back to article Ruby off the Rails: Code library yanked over license blunder, sparks chaos for half a million projects

On Wednesday, Bastien Nocera, the maintainer of a software library called shared-mime-info, informed Daniel Mendler, maintainer of a Ruby library called mimemagic, which incorporates Nocera's code, that he was shipping mimemagic under an incompatible software license. The shared-mime-info library is licensed under the GPLv2 …

  1. Philip Storry

    This won't even be the worst of it.

    At some point, someone's going to die and their estate will go to a relative that's an arsehole. The kind of arsehole that thinks free software and other community projects are communism.

    And that relative will seek to claim the copyright of that person's code, and pull it from all the projects. (Mostly in the mistaken belief that they can and should profit from this.) If it's widely used code, then all hell will break loose.

    This is why companies like Canonical had copyright assignment requirements. Many in the open source community don't like them, and think it's some kind of corporate trap. But legally, they're almost certainly the right thing to do. In fact the community should really think about setting up some kind of "clearing house" to process & store copyright assignments for its own protection.

    If you do contribute to open source, make sure you put a paragraph in your will about what you want done with your works when you're gone. Just in case...

    1. FeepingCreature

      I don't think you can revoke a license once granted if the license doesn't give you a right to do so. No matter if you hold the copyright or not.

      You can delete the code and stop licensing out new copies, but you can't de-license the code already licensed, and that code can be relicensed per its license terms.

      1. FeepingCreature
        Alert

        Correction: Uh oh. https://www.copyright.gov/docs/203.html

        > Section 203 of the Copyright Act permits authors (or, if the authors are not alive, their surviving spouses, children or grandchildren, or executors, administrators, personal representatives or trustees) to terminate grants of copyright assignments and licenses that were made on or after January 1, 1978 when certain conditions have been met. Notices of termination may be served no earlier than 25 years after the execution of the grant or, if the grant covers the right of publication, no earlier than 30 years after the execution of the grant ...

        I don't think this was written with software licenses in mind.

        This seems a good writeup on the topic: https://en.wikisource.org/wiki/Shrinking_the_Commons:_Termination_of_Copyright_Licenses_and_Transfers_for_the_Benefit_of_the_Public

        1. graeme leggett

          Surprisingly, some room to manoevre

          Looking at the text

          "Notices of termination may be served no earlier than 25 years after the execution of the grant...

          However, termination of a grant cannot be effective until 35 years after the execution of the grant"

          So best case situation is a ten year window.

          As to the writeup, it's probably better left to legal types to read because it's not written for easy reading.

        2. gerdesj Silver badge
          Mushroom

          "the Copyright Act"

          Who's Copyright Act?

          1. Anonymous Coward
            Anonymous Coward

            US copyright

            The original poster didn't mention it explicitly, but the document referred to is at copyright.gov, which appears to be run by the US Copyright Office. As it's a .gov domain I therefore surmise that it's the U.S. Copyright Act which is referred to.

            As you indirectly noted, the situation may well be different in other countries, and when talking about the law, it's worth specifying which jurisdiction you are talking about.

          2. Sven Coenye
            Flame

            Disney's

            The post is required, and must contain letters.

          3. ghp

            I don't think anyone is called "Copyright Act".

    2. cyberdemon Silver badge
      Devil

      surely not

      Even if I were still alive, I don't think I could tell people to cease and desist using or distributing code that I had released as GPL or MIT previously, could I?

      1. FeepingCreature

        Re: surely not

        Apparently, according to §203 USC, at least in the US you can. The law was originally created to allow authors to revoke overbroad copyright assignments to publishers.

        1. Short Fat Bald Hairy Man
          Unhappy

          Re: surely not

          There seem to be some licenses which say "to the detriment of our heirs and siccessors".

          I thought that was in the SQLite license but could not locate it there. Found it in the unlicense statement. Which claims it is derived from the SQLite license!

          So does this help in any way to remove the effects of heirs and successors? From what I read, not quite?

          Very depressing.

          1. Doctor Syntax Silver badge

            Re: surely not

            "Found it in the unlicense statement."

            Here: https://unlicense.org/

        2. Doctor Syntax Silver badge

          Re: surely not

          "The law was originally created to allow authors to revoke overbroad copyright assignments to publishers."

          I wonder if this has ever been invoked.

          1. General Purpose Bronze badge

            Famous revocations

            Copyright grants for YMCA, In The Navy, Go West and others were successfully revoked by one of the songwriters.

            The heirs of Jerry Siegel served DC Comics with notice of revocation of copyrights for Superman and Superboy. DC/Warner negotiated a deal that included $0.5m a year. There followed a massive series of lawsuits over whether that deal had been finalised, during which DC Comics kept reinventing Superboy so that they'd have a character that wasn't covered by the original copyright - the trademark being separate.

        3. Michael Wojcik Silver badge

          Re: surely not

          The Apache License has this clause:

          Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

          [emphasis added]

          Whether that overrides the revocation clause in 17.203 is a question for the courts, I suppose. I'm kind of surprised that other FLOSS licenses don't include the "irrevocable" language (along with "perpetual" and "non-exclusive").

          1. Robert Carnegie Silver badge

            Re: surely not

            Yeah, I'm not a lawyer, but I'd reckon that if law says that there's no such thing as an irrevocable licence, then writing an irrevocable licence doesn't make it irrevocable.

    3. Marco van de Voort

      copyright assignments

      The problem with the copyright assignments is that it just shifts the weak point that goes rogue from the heir to Canonical.

      E.g. if Canonical would go bust and parts would be snapped up by someone seeking to exploit the portfolio anyway they can.

      This is an quite old discussion, since afaik GNU managed projects like gcc and gdb also require copyright assignment.

      1. Yet Another Anonymous coward Silver badge

        Re: copyright assignments

        >. if Canonical would go bust and parts would be snapped up by someone seeking to exploit the portfolio anyway they can.

        So we should worry about Redhat being bought up by a failing IT business turning into a patent troll ?

      2. General Purpose Bronze badge

        Re: copyright assignments

        Yes. Imagine if copyright had been assigned to Nominet.

    4. sreynolds

      I don't think that any bastard is going to say to his sprog. "And to my biggest prick of a child I charge thee with maintaining library x.y.z free of charge for the rest of you natural life, which huge corporations profit from your work, and all you get back is abuse from the thankless whining bastards that used your code"

  2. Anonymous Coward
    Anonymous Coward

    Last will

    Just make sure you add a clause in your will that says anything published can't be yanked.

    1. Anonymous Coward
      Anonymous Coward

      Re: Last will

      Would that be binding? It might be better in your will to grant any such relevant rights to revoke the past grants of copyrights to the specific project instead (I assume this sort of thing can be made to make sense..?).

      1. AMBxx Silver badge

        Re: Last will

        I think you could do it with a 'letter of wishes'. Not binding though

      2. katrinab Silver badge

        Re: Last will

        You can choose in your will who to leave your assets to. Donating some of them to a charity is quite common.

        1. ibmalone Silver badge

          Re: Last will

          It's also possible to waive most rights under copyright, IANAL, but I suspect this could be done in a will.

  3. Anonymous Coward
    Anonymous Coward

    As someone who doesn't follow FOSS very closely, this type of issue is frustrating. Up there with "we can't call Firefox 'Firefox' anymore because the logo uses a shade of orange that is not compatible with the left-handed metric academic license"

    Sure, licenses are important, and have side effects that need to be considered, but your average user (heck, your average administrator) just wants to get things working. Trying to explain to the boss that you're down because your free software was the wrong flavor of free won't go over well.

    1. unimaginative

      The same thing can happen with proprietary software. What happens if you use a proprietary library without licensing it properly? I suspect the consequences would be worse and harder to sort out.

      Its a nuisance, but most users can probably work around it - possibly installing will be more complex if you need to get this library separately from Rails.

      its also not going to magically shut down existing installs.

  4. Rich 2 Silver badge

    This is where GPL is bollocks

    “ Using a GPL file as a source makes your whole codebase a derived work, making it all GPL”

    The problem with the above is that if I make (say) a little program that does some mime type stuff and it uses a GPL library that implements most of that mime type stuff then fair enough - it’s clearly a derived work.

    If, however, I make an entire programming framework consisting of tens of thousands of lines of code that does loads of diverse things and it happens to link to the same GPL library then I would contest that that is NOT a derived work. The library provides some functionally, yes. But it’s not the majority or core of the functionally of the overall application and there’s a good chance that any one application built on the framework may not even make use of the library.

    I really really dislike GPL. Or rather I really really dislike people who have an unreasonable and rather sweeping idea of what “derived” means

    1. Anonymous Coward
      Anonymous Coward

      Re: This is where GPL is bollocks

      The GPL is specifically designed to take a sweeping idea of what derived means. It is designed to be a "viral" license that captures anything it touches because it comes from a section of the open-source community that believe that all "creative works" should be owned by society and not by individuals.

      1. katrinab Silver badge

        Re: This is where GPL is bollocks

        It doesn't override fair use though. Whether this example would be fair use is another question though.

      2. Anonymous Coward
        Anonymous Coward

        @AC - Re: This is where GPL is bollocks

        No, they are only against individuals like you who believe they can appropriate other people's creative works and own it individually. Don't just take my word, read the licence.

        Besides, a license is only a set of rules. If you like them then you play by them, if you don't like them then you move somewhere else.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC - This is where GPL is bollocks

          Like me? Why do you think I am taking other people's creative works and owning them? You have no idea who I am or what I do.

          The position of RMS and others on the ownership of creative works is well documented, and I formed my conclusions from a discussion I had with him at a dinner table at a conference. I am an advocate of open source and have developed several open source libraries and contributed to many more. I just don't think that developers who don't want to release their code as open-source should be forced to do so, just because they used a library that I wrote.

    2. Apprentice of Tokenism

      Re: This is where GPL is bollocks

      Yup. This is a prime example why GPL has outlived itself. It was a brilliant idea in the beginning to get things going. Nowadays it is just a nuisance and hindering involvement. We have moved on and found licenses that work in the real world for everybody much better.

      1. Anonymous Coward
        Anonymous Coward

        @Apprentice of Tokenism - Re: This is where GPL is bollocks

        You mean you have moved to licences that allow using other people's work without giving anything back. So you're too lazy to write the code and you'd very much use something freely available on the Internet but you can't be bothered to read, understand and respect a licence contract because, hey if it's free it should be free. Who's the communist here ?

        1. James Hughes 1

          Re: @Apprentice of Tokenism - This is where GPL is bollocks

          The corollary is that if someone issued code under MIT or similar, rather than GPL, then they INTENDED for that work to be freely available. They WANT people who are too lazy to write their own to use it, they WANT it to be free.

          If they want GPL they should use GPL.

          1. Apprentice of Tokenism

            Re: @Apprentice of Tokenism - This is where GPL is bollocks

            Exactly. It is about a true choice and about admitting to the fact that in reality almost nobody - there are honourable exceptions - really can check on licence violations or pursue litigation unless being paid for it. So the sensible and reality matching approach that we took is Apache 2.0: want to make money with our source code and not contribute back? Go ahead, we are cool with it. The source got already developed and the developers got their pay check. Not a problem.

            Honestly, nobody is going to know if somebody is violating the GPL in a commercial product unless somebody happens to examine the binaries of the product. The question is then: do you really want to go down that road and spend your own free time on sifting through millions of products if your code is used elsewhere? If you do not or cannot spend your own time on that then good luck finding enough people who are able to spend the time to find GPL violations in binary code for you.

            Do you see now what the real issue is? Identification of GPL violations are the real issue at hand. GPL enforcement is simply not doable unless your are paid to do it. It is as simple as that.

            That is where one really needs to take a reality check and ask if GPL is a licence that stands for something that one wants to support and pursue or if it is just a boiler plate blah blah that one will not really support and hence not pursue until litigation.

            GPL was a brilliant dream of an ideal software and source code universe and it has worked for like ten years or so to get the open source idea going and for enterprises to pick up on it. Everybody should remember that. Before we had Public Domain but it somehow did not catch on.

            Nowadays GPL is just a niche license among other open source licenses. And the other open source licenses work just better in reality and allow for a much wider coexistence and use of source code. GPL has become too hot to touch for any enterprise that tries to make money off their IP. They are not going to release their source code if it contains their IP and instead will look elsewhere for an alternative solution than using GPL code.

            We, as a research facility - I know that we have it really easy because we have no "real" obligations - have decided on using Apache 2.0 as the default licence. There are times when collaborations cannot agree with us on using Apache 2.0 but that is dealt with on a case by case base. But the basic idea remains the same: We did already develop the code, we did already pay for it. So just go and take it, put it to good (or bad) use. You are free to do so.

          2. Michael Wojcik Silver badge

            Re: @Apprentice of Tokenism - This is where GPL is bollocks

            Exactly. I've released stuff under various licenses. None of them are GPL. I'm willing to contribute fixes to GPL products, but I'm not interested in doing significant free labor on them. When I work on open-source software, I want it to be under a permissive license.

            Others feel differently. That's their prerogative, but spare me the evangelism, thanks. I heard it from Stallman in the 1980s.

          3. Rich 2 Silver badge

            Re: @Apprentice of Tokenism - This is where GPL is bollocks

            That’s not what happens the vast majority of the time though. Take the example here - Rails is open source and completely free. They ARE “giving back”.

            The problem is, as far as GPL is concerned, is that they are “giving back” in the “wrong way”

            I myself have written several applications that use GPL libraries and bits of GPL code. I would be more than happy to publish them with no strings attached at all, to share them about. But there is no way I’m having my code labelled GPL, so I won’t be publishing them.

            The GPL is dogma - it’s not reasonable at all

        2. This post has been deleted by its author

    3. Doctor Syntax Silver badge

      Re: This is where GPL is bollocks

      If your tens of thousands of lines link to the library and it's GPL vX.0 then. yes. If you keep that little program using the GPL library and just pass stuff to it in some way, then no.

      It's not bollocks. It was designed to work that way. You want to work some other way; FSF might equally regard your way as bollocks. They're two different ways of looking at the world, both valid. Trying to use somebody else's code in a way they specifically don't allow you to - that's bollocks.

    4. martinusher Silver badge

      Re: This is where GPL is bollocks

      The LGPL variant is designed for libraries -- you shouldn't release libraries under GPL. GPL is for complete works.

      The GPL has been around long enough that generations of programmers have grown up without realizinhg why it exists in the first place. Back in the early(er) days it was common practice for companies to get hold of open source code, put their copyright banners on it and release it as their own. This was a relaviely harmless, if wrong, practice for mom-and-pop operations but as soon as those operations were aquired by MegaCorp Inc. the corporate lawyers started regarding this code as a valuable corporate asset and defending it as such. It was expensive and time consuming to unpick this, hence the GPL. There are other licenses you can use if you want -- just don't run down the GPL until you understand why it exists (even if it is rather irritating).

    5. drankinatty

      Re: This is where GPL is bollocks

      It's somewhat of a double-edge sword, but that is the way it has to be. Think of it from the other side, GPL code being included in a project that then loses its open-source protections. GPL is a really simple proposition, use our code freely in your project, but then your project is required to comply with GPL -- or go write the code yourself and not have to worry about the license. There is no ambiguity and there is nothing concealed in the terms.

      You can appreciate both sides of the issue. Open-source ensuring it remains open-source, and works derived from it remain open, while there will be projects that don't want to become open-source just by using open-source GPL2 licensed code. It's simple, they have that choice and licenses exist to help inform that choice.

      The fact here you have a competing MIT license and the GPL2 header for code used in that project being stripped during a "merge" process -- that is guaranteed to raise eyebrows and cause problems.

  5. Anonymous Coward
    Anonymous Coward

    People are still using RoR?

    Sooooo 2008, surely should be some javascript doing server things in the client monstrosity backed by activex 2.0 (web assembly) a websocket, a philosophy statement, a list of acceptable pronouns and some grass based vegan recipes written in haiku form in the tool tips to be current web dev problem in 2021?

    In all seriousness why RoR there are better MVC (MVVM) frameworks available these days, still at least it isnt PHP, had the misfortune to inherit maintenance on some PHP based apps and bugger me, never thought i would be wishing for it to be asp classic for the consistency in naming conventions and object model, honestly how have the last 20 odd years of language development passed that shitshow by???? even javascript is less cognitively impaired than the Pisspoor Hypertext Preprocessor as at least that has ok debug tools in the browser, xdebug is still as useless as its ever been

    1. ibmalone Silver badge

      Re: People are still using RoR?

      PHP is best thought of not as a language but a collection of macros that were found in the bin of a dot com round about 2000.

      1. Michael Wojcik Silver badge

        Re: People are still using RoR?

        PHP is best thought of not as a language but a collection of Lovecraftian madness-inducing incantations for summoning incomprehensible monstrous beings from outside the knowable universe.

        1. σύνβάλλω

          Re: People are still using RoR?

          As a php scripter I can assure that it is trying to become somewhat similar to Java and other aberrations. Lazy devs loading tens of megabytes of dependencies and creating world-big OOP objects inside a shitty mega IDE to output a text string, anyone?

          Typing and checking things without hand holding frameworks isn't that hard, once you know a language's boundaries...but it takes time and effort and few try that path. Finding people doing it properly without loading gazillions of deps 'cause they have to finish the project for yesterday? At least improbable. It just hurts having to admit that...

          I know little about RoR, wasn't it that thing you loaded on your Mac and talked to it wokely having a stylish moustache instead of programming?

          Now.. don't let my talk about Python's forced identations..

          They're gone, Sir, they're all gone.

          1. ibmalone Silver badge

            Re: People are still using RoR?

            It's not that PHP doesn't try to hold your hand, it's that it tries to turn your hand into some kind of squid creature, and before you know it it's wrapping its tentacles around your neck, and oh God, they're in my mouth, it's going down my throat, help I can't breathe...

          2. Anonymous Coward
            Anonymous Coward

            Re: People are still using RoR?

            I am pretty sure all coding in hell is written in PHP

  6. fredthe

    GPL and XML

    Ack! GPL! RMS! Run!

    OK, seriously, this looks like an issue of incorporating an XML file, and assuming that the inclusion of *data* requires subservience to the GPL virus. As far as I can tell, an XML dataset is NOT software. It is data. Perhaps subject to copyright, but the inclusion of GPL'd Data in your project doesn't mean your entire project needs to be under GPL. The data is still open, and if anyone asks you should provide the data, but it doesn't mean you need to yank you license and lock your code.

    Honestly, I'd like to see a large corporation take the developer to court over the change in terms, I don't care how much they want to be "nice" but the MIT license is non-revocable. Since he AFAIK only included XML'd data, all that was needed was notice that the data was under GPL.

    1. ibmalone Silver badge

      Re: GPL and XML

      No, 'data' is not specific enough. GPL says you're only licensed to use the work on another work if that work is made available under GPL too. You can't say, "It's only a little bit." Any more than you could use work available under any other license without following the license terms. What you may be trying to say is this is a collection of information that's copyright exempt, in the way telephone numbers are, but if we're in a world where library headers are copyrightable then I wouldn't be too sure about the status of a particular type of collection unless it has been tested in court.

      1. fredthe

        Re: GPL and XML

        *bzzt* wrong. Looking at GPLv2 (applicable in this case)

        1. You may copy and distribute verbatim copies of the Program's source code as you receive it

        OK, that's what's being done. As long as the license is included.

        2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program... required to locence under GPL

        There's no modification, it's being distributed as is. So the viral part doesn't apply.

        Sorry, including a GPL'd file is fine, and doesn't require the rest of your project be GPL'd.

        1. ibmalone Silver badge

          Re: GPL and XML

          Clarification for section 2

          "But when you

          distribute the same sections as part of a whole which is a work based

          on the Program, the distribution of the whole must be on the terms of

          this License, whose permissions for other licensees extend to the

          entire whole, and thus to each and every part regardless of who wrote it."

          Additionally condition of section 1:

          "appropriately publish on each copy an appropriate

          copyright notice and disclaimer of warranty; keep intact all the

          notices that refer to this License and to the absence of any warranty;

          and give any other recipients of the Program a copy of this License

          along with the Program."

          Plus the existence of the LGPL for such a purpose also makes the intent plain.

    2. katrinab Silver badge
      Meh

      Re: GPL and XML

      If the data affects how the program operates, and I believe it does, then legally it is "code".

  7. fredthe

    RoR is saved!

    Looks like the developer of mimemagic has seen reason, and has reverted to the MIT licence. He’s removed the offending GPL’d file from his distro, and requires it to be loaded separately.

    See: https://github.com/mimemagicrb/mimemagic/blob/master/README.md

    IMHO included GPL data, rather than code, doesn't trigger the GPL virus anyway. But this is a workable solution.

    1. chuBb. Silver badge

      Re: RoR is saved!

      And 10s of devs sighed in relief, and all the unmaintained but used RoR apps chugged along regardless

  8. vapoureal

    Sounds like Hotel California.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021