Gitlab put on hold their GraphQL implementation due to the patent. Gitlab Senior Director of Legal Affairs said:
"If we were to allow this license, it could lead to potential future conflicts with software licensed under Apache. Also, we could be impairing the future rights of our customers. Essentially, this is not really an open source product based on the implications of the license. While there is no payment of cash, payment is in the form of giving up future rights." [1]
- She is talking there about the PATENTS grant in React and most other Facebook software, not about GraphQL.
- This is immediately preceded by a mention of the Apache Foundation. When she says it could conflict with Apache, it either means Apache Foundation projects (since they wouldn't be able accept contributions without reversing their stance), or she's suggesting that Apache Foundation might issue future revision of the license that specifically breaks compatibility. Because as of right now, there is no conflict with Apache-the-License, only Apache-the-Foundation, and it doesn't really matter how Apache Foundation feels about Facebook's PATENTS grant wrt license compatibility. The conflict is a policy one, not a legal one.
The comment I responded to framed the situation as if GitLab took a look at the terms of the GraphQL spec, realized that it wasn't good for them, and made the above comments to explain why. The reality is, GitLab realized the current lack of FRAND-RF terms for GraphQL wasn't good for them, and they made the above comments only in response to somebody else's proposed solution to the current situation. That is, the comment doesn't explain why GitLab isn't using GraphQL right now, it explains why GitLab wouldn't use GraphQL if Facebook included the PATENTS grant. Which means that if someone is trying to understand the current situation or why GitLab originally halted GraphQL development, the comment I responded to isn't going to help anyone, because GraphQL is not and never has been subject to the terms of that grant.
If you're still not able to make sense of this, look no further than the first person account from the author of the Medium article referenced (who happens to be the same person who opened the issue):
> I've been a Facebook licensing defender for other OSS like React, but I think this is a completely different issue
I just installed this and now carussel's comment is empty, but I can see it in incognito mode. Also the textbox where I'm typing this doesn't even fit and has a scrollbar.. gonna skip this one..
Edit: Oh. Never mind, there seems to be two buttons to expand/collapse?
“TL;DR Facebook’s GraphQL spec doesn’t grant a patent license. Therefore, for reasons as set forth below, most GraphQL users infringe Facebook’s patents.“
> fnord123: That post has text of the patents in question. Please warn if you're linking to text of patents so people don't expose themselves to triple damages
Specs are a bit weird to try to come up with the right licensing (It was a bit of a pain in the butt to try to get this right for webm, for example).
You want to encourage compliance with the spec, and protect people who implement the spec.
That is a different type of language that say, apache 2.
To be concrete: If you license the reference code as apache2, that would grant patent rights to people if they used reference code, and they'd be SOL otherwise. Licensing the spec as apache2 would do nothing, as it's not software.
So if you want something apache2 like, you have to use a grant that tries to talk about granting rights to implementations of the spec, and that, for example, terminates if people sue people for implementing the spec.
Allegedly it is legally binding! Scroll down to the bottom of the page, expand "OSP General" and you'll see a question "Is this OSP legally binding on Microsoft and will it be available in the future to me and to others?". The response is:
> Yes, the OSP is legally binding upon Microsoft. The OSP is a unilateral promise from Microsoft and unilateral promises may be enforced against the party making such a promise. Because the OSP states that the promise is irrevocable, it may not be withdrawn by Microsoft. The OSP is, and will be, available to everyone now and in the future for the specifications to which it applies. As stated in the OSP, the only time Microsoft can withdraw its promise against a specific person or company for a specific Covered Specification is if that person or company brings (or voluntarily participates in) a patent infringement lawsuit against Microsoft regarding a Microsoft implementation of the same Covered Specification. This type of "suspension" clause is common industry practice.
IANAL, but I believe that what will happen is that those patent sales will be encumbered by the existing agreement, and accordingly less valuable.
If the new patent owner tries to sue people who relied on Microsoft's prior promises not to sue, it might be possible to accuse them (Microsoft) of promissory estoppel and force them to cover any damages. It's probably not in Microsoft's interest to play games like this.
As I understand it, this is bad because you could use their code within the copyright license but then be sued for using it without the applicable patent license... Making it open source but far from free.
Just out of curiosity though, has this sort of backdoor patent infringement actually been tested in court?
IANAL, let alone a bitter twisted IP lawyer, but it seems perfectly reasonable to infer relevant patent licenses from an open source contribution. "Hey here's a free meal, but you better not eat it or we'll sue!" Sticky stuff.
> you could use their code within the copyright license but then be sued for using it without the applicable patent license... Making it open source but far from free
This has been the gist of the complaint against software patents for the last decade+. It's why all the latest revisions of Apache, GPL, and MPL include explicit patent grants and termination criteria in their texts. It's why Microsoft included a separate patent promise when they placed .NET Core under MIT. And it's why Facebook themselves has released most of their projects with the now-infamous PATENTS additional grant.
> As I understand it, this is bad because
Not really. This is bad because GraphQL is a spec. If Facebook released some GraphQL-related software under any modern FOSS license, you'd be able to use it, regardless of any patents covering it. (See above.) The problem with GraphQL being a spec is that if you use some GraphQL-related software that doesn't originate from Facebook, then the licenses on any Facebook software (and thus the patent grants in that license) are irrelevant and you have no patent protection. And now you might begin to see why everyone in OSS who's acting in good faith would be better off with their own Facebook-style PATENTS grant.
Perhaps, but patents can be sold. Imagine a future Facebook sells the patents to BadTrollCo. Now you have two parties : the company that open sourced the thing (hence, perhaps didn't intend to sue people for infringement) and BadTrollCo that wants their pound of flesh.
My take on all this is Facebook's legal team seems to be sending a message to the open source community that they should come for the ideas, but wait for a truly open source alternative to come out before using those ideas in their own products.
I'm obviously not condoning patent infringement. The idea is to learn from useful ideas and implement a non-infringing equivalent as an open source project. You can't patent "math", or "computer science", or ideas comparably broad.
Still, the result is an arms race among land-mine manufacturers. Nobody wins but the undertakers and the orthopedic surgeons... or in this case the lawyers.
Software patents can only be used defensively when you are claiming your source code implements a patient.
In that light, the owner (or even expiration) does not matter. You can claim to implement an expired patent as a defense of a patent lawsuit. You can claim to implement/steal somebody else's patent (but that is unwise at times). This principle is how RISC-V and J-Core have survived. They pointed to expired patents and saying, "we do that, not your thing." (They really did too)
Privately owned patent rights, without rights granted to other entities can only be used offensively. Anyone saying otherwise is wittingly or unwitting supporting the patent system and arguing company line.
Offense is defense. If your competitor has enough patents that they'll find something they can reasonably argue that you infringe on, it's useful to present the same threat to them.
Companies that are serious about only using patents for this purpose can contribute them to open licensing schemes.
(And in the case of specifications that want to be standards, full patent grants should absolutely be included. You want people to use their stuff, make it safe for them to do so)
It does, but unfortunately, that's how humans work. We use threats to make cooperation the best choice for all parties, because we can't trust that none of those parties is an asshole.
How about we work on not allowing patents in fields where it's unreasonable to expect the patent office to assess novelty and non-obviousness? Like software?
Or at least making their duration commensurate to the invention itself, and the speed of evolution of the field. 3 years would be more than enough time for the "inventors" to make money off their software patent.
Isn't it enough to publish the patent text such that it can be used as prior art to prevent other companies from patenting the same thing, but in that form can't be used to actively go after other companies from using the same technology?
Not really. If you publish X I can still patent X + Y and probably catch a lot of people doing a derivative of X. If you patent X then my X + Y patent is much less useful and if I become obnoxious about it you can always threaten to destroy my customer base by enforcing X.
> Generic computers performing generic computer functions, without an inventive concept, do not amount to significantly more than the abstract idea. The type of information being manipulated does not impose meaningful limitations or render the idea less abstract. Looking at the elements as a combination does not add anything more than the elements analyzed individually. Therefore, the claim does not amount to significantly more than the abstract idea itself. The claim is not patent eligible.
> Examiner suggested . . . to advance the prosecution of this application: 1) Add the following limitations in claim 1: ‘a) graphs associated with a social-networking system’ . . . .
It sounds to me like the examiner is contradicting their self. They initially state that the type of information being manipulated does not render the idea less abstract, then go on to suggest limiting the information to social networking graphs.
The MIT license doesn't change anything in this case, because the MIT license doesn't have a patent grant.
This GraphQL situation is different and, arguably, somewhat worse than the ReactJS BSD+Patent license issue.
The problem here is the GraphQL specification doesn't have a patent grant (unlike ReactJS, which does, but people don't like the terms of the grant). And Facebook have filed a patent for GraphQL (https://www.google.com/patents/US9646028) that has some quite broad language.
Due to the patent, and the lack of a patent grant, most GraphQL users likely infringe on Facebook's patents.
I am not a lawyer, but MIT and BSD are thought to have implicit patent grants.[1] It would be completely absurd for a company to argue that they give the public the right to use their software, but "just kidding -- we were secretly withholding the rights to the patents all along so that we could sue you for using our software!" An apparent problem with Facebook's PATENTS file is that it explicitly withdraw the patent license if Facebook decides to infringe on your patents and you speak up about it.
I'm not sure if the author of that article is partially trolling in the attempt to get Facebook's patents terms applied to the entire spec.
The best solution would be to abolish software patents completely.
I think this entire PATENTS situation with Facebook is a good reason why people should prefer Free software that is created and managed by individual developers and independent foundations over "open source" software produced by large companies with legal teams and dubious agendas.
I don't think that they are the same. If the PATENTS file usage becomes widespread, it would probably impact small startups without legal teams more than anything regarding implicit patent grants would.
The topic of willful infringement, while unpleasant, is a real concern for many developers and companies. I don't believe the downvotes are justified for a valid concern.
Sure you can apply. And you might very well get it too. They don't have time to check much at the patent office, mostly standarized IP databases (probably not including your code). And if you get it, it becomes the burden of the others to prove the patent invalid. Bad patents are common, and litigation so expensive that they are a real problem to whoever is affected by them.
Some lawyers argue that if you publish software under an open source license without an explicit patent grant, that their is an implicit grant with it. As far as I know, this has not been tested in court, but it seems reasonable to me, (not as lawyer).
TL;DR - In 2012, Yahoo sued Facebook over 10 patents, "general sentiment in the industry was that the lawsuit against Facebook was without merit; some said Yahoo was a patent troll." Facebook spent a lot of money acquiring a patent warchest to be used defensively against patent suits in the future. Yahoo then drops the patent infringement case.
"The key thing to understand is that Facebook used and invested in patents as an important way to defend itself."
Facebook asserts that anyone can use these open source libraries with a patent use grant. However, if that company then sues Facebook over patent infringement, Facebook reserves the right to revoke all patent grants so they can use their own patents in a countersuit.
I can see how it makes sense for Facebook, but still a toxic effect on the actual "open source" status of React et al.
First of all, the whole thing is limited to patents, which are a small part of the IP of most IT companies. If Microsoft uses GraphQL, Facebook can't freely pirate Windows.
Second of all, you can still sue FB over patents, you just have to stop using things they are providing free of charge first. Also, there is an exception if FB sues you first. It seems fairly clear that the intent is to avoid litigation over patents, especially software patents, which many people think are a bad thing.
So if fb just uses something patented by my company in one of their products, just uses it without my company's permission, but doesn't sue, what is my company's recourse?
What is my company's leverage or incentive to get them to pay my company for a license?
You assume an intent but the intent is unclear here. React is an incredibly attractive technical product. As a web dev at my company I really want to use it, but had I not realized its strange underhanded bidirectional patent grant and evangelized it I could have boxed my company into a corner, forcing it to decide to sacrifice our React web infrastructure or defend our patents.
Spreading misinformation about the danger only serves to undermine the OSS community's response.
No. Apache 2.0 indemnifies you only in relation to the patents held by contributors to that project.
In more concrete terms, if you see some project is licensed under Apache 2.0, then you can still be sued for using it, because while you may have a guarantee that its contributors won't sue you, it doesn't make anybody else's patents go away.
In slightly more concrete terms than that, if Project X causes Facebook to be sued by Corp Y because Facebook is using that project, then Facebook has no protection if it is not a Corp Y project nor have they ever contributed to it.
In real life, Corp Y is Yahoo, who sued Facebook several years ago on a bunch of patent-related matters. Facebook then went on a tear building up a war chest and crafting the PATENTS text so that it could never happen again.
Can anyone point me to a single instance where anything bad has actually happened because of Facebook's patent clause in one of their open source libraries?
Did you read the article? This issue has nothing to do with the patent clause in their libraries. This is a problem with the GraphQL spec being patented. Since there is no grant of GraphQL itself, any library implementing it on the server side that isn't written by Facebook and conveying that grant, is infringing.
Serious question. React has been around for a while. Companies like Airbnb and Wix, for example, have been using React for a while. If Facebook were going to leverage this the way people are scared of, wouldn’t there be some example of them using it the way people are scared of? You know, on a company doing something it’s proven that they could make major money on? It’s not like this is a new provision, it’s been around for a while, and they’ve not used it to backhand a single company that I’ve come across (please, correct me if I’m wrong on this). So can’t this be boiled down to a conspiracy theory? There are massively successful, profitable companies who they haven’t tried to leverage these provisions on, so I’m honestly trying to figure out, what’s the basis for this fear?
Companies change. People change. You don't want it written into the license like that and depend on good will. If good will were enough we wouldn't have laws or government.
I don’t know if this really answers my question. You have to assume Airbnb, for example, has a legal presence that is very involved in tech decisions and how they might hurt the business. What I imagine was a very thorough scrutinization process came back with a green light to use it. Most of the startups worried about this don’t have the luxury of anything near that level of legal scrutiny, but can’t a startup that can’t afford it extract some value from a company like Airbnb using it without worries?
It's possible that Airbnb has their own, separate license with Facebook. It's also possible that they decided they could absorb the cost of a countersuit if they ever sue Facebook over a patent. I don't think speculating about Airbnb's situation gives any assurances to an entirely unrelated company.
I’d agree if Airbnb were the only large company using React, but they’re not. They were just the company I chose to mention. There’s also Twitter who just went all in building Twitter lite, Wix who is huge in the native navigation world, and plenty more. So would you guess that Facebook is negotiating a separate license with all of them? And besides, wouldn’t that nullify concerns even more because that means they’re willing to negotiate a more lenient license with any company that makes enough money to make them worth knocking off?
I’m not trying to be sarcastic, I just really don’t understand how these fears are justified. Besides, if Facebook decides they want to crush you and use React as a shield, you’ll probably have bigger problems in that moment than your choice of front end libraries. A bigger problem, I would think, is that you have something worth Facebook thinks is worth stealing. Facebook doesn’t need a React patent clause to smother a company.
Those were also just a few examples. Companies negotiate reciprocal agreements for baskets of patents all the time. Who knows what's in the basket? My point was that they have circumstances that don't apply to any other company, and there's no way to know what they are. Either the license itself, as written, works for you or it doesn't.
I see what you’re saying and I agree. But to continue down this path one last time, I still think what you’re saying meshes with my original point. If you’re big enough for Facebook to care to leverage this against you, you’ll have a legal team who can negotiate one of these nice reciprocal agreements. Until you reach that point, Zuck or his theoretical sinister successor probably won’t know, or care, that your company exists. Can we at least agree on that?
I can agree with the tautology that if a company is too insignificant for Facebook to care, then they're safe. But it doesn't take a large company to be a thorn in Facebook's side.
Imagine a tiny company finally figures out UX and solves some of the problems with spam, load balancing, etc. on a decentralized social network. If the cat gets out of the bag, they're an existential threat to Facebook.
> If Facebook were going to leverage
> this the way people are scared of,
> wouldn’t there be some example of
> them using it the way people are
> scared of?
Sadly no, it's a real issue, because we can't predict the future. Zuck dies, is replaced by someone with a more billg frame of mind, chaos ensues. That's something we don't have any control over, so it is a valid question. The current global political situation shows the dangers of relying on political norms to protect you, rather than law.
> So can’t this be boiled down to a conspiracy theory?
The license is real, anybody can read it, when you can guarantee or demonstrate that Facebook will never act on in, not today, not in 10 years, under any circumstances then you can call it a conspiracy theory.
So React is damned for including a PATENTS license and GraphQL is damned for not including a PATENTS license? Facebook can't win for losing. Geez, wish they would just re-license under Apache 2.0.
> So React is damned for including a PATENTS license
A patent grant is a good thing, you want a patent grant as a user of OSS.
The problem people have with React's patent grant is the one sided terms of the patent grant (and the fear that Facebook could hold you hostage with those terms).
> Geez, wish they would just re-license under Apache 2.0.
This would be my preference.
IMO, for the React issue, even if the issue is a paper tiger (https://medium.com/@dwalsh.sdlr/react-facebook-and-the-revok...), this puts a massive hit on Facebook's OSS credibility. Even if the fear was irrational, many people are never going to understand that now and many people won't touch any Facebook OSS because of that fear.
Facebook would probably solve a lot of that credibility loss by just re-licensing under Apache 2.0.
Unfortunately that logic seems to lead to a strategy of FUD in the direction of a different patent license, which if that approach is validated then leads to being less open doesn't it?
I don't get what you are saying entirely, but companies like Microsoft and Broadcom, of all places, have given patent licenses with their open source work that were not as one-sided as Facebook's was.
If Microsoft and Broadcom are better OSS+patents citizens then you are, you have a serious problem.
It's a real threat, just blown way out of proportion. The second Facebook leverages this patent clause on ANY company, React is dead and everyone will migrate to Preact / VueJS, etc.
This means that the React patent card is a one-time play with HUGE repercussions. Facebook isn't going to target your little company or startup and worrying about it IMO is foolish.
It isn't just React. The PATENTS file is in most of Facebook's repos and it's becoming part of dependencies of dependencies. In the future it could be difficult to remove that software from your stack. (Immutable, Jest, Flow, Hack, etc.)
I think this is exactly what I am saying. There are companies using React that are much larger than anyone who is worried about this, and they don’t seem phased by it. That has to mean something.
These large companies could afford to move off of React if they had to. Smaller companies could be severely impacted by having to move a core product off of React quickly. I don't know why people are using Google as an example of it being safe to use for a 10 person company.
Okay sure, they could “afford” it, but that doesn’t mean they would want to. And if there’s even a feeling on the legal team that some day it might be an issue, why not just use what you’d someday have to switch to and start investing in that ecosystem instead? That would be making a business decision that you know could be flushing years worth of work and investment down the toilet just because.
Besides, isn’t the wording in this clause immediate loss of use? You’d either have to take the time to convert your app to something else before you sue them, which would still take a long time and give them the time to build/perfect your new lethal competitor, or sue them and shut your business down until you converted it to something, which is equally lethal.
OData is particularly interesting because its design has clear overlap with GraphQL, and it's a lot older. This means it could even be brought up as prior art in some patent cases, maybe.
There's significant differences, but it means that if someone designs an "OData without the suck" then there's a fair chance Facebook doesn't have much to go on.
That said they can still play patent troll of course - patents hardly ever get evaluated on their merits in court AFAIK.
Help me on this: Facebook has just removed the PATENTS file from GraphQL repository, and now there are issues for this? And at the same time people are arguing over removing it from React?
This GitHub issue is almost three weeks old and without any formal answer.
At the very least, Facebook doesn't care about solving the problem, which is almost as bad as having malevolent plans to use these GraphQL patents.
> At the very least, Facebook doesn't
> care about solving the problem
This attitude isn't in the least bit helpful. It's been escalated to their legal council and the maintainer has said many many times that he's chasing it.
The poor developer answering in the GitHub issue tracker probably cares, but he is a worker bee, not someone with any authority. All he can do is escalate the issue into a brick wall.
"If we were to allow this license, it could lead to potential future conflicts with software licensed under Apache. Also, we could be impairing the future rights of our customers. Essentially, this is not really an open source product based on the implications of the license. While there is no payment of cash, payment is in the form of giving up future rights." [1]
[1] https://github.com/facebook/graphql/issues/351#issuecomment-...