[arch-projects] [archweb] Licensing issues with JS code

Luke Shumaker lukeshu at lukeshu.com
Mon Jan 15 01:34:58 UTC 2018

On Sun, 16 Jul 2017 23:46:01 -0400,
Andrew Gregory via arch-projects wrote:
> On 07/09/17 at 11:21am, Jelle van der Waa wrote:
> > Looking at the issue on the bugtracker, I'm not sure what you want to
> > achieve? personally I don't see any point in upgrading to GPLv3.
> Presumably, the main thing they want to achieve license compliance.
> GPLv2 is not compatible with GPLv3 or Apache 2.0.  If archweb includes
> components under those licenses, it may be in violation.

Indeed.  We believe that archweb is in violation.

In the linked bug, I commented off-the-cuff that I didn't believe that
the 1st-party GPLv2 code interacted with the 3rd-party GPLv3 or Apache
2.0 code in a way that required license compatibility.

Upon further review of release_2017-01-02 (the last release that
Parabola has merged, and thus the last that I am familiar enough with
to speak confidently about), I no longer believe that to be true.


A listing of all 3rd-party JS, and its license:

 - Bootstrap 2.1.1 (+change from Dan McGee)              : Apache 2.0
 - jQuery 1.8.3                                          : MIT
 - tablesorter[1] 2.7                                    : MIT / GPL dual-license
 - D3 3.0.6                                              : 3-clause BSD
 - konami.js[2] c0f686e (+change from unknown author[3]) : GPLv3

 [1]: https://github.com/Mottie/tablesorter
 [2]: https://github.com/snaptortoise/konami-js
 [3]: https://git.parabola.nu/server/parabolaweb.git/plain/Makefile.d/konami.js.patch?h=archweb-generic

Note that without even being concerned with license compatibility,
archweb is currently in violation of konami.js, as it does not
include, link to, or in any way provide instructions on how to obtain
non-minified source code.  This is especially grievous, as it includes
(minor) changes that are not present in any non-minified version that
I have found.  (We already patch to fix this in Parabola's fork; after
identifying the minifier used (UglifyJS 2.2), I backed-out to
reproduce the source changes (which I linked above).)

Now, as Andrew Gregory agreed, the GPLv3 and Apache 2.0 licenses of
konami.js and Bootstrap are incompatible with archweb's GPLv2 license.
The 3rd-party files of concern are:


Additionally, the following file includes both 1st-party GPLv2 code,
and minified versions of bootstrap-typeahead.js and konami.js:


This 3rd-party code is called by GPLv2-licensed archweb code in the



As Eli Schwartz noted elsewhere in the thread, after it was copied in
to archweb, konami.js has since re-licensed to the MIT license.
However, that does not cover the changes of unknown authorship that
were present when konami.js was first add to archweb.  There's a good
chance that the author there is Dan McGee (who added the file to
archweb), but I'm not certain of that.

 | Proposed path forward: Confirm with Dan that he is the author of
 | the changes, and that he agrees to license them under the MIT
 | license.  From there, simply backport the license change from
 | upstream commit ece43a5.

Bootstrap has also since re-licensed so that 3.1 and later are MIT
licensed; however, bootstrap-typeahead.js was only ever present in
Bootstrap 2.x; and was therefore not covered in the re-license.

 | Possible path forward (proposed by Jelle van der Waa): Modify
 | homepage.js and index-2013-03-07.html to use the MIT-licensed
 | horsey[4] instead of bootstrap-typeahead.js.
 | [4]: https://github.com/bevacqua/horsey

 | Possible path forward: Contact the 7 authors of
 | bootstrap-typeahead.js and confirm that they agree to license it
 | under the MIT license.  I believe all 7 of them agreed to this for
 | other Bootstrap code that they were authors of; so presumably this
 | is something they are agreeable to.

Happy hacking,
~ Luke Shumaker

More information about the arch-projects mailing list