[enhancement]: consider relaxing restrictions on distribution of code / binaries

[afontenot]

Which feature or improvement would you like to request?

Currently, as I read the SEL license, only the following things are allowed:

• Downloading, using, and modifying SEL licensed code, and binaries built on that code, is allowed for paying licensees.
• Downloading / "copying" (unclear) SEL licensed source code is allowed for development and testing purposes, but downloading / using binaries is not permitted to non-licensees.

This omits the following things that are probably not intended to be prohibited:

• Downloading a copy of the program (e.g. from Github releases or the installer) that contains SEL-licensed code, and using it without activating the enterprise features with a license key.
• Distributing a binary copy of Stalwart that is built with the enterprise --feature enabled.
• Distributing SEL licensed source code might not be allowed (e.g. creating a fork on Github); the license allows "copying", but not explicitly distribution.

I suggest the following improvements:

• The SEL should be modified to apply to users who have not purchased a license, and explicitly allow modifying, copying, and distributing covered works in both source and binary form, so long as the other terms are met (including, of course, that the user not attempt to subvert the licensing mechanism). Note that this wouldn't change anything at all about the community / enterprise split, it would only acknowledge the status quo that the vast majority of community edition users are running non-free software, and give them a right to continue doing this under the SEL license.
• The FLA most likely needs to be modified or replaced. As I read it, signatories do not grant Stalwart Labs the right to create derived / combined works with non-free licenses, and that's pretty unambiguously what the enterprise edition is under the AGPL. Specifically:

We agree to (sub)license the Contribution or any Materials containing, based on or derived from your Contribution under the terms of any licenses the Free Software Foundation classifies as Free Software License and which are approved by the Open Source Initiative as Open Source licenses.

More specifically and in strict accordance with the above paragraph, we agree to (sub)license the Contribution or any Materials containing, based on or derived from the Contribution only under the terms of the following license(s) AGPL-3.0 (including any right to adopt any future version of a license if permitted).

I think Stalwart enterprise edition is clearly a "Material containing ... your contribution", which means Stalwart's CLA needs to allow the creation of combined works that are non-free. Otherwise the whole work becomes AGPL, and it explicitly allows stripping out additional restrictions added to combined works.

Is your feature request related to a problem?

I'm looking at this from the perspective of Linux distribution maintainers. As the community edition of Stalwart claims to be open source software, including it in e.g. Debian should be possible, but currently I think this is actually quite doubtful.

In particular Arch Linux appears to have been caught out by this. They're distributing Stalwart, but they're building it with the default features which means that SEL licensed code is included in the resulting binary. This means that the resulting program isn't AGPL, and also that Arch Linux is distributing Stalwart without the right to do so under the SEL. I've reported this issue to them.

The AGPL requires that distributors of covered works in binary form also "convey the machine-readable Corresponding Source under the terms of this License". This means that it is not allowed for Arch Linux to distribute a "clean" version of the program without the enterprise crate, unless they also clean up the source tree to remove all SEL licensed code, as otherwise it's not possible to convey a source version under the AGPL's terms.

My proposed solution would allow Arch Linux to continue distributing a non-free version of the work that users could add their own license keys to, if they decide to do that.

Code of Conduct

• I agree to follow this project's Code of Conduct

[afontenot]

The AGPL requires that distributors of covered works in binary form also "convey the machine-readable Corresponding Source under the terms of this License". This means that it is not allowed for Arch Linux to distribute a "clean" version of the program without the enterprise crate, unless they also clean up the source tree to remove all SEL licensed code, as otherwise it's not possible to convey a source version under the AGPL's terms.

Chasing this part of the issue down a little further, the following script appears to turn the source tree into AGPL-clean code that compiles successfully. Obviously, you have to compile without the enterprise feature for this to work. I believe that building from a cleaned tree like this one, and then making that cleaned source available to users the binary is distributed to, would be sufficient to meet the conveyance requirements of the AGPL. It's my hope that something like this would be sufficient for including Stalwart in Debian.

perl -i -0pe 's/ *\/\/ SPDX-SnippetBegin[^\n]*\n[^\n]*\n[^\n]*SPDX-License-Identifier: LicenseRef-SEL.*?\/\/ SPDX-SnippetEnd *//gms' crates/**/*.rs
grep -l 'SPDX-License-Identifier: LicenseRef-SEL' crates/**/*.rs | xargs truncate -s0
perl -ne 'print if m/(?<!OR) LicenseRef-SEL/' crates/**/*.rs

If any of these lines print anything, you can assume something has gone wrong. Requires the globstar shopt in Bash.

In the process I discovered another issue, which is that some source code files are missing license annotations:

* crates/common/src/expr/functions/asynch.rs
* crates/common/src/listener/acme/directory.rs
* crates/common/src/listener/acme/jose.rs
* crates/common/src/listener/acme/order.rs
* crates/imap/src/core/mailbox.rs
* crates/jmap/src/api/management/log.rs
* crates/nlp/src/lib.rs
* tests/src/smtp/inbound/antispam.rs

[williamdes]

It's my hope that something like this would be sufficient for including Stalwart in Debian.

By the way, I did a working packaging. If you are one to package Stalwart in Debian ping me here and I will share the source code.