Enterprise repo: licensing

[matt.]

Please note: This is not a question of money, but a question of freedom in terms of licensing.

I'm investigating to use Proxmox VE for our hosting business (e.g. selling VPS). Since our company only uses software that is released under a FLOSS software license without exception, I stumbled over the "enterprise repository" during the first minutes of my research.

I understand that the enterprise repo is optional and the community edition repo "generally works", however the Proxmox website states: "As the name suggests, you do not need a subscription key to access this (Proxmox VE No-Subscription Repository) repository. It can be used for testing and non-production use. Its not recommended to run on production servers, as these packages are not always heavily tested and validated." [source: https://pve.proxmox.com/wiki/Subscriptions]

• To me, this boils down to: Don't use PVE without the subscription in an environment that is sensitive to service interruptions.
  Am I correct with that assumption?
  Secondary issue: Is there any known ISP that, successfully, runs the PVE community edition and why did they opt into doing that?

• More importantly, since I didn't find detailed answers about this: how and where are the sources for any for the four different PVE subcriptions [source: https://www.proxmox.com/en/proxmox-ve/pricing] released and what is the license of the software included in these subscription models?

 

[dietmar]

Support services and licensing is something different. We use AGPL3 license for our software, and you can find the sources at https://git.proxmox.com

 

[matt.]

Thanks for the answer. I mean no personal disrespect and I'm only interested in being compliant to our companies values on FLOSS. but this answer seems tight-lipped and unspecific given you're a representative of Proxmox.

Support services and licensing are something different, however it seems that there is some strange entanglement between those two in PVE. For example, I did not find instructions how to build the binaries that are offered in the subscription models. So how can I make sure that if I attempt to build the software myself, I'll get the same results as the binaries distributed by you?

If there is now shared knowledge about how to build software, there must be some kind of build gurus working at Proxmox. If that's the case let me say that centralization in this way potentially endangers GPL/AGPL compliance, which requires you to provide build scripts.
Does that exist?
Where do I find more information about it?

Thanks in advance for clarification.

 

[dietmar]

Thanks for the answer. I mean no personal disrespect and I'm only interested in being compliant to our companies values on FLOSS. but this answer seems tight-lipped and unspecific given you're a representative of Proxmox.

Really? I thought you asked about the License and if we are FLOSS. I have done my best to answer that correctly.

Support services and licensing are something different, however it seems that there is some strange entanglement between those two in PVE. For example, I did not find instructions how to build the binaries that are offered in the subscription models. So how can I make sure that if I attempt to build the software myself, I'll get the same results as the binaries distributed by you?

Packages contains a SOURCE file inside the debian doc directory, pointing to the exact git repository version. All git repositories contains Makefiles to build the packages. That way you can rebuild the binaries yourself.

 

[LnxBil]

Since our company only uses software that is released under a FLOSS software license without exception ...

I believe that your company tries this and it is honorable and fine, but that is most certainly not possible. The kernel contains some binary blobs of firmware e.g. microcode updates for cpus that are not FLOSS. If you really want to run FLOSS, you need to have FLOSS hardware, too. It is nearly impossible to run Debian on a current Server without having at least one non-FLOSS blob of code loaded for e.g. RAID controller, network, fiber channel, gpu or even cpu.

Besides the licensing stuff, every GIT repository of PVE I looked at has the ordinary Debian package structure so that you can do the same stuff that you'll do to a normal Debian GIT repository ... build it with Debian build chain. I'm unaware that Proxmox is participating in a reproducible builds movement that Debian has committed to, but maybe @dietmar can shed lights on this.

 

[matt.]

I believe that your company tries this and it is honorable and fine, but that is most certainly not possible. The kernel contains some binary blobs of firmware e.g. microcode updates for cpus that are not FLOSS. If you really want to run FLOSS, you need to have FLOSS hardware, too. It is nearly impossible to run Debian on a current Server without having at least one non-FLOSS blob of code loaded for e.g. RAID controller, network, fiber channel, gpu or even cpu..

Thanks for your input! What you say is actually not correct though: Linux and other software distributed by Debian does only contain DFSG-compliant packages which is analogue to FLOSS. For Debian to use non-free software, you'd have to use the contrib and non-free repositories. In fact, Debian would even be recommended by the FSF if they wouldn't give instructions how to use non-free software in their distro.

Regarding the CPU microcode you'd have to distinguish between the actual microcode and microcode updates. I agree to FSF's stance on microcode blobs for the most part (which they regard as a non-issue): "The exception applies to software delivered inside auxiliary and low-level processors and FPGAs, within which software installation is not intended after the user obtains the product. This can include, for instance, microcode inside a processor, firmware built into an I/O device, or the gate pattern of an FPGA. The software in such secondary processors does not count as product software." Of course it would be most ideal is there were no binary software in modern CPUs at all, to my knowledge that's almost impossible though because CPUs are too complex. POWER9 comes very close to the ideals of the FLOSS community.

We only use hardware that can run without microcode updates, so we don't need it and it's a non-issue.

We don't need graphics that require proprietary firmware/drivers.

We don't need FLOSS hardware to fun a project that only runs with FLOSS software. It would be best, sure, but that's a very small niche (which we also serve, e.g. with the Libretea/EOMA68, which is made of a free/libre hardware design but has very poor performance).
If we'd think like this we wouldn't achieve anything. Every router that transports our packets had to be FLOSS as well if you think all the way. Not going to happen. We're taking an approach that is already hard enough to accomplish: 100% free/libre software and as secure as possible, e.g. no boot firmware backdoors (IME), no microcode updates, no proprietary UEFI/BIOS and no proprietary out-of-band-management or storage controller firmware/drivers.

Besides the licensing stuff, every GIT repository of PVE I looked at has the ordinary Debian package structure so that you can do the same stuff that you'll do to a normal Debian GIT repository ... build it with Debian build chain. I'm unaware that Proxmox is participating in a reproducible builds movement that Debian has committed to, but maybe @dietmar can shed lights on this.

Yes, that would be very interesting indeed!