Would AGPL/GPL licensing require secret files (e.g. `.env`) to be source available?

Following on from "Dual Licensing: GPL, Unlicense", I am considering licensing my dotfile ecosystem project, Dorothy, under the following terms:

Dorothy is licensed under GNU Affero General Public License v3.0. This means your modifications to Dorothy will also become AGPLv3 licensed.

If you are a sponsor, Dorothy is also licensed to you under The Unlicense while your sponsorship is active. This means while you are a sponsor, you have an irrevocable public domain grant into perpetuity for the commits you cloned.

Copyright © 2013+ Benjamin Lupton

That said, it is common for users of the project to contain private configuration files in their user configuration, such as my own which are public but encrypted:

dotfiles/config.local at master · balupton/dotfiles · GitHub

Would GPL/AGPL licensing require people to make the source code available for their configuration repositories (which are separate to the Dorothy repo), including sensitive configuration files?

I can’t give free legal advice here and stand behind it.

With that in mind, two general thoughts:

That is not technically correct. It’s not making changes or further work that triggers the requirement to share alike. It’s sharing those changes or further work with others outside your company. That’s the rule of GPL. AGPL goes further in saying that making your changed version available to others as a service also triggers a requirement to share alike.

If you’re talking about dotfiles, I imagine the primary business use case doesn’t involve sharing copies outside companies. Dotfiles aren’t network services, so the extra rule in AGPL probably doesn’t matter, either.

If you give some user a choice between permissive and copyleft, and the permissive license allows them to share with others under the same permissive terms, that user can make your copyleft license irrelevant just by sharing online under the permissive terms.

You can try to rely on sponsors not to do that. But they are arguably within their rights to do it.

Asserting copyright in something and dedicating it to the public domain are opposites. You cannot do both.

If a copyright owner successfully dedicates work to the public domain, that effectively destroys copyright in it. Without copyright, they have no basis to enforce any copyright license terms on the work. You may have heard “no copyright, no copyleft”. But the same problem could stop enforcement of an attribution requirement under an MIT- or BSD-style permissive license, too.

If it’s truly in the public domain, nobody needs a license for it.


The duality seems good enough; a feature not a bug.

Still seems that sharing one’s configuration in a public repo would trigger the requirement to make the source of any encrypted or private files used in the repository public too.