On Thu, May 16, 2024 at 04:31:14PM +0200, Jakub Kadlcik wrote:
Hello Fedora Legal,
a piece of software was recently discovered in Fedora Copr and it is now
causing a contention about whether it should be allowed to be there or not.
I am kindly asking for your ruling.
The project in question is here:
https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream:
https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be
under the GPLv3 license.
The package provides several executables:
/usr/bin/gpauth
/usr/bin/gpclient
/usr/bin/gpgui-helper
/usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So
far, no problem. However, when executing some of them (with the exception
of gpclient) the following tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file:
https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1...
It contains just a single binary called gpgui which is licensed under a
proprietary license and developed in a private repository, according to the
author:
https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecommen...
The README in the github repo you linked earlier also clearly states
the GUI part of the project is proprietary code:
"The GUI version is partially open source. Its background service is
open sourced in this repo as gpservice. The GUI part is a wrapper of
the background service, which is not open sourced."
When running the program, it says it is a 10-day trial and prompts for
buying a license here
https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from
a legal perspective) or whether this is a violation of either GPLv3 or Copr
conditions
https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-buil...
Ordinarily I'd say the GUI download helper program would be clearly
inadmissible in main Fedora repos due to this packaging guideline:
https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-pac...
"Some software is not functional or useful without the presence
of external code dependencies in the runtime operating system
environment. When those external code dependencies are non-free,
legally unacceptable, or binary-only (with the exception of
permissible firmware), then the dependent software is not
acceptable for inclusion in Fedora. "
The copr docs linked above require compliance with Fedora legal policies,
but grant an exception from packaging guidelines compliance:
"Packages in Copr do not need to follow the Fedora Packaging
Guidelines, though they are recommended to do so."
Thus it could potentially be argued this is permissible.
Copr is often a staging ground for inclusion into Fedora. Thus packages
will often be a work in progress with known guideline compliance problems,
which are gradually being resolved prior to submission for review in
Fedora. Typically such problems will be fairly benign things, such that
non-compliance is harmless and doesn't reflect badly on Fedora, nor are
contrary to Fedora's mission.
I wouldn't class the use of a shim to download a proprietary binary
to be benign or harmless though. Especially not when it then nags for
payment.
IMHO this project is taking advantage of Fedora's services and reputation
to promote use of and payment for proprietary software. This is contrary
to what Fedora stands for.
If such an approach is indeed permitted via an (unintended) technicality
of the way the rules are written, we should consider explicitly forbidding
this situation in Copr. Possibly the above rule about "software not useful
without external code" should be moved from being a packaging guideline,
to being a legal guideline?
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|