SoylentNews is people
SoylentNews
posted by
martyb
on Thursday March 25 2021, @10:57AM
from the check-for-dependencies-of-dependencies dept.
from the check-for-dependencies-of-dependencies dept.
A 15 year old XML file created a stir in the Ruby on Rails world today as it was discovered that freedesktop.org.xml which is GPL 2 licensed was included improperly in the mimemagic project which was MIT licensed. The author accepted this notification as valid, pulled prior versions, and switched licenses but as this was a dependency of Rails it promptly got the attention of programmers worldwide that rely on the Rails gem for their applications.
Since Rails itself is MIT licensed this makes for a difficult day of sorting out licensing options for many people.
This discussion has been archived.
No new comments can be posted.
Dependency Yanked Over Licensing Mishap Breaks Rails Worldwide
|
Log In/Create an Account
| Top
| 53 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
squatcho, n.:
The button at the top of a baseball cap.
-- "Sniglets", Rich Hall & Friends
(Score: 4, Interesting) by pendorbound on Thursday March 25 2021, @01:19PM (14 children)
Does anyone know of a compiled list anywhere of, “externally hosted dependency bites projects” kind of reports? Currently dealing with coworkers being okay with relying on external NuGet repos when we’ve had 100% internally mirrored Java deps for about 10 years. I’d love to back a dump truck full of receipts up to the argument and shout, “This is why!” as I spike the mic and walk out...
(Score: 2) by Immerman on Thursday March 25 2021, @02:40PM (13 children)
Of course in this case, and many others, that internally mirrored dependency would mean that you were now knowingly engaging in copyright infringement, and thus vulnerable for triple damages, etc.
Though it would at least mean that you had control over when your software shuts down, and could maybe replace the offending library before anyone came after you.
(Score: 0) by Anonymous Coward on Thursday March 25 2021, @02:57PM
Let's be realistic. Who is going to chase you down? It's not Microsoft software. Realistically, hosting your own buys you time to continue until "the community" comes up with some sort of "fix."
(Score: 0) by Anonymous Coward on Thursday March 25 2021, @03:54PM (11 children)
(Score: 2) by Immerman on Thursday March 25 2021, @04:24PM (10 children)
Hmmm... it seems you might you're right. Possibly I was thinking of *patent* infringement, which is legally unrelated.
Still, it becomes willful infringement, and continuing to infringe once a case is brought against you is unlikely to go well for you. You'd also better hope your business doesn't depend on distributing that software, since that $150,000 maximum is *per instance*
Also, GPL software is NOT given away for free - it's traded for consideration in the form of any source code you write that incorporates it. And that's been held up in *every single case* that's ever gone to court - the license is very simple and explicit, with no wiggle room even for extremely competent and well-funded legal teams like those of Microsoft's sock puppet SCO. Though the copyright holders are usually quite reasonable and willing to settle for the removal of the infringing code, usually not even demanding the release of the source code they are legally entitled to, much less any statutory damages.
Though it does bear mentioning that if you're talking about GPL 2 licensed code used in-house, you are not infringing by using it within proprietary software, provided you have never distributed that software. Even if the person you got it from *was* infringing by distributing it integrated into incompatibly licensed code. GPL 3 removes most of such "loopholes" though.
(Score: 2) by FatPhil on Thursday March 25 2021, @05:08PM (9 children)
[citation needed]
AFAIK, consideration's never been under discussion, as, in the GPL-2 example you mention, it simply doesn't exist.
And secondly, on the matter of whether the GPL's even a contract (which would be the only context in which consideration would be relevant), that hasn't been held up in court in the high profile cases that I remember. The most high profile one, Hancom, merely came to the conclusion that a contract *might* exist. Might, not do. UFOs might exist. Sterile neutrinos might exist. These sentences in no way declare that the antecedents do exist, merely affirm that non-existence has not been proved.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Immerman on Thursday March 25 2021, @05:31PM (1 child)
If there was no agreement for consideration given (in the legal sense), then you have no contract, and the GPL would be unenforceable (as I recall, IANAL, etc). You want specific references, dig through the legal documents yourself, you wouldn't believe me anyway.
Hancom? Never heard of the case, can't have been a big one. The defining case for GPL validity was IBM versus SCO (as funded by Microsoft) in attempting to prove that Linux was guilty of violating Unix copyrights. The battle raged for years, with SCO's high-dollar legal team leveling every attack they could dream up against the GPL.
Groklaw.org is still available to browse, and went into exhaustive detail analyzing pretty much every document filed and argument made in the longest, most well-funded, and most vigorously fought GPL battle in history, in terms most anyone can understand. It's widely believed their analysis may even have helped determine the outcome of the trial as they did a wonderful job of translating both legal and technical concepts into something the other side could clearly understand.
And yes, that case well established the GPL's validity as both a license and a contract. There are no doubt less lengthy cases that decided it as well, but never before or since has the GPL come under such a masterful attack - and it emerged unscathed in every respect.
(Score: 2) by FatPhil on Friday March 26 2021, @08:57AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 4, Informative) by pendorbound on Thursday March 25 2021, @11:28PM (1 child)
The GPL is not and never has been a contract. It’s a grant of copyright license. Exchange of valuable consideration only applies to contract law. A copyright license grants you permission to use a copyrighted work if and only if you accept all terms that the grant is contingent on. If you don’t accept the terms, you don’t get a license and can’t use the work. No exchange of consideration is needed. The license is take it or leave it. Accept the terms or don’t use the work. Violate the terms and use the work anyways, and you’re infringing the copyright.
(Score: 2) by FatPhil on Friday March 26 2021, @08:57AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Friday March 26 2021, @01:01AM (2 children)
NeXT created Objetive C compiler based on GCC, so FSF contacted them. After checking with their lawyers, NeXT provided the code, instead of going to court. The lawyer's advice was that they would lose with high probability.
GPLv3 and AGPL are even more strict about not sharing back... which explains why corporations avoid them and are so in love with BSD, MIT and similar licenses. They keep all the control, and share anything as PR stunts, but can close for any reason. macos only ships the last bash that was GPLv2, for example, as the copyright is not theirs. Latest Sony consoles run BSD code writen by someone else... and no source given at all.
(Score: 0) by Anonymous Coward on Friday March 26 2021, @01:29AM (1 child)
Doesn't this just show that (except maybe for the Linux OS), we don't actually NEED GPL software? We can do without it just fine. GPL is no threat if you have truly free alternatives.
(Score: 3, Informative) by maxwell demon on Friday March 26 2021, @08:45AM
Define “need”. That verb only makes sense if connected to a goal; what is the goal you are thinking of?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by maxwell demon on Friday March 26 2021, @08:37AM (1 child)
Under copyright law, you are not entitled to use the copyrighted code at all unless you've obtained a valid license. And if the only valid license is the GPL, it's either accept the conditions of the GPL or don't use the code at all.
Were the GPL found to be invalid, that would not mean that you're now allowed to use the code any way you like; rather it would mean that you are no longer allowed to use the code at all unless you obtain a new, valid license.
In any case, using the code against the rules of the GPL is a copyright violation unless you obtained a valid license to do so from the copyright owner. That holds whether or not the GPL is actually a valid license.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by FatPhil on Friday March 26 2021, @08:46AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves