Many people will be screaming that this is action against the GPL, when it is actually action in spite of the GPL, a different thing entirely, right? Routing around <cough> brokenness...
The maintainers of Rails, a Ruby-based framework for making web apps, have released three new versions to resolve a software licensing conflict that surfaced last week. A Rails component called Active Storage included a dependency called mimemagic, which turned out to have been distributed under the wrong license. The …
Monday 29th March 2021 22:49 GMT sbt
Not an attack on the GNU GPL
It's worth pointing out that the author of shared-mime-info who raised the issue with mimemagic was open to modifications that avoided the need to relicense mimemagic (by using the XML from s-m-i at run-time rather than shipping it with mimemagic).
It was the mimemagic author who decided to relicense the code as GPL and then stop developing it, thus precipitating the forks etc. from folks looking for something that would be maintained. Including a fork that did precisely what the s-m-i author was willing to accept.
This situation arose purely because authors of code wanting to use the MIT licence (mimemagic wasn't the only project pinged over GPL violations of s-m-i) incorporated GPL source. And downstream users like RoR relied on the published licence and didn't audit the code. It's possible automated licence checking would have failed since the published XML in s-m-i's repo lacked the GPL notice due to a bug; that has been fixed.
If I wrote GPL'd code, I'd be happy for users to find alternatives with acceptable licences rather than violate my code's licence. A lot of the liberally licensed alternatives for MIME databases have significantly less useful matching data (i.e. the 'magic' contents part, beyond the file extensions); s-m-i is considered one of the most complete and comprehensive available.
Monday 29th March 2021 22:38 GMT Gene Cash
Wednesday 31st March 2021 09:39 GMT TeeCee
Re: "in over half a million software repositories"
Yes. Reminds me of the Astrolabe / timezone database fracas not so long ago. Normally, you'd expect losing a single server, with no fault tolerance, run by one bloke as a hobby in his spare time to be no big deal.
However, you then add someone's free library wrapper on his service and world + dog taking same "as is" without even looking at how it worked. The end result being that the number of critical services that were dependent on the server was, frankly, terrifying.
This is something the free software / open source types really need to get a grip on. When you find something out there that does what you need, open it up, look at how it works, make sure you understand it and all its dependencies and that the whole shebang is suitable for your use before thinking of using it.
...and yes, all too often it does turn out to be turtles all the way down.
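Both sbt's point about downstream users not auditing what they pulled in and TeeCee's point about understanding the whole dependency tree come down to the same practical check. The script below is an added example (not code from the thread, from Rails or from mimemagic) showing the two things such an audit has to do: walk the transitive dependency set and flag declared copyleft or missing licence metadata, and then scan the shipped files for a licence notice that contradicts the declared licence. The gem names, dependency edges and file contents are constructed for the example; the one with a GPL header hidden under an MIT declaration stands in for the mimemagic situation.

```ruby
# Added example: dependency licence audit over constructed gem metadata.
# Not part of the thread or of any project it mentions.
require 'set'

# Constructed inventory: name => declared licences, dependencies, shipped files.
# 'mimelib' declares MIT but vendors a file carrying a GPL notice; 'utillib'
# ships with no licence metadata at all. Both are made up for the example.
GEMS = {
  'webapp'     => { licenses: ['MIT'], deps: ['storagelib'], files: {} },
  'storagelib' => { licenses: ['MIT'], deps: ['mimelib', 'utillib'], files: {} },
  'mimelib'    => { licenses: ['MIT'], deps: [], files: {
    'lib/mimelib/tables.rb' =>
      "# Generated from a desktop MIME database.\n" \
      "# This program is free software; you can redistribute it and/or modify\n" \
      "# it under the terms of the GNU General Public License as published by\n" \
      "# the Free Software Foundation; either version 2 of the License.\n" \
      "MAGIC = [['image/png', [[0, \"\\x89PNG\"]]]]\n"
  } },
  'utillib'    => { licenses: [], deps: [], files: {} },
}.freeze

# Declared-licence strings that put copyleft obligations on the consumer.
COPYLEFT_RE = /\A(A|L)?GPL/i
# Notice text that indicates GPL-licensed material regardless of metadata.
GPL_NOTICE_RE = /GNU (Lesser |Affero )?General Public License/i

def copyleft?(license)
  license.to_s =~ COPYLEFT_RE ? true : false
end

# Depth-first walk of the dependency graph; returns every reachable gem
# including the root. Raises on an edge that points at an unknown gem so a
# lockfile that references something not in the inventory is not silently
# treated as audited.
def transitive_deps(root, gems = GEMS)
  seen  = Set.new
  stack = [root]
  until stack.empty?
    name = stack.pop
    next unless seen.add?(name)          # nil when already visited
    spec = gems.fetch(name) { raise ArgumentError, "unknown gem #{name}" }
    stack.concat(spec[:deps])
  end
  seen
end

# Returns [[gem, finding, detail], ...] for the whole transitive set.
#   :no_license_metadata  - nothing declared, cannot be relied on
#   :declared_copyleft    - declared licence itself carries obligations
#   :embedded_gpl_notice  - shipped file contradicts a permissive declaration
def audit(root, gems = GEMS)
  findings = []
  transitive_deps(root, gems).sort.each do |name|
    spec = gems[name]
    declared_copyleft = spec[:licenses].any? { |l| copyleft?(l) }
    if spec[:licenses].empty?
      findings << [name, :no_license_metadata, nil]
    elsif declared_copyleft
      findings << [name, :declared_copyleft, spec[:licenses].join(',')]
    end
    spec[:files].each do |path, body|
      next if declared_copyleft                 # already reported above
      findings << [name, :embedded_gpl_notice, path] if body =~ GPL_NOTICE_RE
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit('webapp').each { |gem, kind, detail| puts [gem, kind, detail].compact.join("\t") }
end
```

The content scan is what a metadata-only check misses, but it has exactly the limit sbt describes: it can only catch a notice that is actually present in the shipped file. Data copied from a source whose notice was dropped by a bug passes both checks, so the scan is a floor on what is findable, not proof that the tree is clean.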
Tuesday 30th March 2021 12:36 GMT Frederic Bloggs
I am (as usual) confused
Isn't it the case that using a GPL2 library is different from incorporating the source of that library (and possibly modifying it) - thereby triggering the necessity of publishing the (modified) version of the library?
If it happens that using that library means actually "including" some source code (verbatim) as part of the startup of a script (which is also source code); bearing in mind that such libraries are loadable packages as part of a distro or pulled in from a repo as part of the install process. How is that functionally different from linking in binary blobs instead?
If I have misunderstood this over the years, then there are some very large companies out there that are going to have a nasty shock - and may react sufficiently badly to shut down "open source" altogether.