. As I mentioned in the <#C03TSFRNWLU|cesrox> channel, I'm the inventor of *OCA*, a core utility technology that underpins Layer 1 of the . As such, the vs licencing debate is of particular interest as it sits at the core of the refactored next-gen data economy. With the unprecedented projected increase of _"data"_ across the digital landscape over the next several years, Europe is committed to implementing scalable and distributed data ecosystems to ensure European digital sovereignty through the initiative, part of the . The major EU-funded projects (e.g., , the , etc.) use as a multilingual open-source licence to support that mission. I thought it would be helpful to add this framing to help people understand the digital landscape in Europe. The EU has developed the EUPL licence to ensure that the European digital infrastructure doesn't fragment. Will the U.S. follow suit? This discussion may act as a catalyst. At HCF, we are adopting the fundamentals of two core utility technologies, (Semantic domain) and (Inputs domain). We have chosen the EUPL licence at the Foundation to ensure that the core codebases don't fragment. An open-source IPR licence for the underpinnings of an entirely new web infrastructure needs to be robust. By _"robust"_, I mean those fundamentals can't fragment at the lowest technical layers of the DDE. is a licence widely adopted for a "broken" Internet. However, thanks to <@U013F46SDRR>'s wisdom at HCF, we are aware of the licencing problem and have drafted a __ to clarify our position. As OCA and KERI demonstrate, the innovation across the Semantic and Inputs domains is profound. In line with these new technologies, we may need a new licence to protect them. Innovation in the Governance domain, in this case, is also required. The arguments that Linus Torvalds, the creator of the Linux kernel, puts forward in the video, _ _, are precisely why the issue of licencing is such a key topic at HCF. The ramifications go far beyond this community. Other core utility technologies in the first layer of the and stacks will need to be resolute and compatible to stop potential fragmentation. I'm keen to learn from the leading voices of this community before the discussion comes to a natural conclusion. Let's hope we all end up on the same page. By the way, outside of HCF, this is the first time I've seen this debate in any other open community forums, so this is a neat place to continue the discussion. We might even persuade some lawyers to join the debate for some of the trickier questions. But, at the very least, we all must clearly understand the consequential outcomes of these critical decisions. So, let's keep our toys in the pram and have a healthy and well-considered debate. I'm here to learn.
<@U04FT2WF4RJ> has joined the channel
robert.mitwicki
One of the argument against supporting EUPL repositories which I saw on <#C03TSFRNWLU|cesrox> channel is to have lowest bar entry. I don't think this is a valid argument since personally I didn't observed that at all. I don't think we have a big problem with adoption because of the license. Even that license is important does not rises the bar best on what I can see. Implementation of keri components under EUPL1.2 license starting being used by businesses and startups in our community. I am already aware of 3 commercial companies which are planning to build business cases based on the components under EUPL1.2 license and few more are I see on horizon including governmental institutions. None of them afaik is worry about the license and they are happy to support its development by putting money and resources to push it further.
robert.mitwicki
I think using that argument against contribution to EUPL repository is very weak, and we need to remember that core components needs to have sustainable development. If we allow for companies to leverage access to the repositories to gain competitive advantage by not releasing all changes right away. I see that as a huge brier for early adopters and leads to fragmentation since everyone would move with different speed. We saw how business can act in such ecosystems. We intentionally switch to EUPL1.2 in early stage since we want to avoid exactly such situation. It must be fair ecosystem and build together, forcing sharing (giving back) is one of the option to achieve that.
robert.mitwicki
Practically speaking everyone who knows how keri components works, knows that not many developers/companies would be interested in contributing in that code base as the entry level is quite high. It would be lead by few organizations or freelancers which are interested in technology itself, and the rest would consume it as it is. Obviously this know-how can be easily leverage to provide consulting services to those who would like to build products on top. If we won't force sharing some of the organization/individuals could get into trap of conflict of interest where sharing could be treated as direct danger for potential revenue. I can easily imagine companies like IBM to "take over" development and use their resources to offer "way better" keri implementation for governmental institutions for developing eID projecst or credentials platforms. As community we would not be able to control such development by any mean, and consequences could very destructive for vision of protocols for "new internet"
robert.mitwicki
how likely this scenario is we don't know but worth to mitigate it by simply changing the license. It won't protect fully against this scenario but for sure help a bit.
daniel.hardman
I find the concern about tech giants taking over development to be unconvincing. That's not because it can't happen, but because A) right now adoption and sponsorship by a tech giant would be a blessing, not a curse; and B) we don't have any reason to believe that if they adopted the technology, they would take it in a bad direction (has Google ruined REST? has Microsoft ruined XML? has Apple ruined JSON?). In my experience, it is during *design* that tech giant influence can dangerously skew things, not when implementing against a crisp spec. Are we still designing KERI and CESR? I also disagree with Robert's reasoning on barrier to entry. The fact that a number of community members are uneasy about EUPL is direct, concrete, timely proof that EUPL is a barrier to entry; the copyleft in the license scares people away. I KNOW this is true from first-hand experience, and I am confident that my experience isn't a weird anomaly. I believe Robert when he says that he hasn't encountered these barriers with his customers, but I suggest this is true because we are imagining two different kinds of usage. If companies just want to *use* tech that someone else writes, then copyleft is no big deal. All of us use GPL'ed stuff in linux all the time, without giving it a second thought. But if companies want to *contribute to* tech that is copylefted, it's a whole different analysis. The assertion that EUPL's copyleft is no problem whatsoever rings false to me. I'm sure tons of EU lawyers have reviewed the license, and as I said, I think it probably IS the case that "derivative work" will end up being acknowledged to exclude source code linked to a library across an interface boundary -- in the EU. Robert cited a line from the license that says that if no other legal jurisdiction is identified, Belgium law applies. The "if" in the line is the problem, and it actually makes my point. Most companies that offer contracts to their customers identify a legal jurisdiction, and only ones that pick an EU jurisdiction will have the legal perspective that EU lawyers like. It's extremely common (almost universal) to pick the jurisdiction where a company is incorporated, because legal fees are less if the court is local. Thus, the statement that EU law applies if no other law is specified helps almost nobody outside the EU. A "derivative work" is NOT guaranteed to be evaluated according to an EU law perspective if a lawsuit is adjudicated in the UK or Mexico or Canada or Japan or the US. That's why I asked if there was case law or precedent that could be cited. I can't find any. That's a problem. Speaking just for Provenant, I think we might be able to use EUPL-licensed code and run the risk that the copyleft provision in the license would never be enforced against higher levels of our software stack. But what would make me totally comfortable is if the license had an explicit statement like the following: > In this license, "derivative work" means a work of software that changes the source code of the library, and explicitly excludes works of software that call the library against published library interfaces. Thus, it is possible to consume the library either as a pre-compiled artifact or as unmodified source code without creating a derivative work. As I understand it, that is what Robert is claiming the license already means, and what his intention is with respect to the EUPL-licensed cesrox. And that is what I claim is NOT guaranteed by the EUPL license in its current form, because it relies on a legal analysis that is only likely to be true in EU courts. "Likely" and "in EU courts" are both a problem. The paragraph above is similar to the GNU Classpath Exception (). There IS good reason to believe that will be honored in jurisdictions around the world. Would you be open to adding such a sentence to the license in your codebase, <@U013F46SDRR>?
robert.mitwicki
If companies just want to use tech that someone else writes, then copyleft is no big deal. All of us use GPL'ed stuff in linux all the time, without giving it a second thought. But if companies want to contribute to tech that is copylefted, it's a whole different analysis.
Very good point, I had a chance to work with companies which are on both side means they are interested in contributing to the source code, as well as companies which just consume it (most of them obviously are on the consuming side).

Consuming part is not an issue as you mentioned. The problem is with contribution to the code. Practically speaking this is not easy thing to do, you can't just get random dev throw him into that space and hope that he would do right things. Just starting with 150 pages of whitepaper is high enough barrier for most. I think we can agree that having specific skill set is required and a lot of time to chew what Sam produced.

My point is that I don't see any big tech throwing resources here until they would see direct benefits. It is rather smaller companies or units which are interested into "let's see if we can create better future". They tried that with blockchain they would try it with KERI. Basically early adopters or believers where they can see benefits of having infrastructure like that.

In first stage where we are the biggest concern are startups and VC founded entities who under pressure of delivery won't have time to build it right and would do a lot of short cuts, in consequence which we could end up in the situation where they (intentionally - to gain competitive advantage, or unintentionally - just lack of time) would postpone to contribute back. This would lead to forks and lack of interoperability. When the technology would be at certain stage it would be necessary to bring it to the enterprise level where "big tech" companies comes in. We saw how IBM treated Indy or Fabric in that regards. Having this extra security would help community and smaller players to compete with them and benefit from their involvement when that would happen.
robert.mitwicki
Are we still designing KERI and CESR?
I would say that we still are at the design level, Sam is doing amazing work to flesh all that all but we still observing some core changes in both keri and cesr. It is clear that without Sam this won't be possible and I would love to provide him all necessary resources to let him continue solving those problems and get stable spec, I think we are close enough but still lots of work is needed. The reason for it that we need to test it in practice to see how it would work, we are on PoC level where we would find out what else is missing. At least that is my judgment.
robert.mitwicki
Speaking just for Provenant, I think we might be able to use EUPL-licensed code and run the risk that the copyleft provision in the license would never be enforced against higher levels of our software stack.
Understand completely and happy to assure you about that from our side and/or if needed put mentioned paragraph in place.
robert.mitwicki
Robert cited a line from the license that says that if no other legal jurisdiction is identified, Belgium law applies. The "if" in the line is the problem, and it actually makes my point.
This is interesting point as well which actually not sure how applies to other licenses. I didn't saw many licences which specify what is applicable law of that license. Since we are decentralized community would it be always the person from first commit? Author jurisdiction?

I like that with EUPL that is explicit. you know exactly what to expect.
I agree with the point that EUPL didn't do it well by not specifying "derivation work" clearly without references to any other law framework. As this would make it super explicit and clear. We are planning to contribute that to the next version of EUPL to make sure that this would be cover, until then we need to bound it under EU law or explicitly specify that as you requested.

Since behind cesorx and keriox we have HCF as a author, we are under Belgium law (we are based in CH). Even that we have multiple contributors. We specifically wanted to have one entity behind it since it makes it easier for compliance and regulation. As you may know even if you have license and you would not specify copyrights this would fail any check in legal department). Not knowing who is behind it (as one entity) is the worst thing which you can have in enterprise. This was one of the reason why DIF changed their policy about individual contributes and similar activities we observe in ecosystem.
robert.mitwicki
I assume that since Sam is the author of keripy and everything which was there, those repositories are under his jurisdiction which is US law. Which wonders me if there is a need to comply with US export law:
Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494).


I needed to deal with that recently by just uploading an app to the apple store. No idea if that applies to open source a we build it here. Happy to hear someone opinion if he already checked that.
robert.mitwicki
Would you be open to adding such a sentence to the license in your codebase,
Definitely, we already checking that with our lawyers what we can do in that regards to assure that this interpretation is as we stated. We do not aim to block adoption by any mean.
daniel.hardman
> I assume that since Sam is the author of keripy and everything which was there, those repositories are under his jurisdiction which is US law.
daniel.hardman
I think it's subtly different from that, although that's a good approximation. The Apache 2 license doesn't contain a clause like the one you identified in EUPL, stating what legal jurisdiction governs. Therefore, I think this creates a potential ambiguity. However, that license does not reserve to the content creator the right to enforce a copyleft provision, so the ambiguity is not dangerous in practice -- there is less to enforce. Specifically, it says the following: `For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.`What this boils down to is that, unless you are copying the material in a way that fails to give credit to original authors or that attempts to subvert the grant-of-patent-license that Apache 2 intends, it's pretty hard to violate the license, no matter what legal jurisdiction you're in.
daniel.hardman
> Which wonders me if there is a need to comply with US export law
daniel.hardman
I am not a lawyer, but I'm pretty confident that the answer to your export question is no. Here's my reasoning; see if you agree. US export law recognizes a distinction between exporting products and publishing source code. According to the wikipedia article you linked, exporting products (ready-made tools to do fancy stuff) that contain certain kinds of crypto requires approval, whereas publishing open source (telling the world how to make tools) merely requires notification (but not approval/permission). Publishing a compiled app on the app store = exporting a product; sharing code on github = releasing source code. Setting that line of thought aside, here's the second reason I don't think so. The existing impls of KERI do not themselves implement any cryptography. Rather, they call libraries like libsodium that implement cryptography. Libsodium must have complied with the requirement to notify BIS before it was released to open source. (Or maybe, the forerunner of libsodium, NaCl, would have complied. NaCl was sponsored by both the European Commission and the National Science Foundation and is well known to the US government; I don't think we have to feel responsible to tell them that libraries can be built atop it. But when finished products get shipped atop it, then the export concern may be triggered.) But as I said, I'm not a lawyer.
robert.mitwicki
Kind of make sense, thanks for the comment. I was wondering since you guys are US based (mainly :wink: ) maybe you know more how that works for open source and if there are any restriction or limitation. Never thought about that before. But indeed split publishing and exporting would make sens. I would throw that topic into our lawyers just to see how they see that problem, if would learn something new happy to share.
<@U03SYCGJ4Q7> has joined the channel
I am here!
rodolfo.miranda
<@U03P53FCYB1> has joined the channel
Reminder: the next step in the culmination of our licensing chat is occurring tomorrow morning / evening at the bi-weekly CESRox meeting. The zoom link is in the <#C03TSFRNWLU|cesrox> channel description and here for reference: The working agenda (feel free to add) is the following: 1. Repository naming strategy moving forward including any potential name releases or transfers to the WebOfTrust organization. 2. Licensing strategy clarification moving forward. 3. Contribution strategy moving forward for Rust implementations of CESR (WebOfTrust as the upstream or dual upstreams with WoT and THC)
Good timing. Regarding the licencing discussion, we envisage an increased trend towards "Source Available" rather than "Open source". The following article is another example of that trend.
<@U04HMQT1XFV> has joined the channel
<@U0448S72CQN> has joined the channel
<@U04HQD29Z7E> has joined the channel
As a resolution of the discussion we had here I have a write-up of today’s CESR working group meeting as posted in the <#C03TSFRNWLU|cesr> channel: Thank you to all who attended today’s meeting. A few important events happened today. 1. The group has been renamed for broad applicability from the CESROX Working Group to the CESR Working Group as is reflected in the channel name changing from `#cesrox` to `#cesr`. 2. The naming and licensing fork was acknowledged between WoT and THCLabs. As a result this working group is coming up with a set of names, headed up by Kevin Griffin, to be voted on next meeting, Thursday January 19th. Suggested names so far include: a. CESRust / cesrust- Steven Milstein b. CESRide / cesride - Kevin Griffin c. cesr-lib - Joseph Hunsaker d. cesr_lib - Joseph Hunsaker 3. Focusing of this group on the core API of Rust CESR and the foreign function interface (FFI) layer required for cross-language usability. Next meeting we will vote on a name for the WebOfTrust repository and continue our discussion on the core API and FFI layer.
See the for a full listing of the minutes.
nuttawut.kongsuwan
<@U04H17ZEX9R> has joined the channel
<@U02MD0HA7EJ> has joined the channel
nuttawut.kongsuwan
I saw a discussion in another community (that I will not name) about the IPR concern for KERI. Apparently, some people are concerned that currently the repositories related to KERI are run by personal accounts. I am wondering if anyone has an opinion on this concern.
robert.mitwicki
Thanks for sharing that observation, interesting to see that there is more companies/communities rising that issue. Honestly technically speaking there is no reason to be worry about that situation, there is a lot of open source projects which are running without governance (they are just private repositories all over the place) and they are fine, communities are build around it and development move on. Unfortunately not everyone think that way and some organization (gov/enterprise) they are very uncomfortable to deal with projects which does not have "proper" governance around it. Having legal structure around it helps a lot in such situation. To get that clear by governance I mean that IPR are not in hands of one person but organization / legal entity. But again technically speaking it does not matter we saw what happened with OpenAI which started as non-for profit and converted after GPT-2 into commercial focus. The beauty of such projects is that if people realize that something is going off, they fork and move on and if there is a big non-profit organization or individual person does not make huge difference, except.... if the individual person didn't took care properly about protecting work and contribution from day one. WebOfTrust (where most of the repositories of KERI related stuff is) did it very well, Sam took care of that part carefully to protect IPR from day one.
robert.mitwicki
I would summarize it, that from legal stand point there is nothing to worry, from what I observing the only downside is on the marketing side, when we (HCF) speak with interested parties some of them expecting to have governance in place in a form of legal entity. In our case we are handling that from perspective of Foundation which is based in Switzerland and offering legal protection in regards of all components which are building (including warranty if needed). We are doing that for all DDE components were KERI is one of them. We have long term sustainable roadmap which gives some extra confidence for those who seek it.
robert.mitwicki
I would as well point out that when you say KERI and concern of IPR there is few items which you need to take care of : • KERI related SPEC - IETF (covered) • KERI implementation - I am aware of only two: from WebOfTrust (Apache2.0) and Human Colossus (HCF) - EUPL1.2 • KERI ecosystem (all additional libraries, tooling, network components etcc..) - WebOfTrust (Apache 2.0) and HCF ( EUPL1.2 ) In both cases the IPR are in place and there is nothing to worry about as soon as the communities will stay healthy.
robert.mitwicki
it is nothing secret that current WebOfTrust activities are mainly around GLEIF use cases since this is the major driving force. Building community around other use cases would be crucial to get that to the next level and reduce the risk of stagnation in case if the GLEIF would decided to slow down or change the focus.
nuttawut.kongsuwan
<@U013F46SDRR> Thank you for the insightful response. I agree that the problem is in the marketing side. My impression is that some people are skeptical of adopting KERI. I think more work is still needed to build confidence and get the adoption beyond GLEIF. The care and effort that Sam and WebOfTrust have done may not yet be apparent for people outside our community.
<@U04GUPCB1M4> has joined the channel
contact.johannes
<@U04PXR871PS> has joined the channel
petteri.stenius
<@U03U37DM125> has joined the channel
joseph.l.hunsaker
<@U03QRSUA87Q> has joined the channel
daniel.andersson
<@U04DQE2G36F> has joined the channel
<@U04UYSACZTR> has joined the channel
<@U055XBX2EAD> has joined the channel
charles.lanahan
<@U05H2PS5U6Q> has joined the channel
amin.benmansour.10
<@U05GQD16J1L> has joined the channel