
Removed gem breaks Rails ActiveStorage

265 points| ldulcic | 5 years ago |github.com

184 comments


wokwokwok|5 years ago

The reason this is happening is not obvious without reading https://github.com/minad/mimemagic/issues/97

> I've historically been the maintainer of shared-mime-info for around 15 years, and script/freedesktop.org.xml looks like it's a copy of the database shipped with shared-mime-info, which is released under the GPL, with shared-mime-info's translators work merged in, and the GPL header removed.

> The license that you're shipping mimemagic under (MIT) isn't compatible with shared-mime-info's.

Seems like quite a reasonable request, even if folk don’t like the results.

..and to be clear, I’m quite sure that rolling back to the commit before the license change does exactly nothing to address the issue.

You don’t magically get your MIT license back by forking before the license change was added, that’s not how it works.

If the previous version contains GPL code, it’s GPL. It doesn’t matter if you slap an MIT license file on it, or used it in “good faith” presuming it was MIT license.

smarx007|5 years ago

One thing I am not sure about is why such a radical action was taken so quickly without thinking carefully first? It's not like a lawsuit was threatened or something. The original request in https://github.com/minad/mimemagic/issues/97 that you linked to was very polite and professional.

1) A time extension to remove the GPLed code could be politely requested. I know that the copyright belongs to all contributors but getting on good terms with the maintainer could be a solid first step. I think just opening a PR with that file deleted (and tests failing) could have been interpreted as a willingness to comply with the request in good faith.

2) A request to relicense the XML file in question under LGPL could have been sent to the original project (could be a problem without CLAs, but still worth a try). Then the library could have been relicensed under LGPL.

3) Gem users could have been notified. Some prominent people from those projects could have helped with (1) and joined a kind request (2) to the original project.

At least that's how we'd (try to) handle it on our project under Eclipse Foundation (though we used to have a GPL code scanning for releases in the first place until very recently) if such a situation arose. Anyway, talking to people first before doing something quickly is often a good idea.

onli|5 years ago

> If the previous version contains GPL code, it’s GPL. It doesn’t matter if you slap an MIT license file on it, or used it in “good faith” presuming it was MIT license.

This depends.

Rails used a gem by a different developer, a gem that had its own MIT license. The Rails project and all others using Rails can not be expected that they ought to have known the license is invalid, so usually the GPL does not count for their usage back then.

You can in general never retroactively change a license, so their usage back then was certainly valid. You can [be forced to] stop using a license and re-license future versions of an artefact, and also possibly have to stop distributing the old versions. But that's on the gem's author, not Rails, and would likely not even impact future usage of the old, already obtained versions.

If the original author wanted to claim damages under GPL from Rails, he would have to do so via the gem's author. And even then: What damages? And would the projects have had to know? None and no is the likely answer, save juridical incompetence/corruption like in the Oracle-API case.

It would further be complicated by the file in question being a database file. You typically can not license databases in a meaningful way under GPL. Even if you could, reading a GPL'd database has no chance of carrying GPL code obligations over to the consuming program.

As always with those questions, this might depend on your specific jurisdiction. Also, it means in no way that it is not the ethically right thing to swap the dependency to one that does not have this issue.

PS: Also consider that in most uses of Rails, GPL or MIT does not change much, as accessing a server running GPL software does not trigger GPL's distribution clause (you want the AGPL for that). This already limits the impact here. The Github thread has comments in the direction of all Rails projects having to be open source now if the license changed to GPL. Not only can the license of old versions not change, this is also not the effect GPL would have.

gedy|5 years ago

I guess this is subjective (though maybe not legally), but this lookup table of extensions to mimetypes doesn't feel like GPL "software". It's just a description of other software's conventions using the GPLed source as a reference: https://github.com/minad/mimemagic/blob/master/lib/mimemagic...

To create a non-GPL version, you would have to do what? Research extensions without letting your eyes see this GPLed list?

hartator|5 years ago

> You don’t magically get your MIT license back by forking before the license change was added, that’s not how it works.

And all RoR apps don't magically become open source because one of the dependencies got contaminated by GPL. It's up to the courts to decide, not parties who don't have standing.

alberth|5 years ago

> "You don’t magically get your MIT license back by forking before the license change"

Am I understanding this correctly? If for example, for 15 years you have an MIT code base with only MIT code. Then yesterday, you add a few lines of GPL code. Then today, you remove 100% of the GPL code you just previously added in order to revert back your codebase to be only MIT code ... it's no longer "MIT"? The GPL has now tainted their entire existing codebase?

rocqua|5 years ago

This is what I personally dislike about GPL it is a viral license, without any 'cure'. Especially the more aggressive licenses feel like a ransom. Either accept gpl, or spend the rest of time trying to quarantine gpl from your projects.

This is a huge unilateral attempt to make FOSS a certain way. And I don't think this kind of unilateral action does anything but set bad blood.

jakelazaroff|5 years ago

IANAL but I don't think it works like that. Using GPL code in non-GPL project doesn't mean your code is automatically licensed under the GPL, it just means you're violating the license of the original code. How that shakes out — whether you have to re-license your project or just remove the offending code — ultimately depends on the two parties and the court system.

spijdar|5 years ago

This is the sort of thing that makes some people really wary of the GPL and other "viral" licenses, and I don't think you can blame them. The "blame" for this falls on someone for throwing in GPL'd code into an MIT project, but the headache drops onto a whole bunch more people down the line. It seems other commenters think this will probably be alright, but I bet this is a lot of corporate type's worst nightmare, that some underling added some segment of GPL code to their product, and now the entire thing is "technically" GPL.

One can only imagine if it was AGPL instead of GPL, and how people would debate if they should send source requests to all the sites running on rails ;-)

judofyr|5 years ago

> but I bet this is a lot of corporate type's worst nightmare, that some underling added some segment of GPL code to their product, and now the entire thing is "technically" GPL.

IANAL, but I'm pretty sure this is _not_ how it works. Your code doesn't magically "become" licensed under GPL if you use GPL code. Your code is now in _violation_ of the GPL and one way of fixing it is to re-license your code. Another way is to eliminate the dependency.

However, if you decide to re-license to GPL then you may still have to pay damages for the time you were violating GPL.

In practice I can't imagine that a court would make anyone pay anything for this incident.

Tomte|5 years ago

> and now the entire thing is "technically" GPL.

The "thing" doesn't become GPL, though.

They are in breach of the license, it's a major headache, and re-licensing the thing as GPL may be one way forward.

That's not an automatism, though, and no court would declare the thing GPL.

You may pay hefty "fictitious" licensing fees and (punitive) damages, you may have to stop distributing your thing, but you're not losing control.

Wowfunhappy|5 years ago

I don’t think this situation is inherently different from buying a proprietary library, and discovering that the vendor stole code from the Windows kernel. Or a musician buying a sample, and discovering it was copied from a Disney movie.

You’re responsible for the stuff you use. You should audit it as well as you can—but realize that crap always happens.

sergiotapia|5 years ago

So what is a good license for "everybody can use this 100% free of charge but please don't change one line and call it yours"? What about a company like Amazon copying your codebase, throwing millions at it and then leaving you in the dust?

MIT seems far too permissible now and I'm looking for a default license for my projects.

dspillett|5 years ago

> This is the sort of thing that makes some people really wary of the GPL and other "viral" licenses

True, though the people most concerned about GPL & related licenses are usually commercial users and commercial licenses that include code access are no less "viral" than the GPL.

tinus_hn|5 years ago

Exactly the same thing happens with non open source, proprietary code which leaks into open projects.

misnome|5 years ago

> makes some people really wary of the GPL and other "viral" licenses

It's worse than that surely - as in this case avoiding GPL doesn't prevent the problem. This sounds like for a medium-paranoid-legal perspective, that it would "prove" that even non-GPL code isn't safe, thus discouraging from usage of any open source software [edit: dependencies]

> One can only imagine if it was AGPL instead of GPL

Right, that seems like the only saving grace that avoids this being a potentially apocalyptic event.

bobbylarrybobby|5 years ago

> the GPL and other "viral" licenses

I really hope someone writes an article with the title "what color is your license?"

teddyh|5 years ago

> GPL and other "viral" licenses

“When others hurt me, I try to defend myself. But some tell me that this makes them sick. They tell me that I should permit people to rob me of my work. They tell me that I should never try to defend myself.

They tell me that I should stop using the GNU General Public License, a license that vaccinates me against hurt. Instead, I should adopt a license that permits other people to rob me with impunity. They want me to adopt a license that forbids me from fighting back. They want me to give up my right to benefit from a derivative of my own work, a right I possess under current copyright law.

Of course, the language is a little less feverish than this. Usually, I myself am not called “infectious”. Rather, the legal defense that I use is called “infectious”. The license I choose is called “viral”.

In every day language, words such as “infect” and “virus” describe disease. The rhetoric is metaphorical. A legal tool is not a disease organism; but it is popular to think of the law as an illness, so the metaphor has impact.

The people who want to rob me use language that says I make them sick when I stop them from robbing me. They do not want to draw attention to the so-called “disease” that makes them ill: my health and my rights, and the health and rights of other people. Instead, they choose metaphor to twist people's thinking. They do not want anyone to think that I am a good citizen for stopping crime. They want the metaphor to fool others into thinking that I am a disease agent.

The GNU General Public License protects me. The connotation of “virus” and “infect” is that my choice of defense gives an illness to those who want to rob me. I want freedom from their robbery; but they want the power to hurt me. They get sick when they cannot hurt me.

To use another health and illness-related metaphor, the GNU General Public License vaccinates me; it protects me from theft.

Note that the theft about which I am talking is entirely legal in some situations: if you license your work under a modified BSD license, or a similar license, then others may legally take your work, make fixes or improvements to it, and forbid you from using that code. I personally dislike this arrangement, but it exists.”

— Robert J. Chassell, Viral Code and Vaccination, https://www.gnu.org/philosophy/vaccination.html

CodesInChaos|5 years ago

1. Is a database like that even copyrightable, especially in the US?

> United States: Uncreative collections of facts are outside of Congressional authority under the Copyright Clause (Article I, § 8, cl. 8) of the United States Constitution, therefore no database right exists in the United States. Originality is the sine qua non of copyright in the United States (see Feist Publications v. Rural Telephone Service). https://en.wikipedia.org/wiki/Database_right#United_States

2. I'm skeptical that using a GPLed database makes this library a derivative work of the GPLed database, though the "distribute as a part of the whole" clause still applies

> These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works

> But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

theta_d|5 years ago

> 1. Is a database like that even copyrightable, especially in the US?

Yes, collections of data are very much copyrightable, especially in the US.

This is not just a list of mime-types. It is a list of mime-types and instructions on how to detect those mime-types.

boleary-gl|5 years ago

Anytime you publish something, it is copyrighted. The data within may not be, but my presentation of it in a certain database certainly is.

cstrahan|5 years ago

This was handled quite poorly -- a different course of action could have avoided all the chaos while also resolving the GPL violation.

As the GPL FAQ states:

> If a programming language interpreter has a license that is incompatible with the GPL, can I run GPL-covered programs on it? (#InterpreterIncompat)

> When the interpreter just interprets a language, the answer is yes. The interpreted program, to the interpreter, is just data; the GPL doesn't restrict what tools you process the program with.

In mimemagic's case, similar logic could apply:

* mimemagic could redistribute the GPL licensed freedesktop.org.xml file. This redistributed file would retain the original GPL license and its terms.

* mimemagic could then read the freedesktop.org.xml file at run time and generate whatever data structures it needs. mimemagic would continue to be MIT licensed without violating the GPL license.

The problem is that mimemagic includes Ruby code generated from the GPL licensed XML file, and it could be argued that this makes part of mimemagic a derivative of a GPL licensed work. They just needed to stop doing that.

Of course I can't point this out to the repository owner now that the repo has been archived and thus commenting is now disabled.

thedanbob|5 years ago

That approach is roughly being taken in this fork: https://github.com/jellybob/mimemagic/issues/1

With the difference that the gem will by default download the XML file at runtime, with the option of using a local copy specified by an environment variable. I guess they are operating under the belief that including any GPL file taints the library, or perhaps they're just playing it safe.
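The run-time loading that cstrahan and this fork describe, as an added example that is not code from mimemagic or the fork: the database stays a separate file named by an environment variable and is parsed into lookup tables on start-up. `MIME_DB_PATH`, `MimeDb` and the sample XML are constructed for illustration, and only plain top-level string matches are handled.

```ruby
require 'rexml/document'

# Hypothetical variable name; it points at a separately installed database file.
MIME_DB_ENV = 'MIME_DB_PATH'

# Constructed sample in the shared-mime-info layout, not the real database.
SAMPLE_DB = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
    <mime-type type="image/png">
      <magic priority="50"><match type="string" value="\211PNG\r\n\032\n" offset="0"/></magic>
      <glob pattern="*.png"/>
    </mime-type>
    <mime-type type="application/pdf">
      <magic priority="50"><match type="string" value="%PDF-" offset="0:1024"/></magic>
      <glob pattern="*.pdf"/>
    </mime-type>
    <mime-type type="image/gif">
      <magic priority="50"><match type="string" value="GIF8" offset="0"/></magic>
      <glob pattern="*.gif"/>
    </mime-type>
  </mime-info>
XML

class MimeDb
  Magic = Struct.new(:type, :priority, :first, :last, :bytes)
  ESCAPES = { 'n' => "\n", 'r' => "\r", 't' => "\t" }.freeze

  # Read the database from the path named in the environment at run time.
  def self.load(env = ENV)
    path = env[MIME_DB_ENV].to_s
    raise ArgumentError, "#{MIME_DB_ENV} is not set" if path.empty?
    new(File.read(path))
  end

  # Turn C-style escapes (\211, \x89, \n) in a match value into raw bytes.
  def self.unescape(value)
    value.b.gsub(/\\(?:x(\h{1,2})|([0-7]{1,3})|(.))/m) do
      m = Regexp.last_match
      if m[1] then m[1].hex.chr
      elsif m[2] then (m[2].oct & 0xff).chr
      else ESCAPES.fetch(m[3], m[3])
      end
    end
  end

  def initialize(xml)
    doc = REXML::Document.new(xml)
    # The file is only data: refuse any document that carries a DTD
    # before reading values from it.
    raise ArgumentError, 'DOCTYPE not allowed' if doc.doctype
    root = doc.root
    raise ArgumentError, 'not a mime-info document' unless root && root.name == 'mime-info'
    @by_ext = {}
    @magics = []
    kids(root, 'mime-type').each { |mt| add_type(mt) }
    @magics.sort_by! { |m| -m.priority }
  end

  def by_extension(filename)
    @by_ext[File.extname(filename).delete_prefix('.').downcase]
  end

  # Identify content from its leading bytes; an offset range means the
  # signature may start anywhere between first and last.
  def by_magic(head)
    head = head.b
    hit = @magics.find do |m|
      (m.first..m.last).any? { |off| head.byteslice(off, m.bytes.bytesize) == m.bytes }
    end
    hit&.type
  end

  # True when the content identifies as one type but the name claims another.
  def mismatch?(filename, head)
    claimed = by_extension(filename)
    actual = by_magic(head)
    !claimed.nil? && !actual.nil? && claimed != actual
  end

  private

  def kids(el, name)
    el.elements.select { |c| c.name == name }
  end

  def add_type(mt)
    type = mt.attributes['type']
    kids(mt, 'glob').each do |g|
      ext = g.attributes['pattern'].to_s[/\A\*\.([A-Za-z0-9]+)\z/, 1]
      @by_ext[ext.downcase] ||= type if ext
    end
    kids(mt, 'magic').each do |mg|
      prio = Integer(mg.attributes['priority'] || '50', 10)
      kids(mg, 'match').each do |m|
        # Nested (AND) rules and masked rules are skipped rather than half-applied.
        next unless m.attributes['type'] == 'string' && m.attributes['mask'].nil? && m.elements.empty?
        first, last = m.attributes['offset'].to_s.split(':').map { |s| Integer(s, 10) }
        next if first.nil?
        @magics << Magic.new(type, prio, first, last || first, MimeDb.unescape(m.attributes['value'].to_s))
      end
    end
  end
end

db = MimeDb.new(SAMPLE_DB)
puts db.mismatch?('avatar.png', "%PDF-1.4\n")
```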

ivanbakel|5 years ago

It's interesting how many commenters on the various issues around the license change seem to think that software licensing is an inconvenience, rather than a serious legal question.

michaelt|5 years ago

Well, when viewed from the perspective of legal realism, a lot of software licensing is a joke.

I'm an open source developer - but even if Oracle had violated my license terms and I had indisputable proof of it, I wouldn't take them to court.

Arguing about the differences between GPL3 and WTFPL in a hypothetical court case is about as meaningful and productive as arguing about the differences between a chainsaw and a katana in a hypothetical zombie apocalypse.

crazypython|5 years ago

Note that using a GPL dependency on servers is always allowed: "except executing it on a computer or modifying a private copy." Most Ruby on Rails projects are executed only on own servers. Smells like flamebait.

Dangeranger|5 years ago

There are projects that redistribute the source code, such as Gitlab, and for those projects this is a significant problem.

CodesInChaos|5 years ago

How does yanking work for rubygems?

In Rust a yanked version can still be downloaded when compiling (you have a lock-file referencing it), but isn't chosen when adding it as a new (transitive) dependency to your application. So yanking shouldn't break any existing applications.

(Though since this is about a copyright violation, a DMCA notice against the package registry could result in a hard removal, and not just a yanked package)

packrat386|5 years ago

A yanked gem won't be downloaded for a `bundle install` or anything of that sort. Aside from a record that it once existed it's basically gone.
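What that yank behaviour means for a build, as an added example that is not part of the thread: every version pinned under `GEM` in `Gemfile.lock` must already exist in a local cache, including gems that are only pulled in transitively. The lockfile and gem names other than mimemagic are constructed, and `vendor/cache` is assumed as the cache directory.

```ruby
# Constructed Gemfile.lock; gem names other than mimemagic are made up.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://git.example.invalid/internal/tooling.git
    revision: 0000000000000000000000000000000000000000
    specs:
      tooling (0.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (2.1.0)
        mimemagic (~> 0.3.2)
      mimemagic (0.3.5)
      nativegem (1.4.0-x86_64-linux)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    examplegem
    tooling!
LOCK

LockedGem = Struct.new(:name, :version) do
  # File name a cached copy of this exact version would have.
  def file_name
    "#{name}-#{version}.gem"
  end
end

# Simplified lockfile reader: collects the resolved specs of GEM sections
# (the ones a registry has to serve) and the names listed under DEPENDENCIES.
def parse_lock(lock_text)
  section = nil
  out = { gems: [], direct: [] }
  lock_text.each_line(chomp: true) do |line|
    if line.match?(/\A[A-Z][A-Z ]*\z/)
      section = line                       # top-level header such as GEM or GIT
    elsif section == 'GEM' && (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\z/))
      out[:gems] << LockedGem.new(m[1], m[2]) # 4 spaces: a pinned spec; 6: its requirements
    elsif section == 'DEPENDENCIES' && (m = line.match(/\A {2}([^\s!(]+)/))
      out[:direct] << m[1]
    end
  end
  out
end

# Pinned registry gems with no cached copy: these are the ones a yank breaks.
def yank_exposure(lock_text, cached_files)
  lock = parse_lock(lock_text)
  lock[:gems].reject { |g| cached_files.include?(g.file_name) }.map do |g|
    { gem: g.name, version: g.version, transitive: !lock[:direct].include?(g.name) }
  end
end

# Same check against files on disk.
def yank_exposure_for(lock_path = 'Gemfile.lock', cache_dir = 'vendor/cache')
  files = Dir.exist?(cache_dir) ? Dir.children(cache_dir) : []
  yank_exposure(File.read(lock_path), files)
end

# Constructed cache listing in which the transitive pin is absent.
p yank_exposure(SAMPLE_LOCK, ['examplegem-2.1.0.gem', 'nativegem-1.4.0-x86_64-linux.gem'])
```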

TomOwens|5 years ago

This just bit me.

The first thing that I noticed was that some people are not understanding the GPL. It's far more impactful to Rails than the vast majority of web applications built using Rails. The use of GPL'd files means that the gem itself has to be released under the GPL. Since the gem is now under the GPL, dependencies are also under the GPL. That would include Rails. However, even if Rails was under the GPL, organizations could still build closed-source web applications using Rails since network access is not distribution. That's the whole point of the AGPL.

However, it does raise a lot of questions about when someone is allowed to yank a gem (or any library, really). It's been a while since I took a deep dive, but I was under the general impression that there was some leeway around not breaking the world when rectifying license issues. I would think that releasing new versions under the correct license and giving everyone notice and time (30 days?) to update would be fine for most copyright holders. I'd suspect that most open source developers wouldn't want to break the world. The sudden yanking with no warning caused builds to fail everywhere.

The absolute worst thing, though, was that changing a license should not be a minor (or a major) version number increase. It should be a patch. The breaking was simply because Rails is pinned to 0.3.x, but the first release under the new license was 0.4.x. Fortunately, the author released a 0.3.6 patch with the correct license, so it's just a matter of a bundle update to get the latest version. But if he hadn't, Rails would have had to release a new version and anyone on legacy/unsupported Rails versions would be hosed if they had to rebuild and redeploy.

This is a really good reason to stand up your own artifact repository and put all of your third-party dependencies in it, especially if you're a business.

Denvercoder9|5 years ago

> The absolute worst thing, though, was that changing a license should not be a minor (or a major) version number increase.

The license didn't change. It was always already GPL, due to the usage of GPL-licensed code, regardless of what the metadata said. The change just made the metadata correctly reflect reality.

[EDIT: I should clarify that technically mimemagic wasn't already GPL, but the only legal way to use it was by satisfying your obligations under the GPL, making it effectively GPL. The author did relicense his own code to be GPL instead of MIT.]

To me it seems like making your downstreams aware of that ASAP is pretty important, since this has important legal implications for them as well. Yanking the old versions and releasing an update with an incompatible version number is a way to do that, albeit one that's quite disruptive.

freedomben|5 years ago

After the "left-pad" fiasco, and a similar event on the Ruby side, I started vendoring my dependencies as standard practice. I have not been sorry yet, in fact I feel vindicated in that approach.

crazypython|5 years ago

> The use of GPL'd files means that the gem itself has to be released under the GPL. Since the gem is now under the GPL, dependencies are also under the GPL.

No, that's not true. You can dual-license dependent software under GPL and MIT. The GPL merely requires a license at least as permissive as it.

toomanybeersies|5 years ago

It's like left-pad all over again.

I wonder how much software will be unbuildable in 10 years time, due to dependencies that can no longer be downloaded. Is there an archive.org for packages?

commandlinefan|5 years ago

At least this dependency makes sense: mime type parsing is nontrivial and something you'd logically want to leverage a library for. I can't comprehend how somebody could ever have said "I need left padding. I wonder if there's a library for that somewhere?"

hu3|5 years ago

This is why I commit vendor directories.

I don't mind if CI ignores it but it's nice to have a fallback that ensures the project is buildable at all times.

sosodev|5 years ago

I really do wonder about the long term sustainability of package systems. The oldest business software, think COBOL, still works because it can still run the way it did when it was created. Will I be able to say the same about my software in 50+ years?

pjmlp|4 years ago

Always vendor software instead of relying on public repositories.

imhoguy|5 years ago

TL;DR

This unfortunate chain of events is rooted in licensing violation: https://github.com/minad/mimemagic/issues/97

Mimemagic got its MIME tables source generated from `freedesktop.org.xml` file, which is licensed under GPL2, and the resulting source was released under permissive MIT license. All mimemagic versions prior to 0.3.6 violated the GPL2 license.

The author of mimemagic couldn't change the pre-0.3.6 versions so they simply deleted them.

Unfortunately "the fix" has broken the dependent projects and such have to either:

1) upgrade to GPL2 compatible mimemagic 0.3.6 or 0.4.0, which conflicts with MIT licensed projects like Rails or

2) build/use other MIME resolving library which has a permissive license or

3) fork mimemagic under MIT and implement dynamic loading of `freedesktop.org.xml` which wouldn't violate the license.

gedy|5 years ago

Since the xml file is not included in the source, and was just a reference for a rb source file's lookup table, it just feels weird that 3 fixes the violation.

misnome|5 years ago

Is there any precedent to what happens, or could happen, if a project changes licence like this in a patch release? Is there any provision for mistakes like this in the GPL, or is everything that has ever used this package now considered "fair game" for classing as GPL and making source requests?

(although I imagine rails being a web framework probably protects anything using rails and only serving the end results publicly, this sounds like the sort of nightmare scenario that would make legal departments nervous about open source)

joshuaissac|5 years ago

GPL licensing of derived works is not automatic. Instead, distributing under incompatible terms is copyright infringement.

It may be possible to remedy this infringement by releasing the source code under the GPL, but it also may not (e.g. source code contains un-relicenceable code from a third-party), in which case the only remedy is to not distribute the program at all.

freedomben|5 years ago

IANAL so take with a grain of salt, but legal action is very rare under the GPL, and it's also expensive. In a case like this also I think it would be a tough case. I wouldn't worry about it, at least not currently.

xucheng|5 years ago

If rails is now considered as GPL because of this dependency, does this mean that GitHub Enterprise is now GPL?

Denvercoder9|5 years ago

Rails isn't considered GPL because of this dependency. It is in violation of the GPL¹, which is copyright infringement. Releasing the violating software under the GPL is one way to stop that infringement, but that's not an automatic legal mechanism.

If a copyright owner decides to pursue a GPL violation, they could get damages² and enforce that the infringement stops (i.e. cease using the GPL-licensed software). It's incredibly unlikely any judge would force anybody to release source code.

¹ Actually, Rails itself isn't even in violation, because the project satisfies all the obligations the GPL imposes. GitHub would be in violation.

² In this case, where infringement wasn't intentional, they'd probably get almost nothing provided that the defendant stopped infringing when they learned of it.

dathinab|5 years ago

> rails is now considered as GPL

no

> mean that GitHub Enterprise is now GPL?

even less so

---

Rails was in a license violating situation, which doesn't make it GPL at all.

Then the outcome of a legal case trying to sue someone who is knowingly using rails which unknowingly pulls in a GPL licensed dependency might be less clean cut as you might think.

Lastly depending on the version of GPL and other factors like non-clean cut interpretations you might be able to argue that a company building a service using rails wouldn't need to make the service GPL even if they use GPL software to do so (if that GPL software is in the backend only!, not if it's in the UI). The reason is that the service is not distributed by them, it stays internally even though it is communicating with a website(html,css,js, not! server side rendering) which was distributed to the user.

rushb|5 years ago

Can someone please explain how it is possible to license a database of such sort in the first place? Pretty much all file types have some documentation on how to identify them by reading specific bytes, it's not like the folks from freedesktop invented those methods. On top of that, having the DB licensed under GPL would mean that every line of it is also under GPL, thus forcing the same GPL to all libraries out there that do even a simple PNG check using a magical byte check?

I'm really curious to understand how this licensing works.

crazypython|5 years ago

Reminder that GPLv3 gives you 30 days to "cure the violation," while the GPLv2 Linus Torvalds prefers immediately creates a copyright violation.

Denvercoder9|5 years ago

Note that GPLv3 still immediately creates a copyright violation. It just states that if you cure the violation within 30 days, the license is reinstated. Under GPLv2 you forfeit your license immediately and in perpetuity if you infringe on it.

protomyth|5 years ago

So, this gem uses the mime database provided by freedesktop.org when the gem could have got the database from http://www.iana.org/assignments/media-types/media-types.xhtm... which wouldn't be GPL? What manipulation is done by freedesktop.org?

devrand|5 years ago

The gem is basically a database of mime type, file extension, and magic bytes. The last two are not included in the linked iana database.

unknown|5 years ago

[deleted]

jahewson|5 years ago

> could a library author claim their old code infringed on copyright to force users to upgrade to a paid version?

Anybody can claim anything. Only the holder of the infringed copyright has standing to sue, so the library author in your example has no power to force anything. They may also be civilly liable for damages to the library users and, if unlicensed code was planted deliberately, then also criminally (extortion).

rubyist5eva|5 years ago

vendor your dependencies people

byroot|5 years ago

Or you know... just cache them.

If your CI or deploys broke because of this, it basically means you're constantly re-installing all your dependencies from scratch, which is totally silly.

Configure your CI & other tools to cache the bundler directory between builds and not only you'll be protected from this, you'll also make your systems faster.

_ZeD_|5 years ago

Please, no.

forgingahead|5 years ago

Outrageous move to just yank the gem and break builds everywhere.

heax|5 years ago

It is not nice, but aside from hobbyists everyone who seriously develops software caches all dependencies in their own repository like nexus etc.

It's similar to backups, if you don't have one your data must be worthless.

freedomben|5 years ago

TLDR: the mimemagic gem was MIT licensed, but an issue was opened where it was reported that mimemagic is using a GPLv2 source file. Legally (IANAL) this forces mimemagic to become GPLv2. The mimemagic gem was changed to GPLv2.

However rails depends on mimemagic, and that means rails needs to be GPLv2, which is obviously a big problem. The discussion around this is taking place in the github repo for rails because mimemagic was archived for some reason (at least temporarily).

verdverm|5 years ago

Looking through the linked comments & issues, it will be interesting to see how many people blindly adopt (forced into) GPL2 license. I wonder how big the R for spreading is? All from an XML file for mimetype info

mooreds|5 years ago

I give my boss a hard time about our dependency management system because it is relatively unknown[0], but licensing is built into it from the ground up. You can't import any dependency (no matter how buried) without assigning a license to it.

This lets us confidently know, via software, the open and closed source licenses in our code base.

Licensing is one of those out of band concerns that doesn't burn you until it does.

0: https://github.com/savant-build/savant-core

Denvercoder9|5 years ago

> You can't import any dependency (no matter how buried) without assigning a license to it.

That wouldn't help here. Mimemagic declared itself to be MIT, and only turned out to be GPL because it embedded a file derived from GPL sources. That file didn't even have a license header specifying it as GPL.

Anyone importing it would mark it as MIT.

EDIT: Mimemagic didn't even turn out to be GPL, it turned out to be infringing on the GPL, and the author solved that by relicensing it to GPL.

Trasmatta|5 years ago

That's a good idea generally, but it wouldn't have saved you from this issue. The gem had an MIT license, and the offending file was copied in, not sourced through a dependency.

majewsky|5 years ago

You're correctly getting downvoted for your thinly-veiled advertisement because it's beside the point. The gem was labeled as "license: MIT" all the time, but that label was just factually wrong. Garbage in, garbage out.

sc00ty|5 years ago

How do you handle transitive dependencies?

Benjamin_Dobell|5 years ago

Technically everyone using Rails right now may be in violation of the GPL. It doesn't matter that the version of the gem being used claims to be MIT, that's not how licensing/copyright works.

Github Enterprise licensees could try hit-up GitHub for source code!

EDIT: License in question is GPL, not Affero GPL. So github.com is not covered. However, Github Enterprise is.

In all likelihood, Github wouldn't comply, as Github Enterprise licensees have no such license/clause in effect with Github. It'd then be down to the shared-mime-info's copyright holders to take the matter to court.

Would be an interesting court case.

Some people in the Github issue commented that the XML "database" in question could be used under fair use. That'd be the logical defense. There's been many court cases where the "copyrighted material" is a representation of facts, as opposed to a "creative work", and thus has not been eligible for copyright protection.

It's probably also worth noting that "ignorance" is rarely an accepted defense in court.

crazypython|5 years ago

> everyone using Rails right now is in violation of the GPL.

Not if your use of Rails is limited to your own/your company's own servers, which I imagine most Rails users are. Please don't fall for the flamebait.

If they were using GPLv3, they would have an entire month (30 days) to cure the violation.

GitHub Enterprise is in violation as it is distributed to third-parties.