Monday, March 29, 2021

Ruby off the Rails: Code library yanked over license blunder

Updated: On Wednesday, Bastien Nocera, the maintainer of a software library called shared-mime-info, informed Daniel Mendler, maintainer of a Ruby library called mimemagic, which incorporates Nocera's code, that he was shipping mimemagic under an incompatible software license.

The shared-mime-info library is licensed under the GPLv2 license and mimemagic was listed as an MIT licensed project.

"Using a GPL file as a source makes your whole codebase a derived work, making it all GPL, so I think it's pretty important that this problem gets corrected before somebody uses it in a pure MIT codebase, or a closed-source application," wrote Nocera in an Issues post.

"You will also need to re-add the GPL header to the shared-mime-info XML file as a matter of urgency. It was stripped in release tarballs by the tool used to merge translations, but is visible in the .in version of the same file."

Mendler thanked Nocera for letting him know and promptly moved the latest version, 0.4.0, and version 0.3.6 under GPLv2, and withdrew prior versions from distribution on RubyGems.org, the package registry used by Ruby developers. He then archived the mimemagic GitHub repo, meaning it's no longer being actively developed.


This had the unfortunate effect of breaking the popular web development framework Ruby on Rails, which includes mimemagic 0.3.5 as a dependency. It also affects 172 other packages, which between them touch 577,148 different software repositories.

Not all of these projects are immediately affected, though any sort of build process that tries to fetch a withdrawn version of mimemagic from RubyGems.org will fail unless dependency caching has been implemented.

Software projects that incorporate mimemagic must now consider the implications of incorporating GPLv2 licensed code, which may not be acceptable in some cases. If that's legally and practically viable, they can switch to either the 0.3.6 or the 0.4.0 version of the library, though not without some effort.

Projects like a web app run by the UK government's Department for Business, Energy and Industrial Strategy, the Ruby SDK for the FileStack CMS, and Rails-based taggable image app Danbooru are pondering workarounds for a situation that recalls the left-pad incident of 2016.

Since mimemagic is mostly a database of MIME type data mappings, the Rails team is looking into replacement options, including the 2-clause BSD-licensed libmagic or a Ruby translation of the MIME data. But there's a non-trivial amount of work required to make this happen.

As for everyone else, Sergey Alekseev, founder of Shopify app maker ASoft, asked Mendler to keep the mimemagic repo active to provide a place for the other affected projects to discuss their options.

But Mendler disagreed, stating, "The Rails dependency is certainly the most impactful one. It is best if we find a solution which works for Rails and which is sanctioned by the Rails team."

Paul Berg, an open-source licensing consultant, told The Register in an email that while this is a difficult situation, the developers involved appear to be handling it well.

"Since the maintainers of the dependent mimemagic library discovered that it contained GPL code, they moved to a GPL license," he said. "The admirable thing is that they reacted once the issue was noticed rather than keeping silent about it and letting the issue persist."

"It does cause a major issue for Rails though," Berg said. "Rails is widely used under the MIT license which is a permissive license. Since so many applications are authored using Rails under the assumption that those applications are not copyleft under the GPL, it is likely that a great many of those apps would not be complying with the terms of the GPL since they were not deployed with those terms in mind."

"As a consequence of that, relicensing Rails to GPL for rails to be in compliance is likely to be a massive change for thousands of teams and really is not a tenable solution. Unfortunately, other solutions are likely not simple."

Berg said mimemagic could try to replace GPL portions of the code and retain its MIT license. Another option, he said, would be for Rails to replace mimemagic altogether, assuming a suitable replacement exists.

"In any event, resolving this issue is likely going to be a non-trivial amount of work in a short time frame given the critical nature of Rails to the industry because of its popularity," he said. "I do not envy their predicament."

"This illustrates why being diligent in enumerating all dependencies and reused code whenever they are introduced and working to ensure that the licensing of those dependencies is compatible with your intent is so important." ®
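The two failure modes the article describes, a pinned version that has been yanked from RubyGems.org and a dependency whose license no longer matches the project's intent, can both be caught by auditing the lockfile before a build. The following is an added example, not code from the article, Rails or mimemagic; the lockfile excerpt and the registry snapshot are constructed for the demo and stand in for what `Gem::Specification#licenses` and the registry would report.

```ruby
# Added example: offline audit of a Gemfile.lock for (a) pinned versions that
# are no longer downloadable and (b) licenses outside an allowlist.

# Constructed Gemfile.lock excerpt in the real lockfile layout.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      marcel (0.3.3)
        mimemagic (~> 0.3.2)
      mimemagic (0.3.5)
      nokogiri (1.11.2)
        mini_portile2 (~> 2.5.0)
      mini_portile2 (2.5.0)
LOCK

# Constructed snapshot of the registry at the time of the relicensing:
# gem => { version => licenses } (the shape Gem::Specification#licenses
# returns). A pinned version missing from this map is treated as yanked.
REGISTRY = {
  "marcel"        => { "0.3.3" => ["MIT"] },
  "mimemagic"     => { "0.3.6" => ["GPL-2.0"], "0.4.0" => ["GPL-2.0"] },
  "nokogiri"      => { "1.11.2" => ["MIT"] },
  "mini_portile2" => { "2.5.0" => ["MIT"] },
}.freeze

# Licenses this (hypothetical) MIT-licensed project is willing to ship with.
PERMISSIVE = %w[MIT BSD-2-Clause BSD-3-Clause Apache-2.0].freeze

# Top-level specs in the GEM section sit at exactly four spaces; their
# dependency lines sit at six, so the anchored regex skips them.
def parse_lockfile(text)
  text.scan(/^ {4}(\S+) \(([^)]+)\)\s*$/).to_h
end

# Returns [[gem, version, :yanked | :license, detail], ...]; an empty
# array means the bundle resolves and every pinned gem is allowlisted.
def audit(lock_text, registry = REGISTRY, allowed = PERMISSIVE)
  parse_lockfile(lock_text).filter_map do |gem, version|
    licenses = registry.dig(gem, version)
    if licenses.nil?
      [gem, version, :yanked, "not available on the registry; bundle install will fail"]
    else
      bad = licenses - allowed
      [gem, version, :license, bad.join(", ")] unless bad.empty?
    end
  end
end

if $PROGRAM_NAME == __FILE__
  audit(LOCKFILE).each { |gem, ver, kind, detail| puts "#{kind}: #{gem} #{ver} (#{detail})" }
end
```

Pinning the same lockfile to mimemagic 0.4.0 instead of 0.3.5 turns the finding from `:yanked` into `:license` with `GPL-2.0`, which is exactly the choice the affected projects face above.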

Updated to add

On Thursday 26 March, mimemagic was updated again to v0.4.1, which restored the MIT license and removed the GPL-covered code, the Freedesktop.org Shared Mime Types database. Users must now provide that themselves. Versions 0.3.6 and 4.0 have been yanked, to the dismay of many.


