Indeed, that's what the AGPL is for.

AGPL only changes things if you give access to your software over the internet. If you're just using the software internally (e.g. it's used in the corporate SSO solution for access to an internal wiki) than no OSS license will force you to publish the code.

Furthermore, if I contract a company to build a service which I will run internally, and they use (A)GPL software in this service that they are building for my internal use, neither I nor the company probably have any requirement to publish the source code to anyone, perhaps except that the contractor may have to provide me with the source code if this was not otherwise stipulated. But you don't have any right to see the code that they modified for me, even if you are the initial author of that code.

> perhaps except that the contractor may have to provide me with the source code if this was not otherwise stipulated.

They wouldn't have the right to otherwise stipulate. The contractor can't change the license to the software without losing the license to the software. Even if they were distributing a modified version to a single customer, that customer would have the right to the source. That customer, using it internally, wouldn't have the obligation to distribute any of the source or changes but they would have the right to.

Otherwise, you could just sell software as a "contractor" in name only to any number of customers, and effectively relicense it with "stipulations."

Yes, I agree with everything you say. What I meant with that phrase was the opposite - I was thinking that for software subcontracting it is somewhat common to explicitly stipulate that the source code of what is being built belongs to the client. I meant that the (A)GPL would give you the right to the source even if the there were no other stipulations to give you that right to other source code.

AGPL does not seem to apply only over the internet. It is a network. That could be a USB cable or WiFi or a serial cable, possibly even a SATA port.

I don't believe this has everything been tested in court, but I fail to imagine how a USB cable or SATA constitutes a network. Wifi, sure. If you have an IPX or TokenRing or an ISO/OSI network, then sure.

Either way, the more relevant part here is the use inside an internal organization.

It's about intent. If the customer is communicating with you then it's "supposed" to count. This is important, because it covers devices that you talk to to use.

Per the literal text of the AGPL, it's about providing a service over a network via a protocol. So if it's a SATA device the network is peer to peer and the protocol is SATA. I have no reason to believe a real test of the AGPL would be so restrictive.

True. Though I am very curios if there is anyone offering services to 3rd parties over SATA or USB.

The service you are offering is SATA compliance for storage, or USB (sub)protocol compliance for one of myriad reasons. E.g. I have projects where the main interface is USB or CAN bus. I expect the AGPL to apply. I mention this explicitly when discussing the license as well just to be airtight, but it's my belief it is already.

Did Orange then "distribute" the library to users as part of deploying this authentication service, or was this purely internal, SaaS use? If the latter, it makes sense that the counterfeiting claims were dismissed, since these only arise when the software is "distributed".