[arch-projects] [archweb] Licensing issues with JS code

Jelle van der Waa jelle at vdwaa.nl
Mon Jan 15 10:01:39 UTC 2018 

On 01/14/18 at 08:34pm, Luke Shumaker wrote:
> On Sun, 16 Jul 2017 23:46:01 -0400,
> Andrew Gregory via arch-projects wrote:
> > 
> > On 07/09/17 at 11:21am, Jelle van der Waa wrote:
> > > Looking at the issue on the bugtracker, I'm not sure what you want to
> > > achieve? personally I don't see any point in upgrading to GPLv3.
> > 
> > Presumably, the main thing they want to achieve license compliance.
> > GPLv2 is not compatible with GPLv3 or Apache 2.0.  If archweb includes
> > components under those licenses, it may be in violation.
> 
> Indeed.  We believe that archweb is in violation.
> 
> In the linked bug, I commented off-the-cuff that I didn't believe that
> the 1st-party GPLv2 code interacted with the 3rd-party GPLv3 or Apache
> 2.0 code in a way that required license compatibility.
> 
> Upon further review of release_2017-01-02 (the last release that
> Parabola has merged, and thus the last that I am familiar enough with
> to speak confidently about), I no longer believe that to be true.
> 
> ----
> 
> A listing of all 3rd-party JS, and its license:
> 
>  - Bootstrap 2.1.1 (+change from Dan McGee)              : Apache 2.0
>  - jQuery 1.8.3                                          : MIT
>  - tablesorter[1] 2.7                                    : MIT / GPL dual-license
>  - D3 3.0.6                                              : 3-clause BSD
>  - konami.js[2] c0f686e (+change from unknown author[3]) : GPLv3
> 
>  [1]: https://github.com/Mottie/tablesorter
>  [2]: https://github.com/snaptortoise/konami-js
>  [3]: https://git.parabola.nu/server/parabolaweb.git/plain/Makefile.d/konami.js.patch?h=archweb-generic
> 
> Note that without even being concerned with license compatibility,
> archweb is currently in violation of konami.js, as it does not
> include, link to, or in any way provide instructions on how to obtain
> non-minified source code.  This is especially grievous, as it includes
> (minor) changes that are not present in any non-minified version that
> I have found.  (We already patch to fix this in Parabola's fork; after
> identifying the minifier used (UglifyJS 2.2), I backed-out to
> reproduce the source changes (which I linked above).)
> 
> Now, as Andrew Gregory agreed, the GPLv3 and Apache 2.0 licenses of
> konami.js and Bootstrap are incompatible with archweb's GPLv2 license.
> The 3rd-party files of concern are:
> 
>     retro/static/2013/bootstrap-typeahead.min.1aacd3d7f4db.js
>     retro/static/2013/konami.min.e165c814457d.js
>     sitestatic/bootstrap-typeahead.js
>     sitestatic/konami.min.js
> 
> Additionally, the following file includes both 1st-party GPLv2 code,
> and minified versions of bootstrap-typeahead.js and konami.js:
> 
>     sitestatic/homepage.js

I'm happy to drop the whole konami.js code, it's a gimmick and doesn't
really serve a purpose.

The bootstrap stuff is harder, only required for typeahead and I
remember messing with an alternative which was MIT but that might
require a jQuery update.

That should fix all the issues I think.

> 
> This 3rd-party code is called by GPLv2-licensed archweb code in the
> files:
> 
>     retro/templates/retro/index-2013-03-07.html
>     templates/public/index.html
>     sitestatic/homepage.js
> 
> ----
> 
> As Eli Schwartz noted elsewhere in the thread, after it was copied in
> to archweb, konami.js has since re-licensed to the MIT license.
> However, that does not cover the changes of unknown authorship that
> were present when konami.js was first add to archweb.  There's a good
> chance that the author there is Dan McGee (who added the file to
> archweb), but I'm not certain of that.
> 
>  | Proposed path forward: Confirm with Dan that he is the author of
>  | the changes, and that he agrees to license them under the MIT
>  | license.  From there, simply backport the license change from
>  | upstream commit ece43a5.
> 
> Bootstrap has also since re-licensed so that 3.1 and later are MIT
> licensed; however, bootstrap-typeahead.js was only ever present in
> Bootstrap 2.x; and was therefore not covered in the re-license.
> 
>  | Possible path forward (proposed by Jelle van der Waa): Modify
>  | homepage.js and index-2013-03-07.html to use the MIT-licensed
>  | horsey[4] instead of bootstrap-typeahead.js.
>  |
>  | [4]: https://github.com/bevacqua/horsey
> 
>  | Possible path forward: Contact the 7 authors of
>  | bootstrap-typeahead.js and confirm that they agree to license it
>  | under the MIT license.  I believe all 7 of them agreed to this for
>  | other Bootstrap code that they were authors of; so presumably this
>  | is something they are agreeable to.
> 
> -- 
> Happy hacking,
> ~ Luke Shumaker

-- 
Jelle van der Waa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-projects/attachments/20180115/d1a103a5/attachment-0001.asc>

More information about the arch-projects mailing list