9:31 a.m.
Hello Fedora Legal,
a piece of software was recently discovered in Fedora Copr and it is now
causing a contention about whether it should be allowed to be there or not.
I am kindly asking for your ruling.
The project in question is here:
https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream:
https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be
under the GPLv3 license.
The package provides several executables:
/usr/bin/gpauth
/usr/bin/gpclient
/usr/bin/gpgui-helper
/usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So
far, no problem. However, when executing some of them (with the exception
of gpclient) the following tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file:
https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1...
It contains just a single binary called gpgui which is licensed under a
proprietary license and developed in a private repository, according to the
author:
https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecommen...
When running the program, it says it is a 10-day trial and prompts for
buying a license here
https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from
a legal perspective) or whether this is a violation of either GPLv3 or Copr
conditions
https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-buil...
Thank you very much for your help,
Jakub
10:11 a.m.
New subject: GlobalProtect-openconnect - License violation or not?
On Thu, May 16, 2024 at 10:31 AM Jakub Kadlcik <jkadlcik(a)redhat.com> wrote:
Hello Fedora Legal,
a piece of software was recently discovered in Fedora Copr and it is now causing a
contention about whether it should be allowed to be there or not. I am kindly asking for
your ruling.
The project in question is here:
https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream:
https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be under the
GPLv3 license.
The package provides several executables:
/usr/bin/gpauth
/usr/bin/gpclient
/usr/bin/gpgui-helper
/usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So far, no problem.
However, when executing some of them (with the exception of gpclient) the following
tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file:
https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1...
It contains just a single binary called gpgui which is licensed under a proprietary
license and developed in a private repository, according to the author:
https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecommen...
When running the program, it says it is a 10-day trial and prompts for buying a license
here
https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from a legal
perspective) or whether this is a violation of either GPLv3 or Copr conditions
https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-buil...
I think the Copr conditions side of this is kind of unclear and it
relates to an issue that came up in the thread about packaging machine
learning models. If something distributed by Fedora (including through
a copr repository) is entirely compliant with Fedora technical and
licensing standards, but when you run it it downloads some additional
proprietary software, does that violate Fedora policy, even if there's
no issue of license noncompliance? As to the GPLv3 issue, I can't
speculate just on the facts you've stated, other than to say it is
probably not inherently a GPLv3 violation.
So I don't know if this should be seen as conformant to Fedora legal
and packaging policy, even leaving aside the issue of how much Copr
repositories can deviate from those policies, which seems itself to be
unclear.
Richard
10:58 a.m.
New subject: GlobalProtect-openconnect - License violation or not?
On Thu, May 16, 2024 at 04:31:14PM +0200, Jakub Kadlcik wrote:
Hello Fedora Legal,
a piece of software was recently discovered in Fedora Copr and it is now
causing a contention about whether it should be allowed to be there or not.
I am kindly asking for your ruling.
The project in question is here:
https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream:
https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be
under the GPLv3 license.
The package provides several executables:
/usr/bin/gpauth
/usr/bin/gpclient
/usr/bin/gpgui-helper
/usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So
far, no problem. However, when executing some of them (with the exception
of gpclient) the following tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file:
https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1...
It contains just a single binary called gpgui which is licensed under a
proprietary license and developed in a private repository, according to the
author:
https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecommen...
The README in the github repo you linked earlier also clearly states
the GUI part of the project is proprietary code:
"The GUI version is partially open source. Its background service is
open sourced in this repo as gpservice. The GUI part is a wrapper of
the background service, which is not open sourced."
When running the program, it says it is a 10-day trial and prompts
for
buying a license here
https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from
a legal perspective) or whether this is a violation of either GPLv3 or Copr
conditions
https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-buil...
Ordinarily I'd say the GUI download helper program would be clearly
inadmissible in main Fedora repos due to this packaging guideline:
https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-pac...
"Some software is not functional or useful without the presence
of external code dependencies in the runtime operating system
environment. When those external code dependencies are non-free,
legally unacceptable, or binary-only (with the exception of
permissible firmware), then the dependent software is not
acceptable for inclusion in Fedora. "
The copr docs linked above require compliance with Fedora legal policies,
but grant an exception from packaging guidelines compliance:
"Packages in Copr do not need to follow the Fedora Packaging
Guidelines, though they are recommended to do so."
This it could potentially be argued this is permissible.
Copr is often a staging ground for inclusion into Fedora. Thus packages
will often be a work in progress with known guideline compliance problems,
which are gradually being resolved prior to submission for review in
Fedora. Typically such problems will be fairly benign things, such that
non-compliance is harmless and doesn't reflect badly on Fedora, nor are
contrary to Fedora's mission.
I wouldn't class the use of a shim to download a proprietary binary
to be beign or harmless though. Especially not when it then nags for
payment.
IMHO this project is taking advantage of Fedora's services and reputation
to promote use of and payment for proprietary software. This is contrary
to what Fedora stands for.
If such an approach is indeed permitted via a (unintended) technicality
of the way the rules are written, we should consider explicitly forbidding
this situation in Copr. Possibly the above rule about "software not useful
without external code" should be moved from being a packaging guideline,
to being a legal guideline ?
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
18
days inactive
18
days old
2 comments
3 participants
participants (3)
-
Daniel P. Berrangé -
Jakub Kadlcik -
Richard Fontana