notice: I've disabled signup/login as malformed RSS feeds were costing me loads in cloud bills. Will look at a better way to fix this in future. Contact me on twitter if there's a feed you'd like included in the meantime

Can a package manager solve the AGPL "remote network interaction" problem?

lobste.rs - Thu Jul 22 02:37

In AGPL discussion, there is a corresponding "remote network interaction" design problem, based on three fragments:

[...] 3. "some standard or customary means of facilitating copying of software": Most vendors don't have such customs

I guess this is the point where most people see the core of the design problem, and that is because the requirement is being interpreted incorrectly.

The AGPL does not require an in-app facility to download the source code of the application. The requirement is that you offer access to the source code and that you do so in a manner that is recognized by a software developer as a mechanism to obtain source code.

There are numerous ways to satisfy that requirement, including providing a link to a publicly accessible repository or providing a link to a zip file or tar-ball with the sources.

What would not satisfy the requirement is that people would have to send HTTP requests like GET /index.php with a specific content type to avoid the file being interpreted by the server. That is not a customary means of copying software.


If they modify the Program, their modified version must reply to requests for the Corresponding Source of their version by transmitting a self-signed bundle with the Corresponding Source. In terms of enforcement, have we enforced the AGPLv3 in a manner which solves the "remote network interaction" problem?

You cannot enforce the AGPL requirement of providing access to the source code with technical means.

If I modify the Program and choose to honor the protocol requirements of responding to that special command with the Corresponding Source of my version of the Program, then I comply with the requirements of the AGPL.

But, if I modify the Program to drop support for that protocol and use a different protocol, then that modification is fully allowed by the AGPL. Within the new way(s) of interacting with the Program, I now have to find a way to tell my users how to obtain the Corresponding Source to satisfy the requirements from the AGPL. If I don't, then the only way to enforce compliance is through legal means.