Licences for Assets / Reference Implementations in EIPs

SamWilsn · May 17, 2023, 3:09pm

Currently there is no consistent policy for licenses allowed in the EIPs repository (aside from the EIP itself.) This is especially relevant for reference implementations.

Policy Options

There are three camps:

Please be aware that I am biased, so if I misrepresented your views below, call me out on it.

All assets must be `CC0-1.0`

This view is held by @Pandapip1.

Simple, clearly unambiguous. Most permissive for implementers. Most restrictive for authors.

Allow non-copyleft open source assets

This is my view.

Assets may be any license that doesn’t impose significant restrictions on implementations. So this would allow MIT, Apache-2.0, and likely some others. It would, however, deny GPL-3.0 and BUSL-1.1.

More ambiguous (we’d need to maintain a list of approved licenses), but balances author vs. implementer interests.

Unrestricted Reference Implemenations

This view is held by @xinbenlv and @gcolvin.

Allow any license we can legally distribute, and allow linking to reference implementations we cannot distribute.

Also extremely unambiguous, provides authors the most flexibility, but doesn’t preserve our immutability/availability goals and can potentially create copyright traps.

Related Reading

xinbenlv · May 17, 2023, 5:10pm

Thank you for summarizing it, @SamWilsn !

My stance is generally: “we should make it easy for ERC authors to share reference implementations for educational purpose”.

On that basis, for the question I am happy with either of the following:

Allow check-in a broad range of Open Source Licenses for RefImp code into asset folder
Allow link to external reference implementations.

Disallowing both will make it super hard to share reference implementation and undermine the open standardization effort.

SamWilsn · May 17, 2023, 7:36pm

How broad is broad? Would you permit a license that allows viewing the reference implementation, but disallowed any derivative work?

If so, what is the point of such a reference implementation?

tbergmueller · May 17, 2023, 8:26pm

While CC0 is optimal for the EIP, I feel it’s too restrictive for reference implementations.

I’d consider especially CC0 4.a stating “No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.”

IMHO (not a lawyer obviously) “No […] patent rights held by Affirmer are […] licensed” implies that I cannot be 100% sure when I use a reference implementation licensed under CC0, whether I will applicable to license fees under certain circumstances.

This was the prime reason why we decided to use MIT license (also used throughout OpenZeppelin) for the Reference Implementation in our ERC-6956. We wanted people to be able to freely use it, without having any second thoughts. Especially since for our edge-case there is a broad application range with physical products and smartphones involved etc. and as soon as things get beyond digital-only, you enter a patent landscape that’s hard to comprehend.

SamWilsn · May 18, 2023, 1:03am

We discussed this at some length in

github.com/ethereum/EIPs

EIPs should preemptively add a CLA

opened 11:53PM - 15 Sep 22 UTC

closed 05:34AM - 09 Oct 22 UTC

kdenhartog

enhancement e-consensus

### Proposed Change I've seen these types of issues arise when trying to build …out technical specifications in the DID and VC space. Generally speaking, most people here seem to be operating in good faith, but there's always some point where IPR is brought up because companies have to appease their lawyers as they grow. I'd suggest that this repo adopt some sort of basic IPR rules preemptively to avoid the mess that arises in the case that patents and royalties come into play. They're a few different methods on how to approach this which will directly affect the ability of contributors to assist in the process of developing an EIP and the governance necessary to maintain and enforce the rules. This is the unfortunate reality of how these things go. Here's some places to look at and consider modeling after: 1. IETF IPR as defined by [RFC8179](https://www.rfc-editor.org/rfc/rfc8179) 2. W3C approach to IPR which is outlined here in their [patent policy document](https://www.w3.org/Consortium/Patent-Policy-20040205/). Note this typically requires that legal agreements need to be signed by members/participants/orgs etc 3. OASIS IPR - I don't have a link to this one, but I know this one sparked some controversy in the past because they allowed for royalties from my understanding (it's before my time). 4. GSM IPR - again don't have links to this here, but I've heard that there's some sort of IPR rules that lead to setting specific royalty amounts per patent or relevance of patent. Let's not go this way, but I'm highlighting it to further define the landscape of IPR. In any case, I think it's useful for us to start this topic now so that we've got something sorted before people start getting dragged into court or depositions to settle patent cases based on EIPs. My personal preference would be go the IETF or W3C route. I'm curious where others fall on this.

tbergmueller · May 18, 2023, 5:03pm

Thanks, although I believe I have another angle, which has not been discussed so far.

As responded in much more detail to your comment in PR 6956, we have a situation, where we do own patents that have at least similarities to the EIP and I want to be very clear that the EIP and reference implementation can be used freely and unrestricted by anyone. Yet, I do no want to grant a free, unlimited and world-wide license on any of our patents, as they cover much more than just what’s in the EIP and reference impl.

For the EIP I think CC0 still works, but I would argue that if we were to enforce CC0 for reference implementations and not allow any amendments, I would in my case not have the legal framework to ensure people it is safe to use our reference implementation here. That’s why the reference implementation must allow MIT, BSD or similar imo.

SamWilsn · May 18, 2023, 5:33pm

I don’t think the EIPs repository has the authority to stop you from additionally granting patent licenses If you wanted to dual license under CC0-1.0 and/or MIT, of course that’d be fine. I think @Pandapip1 just wants one of the options to be CC0-1.0 (though I may be misrepresenting his position.)

tbergmueller · May 18, 2023, 5:52pm

Well, that’s clear but I think I didn’t express myself clear enough .

I meant; I have a patent US1234, which is partly similar to the EIP. But the EIPs content is e.g. just one aspect, not the complete content of the patent. So I need to find a legal way, to license EIP + Reference Impl freely and unrestricted. But at the same time, it is not possible for me to say “With this EIP I grant you a license for US1234” - because the US1234 has other aspects beyond the EIP, which I do not need or want to waive.

Dual licensing works imo! I just thought the goal was to have CC0 mandated as in the verbatim Waiver in the EIP. That would’ve been an issue - but seems all is fine then. Thanks for the clarification

SamWilsn · May 18, 2023, 6:21pm

Right, that makes sense.

Yep, that’s perfectly understandable. The requirements, today, of the EIPs repository are roughly:

Text of the EIP itself, including any inline code, MUST be available under CC0-1.0.
Files under the ../assets/eip-xxxx/ directory SHOULD be CC0-1.0, but MAY be a non-copyleft OSI approved license.

joeysantoro · October 26, 2023, 9:11pm

The current validation doesn’t allow any external linking at all. Is this conversation the right place to petition to allow external links in the Reference Implementation section? It would be hard to validate their license so I am in general pro allowing any reference impl.

SamWilsn · October 27, 2023, 2:33am

We do allow some external links, and are open to more (following EIP-5757). You can see the full list of currently permitted origins in EIP-1.

Eh, it’s close enough

In addition to the reasoning behind prohibiting external links in general, there are a couple important concerns specific to external reference implementations.

When people link to an external implementation, it’s often their production implementation. It usually comes with a ton of stuff that isn’t directly related to the EIP itself, and often divides the functionality over several libraries. Simplicity and minimalism are rarely a primary concerns. A reference implementation for an EIP should be short and sweet, and help clear up any questions in the EIP.

@/Dexaran brought up an excellent concern with ERC-20. Having an external reference implementation right in the EIP gives the authors of that EIP an unfair advantage, since it looks like their implementation is the “official” one. Once the proposal goes to the Final status, it can no longer be updated, so no competing reference implementations can be added.

All that said, @xinbenlv has started a project over at https://ercref.org/ to provide a better source of reference implementations.

Dexaran · October 27, 2023, 5:45pm

When people link to an external implementation, it’s often their production implementation. It usually comes with a ton of stuff that isn’t directly related to the EIP itself, and often divides the functionality over several libraries. Simplicity and minimalism are rarely a primary concerns. A reference implementation for an EIP should be short and sweet, and help clear up any questions in the EIP.

I completely agree with this.

The main purpose of the “reference implementation” is to be a demo of the proposal. It is supposed to answer questions of “how it should work” or “does the logic of that particular code match the logic described in the EIP”.

To find a production implementation the reader must use Google - this will allow for healthier competition among multiple potential implementers.

I don’t see any reason for a “reference implementation” to be a link at all. In my opinion it would be much better to write the code in the text of the EIP and make it CC0 licensed alongside the text.

joeysantoro · October 28, 2023, 7:01pm

I agree completely with the logic behind not allowing production implementations and think that there can be clear rules to enforce around this.

The idea and intention behind a reference implementation is difficult for ERC authors to fulfill without the ability to provide external links to github for example.

This is all the info in EIP-1 about reference implementations: “An optional section that contains a reference/example implementation that people can use to assist in understanding or implementing this specification. This section may be omitted for all EIPs.”

With sufficiently complex standards, the reference implementations would get unwieldy to write in the file. https://github.com/ERC4626-Alliance/ERC-7540-Reference/blob/main/src/ERC7540AsyncRedeemExample.sol was written purely as a reference for ERC-7540 and is over 100 lines of solidity without including the inherited ERC-4626 library which is an additional several hundred lines.

This is a great initiative. At a certain point the reference implementations section is unnecessary. I’d propose doing one of the following:

deprecating the reference implementation section and pushing more towards initiatives like ercref
allowing external links to github with some restrictions such as permissive free licensing, not production implementations
editing EIP-1 and the eip-template to provide more clarity on the goals and parameters of the current reference implementation section. For example can it be pseudocode or inherit an unimplemented additional ERC that is abstracted in the reference.