[aur-general] Copyrighted source on https://aur.archlinux.org/
Hi There is a package hosted on https://aur.archlinux.org/ that is copyrighted and not open source. How do I get it removed? Thanks Philip ----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
On Tue, 25 Jun 2019 at 07:42, Jones, Philip via aur-general <aur-general@archlinux.org> wrote:
Hi
There is a package hosted on https://aur.archlinux.org/ that is copyrighted and not open source. How do I get it removed?
Thanks
Philip
----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
Are you sure the package is hosted there and not simply a PKGBUILD which is essentially a set of instructions on how to create a package?
On 25/06/2019 06:42, Jones, Philip via aur-general wrote> There is a package hosted on https://aur.archlinux.org/ that is copyrighted and not open source. How do I get it removed? On every package page there is a "Submit Request" link; that link can be used to file a deletion request. However, I suspect the PKGBUILD itself is not copyrighted. All PKGBUILD files should list the correct License for the upstream software. For example, https://aur.archlinux.org/packages/hopper/ is a PKGBUILD which allows easy installation of some commercial software. It uses the upstream package archive, lists it as having a Commercial license, and includes the details of the license itself (https://aur.archlinux.org/cgit/aur.git/tree/LICENSE?h=hopper). The software itself is not hosted on the AUR and the AUR does not redistribute the software package.
Hi Philip, Just to be very clear: The AUR at https://aur.archlinux.org/ does not host packages. There are (or should be) no binaries hosted by the Arch Linux team, thus no redistribution issues. Unless the software in question is quite literally under a non-disclosure agreement, or some other type of license that forbids redistribution of links towards the software, it's unlikely there's ground for its removal. If there are actual binaries being rehosted somewhere however, that is something we may want to know about. What is the package in question? J. Leclanche On Tue, Jun 25, 2019 at 8:42 AM Jones, Philip via aur-general <aur-general@archlinux.org> wrote:
Hi
There is a package hosted on https://aur.archlinux.org/ that is copyrighted and not open source. How do I get it removed?
Thanks
Philip
----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
Jerome I appreciate that the package (https://aur.archlinux.org/packages/libccmio/) is not hosted on the site but if you Google " libccmio-2.6.1.tar.gz" it is the top hit. The source has a copyright that states “The unauthorized use, distribution, or duplication of this program is prohibited.” I don’t want to enter into a legal argument if the link is distribution or not, all I ask is that the listing be removed as a matter of courtesy. The material is clearly not designed to be publicly distributed. Philip ----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
Hi Phillip. I also don't want to enter a legal battle, and I certainly don't speak for the rest of the Arch Linux team. However, it appears to me that there's plenty going on here: 1) The distribution website is the first hit if you google libccmio-2.6.1-.tar.gz, I wonder if your searches are being directed to the AUR given your previous search history (i.e., filter-bubble). 2) It appears that the copyright owner is Adapco, not siemens. IIUC Siemens bought Adapco on 2016. Did you guys forget to update the copyright notice or is this an old tarball that was distributed before? 3) It appears this is hosted on a US .gov website, under a portal for distribution of scientific code. I'm sure would like to know if they are distributed copyrighted information. I can't seem to find a disclaimer noting they are able to distribute this tarball. 4) It also appears the tarball is distributing GPL-licensed code, which makes me wonder if this tarball itself is in violation of the GPL license (or was, and that's why the tarball is publicly available now). Either way, I do agree that deleting the package until this matter is settled is a reasonable way forward. Thanks, -Santiago. On Tue, Jun 25, 2019 at 02:53:36PM +0000, Jones, Philip via aur-general wrote:
Jerome
I appreciate that the package (https://aur.archlinux.org/packages/libccmio/) is not hosted on the site but if you Google " libccmio-2.6.1.tar.gz" it is the top hit.
The source has a copyright that states “The unauthorized use, distribution, or duplication of this program is prohibited.”
I don’t want to enter into a legal argument if the link is distribution or not, all I ask is that the listing be removed as a matter of courtesy. The material is clearly not designed to be publicly distributed.
Philip
----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
Hi Santiago, all, I'm very new to Arch and I don't know if the package I'm going to put forward as an example violates itself any AUR rule, but for instance 'ufsd-pro-dkms' [1] depends on a file that is not freely distributable, and the PKGBUILD has a file:// URL, so the user has to procure the file herself to build it; maybe this solution is more reasonable than deleting the package altogether, so that users that do want to install it don't have to create their own PKGBUILD needlessly. Cheers, Daniel [1]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ufsd-pro-dkms On Tue, 25 Jun 2019 at 17:14, Santiago Torres-Arias via aur-general < aur-general@archlinux.org> wrote:
Hi Phillip.
I also don't want to enter a legal battle, and I certainly don't speak for the rest of the Arch Linux team. However, it appears to me that there's plenty going on here:
1) The distribution website is the first hit if you google libccmio-2.6.1-.tar.gz, I wonder if your searches are being directed to the AUR given your previous search history (i.e., filter-bubble). 2) It appears that the copyright owner is Adapco, not siemens. IIUC Siemens bought Adapco on 2016. Did you guys forget to update the copyright notice or is this an old tarball that was distributed before? 3) It appears this is hosted on a US .gov website, under a portal for distribution of scientific code. I'm sure would like to know if they are distributed copyrighted information. I can't seem to find a disclaimer noting they are able to distribute this tarball. 4) It also appears the tarball is distributing GPL-licensed code, which makes me wonder if this tarball itself is in violation of the GPL license (or was, and that's why the tarball is publicly available now).
Either way, I do agree that deleting the package until this matter is settled is a reasonable way forward.
Thanks, -Santiago.
On Tue, Jun 25, 2019 at 02:53:36PM +0000, Jones, Philip via aur-general wrote:
Jerome
I appreciate that the package ( https://aur.archlinux.org/packages/libccmio/) is not hosted on the site but if you Google " libccmio-2.6.1.tar.gz" it is the top hit.
The source has a copyright that states “The unauthorized use, distribution, or duplication of this program is prohibited.”
I don’t want to enter into a legal argument if the link is distribution or not, all I ask is that the listing be removed as a matter of courtesy. The material is clearly not designed to be publicly distributed.
Philip
----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
Thank you all for your replies. A quick summary form my viewpoint: 1) Yes, the copyright is CD-adapco and they are old files from many years ago and we were since acquired by Siemens and they acquired the copyright. 2) The tarball is a mix of our copyright code and GPL open source (ADF which was part of CGNS which later became HDF5). GPL source can be distributed, no problems with that, the issue is with our own IP. 3) I am in contact with the US .gov site to get them to take down the original tarball which is obviously the definitive action but that will then leave you with a dangling link. If it is as popular as indicate that may not be an issue 😉 Philip ----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
On 6/25/19 1:20 PM, Jones, Philip via aur-general wrote:
3) I am in contact with the US .gov site to get them to take down the original tarball which is obviously the definitive action but that will then leave you with a dangling link. If it is as popular as indicate that may not be an issue 😉
OK -- from our end, we would then recommend that the person who uploaded the AUR package will use a local://libccmio-2.6.1.tar.gz link and users who wish to install libccmio will have to (legally) acquire it from the copyright holders somehow. -- Eli Schwartz Bug Wrangler and Trusted User
It sounds like we'll likely delete the package on the aur regardless, seeing as it's unofficial, mostly unknown and unused. But your real problem does seem to be with the gov website in question. On Tue, Jun 25, 2019, 19:21 Jones, Philip via aur-general < aur-general@archlinux.org> wrote:
Thank you all for your replies. A quick summary form my viewpoint:
1) Yes, the copyright is CD-adapco and they are old files from many years ago and we were since acquired by Siemens and they acquired the copyright. 2) The tarball is a mix of our copyright code and GPL open source (ADF which was part of CGNS which later became HDF5). GPL source can be distributed, no problems with that, the issue is with our own IP. 3) I am in contact with the US .gov site to get them to take down the original tarball which is obviously the definitive action but that will then leave you with a dangling link. If it is as popular as indicate that may not be an issue 😉
Philip ----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
not smart guy hehe freely available file from government website and he has issues do you have problem with Google too? they distribute this code by their search results if you could find it using their searcher wt., 25.06.2019, 19:38 użytkownik Jerome Leclanche <jerome@leclan.ch> napisał:
It sounds like we'll likely delete the package on the aur regardless, seeing as it's unofficial, mostly unknown and unused. But your real problem does seem to be with the gov website in question.
On Tue, Jun 25, 2019, 19:21 Jones, Philip via aur-general < aur-general@archlinux.org> wrote:
Thank you all for your replies. A quick summary form my viewpoint:
1) Yes, the copyright is CD-adapco and they are old files from many years ago and we were since acquired by Siemens and they acquired the copyright. 2) The tarball is a mix of our copyright code and GPL open source (ADF which was part of CGNS which later became HDF5). GPL source can be distributed, no problems with that, the issue is with our own IP. 3) I am in contact with the US .gov site to get them to take down the original tarball which is obviously the definitive action but that will then leave you with a dangling link. If it is as popular as indicate that may not be an issue 😉
Philip ----------------- Siemens Industry Software Limited is a limited company registered in England and Wales. Registered number: 3476850. Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
On 06/25/19 at 07:41pm, Adam Maram via aur-general wrote:
not smart guy hehe
Please refrain from insulting and treat each other nicely. Also see the CoC [1]
freely available file from government website and he has issues
Links to obtain illegal copies of software can also be deemed to be illegal in some countries, so this request isn't special or strange.
do you have problem with Google too? they distribute this code by their search results if you could find it using their searcher
Yes, people can have a problem with that too and request removal. [2] [1] https://wiki.archlinux.org/index.php/Code_of_conduct#Respect_other_users [2] https://support.google.com/legal/answer/3110420?hl=en Greetings, Jelle van der Waa
On 6/25/19 12:09 PM, Daniel Berjón Díez via aur-general wrote:
Hi Santiago, all,
I'm very new to Arch and I don't know if the package I'm going to put forward as an example violates itself any AUR rule, but for instance 'ufsd-pro-dkms' [1] depends on a file that is not freely distributable, and the PKGBUILD has a file:// URL, so the user has to procure the file herself to build it; maybe this solution is more reasonable than deleting the package altogether, so that users that do want to install it don't have to create their own PKGBUILD needlessly.
Cheers, Daniel
[1]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ufsd-pro-dkms
The package you just linked is actually a perfect example of our official policy. :) Packages with source code that is not publicly available are supposed to be described using just the filename, and typically come with instructions to obtain the file manually and save it to the same directory as the PKGBUILD. That being said, ufsd-pro-dkms and other packages like it should really be using "local://" not "file://", as the former is special cased in makepkg as "you need to obtain this yourself", while the latter is a type of link that /usr/bin/curl understands and will try to download from the local filesystem. -- Eli Schwartz Bug Wrangler and Trusted User
On Tue, 25 Jun 2019 at 17:14, Santiago Torres-Arias via aur-general < aur-general@archlinux.org> wrote:
2) It appears that the copyright owner is Adapco, not siemens. IIUC Siemens bought Adapco on 2016. Did you guys forget to update the copyright notice or is this an old tarball that was distributed before?
Apparently the link comes from the SVN of VisIt [1], a visualisation and analysis software by the Department of Energy of the US Government. According to the building notes of version 1.9.0 of VisIt [2], it is apparent that the disputed library could be freely accessed from the FTP server of Adapco [3] back then. I am not a lawyer, so I don't know if this holds any weight, but it doesn't appear like someone stole the code, it looks plausible that the VisIt developers secured permission to redistribute it at some point. [1]: https://wci.llnl.gov/simulation/computer-codes/visit/ [2]: http://visit.ilight.com/svn/visit/tags/1.9.0/src/BUILD_NOTES [3]: ftp://ftp.adapco.com/pub/outgoing/libccmio-2.6.1.tar.gz
On Tue, Jun 25, 2019 at 02:53:36PM +0000, Jones, Philip via aur-general wrote:
Jerome
I appreciate that the package ( https://aur.archlinux.org/packages/libccmio/) is not hosted on the site but if you Google " libccmio-2.6.1.tar.gz" it is the top hit.
The source has a copyright that states “The unauthorized use, distribution, or duplication of this program is prohibited.”
The key word to me seems "unauthorized". Do we know for a fact that the US Gov. did not secure permission to redistribute this code?
On Tue, 25 Jun 2019 14:53:36 +0000, Jones, Philip via aur-general wrote:
I appreciate that the package (https://aur.archlinux.org/packages/libccmio/) is not hosted on the site but if you Google " libccmio-2.6.1.tar.gz" it is the top hit.
The source has a copyright that states “The unauthorized use, distribution, or duplication of this program is prohibited.”
I don’t want to enter into a legal argument if the link is distribution or not, all I ask is that the listing be removed as a matter of courtesy. The material is clearly not designed to be publicly distributed.
The AUR doesn't distribute it. It's published by http://portal.nersc.gov/ as you can see, if you download the tarball, extract it and inspect the content: [rocketmouse@archlinux ~]$ cd /tmp/ [rocketmouse@archlinux tmp]$ wget -q https://aur.archlinux.org/cgit/aur.git/snapshot/libccmio.tar.gz [rocketmouse@archlinux tmp]$ tar xf libccmio.tar.gz [rocketmouse@archlinux tmp]$ ls -hl libccmio/ total 8.0K -rw-r--r-- 1 rocketmouse rocketmouse 828 Jul 10 2017 libccmio-2.6.1.patch -rw-r--r-- 1 rocketmouse rocketmouse 1.1K Jul 10 2017 PKGBUILD [rocketmouse@archlinux tmp]$ cat libccmio/libccmio-2.6.1.patch diff -ruN libccmio-2.6.1_orig/libadf/adf.pro libccmio-2.6.1/libadf/adf.pro --- libccmio-2.6.1_orig/libadf/adf.pro 2006-06-30 14:00:17.000000000 -0400 +++ libccmio-2.6.1/libadf/adf.pro 2010-12-18 13:32:43.000000000 -0500 @@ -1,7 +1,7 @@ TEMPLATE = lib windows-vc.net:TEMPLATE = vclib windows-vc.net:config += release -TARGET = adf +TARGET = adf_ccmio PATHTOSRC = ../ include($$PATHTOSRC/config/ccm.pro) diff -ruN libccmio-2.6.1_orig/libcgns/cgns.pro libccmio-2.6.1/libcgns/cgns.pro --- libccmio-2.6.1_orig/libcgns/cgns.pro 2006-06-30 14:00:18.000000000 -0400 +++ libccmio-2.6.1/libcgns/cgns.pro 2010-12-18 13:33:29.000000000 -0500 @@ -1,7 +1,7 @@ TEMPLATE = lib windows-vc.net:TEMPLATE = vclib windows-vc.net:config += release -TARGET = cgns +TARGET = cgns_ccmio PATHTOSRC = ../ include($$PATHTOSRC/config/ccm.pro) [rocketmouse@archlinux tmp]$ cat libccmio/PKGBUILD # Maintainer: <gucong@gc-desktop> pkgname=libccmio pkgver=2.6.1 pkgrel=1 pkgdesc="CD-adapco CCM file I/O library" arch=('i686' 'x86_64') url="http://portal.nersc.gov/svn/visit/trunk/third_party/$pkgname-$pkgver.tar.gz" license=('unknown') makedepends=('qt5-base') source=(http://portal.nersc.gov/svn/visit/trunk/third_party/$pkgname-$pkgver.tar.gz $pkgname-$pkgver.patch) md5sums=('f81fbdfb960b1a4f3bcc7feee491efe4' 'da5fa4446ca71b23d15f8df8b0f5a2ec') prepare() { cd "$srcdir/$pkgname-$pkgver" patch -p1 -i "$srcdir/$pkgname-$pkgver.patch" } build() { cd "$srcdir/$pkgname-$pkgver" if [ -d libadf ]; then ( cd libadf; RELEASE=1 SHARED=1 make -f Makefile.qmake all; ) fi if [ -d libccmio ]; then ( cd libccmio; RELEASE=1 SHARED=1 make -f Makefile.qmake all; ) fi } package() { cd "$srcdir/$pkgname-$pkgver" libsdir=`find ./lib -name release-shared` install -d "$pkgdir/usr/lib" "$pkgdir/usr/include/libccmio" cp -vP ${libsdir}/* "$pkgdir/usr/lib" cp -vP libccmio/*.h "$pkgdir/usr/include/libccmio" } # vim:set ts=2 sw=2 et:
FWIW Votes: 0 Popularity: 0.000000 First Submitted: 2017-07-10 02:05 Last Updated: 2017-07-10 02:05 ;)
On 6/25/19 10:53 AM, Jones, Philip via aur-general wrote:
Jerome
I appreciate that the package (https://aur.archlinux.org/packages/libccmio/) is not hosted on the site but if you Google " libccmio-2.6.1.tar.gz" it is the top hit.
This sounds like an SEO problem, have you tried contacting Google to discuss why your brand is being diluted by links to some unofficial website? I'm afraid we don't have any power over this, though. Note that the Google SEO ranking is an unrelated matter -- it does not have an impact on the legality of the use of the package. If the package is hosting copyright-infringing content, then the package is illegal to distribute, regardless of its SEO ranking. If the package is *not* hosting copyright-infringing content, then the package is completely legal to distribute, again regardless of its SEO ranking.
The source has a copyright that states “The unauthorized use, distribution, or duplication of this program is prohibited.”
And indeed, we do not use, distribute, or duplicate the libccmio program. We do, however, host a tutorial (in script form) that teaches people how they can, on their own, acquire and use the program. As far as I am aware, this tutorial is legal. One potential concern is the link itself: is the https://portal.nersc.gov/ website illegally redistributing this source code? If so, have you tried talking to them about it?
I don’t want to enter into a legal argument if the link is distribution or not, all I ask is that the listing be removed as a matter of courtesy. The material is clearly not designed to be publicly distributed.
There is no legal argument if the link is distribution -- it may be advocacy (or "contributory copyright infringement"), but distribution is a whole 'nother kettle of fish. :/ But as far as I can tell, it all boils down to whether that link is legally distributing the product. It is plainly distributing it in some manner... If I look at the google search links following the AUR search result, I see many search results all pointing to the OpenFOAM developer resources and source code repositories. For example, https://github.com/OpenFOAM/ThirdParty-6#miscellaneous Since the libccmio source code linked in the AUR build tutorial/script is also used all over by the OpenFOAM project, it seems that it is being publicly distributed for the sake of many people. Is this infringement as well? Have you discussed this with them? The AUR package is only used by the AUR build tutorial/script for OpenFOAM, so my guess is that this primarily impacts OpenFOAM users -- one of whom has converted existing OpenFOAM documentation into AUR-compatible documentation. The OpenFOAM documentation exists irrespective of the existence of this AUR package, and if the latter is removed, the former will graduate to being the top Google search result anyway, so it is probably worth looking into that either way (and fixing the root of the problem, which is the distribution by https://portal.nersc.gov/ which may or may not have the right to do so). -- Eli Schwartz Bug Wrangler and Trusted User
participants (10)
-
Adam Maram
-
Daniel Berjón Díez
-
Eli Schwartz
-
Jelle van der Waa
-
Jerome Leclanche
-
Jonathon Fernyhough
-
Jones, Philip
-
Morgan Adamiec
-
Ralf Mardorf
-
Santiago Torres-Arias