This is a text-only version of the following page on https://raymii.org:
---
Title       :   I enforced the AGPL on my code, here's how it went
Author      :   Remy van Elst
Date        :   20-10-2020
Last update :   28-02-2022
URL         :   https://raymii.org/s/blog/I_enforced_the_AGPL_on_my_code_heres_how_it_went.html
Format      :   Markdown/HTML
---




Five years ago I made [a website][1] that allowed you to put in a few domains and get
an email when the SSL certificate was about to expire. No ads, no fuss, just
an easy way for people to keep tabs on their sites without setting up their
own monitoring like Nagios. As with all of my software, I released it under
the GPL, specificaly the AGPL due to it being web based software. The AGPL
differs from the GPL on one point, simplified, you have to release the source
of any modifications you make under the same license, even when you host the software (not distribute)
online. With the regular GPL, you don't have to release the source if you
provide a modified version online, only if you distribute it.

Recently I found a company that hosted certificatemonitor, with some modifications
(branding and a dutch tanslation), without any reference to its origin, no source
code provided and no mention of the license. I'm not going to link to the company,
you can see the screenshots, but I don't want to give them any extra exposure.

In this article I'll talk about what I did to enforce the license and how it went.
TL;DR, not as expected. The company responded timely and friendly, but did a half assed
attempt (added a link to my site with `Inspired By Remy` as the text), then after my
complaints, took down the entire site.

I was a member of the [Free Software Foundation Europe][18] back in [2010][19]
and have [donated many times][20] to the Software Freedom Law Center / Software
Freedom Conservancy (the thing Bradley always talked about on the Linux Outlaws Podcast)
and at work I'm the goto guy whenever we [get][21] a [GPL request][22] for our coffee
machines, so you might say I have a heart for open source. If anyone from the SFC or FSF
or GPL violations.org is reading this and wants to do more with it, please send me an email.

I license all my  personall stuff under the GPL and AGPL (where applicable)
and dislike the  permissive licenses (MIT, 3 clause BSD, X11, Apache) because
they allow people to  take your stuff and never contribute back. I prefer
strong copyleft licenses that force you to contribute. [Here is a good
article][23] going into permissive vs copyleft licensing.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


The following two paragraphs are taken from the [Plausible.io article][9]
explaining their license switch. I found them to explain the AGPL so well,
that I cited them here. Please [go read their article][9], I found out that
Google has a [anti AGPL policy][10] by reading their article.


Update 28-02-2022: Added actual AGPL text and backlink to FSF site due to [comments on a HN thread][26]


### What are the benefits of the AGPLv3?

The AGPL license is identical to the original GPL license with the only
additional term being to allow users who interact with the licensed software
over a network to receive the source for that program.

AGPL is designed to ensure corporations contribute back to the open source
community even when running the software as a service in the cloud.

If you used AGPL-licensed code in your web service in the cloud, you are
required to open source it. It basically prevents corporations that never had
any intention to contribute to open source from profiting from the open source
work.

It explicitly prohibits corporations from parasitically competing with an open
source project. They won't be able to take the code, make changes to it and
sell it as a competing product without contributing those changes back to the
original project.

Here's that [extra paragraph][24], summarized from the FSF site:

> If you run a modified program on a server and let other users communicate
with it there, your server must also allow them to download the source code
corresponding to the modified version running there


The actual difference is in section `13. Remote Network Interaction; Use with the GNU General Public License.`:

>  Notwithstanding any other provision of this License, if you modify the
  Program, your modified version must prominently offer all users
  interacting with it remotely through a computer network (if your version
  supports such interaction) an opportunity to receive the Corresponding
  Source of your version by providing access to the Corresponding Source
  from a network server at no charge, through some standard or customary
  means of facilitating copying of software.  This Corresponding Source
  shall include the Corresponding Source for any work covered by version 3
  of the GNU General Public License that is incorporated pursuant to the
  following paragraph.


[Here][25] is the full diff between the licenses, using this command minus the
`--suppress-common-lines`:

   # https://www.gnu.org/licenses/gpl-3.0.txt
   # https://www.gnu.org/licenses/agpl-3.0.txt
   diff --side-by-side --suppress-common-lines  agpl-3.0.txt gpl-3.0.txt


#### What are the restrictions with the AGPLv3?

A corporation needs to be clear and provide a prominent mention and link to
the original project so people that are considering to use their version of
software can be aware of the original source

If a corporation modifies the original software, they need to open source and
publish their modifications by for instance contributing back to the original
project


### Hey, that looks a lot like my code

I sadly only took a few screenshots on my phone, so I cannot show more than this,
but the similarities will be more than clear. In the email conversation we had,
they ackowledged that it was my code, so there's no doubt on that.

Here are the pictures, including the statement that triggered my enforcement
action (their copyright).

First the FAQ items on my original code and next to it their translated version:

![hoasted gpl][6]

- Their headings are collapsed, but match mine, translated in dutch.
- Their cert check times are exactly the same as mine.
- They claim full copyright as authors (which is wrong, they're not authors and its not their copyright)

Here's the confirmation page after you've signed up.

![hoasted gpl][7]

- The blue `Email: ` is exactly the same (twitter bootstrap styling).
- The green `Confirmation` is exactly the same.
- They've added call a to action "Buy Now" button

Last but not least, here is the confirmation email you get after signing
up.

![hoasted gpl][8]

- The confirmation link has the same UUID format
- The date time format matches
- It lists the IP you signed up from

They however forgot to remove the `Unsubscribe` link from the first email,
it says, `To receive no more emails, click this link` and then, no link to click.

### Our email conversation

It was pretty hard to find an actual email address for this company. Nothing listed
on their website, just a contact form. Hidden on their [jobs page][11] I found a
[job listing][12] which included an address and on their [General Terms and Conditions][13]
page their was a support address.

Maybe thats just me, but every major support ticket system
supports emailing, next to web portals. Please let me just send an email instead of forcing
me to use a webpage.

So I decided to go for the Jobs email, not a large organisation so probably no dedicated HR,
big change that jobs go right to the founders.

Our email conversation was polite and they responded in a timely fashion, within days,
other GPL requests I did never got any response or took at least two weeks for an
initial reply, they did score some points there.

I'll summarize the emails for those who do not speak dutch.

[My first email][14] stated that their tool looks a lot like one I wrote a few
years ago and that they probably should provide the source code. I stated that
they did provice the source/links on another tool they host (ssl decoder) and
that they should do that here as well. I also noted the dificulty in finding
an email address.

[Their first response][15], three days later, says some companyspeak thank you
for your service, we looked into it and indeed, we are using your code for 3
years, without  providing any attribution. We've added something to the
footer, if you want textual changes, please let us know.

I sadly did not take a screenshot of the new footer text, but it said
`Inspired by Remy`, and linked to this site. That's not how it works guys,
my first email was clear enough, full source code and license, not this crap.
It really is not that hard to create a new github/gitlab repo, do one initial
commit and never touch it again.

[My response][16] said, in a more civil way, that they should provide
source code under the same license.

Four days later, [they responded][17], stating that they had discussed internally
and decided to take the site offline.

That concludes our conversation, they took down their site and never complied with
the license. I think they're not violating it now, but have done for a few years.

### How should they have acted?

They should have provided the source code to anyone asking, preferably online, right
from the start when they set up their service. Even if they would not have named
me, but had provided source code, it would be fine by me.

I'm not sure how long their site was online (they state 3 years in the email),
but they have been violating the license all that time, and the half-assed
attempt ended badly. I suspect their service was not  used that much, because
they just took it down without notice. I hope all their subscribers know of
it, since they will never be notified if their certificate is about to expire.

When I still hosted this code myself, I had about 20,000 (twenty thousand) domains being
checked. When I cancelled the service, each and every one of those domains got a message
notifying them that their service would be cancelled after 30 days with a few alternative
services they could use.

And you know what the strange thing is? They have also hosted the [SSL decoder][4],
another piece of software I wrote in the same vein, with a link to the source code.
Here's an image where you can see the URL and at the bottom, the license and source
code link:

![hoasted gpl][5]

So why do it there but not on the other site? I suspect it's because they changed
the source code to translate it, and the ssl decoder site doesn't seem to be changed.

### A good example (sig-i/o)

A friend and fellow [revspace][2] member Mark Janssen has also hosted these services.
[Read his post here][3], where he states that he has forked the repositories, links
to the source code and has used the same license for the forks.

If you want to use the software I made, please use Mark's versions here:

- [https://ssldecoder.eu](https://ssldecoder.eu) -- Print information about site-certificates or CSR's
- [https://sslmonitor.eu](https://sslmonitor.eu) -- Get mail notifications about expiring certificates
- [https://cipherlist.eu](https://cipherlist.eu) -- Recommended TLS/SSL configurations for populair services

It's not that hard to provide the source and use the same license. "Just do it".


[1]: https://github.com/RaymiiOrg/certificate-expiry-monitor
[2]: https://revspace.nl
[3]: http://web.archive.org/web/20201020071305/https://sig-io.nl/posts/ssl-services/
[4]: https://github.com/RaymiiOrg/ssl-decoder
[5]: /s/inc/img/gpl1.png
[6]: /s/inc/img/gpl10.png
[7]: /s/inc/img/gpl11.png
[8]: /s/inc/img/gpl13.png
[9]: http://web.archive.org/web/20201015140440/https://plausible.io/blog/open-source-licenses
[10]: http://web.archive.org/web/20201011081354/https://opensource.google/docs/using/agpl-policy/
[11]: http://web.archive.org/web/20201020125602/https://www.hoasted.com/over-ons/vacatures/
[12]: /s/inc/img/2020_Hoasted_Vacature_Senior_Linux_System_Engineer.pdf
[13]: http://web.archive.org/web/20201020125759/https://www.hoasted.com/over-ons/algemene-voorwaarden/
[14]: /s/inc/img/gplemail1.png
[15]: /s/inc/img/gplemail2.png
[16]: /s/inc/img/gplemail3.png
[17]: /s/inc/img/gplemail4.png
[18]: https://fsfe.org
[19]: /s/inc/img/fsfe.png
[20]: /s/inc/img/sflc.png
[21]: /s/inc/img/gpldjd1.png
[22]: /s/inc/img/gpldjd2.png
[23]: https://eerielinux.wordpress.com/2017/11/25/permissive-licensing-is-wrong-is-it-1-2/
[24]: https://web.archive.org/web/20220228150614/https://www.gnu.org/licenses/why-affero-gpl.html
[25]: /s/inc/downloads/gpl-agpl-diff.txt
[26]: https://web.archive.org/web/20220228152129/https://news.ycombinator.com/item?id=30494456




---

License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.

You are viewing proxied material from raymii.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.