
SoylentNews is people

posted by martyb on Thursday March 25 2021, @10:57AM
from the check-for-dependencies-of-dependencies dept.

A 15-year-old XML file created a stir in the Ruby on Rails world today as it was discovered that freedesktop.org.xml, which is GPL 2 licensed, was included improperly in the mimemagic project, which was MIT licensed. The author accepted this notification as valid, pulled prior versions, and switched licenses, but as this was a dependency of Rails it promptly got the attention of programmers worldwide who rely on the Rails gem for their applications.

Since Rails itself is MIT licensed this makes for a difficult day of sorting out licensing options for many people.



Related Stories

Backdoor in Public Repository Used New Form of Attack to Target Big Firms

Backdoor in public repository used new form of attack to target big firms:

A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients' resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.

[...] A few weeks later, a different researcher uncovered evidence that showed that Amazon, Slack, Lyft, Zillow, and other companies had been targeted in attacks that used the same technique. The release of more than 200 malicious packages into the wild indicated the attack Birsan devised appealed to real-world threat actors.

Dependency confusion exploits companies' reliance on open source code available from repositories such as NPM, PyPI, or RubyGems. In some cases, the company software will automatically connect to these sources to retrieve the code libraries required for the application to function. Other times, developers store these so-called dependencies internally. As the name suggests, dependency confusion works by tricking a target into downloading the library from the wrong place—a public source rather than an internal one.

To pull this off, hackers scour JavaScript code, accidentally published internal packages, and other sources to discover the names of internally stored code dependencies by the targeted organization. The hackers then create a malicious dependency and host it on one of the public repositories. By giving the malicious package the same name as the internal one and using a higher version number, some targets will automatically download it and update the software. With that, the hackers have succeeded in infecting the software supply chain the targets rely on and getting the target or its users to run malicious code.

Previously:
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google
Dependency Yanked Over Licensing Mishap Breaks Rails Worldwide
More Than 75% of All Vulnerabilities Reside in Indirect Dependencies
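
The resolution behaviour described in the excerpt above, as an added example (not code from the quoted article or from any project): a simplified Ruby model of "highest version wins across all sources", with an audit that flags internal packages left unpinned and the fix of pinning them to the internal source. All gem names, versions and URLs are constructed, and the resolver is a deliberately simplified model, not Bundler's actual algorithm.

```ruby
require "rubygems" # Gem::Version gives correct version ordering

# Constructed sample data: every name, version and URL here is hypothetical.
INTERNAL_SOURCE = "https://gems.internal.example"
PUBLIC_SOURCE   = "https://public-index.example"

INDEXES = {
  INTERNAL_SOURCE => { "acme-billing" => %w[1.2.0 1.3.1], "acme-auth" => %w[2.0.0] },
  PUBLIC_SOURCE   => { "acme-billing" => %w[99.0.0], "rack" => %w[2.2.3] }
}.freeze

# Dependency manifest. A nil source means "ask every configured source".
MANIFEST = [
  { name: "acme-billing", source: nil },
  { name: "acme-auth",    source: INTERNAL_SOURCE },
  { name: "rack",         source: nil }
].freeze

INTERNAL_NAMES = INDEXES[INTERNAL_SOURCE].keys.freeze

# Simplified resolver: an unpinned dependency is looked up on every index
# and the highest version wins, regardless of which index offered it.
def resolve(dep, indexes)
  sources = dep[:source] ? [dep[:source]] : indexes.keys
  candidates = sources.flat_map do |src|
    versions = indexes.fetch(src, {})[dep[:name]] || []
    versions.map { |v| { source: src, version: Gem::Version.new(v) } }
  end
  candidates.max_by { |c| c[:version] }
end

# Audit: for each internal package, report a missing source pin and
# report when resolution would fetch it from a non-internal source.
def audit(manifest, indexes, internal_names, internal_source)
  manifest.each_with_object([]) do |dep, findings|
    next unless internal_names.include?(dep[:name])

    findings << { name: dep[:name], issue: :unpinned_source } if dep[:source].nil?

    picked = resolve(dep, indexes)
    next if picked.nil? || picked[:source] == internal_source

    findings << { name: dep[:name], issue: :resolves_to_foreign_source,
                  source: picked[:source], version: picked[:version].to_s }
  end
end

# Monitoring check that stays useful after pinning: internal names that
# someone has also published on a non-internal index.
def public_collisions(indexes, internal_names, internal_source)
  indexes.reject { |src, _| src == internal_source }
         .flat_map { |_, gems| gems.keys }
         .select { |name| internal_names.include?(name) }
         .uniq
end

# Mitigation: pin every internal name to the internal source.
def pin_internal(manifest, internal_names, internal_source)
  manifest.map do |dep|
    internal_names.include?(dep[:name]) ? dep.merge(source: internal_source) : dep
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before pinning:"
  audit(MANIFEST, INDEXES, INTERNAL_NAMES, INTERNAL_SOURCE).each { |f| puts "  #{f}" }

  pinned = pin_internal(MANIFEST, INTERNAL_NAMES, INTERNAL_SOURCE)
  puts "after pinning: #{audit(pinned, INDEXES, INTERNAL_NAMES, INTERNAL_SOURCE).length} findings"
  puts "public name collisions: #{public_collisions(INDEXES, INTERNAL_NAMES, INTERNAL_SOURCE)}"
end
```
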



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0, Touché) by Anonymous Coward on Thursday March 25 2021, @01:07PM (16 children)

    by Anonymous Coward on Thursday March 25 2021, @01:07PM (#1128764)

    Viral, makes things sick. Then again, derailing rails might be a good thing if only to get people to consider alternatives.

    • (Score: 5, Informative) by Anonymous Coward on Thursday March 25 2021, @03:10PM (14 children)

      by Anonymous Coward on Thursday March 25 2021, @03:10PM (#1128801)

      The license is viral. But the fault is not with GPL, it's with people that take others' work and publish as their own work under a different license hoping no one will find out. The infection happens as consequence of copyright infringement, not accidentally drive-by GPL'ing.

      • (Score: 0, Interesting) by Anonymous Coward on Thursday March 25 2021, @03:41PM (5 children)

        by Anonymous Coward on Thursday March 25 2021, @03:41PM (#1128814)

        The problem is strictly with the GPL. Nobody is taking truly freely licensed code such as MIT or BSD and “claiming it as their own.”

        They’re free to use the code in ways the GPL prohibits, because the GPL has fewer freedoms. The GPL was never intended to be a free licence - hence Stallman’s “Gnu Manifesto.” Wannabe control freaks issue manifestos. Stallman wanted to force users to conform to his ideals. He failed, and it’s way past time to abandon the GPL, Gnu, and the FSF.

        Because that’s what’s happening anyway. Or did you miss the petition demanding the whole FSF board be dismissed? Bunch of navel-gazing cronies who produce nothing of value unless you count calls to make Windows 7 open source (something everyone knows is impossible because Microsoft licenses code from 3rd parties) as “valuable.” They knew it was legally impossible, they were trolling to raise their profile and increase donations. You’ve been had.

        IBM controls Linux via owning RedHat. This explains systemd. And the continuing dominance of the shit UI called GNOME.

        You’ve been pOwned. And since IBM doesn’t care about the desktop or non-corporate users, the packages available to most users are going to be more and more best characterized as abandonware. Nobody’s going to put serious money into user programs. Even Mozilla cut back by firing all the Firefox developers.

        The app stores are doing almost 100 billion a year. People are still earning a living developing for the Windows and OSX desktops, instead of or alongside SaaS. The only money developers get for Linux is SaaS. And that’s the domain of advertising, because that’s where the money comes from -advertising.

        There are truly free systems available - FreeBSD is one, and will soon be (if it isn’t already) possible to have it completely gnu-free.

        • (Score: 1, Informative) by Anonymous Coward on Thursday March 25 2021, @04:00PM (3 children)

          by Anonymous Coward on Thursday March 25 2021, @04:00PM (#1128822)

          The BSDs need better or same hardware support to take over Linux...

          • (Score: 1, Interesting) by Anonymous Coward on Thursday March 25 2021, @04:33PM (2 children)

            by Anonymous Coward on Thursday March 25 2021, @04:33PM (#1128848)
            There’s one BSD-based OS that is way ahead of Linux on the desktop. Can you guess? Hint - it’s #2 in terms of market share. And it’s a real Unix. Not “Unix-ish.”
            • (Score: 3, Informative) by Mojibake Tengu on Thursday March 25 2021, @05:29PM (1 child)

              by Mojibake Tengu (8598) on Thursday March 25 2021, @05:29PM (#1128865) Journal

              If you mean MacOS, then you should know the BSD layer in it is already deprecated, for years. No future for true syscalls, for one example. It's only a matter of time before complete demolition.

              Look what iOS is now, users cannot stop or even control processes. This is where Apple is heading fast by intention.

              --
              Respect Authorities. Know your social status. Woke responsibly.
              • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @06:20PM

                by Anonymous Coward on Thursday March 25 2021, @06:20PM (#1128891)

                It's still the BSD layer that panics mostly for me.

        • (Score: 1, Interesting) by Anonymous Coward on Friday March 26 2021, @12:38AM

          by Anonymous Coward on Friday March 26 2021, @12:38AM (#1129109)

          BSD source can become binary only, with a pretty sticker mentioning from where the code comes. GPL source will never go that way, if you get binaries, you must be able to also get source.

          Which is more free? BSD of course, because the corporations are free to bitch slap you. /s And you seem happy they do.

          No, code under GPL is more free for everyone... and also capitalistic. If you do not like GPL, you negotiate an alternative licensing deal. Probably by means of transfer of capital.

      • (Score: 2) by Rosco P. Coltrane on Thursday March 25 2021, @04:07PM (3 children)

        by Rosco P. Coltrane (4757) on Thursday March 25 2021, @04:07PM (#1128827)

        On the other hand, you gotta love it when something technically works, and then it doesn't work because of fucking license issues.

        Human beings are real skillful at creating artificial problems for themselves...

        • (Score: 2) by FatPhil on Thursday March 25 2021, @04:41PM (2 children)

          by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday March 25 2021, @04:41PM (#1128850) Homepage
          And the person who made it not work is the guy who stripped off the GPL licence, and incorporated the work of others in his project passing it off as his own. Fortunately it's an easy fix, he just has to own his mistake.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by sjames on Friday March 26 2021, @03:25AM (1 child)

            by sjames (2882) on Friday March 26 2021, @03:25AM (#1129176) Journal

            He owned his mistake within hours of being notified and he cured the breach of the GPL immediately.

            Now it's up to Rails to adjust accordingly.

      • (Score: 2) by FatPhil on Thursday March 25 2021, @04:36PM (3 children)

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday March 25 2021, @04:36PM (#1128849) Homepage
        Absolutely. +1 informative.

        For those too lazy to follow the links:
        "... script/freedesktop.org.xml looks like it's a copy of the database shipped with shared-mime-info [... with] the GPL header removed."

        There's no way out of that hole, the guy who did that initially was either a fraudster or a total ignoramus. Maybe both.

        Thank you, GPL supporters, for uncovering this fraud!
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by KilroySmith on Thursday March 25 2021, @06:42PM (1 child)

          by KilroySmith (2113) on Thursday March 25 2021, @06:42PM (#1128905)

          A bit more complicated than that, from the same FA:
          "It was stripped in release tarballs by the tool used to merge translations, but is visible in the .in version of the same file."

        • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @09:51PM

          by Anonymous Coward on Thursday March 25 2021, @09:51PM (#1129010)

          There's no way out of that hole, the guy who did that initially was either a fraudster or a total ignoramus. Maybe both.

          Or Microsoft...

    • (Score: 2) by maxwell demon on Friday March 26 2021, @08:25AM

      by maxwell demon (1608) on Friday March 26 2021, @08:25AM (#1129283) Journal

      What do you think would have happened if the file had instead been under a proprietary license? Basically the same, except that possibly every user would now be sued for money by the copyright owner.

      So this is not about the GPL being viral, this is about a library author doing copyright infringement, and that being found out only after this library has been in heavy use.

      Note that this is independent of whether the file should have been under the GPL in the first place; I'm firmly convinced that it shouldn't. The GPL is made for programs; the file in question, on the other hand, is just a compilation of publicly available data in XML format. It's IMHO not what the GPL was made for.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 4, Interesting) by pendorbound on Thursday March 25 2021, @01:19PM (14 children)

    by pendorbound (2688) on Thursday March 25 2021, @01:19PM (#1128766) Homepage

    Does anyone know of a compiled list anywhere of, “externally hosted dependency bites projects” kind of reports? Currently dealing with coworkers being okay with relying on external NuGet repos when we’ve had 100% internally mirrored Java deps for about 10 years. I’d love to back a dump truck full of receipts up to the argument and shout, “This is why!” as I spike the mic and walk out...

    • (Score: 2) by Immerman on Thursday March 25 2021, @02:40PM (13 children)

      by Immerman (3985) on Thursday March 25 2021, @02:40PM (#1128793)

      Of course in this case, and many others, that internally mirrored dependency would mean that you were now knowingly engaging in copyright infringement, and thus vulnerable for triple damages, etc.

      Though it would at least mean that you had control over when your software shuts down, and could maybe replace the offending library before anyone came after you.

      • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @02:57PM

        by Anonymous Coward on Thursday March 25 2021, @02:57PM (#1128796)

        Let's be realistic. Who is going to chase you down? It's not Microsoft software. Realistically, hosting your own buys you time to continue until "the community" comes up with some sort of "fix."

      • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @03:54PM (11 children)

        by Anonymous Coward on Thursday March 25 2021, @03:54PM (#1128820)
        Where do you get this triple damages bullshit from? If copyright is not registered, you can only claim ACTUAL damages, which in most cases is nothing because you didn’t charge for the software. In the case of registered copyright, its limited to a maximum of $150,000 in statutory damages, but a judge will set it to less because $150,000 is grossly inequitable. There’s nowhere in the statutes that specify “triple damages “, and in the case of software that is given away for free, triple damages is still zero. So you have to go by damages to reputation and the costs involved for legal action and maybe die punitive or moral damages. So you win, the lawyers get most or all the money. Same as always.
        • (Score: 2) by Immerman on Thursday March 25 2021, @04:24PM (10 children)

          by Immerman (3985) on Thursday March 25 2021, @04:24PM (#1128838)

          Hmmm... it seems you might be right. Possibly I was thinking of *patent* infringement, which is legally unrelated.

          Still, it becomes willful infringement, and continuing to infringe once a case is brought against you is unlikely to go well for you. You'd also better hope your business doesn't depend on distributing that software, since that $150,000 maximum is *per instance*

          Also, GPL software is NOT given away for free - it's traded for consideration in the form of any source code you write that incorporates it. And that's been held up in *every single case* that's ever gone to court - the license is very simple and explicit, with no wiggle room even for extremely competent and well-funded legal teams like those of Microsoft's sock puppet SCO. Though the copyright holders are usually quite reasonable and willing to settle for the removal of the infringing code, usually not even demanding the release of the source code they are legally entitled to, much less any statutory damages.

          Though it does bear mentioning that if you're talking about GPL 2 licensed code used in-house, you are not infringing by using it within proprietary software, provided you have never distributed that software. Even if the person you got it from *was* infringing by distributing it integrated into incompatibly licensed code. GPL 3 removes most of such "loopholes" though.

          • (Score: 2) by FatPhil on Thursday March 25 2021, @05:08PM (9 children)

            by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Thursday March 25 2021, @05:08PM (#1128857) Homepage
            > Also, GPL software is NOT given away for free - it's traded for consideration in the form of any source code you write that incorporates it. And that's been held up in *every single case* that's ever gone to court

            [citation needed]

            AFAIK, consideration's never been under discussion, as, in the GPL-2 example you mention, it simply doesn't exist.
            And secondly, on the matter of whether the GPL's even a contract (which would be the only context in which consideration would be relevant), that hasn't been held up in court in the high profile cases that I remember. The most high profile one, Hancom, merely came to the conclusion that a contract *might* exist. Might, not do. UFOs might exist. Sterile neutrinos might exist. These sentences in no way declare that the antecedents do exist, merely affirm that non-existence has not been proved.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
            • (Score: 2) by Immerman on Thursday March 25 2021, @05:31PM (1 child)

              by Immerman (3985) on Thursday March 25 2021, @05:31PM (#1128867)

              If there was no agreement for consideration given (in the legal sense), then you have no contract, and the GPL would be unenforceable (as I recall, IANAL, etc). You want specific references, dig through the legal documents yourself, you wouldn't believe me anyway.

              Hancom? Never heard of the case, can't have been a big one. The defining case for GPL validity was IBM versus SCO (as funded by Microsoft) in attempting to prove that Linux was guilty of violating Unix copyrights. The battle raged for years, with SCO's high-dollar legal team leveling every attack they could dream up against the GPL.

              Groklaw.org is still available to browse, and went into exhaustive detail analyzing pretty much every document filed and argument made in the longest, most well-funded, and most vigorously fought GPL battle in history, in terms most anyone can understand. It's widely believed their analysis may even have helped determine the outcome of the trial as they did a wonderful job of translating both legal and technical concepts into something the other side could clearly understand.

              And yes, that case well established the GPL's validity as both a license and a contract. There are no doubt less lengthy cases that decided it as well, but never before or since has the GPL come under such a masterful attack - and it emerged unscathed in every respect.

              • (Score: 2) by FatPhil on Friday March 26 2021, @08:57AM

                Dude, if you're looking at ancient cases, you'll get out of date information. This is a brand new field, legally, and we're only starting to discover what properties it has.
                --
                Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
            • (Score: 4, Informative) by pendorbound on Thursday March 25 2021, @11:28PM (1 child)

              by pendorbound (2688) on Thursday March 25 2021, @11:28PM (#1129071) Homepage

              The GPL is not and never has been a contract. It’s a grant of copyright license. Exchange of valuable consideration only applies to contract law. A copyright license grants you permission to use a copyrighted work if and only if you accept all terms that the grant is contingent on. If you don’t accept the terms, you don’t get a license and can’t use the work. No exchange of consideration is needed. The license is take it or leave it. Accept the terms or don’t use the work. Violate the terms and use the work anyways, and you’re infringing the copyright.

            • (Score: 0) by Anonymous Coward on Friday March 26 2021, @01:01AM (2 children)

              by Anonymous Coward on Friday March 26 2021, @01:01AM (#1129115)

              NeXT created Objective C compiler based on GCC, so FSF contacted them. After checking with their lawyers, NeXT provided the code, instead of going to court. The lawyer's advice was that they would lose with high probability.

              GPLv3 and AGPL are even more strict about not sharing back... which explains why corporations avoid them and are so in love with BSD, MIT and similar licenses. They keep all the control, and share anything as PR stunts, but can close for any reason. macos only ships the last bash that was GPLv2, for example, as the copyright is not theirs. Latest Sony consoles run BSD code written by someone else... and no source given at all.

              • (Score: 0) by Anonymous Coward on Friday March 26 2021, @01:29AM (1 child)

                by Anonymous Coward on Friday March 26 2021, @01:29AM (#1129124)

                Doesn't this just show that (except maybe for the Linux OS), we don't actually NEED GPL software? We can do without it just fine. GPL is no threat if you have truly free alternatives.

                • (Score: 3, Informative) by maxwell demon on Friday March 26 2021, @08:45AM

                  by maxwell demon (1608) on Friday March 26 2021, @08:45AM (#1129288) Journal

                  Doesn't this just show that (except maybe for the Linux OS), we don't actually NEED GPL software?

                  Define “need”. That verb only makes sense if connected to a goal; what is the goal you are thinking of?

                  --
                  The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by maxwell demon on Friday March 26 2021, @08:37AM (1 child)

              by maxwell demon (1608) on Friday March 26 2021, @08:37AM (#1129285) Journal

              Under copyright law, you are not entitled to use the copyrighted code at all unless you've obtained a valid license. And if the only valid license is the GPL, it's either accept the conditions of the GPL or don't use the code at all.

              Were the GPL found to be invalid, that would not mean that you're now allowed to use the code any way you like; rather it would mean that you are no longer allowed to use the code at all unless you obtain a new, valid license.

              In any case, using the code against the rules of the GPL is a copyright violation unless you obtained a valid license to do so from the copyright owner. That holds whether or not the GPL is actually a valid license.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by FatPhil on Friday March 26 2021, @08:46AM

                The above is all correct and well known. I'm not sure how it's a response to my post, as it neither contradicts nor expands upon any of the particular points in mine.
                --
                Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @02:12PM (1 child)

    by Anonymous Coward on Thursday March 25 2021, @02:12PM (#1128774)

    packages for other languages also bundled the file and are also working toward compliance

    • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @02:36PM

      by Anonymous Coward on Thursday March 25 2021, @02:36PM (#1128791)

      for the most part the fix is easy on real operating systems, just load the version of the file already installed via the package manager

  • (Score: 2, Insightful) by Anonymous Coward on Thursday March 25 2021, @02:14PM (1 child)

    by Anonymous Coward on Thursday March 25 2021, @02:14PM (#1128780)

    If the morons used proper languages instead of stitching together bits and pieces of other people's work that they don't control, this wouldn't have been a story.

    • (Score: 3, Insightful) by Anonymous Coward on Thursday March 25 2021, @03:01PM

      by Anonymous Coward on Thursday March 25 2021, @03:01PM (#1128797)

      What you see is the result of allowing large numbers of people to enter the computer programming field. In any large population, the bell curve applies. Most people are going to be only as good as the average Joe off the street.

  • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @03:03PM (2 children)

    by Anonymous Coward on Thursday March 25 2021, @03:03PM (#1128798)

    Who still uses that? It's a sure sign of an amateurish project.

    • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @03:14PM (1 child)

      by Anonymous Coward on Thursday March 25 2021, @03:14PM (#1128803)

      So what's the current "professional" python framework?

      • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @03:44PM

        by Anonymous Coward on Thursday March 25 2021, @03:44PM (#1128815)
        The same types who use Ruby and Rails? Which is not a compliment.
  • (Score: 2, Insightful) by ilsa on Thursday March 25 2021, @03:48PM (3 children)

    by ilsa (6082) Subscriber Badge on Thursday March 25 2021, @03:48PM (#1128818)

    Why in the world would something like this be a core dependency of an entire language?

    This is yet another example of how stupid it is to bundle libraries into a language as if they were one big product. First Java did it, and then most others blindly followed suit because they would rather copy something popular than use good sense.

    There should _always_ be a separation between the core language and the libraries that language uses.

    • (Score: 3, Informative) by beernutz on Thursday March 25 2021, @04:11PM

      by beernutz (4365) on Thursday March 25 2021, @04:11PM (#1128829)

      It is NOT part of the language. Rails is not a language. Rails is a framework built around RUBY (which is a language).

    • (Score: 2) by istartedi on Thursday March 25 2021, @09:56PM

      by istartedi (123) on Thursday March 25 2021, @09:56PM (#1129015) Journal

      I don't see anything wrong with specifying libraries as part of the language as long as all the spec'd libraries ship with the implementation. It's the fact that the library is hosted by a 3rd party and under a license that's different causing problems here. If the libraries were shipped with the language, that wouldn't happen.

      --
      Appended to the end of comments you post. Max: 120 chars.
    • (Score: 0) by Anonymous Coward on Thursday March 25 2021, @10:50PM

      by Anonymous Coward on Thursday March 25 2021, @10:50PM (#1129046)

      "Why in the world would something like this be a core dependency of an entire language?"

      It started at least from C, maybe good bit earlier. C as a language alone had no way to take input or produce output.

  • (Score: 3, Informative) by DannyB on Thursday March 25 2021, @08:42PM (8 children)

    by DannyB (5839) Subscriber Badge on Thursday March 25 2021, @08:42PM (#1128977) Journal

    You can google for it. There are also videos where they explain how and why Twitter switched from Ruby to Java.

    In a nutshell, for large scalability and performance. After all, a single tweet needs to be routed to potentially many destinations, through many different means (emails, apps, sms, live browser session, etc) -- and at the time of the rewrite they were already handling over a billion tweets per day. They had outgrown Ruby.

    Last September, when Java 15 came out, they raised the maximum heap limit from a measly 4 Terabytes to a more reasonable 16 Terabytes. Now that Java 16 just came out, I cannot find, and I have looked, but can't find any mention of any memory limitation other than what your OS will allow to launch a process with. I can find some references to Linux limiting you to 128 TB because of address allocation of 128 TB user space and 128 TB kernel space. I think I saw that on an IBM website. I also can no longer find any stated limitation of max number of cpu cores. At one point I believed it was 768 cores.

    As for GC, that 1 ms max GC pause time? That's now long gone. [malloc.se] On a machine with 3 TB of heap, 224 Hyper threads (Intel), running ~2100 Java threads, the MAXIMUM GC pause time is 1/2 ms (or 500 µs), and Average GC pause time is 0.05 ms (or 50 µs).

    I wish Ruby, Python, JavaScript, and others had Java's industrial strength runtime system and GC specs.

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by DannyB on Thursday March 25 2021, @08:45PM

      by DannyB (5839) Subscriber Badge on Thursday March 25 2021, @08:45PM (#1128978) Journal

      Sorry, forgot a pertinent fact:

      On a machine with 3 TB of heap, 224 Hyper threads (Intel), running ~2100 Java threads, the MAXIMUM GC pause time is 1/2 ms (or 500 µs), and Average GC pause time is 0.05 ms (or 50 µs).

      That machine is running benchmark: SPECjbb 2015.

      --
      The lower I set my standards the more accomplishments I have.
    • (Score: 2) by DannyB on Thursday March 25 2021, @09:18PM

      by DannyB (5839) Subscriber Badge on Thursday March 25 2021, @09:18PM (#1128994) Journal

      https://www.youtube.com/watch?v=ohHdZXnsNi8 [youtube.com] @ 8:00 and 9:10
      https://www.youtube.com/watch?v=uKDfMPRHNJ4 [youtube.com] @ 21:40 and 23:30

      --
      The lower I set my standards the more accomplishments I have.
    • (Score: 2) by takyon on Thursday March 25 2021, @09:20PM (4 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday March 25 2021, @09:20PM (#1128995) Journal

      I don't like it. We need a new prefix to represent multiples of 1000 yottabytes.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 3, Funny) by DannyB on Thursday March 25 2021, @09:49PM (1 child)

        by DannyB (5839) Subscriber Badge on Thursday March 25 2021, @09:49PM (#1129009) Journal

        By some strange quirk of the universe, 1 attoparsec per microfortnight is 1.00433 inches per second. [google.com] That is less than 1/2 percent error!

        --
        The lower I set my standards the more accomplishments I have.
        • (Score: 2) by istartedi on Thursday March 25 2021, @10:01PM

          by istartedi (123) on Thursday March 25 2021, @10:01PM (#1129020) Journal

          It seems like there are enough available unit pair combinations that you would expect some to be that close.

          --
          Appended to the end of comments you post. Max: 120 chars.
      • (Score: 2) by maxwell demon on Friday March 26 2021, @08:59AM (1 child)

        by maxwell demon (1608) on Friday March 26 2021, @08:59AM (#1129295) Journal

        Maybe we should just start combining prefixes. Then 1000 yottabytes are a kiloyottabyte, 1000 kiloyottabytes are a megayottabyte, and so on, until we reach the zettayottabyte.

        Instead of “yottayottabyte” (which would be 1024 yottabytes), I'd then go with “biyottabyte”. Then the same game again (kilobiyottabyte, megabiyottabyte, gigabiyottabyte, …, zettabiyottabyte). 1024 biyottabytes would then be a triyottabyte. The following powers of 10^24 would then continue to mimic the -illion numbers (quadriyottabyte, quintiyottabyte, sexiyottabyte, septiyottabyte, …). That way, we'd not run out of prefixes easily.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by DannyB on Monday March 29 2021, @05:35PM

          by DannyB (5839) Subscriber Badge on Monday March 29 2021, @05:35PM (#1130851) Journal

          Nope. Never gonna happen. Not in a million microseconds.

          --
          The lower I set my standards the more accomplishments I have.
    • (Score: 0) by Anonymous Coward on Friday March 26 2021, @02:56AM

      by Anonymous Coward on Friday March 26 2021, @02:56AM (#1129161)

      That is probably because with current releases of Java, you are only limited by the operating system. On Linux, that is 64 terabytes, which is well short of the 16 exabytes that the 64 bit space would allow absent the OS limit.

  • (Score: 2) by PinkyGigglebrain on Friday March 26 2021, @07:42AM

    by PinkyGigglebrain (4458) on Friday March 26 2021, @07:42AM (#1129272)

    Dependence [xkcd.com]

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."