Review license

[radarhere]

The LICENSE file refers to PIL, but makes no mention of Pillow. Since we otherwise refer to them as separate entities, is this something that should be fixed?

[hugovk]

I think "Python Imaging Library (PIL)" needs to remain intact, and the wording of the licence itself.

Perhaps Pillow could be added to the top.

What do others think?

[wiredfool]

Somewhere we've lost the copyright notices for the additions that had been added (at least in the readme) and maybe elsewhere. I remember an assertion somewhere that it was now copyright AC and contributors.

We've now got a situation that's something slightly different than what's specified in the license. We have a collection of code that has copyrights owned individually by the contributors, and a licence that has been in effect while collecting these contributions that is essentially a MIT license. We do not have a single collective copyright, since we've never collected copyright assignments.

I think that we should carefully think about the license that we have and supersede it with one that references that there are many individual contributors, and that the current maintainers aren't offering warranties either.

Whatever we do, we should not be changing the existing license we should be prepending/appending to it in a manner that doesn't change the essential character of the license. If possible, I'd like to use an actual, recognized named license that's compatible with what we have now, rather than one that's almost, but not quite one that we can just reference. (Either Python, MIT or BSD, whichever is closest.)

[radarhere]

Just as a suggestion to try and get this rolling again, here's a suggestion, prepending some text to the license so that Pillow is covered by MIT -

Pillow is the friendly PIL fork. It is

    Copyright © 2015 by Alex Clark and contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

Since Pillow is a fork, some sections of the code may still be recognised as PIL.

The Python Imaging Library (PIL) is

    Copyright © 1997-2011 by Secret Labs AB
    Copyright © 1995-2011 by Fredrik Lundh

By obtaining, using, and/or copying this software and/or its associated documentation,
you agree that you have read, understood, and will comply with the following terms and
conditions:

Permission to use, copy, modify, and distribute this software and its associated
documentation for any purpose and without fee is hereby granted, provided that the
above copyright notice appears in all copies, and that both that copyright notice and
this permission notice appear in supporting documentation, and that the name of Secret
Labs AB or the author not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior permission.

SECRET LABS AB AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
SECRET LABS AB OR THE AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER
IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

[radarhere]

As a relevant note, I just realised that the docs state Like PIL, Pillow is licensed under the MIT-like open source PIL Software License

[aclark4life]

@radarhere Still working on this? I guess we just need to explicitly state in the top level LICENSE that Pillow is licensed PSL (PIL Software License), if we haven't done so already.

[radarhere]

Okay, I've created a PR for inspection.

[aclark4life]

Tidelift has asked us to review our license, particularly with regard to Libraries.io understanding of what our license is. My guess is that since GitHub thinks our license is "other", Libraries.io has no idea what to make of that, and is deciding "unknown".

We may need to ask them to configure Libraries.io to say "other" as well … at least then they'd match. @kszu ?

[kszu]

That sounds right to me @aclark4life ! I'm going to cc Tidelift's cofounder / actual licensing lawyer @tieguy to confirm 👍

[tieguy]

Yes, what's happening here is that (since our goal is to have high-quality license information everywhere, not just our tools) we're looking at the GH API. Most of the time, when the GH API chokes, it's because of poor formatting or legitimately complex license situations. This is the first time I've seen in a while where it is choking because of a rare license.

It looks like it has also uncovered a bug in libraries.io (which for some reason thinks the license is the Barr license, which I admit I hadn't heard of until today). So that's two for the price of one :)

At any rate, I don't think there is much for y'all to do here - your license situation is just complex/rare, and so we're going to have to change the status in our database for now. Thanks for helping us learn :)

Also, if no one objects, I'm going to submit the license to SPDX (a standards group that tracks licenses) so that SPDX-based tools can recognize and track PIL/Pillow.

[tieguy]

Good news: Turns out that this is an obscure, but already documented, license: https://spdx.org/licenses/HPND.html

Bad news: pypa does not currently allow HPND as a license identifier. (The current list is discussed here.) We'll update it at Tidelift, and hopefully pypa and GitHub will recognize it at some point.

[aclark4life]

@tieguy Thanks!

But can you also please explain how the "Standard PIL License" and https://spdx.org/licenses/HPND.html are related? I'm assuming you're classifying the Standard PIL license as an HPND license, but not 100% sure about that. And if you are, I wanted to confirm that classification is accurate.

As such I'll note further, in case it helps, that we've never discussed licensing with Fredrik Lundh (remember this is a fork of his software licensed with the Standard PIL license) and our collective goal, historically, has always been to make as few changes as possible to PIL, including maintaining the same license.

It just so happens that at some point we had to give up on "making as few changes as possible" … and now that this licensing issue is coming up again I'm wondering if should consider any licensing changes. For example …

Hah! Never mind.

After I wrote all that I came across:

• https://effbot.org/zone/copyright.htm

which, in referencing the Standard PIL license, states

(This is a trivial variation of the old Python license, 
as used for Python 1.5.2 and earlier. In OSI terms, 
it’s known as the Historical Permission Notice and Disclaimer.)

so now I just answered my own question. 🎉

[tieguy]

I think you figured it out! but to be 100% clear, just in case: we are not asking you to make a change to your license! We would only ask for that if it were completely, certainly cosmetic, and would make a significant difference for automated scanners. That's not the case here (at least, no such suggetion that I see right now) so no request to change anything.

Since the license text is almost exactly the text of the HPND, we'll note that in our database - will help some of our customers automate their license compliance. Thanks!

(A quick scan also suggests there's a bunch of other licenses in various places, like LGPL in ImageCms.py - but we aren't going that deep yet.)

[hugovk]

I've requested HPND is added as a Trove classifier: pypi/warehouse#5627.

For the longer term, do we want to supersede HPND with, say, BSD or MIT? Wikipedia suggests:

It is unique among the OSI's licenses because of the choices it allows in its construction; it lets the licensor pick anywhere from 0-2 warranty disclaimers, whether they want to prohibit the author's name from being used in publicity or advertising surrounding a distribution (like in the BSD License), and other spelling and grammar options. Besides this, the license can be almost functionally identical to the new 3-clause BSD License (if the option for the no-promotion clause is exercised), or the MIT License (if the option for the no-promotion clause is not exercised).

How to proceed?

[tieguy]

If you were starting a new project, or a rewrite, I'd recommend a newer license, like BSD-2-clause+Patent.

But since you've got all this old code contributed by people who are no longer with the project, you're pretty much stuck with the existing license - you can't simply make it go away. So not much upside in switching for new contributions; then people just have to comply with two licenses.

One possible exception: if you've got plugins or other clearly separable code that is often written from scratch and lives separately, you might require a more modern license for that code?

[hugovk]

Not really. The different image formats are supported as plugins, but it all lives together with the main code at https://github.com/python-pillow/Pillow/tree/master/src/PIL.

---

See #3752 to update the Trove classifier in setup.py to use the new HPND on PyPI.

[tieguy]

Do you know of anyone forking/reusing those plugins? If so, might be nice for new ones to be consistently under a more modern license. But realistically if they're only useful with PIL then not much upside to clarifying things.

[aclark4life]

@tieguy We'd have no way of knowing because they're in this repository … https://github.com/python-pillow/Pillow/tree/master/src/PIL. Also, looks like HPND got merged so I'm closing this again. pypi/warehouse#5627 Thanks all!