[arch-projects] [archweb] Licensing issues with JS code
Jelle van der Waa
jelle at vdwaa.nl
Mon Jan 15 10:01:39 UTC 2018
On 01/14/18 at 08:34pm, Luke Shumaker wrote:
> On Sun, 16 Jul 2017 23:46:01 -0400,
> Andrew Gregory via arch-projects wrote:
> >
> > On 07/09/17 at 11:21am, Jelle van der Waa wrote:
> > > Looking at the issue on the bugtracker, I'm not sure what you want to
> > > achieve? Personally I don't see any point in upgrading to GPLv3.
> >
> > Presumably, the main thing they want to achieve is license compliance.
> > GPLv2 is not compatible with GPLv3 or Apache 2.0. If archweb includes
> > components under those licenses, it may be in violation.
>
> Indeed. We believe that archweb is in violation.
>
> In the linked bug, I commented off-the-cuff that I didn't believe that
> the 1st-party GPLv2 code interacted with the 3rd-party GPLv3 or Apache
> 2.0 code in a way that required license compatibility.
>
> Upon further review of release_2017-01-02 (the last release that
> Parabola has merged, and thus the last that I am familiar enough with
> to speak confidently about), I no longer believe that to be true.
>
> ----
>
> A listing of all 3rd-party JS, and its license:
>
> - Bootstrap 2.1.1 (+change from Dan McGee) : Apache 2.0
> - jQuery 1.8.3 : MIT
> - tablesorter[1] 2.7 : MIT / GPL dual-license
> - D3 3.0.6 : 3-clause BSD
> - konami.js[2] c0f686e (+change from unknown author[3]) : GPLv3
>
> [1]: https://github.com/Mottie/tablesorter
> [2]: https://github.com/snaptortoise/konami-js
> [3]: https://git.parabola.nu/server/parabolaweb.git/plain/Makefile.d/konami.js.patch?h=archweb-generic
>
> Note that without even being concerned with license compatibility,
> archweb is currently in violation of konami.js, as it does not
> include, link to, or in any way provide instructions on how to obtain
> non-minified source code. This is especially grievous, as it includes
> (minor) changes that are not present in any non-minified version that
> I have found. (We already patch to fix this in Parabola's fork; after
> identifying the minifier used (UglifyJS 2.2), I backed-out to
> reproduce the source changes (which I linked above).)
>
> Now, as Andrew Gregory agreed, the GPLv3 and Apache 2.0 licenses of
> konami.js and Bootstrap are incompatible with archweb's GPLv2 license.
> The 3rd-party files of concern are:
>
> retro/static/2013/bootstrap-typeahead.min.1aacd3d7f4db.js
> retro/static/2013/konami.min.e165c814457d.js
> sitestatic/bootstrap-typeahead.js
> sitestatic/konami.min.js
>
> Additionally, the following file includes both 1st-party GPLv2 code,
> and minified versions of bootstrap-typeahead.js and konami.js:
>
> sitestatic/homepage.js

I'm happy to drop the whole konami.js code, it's a gimmick and doesn't
really serve a purpose.
The bootstrap stuff is harder, only required for typeahead and I
remember messing with an alternative which was MIT but that might
require a jQuery update.
That should fix all the issues I think.

>
> This 3rd-party code is called by GPLv2-licensed archweb code in the
> files:
>
> retro/templates/retro/index-2013-03-07.html
> templates/public/index.html
> sitestatic/homepage.js
>
> ----
>
> As Eli Schwartz noted elsewhere in the thread, after it was copied
> into archweb, konami.js has since re-licensed to the MIT license.
> However, that does not cover the changes of unknown authorship that
> were present when konami.js was first added to archweb. There's a good
> chance that the author there is Dan McGee (who added the file to
> archweb), but I'm not certain of that.
>
> | Proposed path forward: Confirm with Dan that he is the author of
> | the changes, and that he agrees to license them under the MIT
> | license. From there, simply backport the license change from
> | upstream commit ece43a5.
>
> Bootstrap has also since re-licensed so that 3.1 and later are MIT
> licensed; however, bootstrap-typeahead.js was only ever present in
> Bootstrap 2.x; and was therefore not covered in the re-license.
>
> | Possible path forward (proposed by Jelle van der Waa): Modify
> | homepage.js and index-2013-03-07.html to use the MIT-licensed
> | horsey[4] instead of bootstrap-typeahead.js.
> |
> | [4]: https://github.com/bevacqua/horsey
>
> | Possible path forward: Contact the 7 authors of
> | bootstrap-typeahead.js and confirm that they agree to license it
> | under the MIT license. I believe all 7 of them agreed to this for
> | other Bootstrap code that they were authors of; so presumably this
> | is something they are agreeable to.
>
> --
> Happy hacking,
> ~ Luke Shumaker
--
Jelle van der Waa