Retrospective license change heads-up: Roundcubemail changed to "GPLv3+ with exceptions and GPLv3+ and GPLv2 and LGPLv2+ and CC-BY-SA and (MIT or GPLv2)"

Tue Jun 18 03:32:37 UTC 2013

Hey, fun times!

I'm not the roundcubemail maintainer, but as a user and provenpackager I
more or less co-maintain it with Jon. I was just doing a 'routine' bump
to 0.9.2 and noticed the license situation was rather more complex than
appeared.

Up to 0.9.0 our package has claimed the license to be "GPLv2". This was
probably never strictly true, but never mind. It was the license on most
of the core code prior to version 0.8.0 beta. Upstream in fact changed
the license on the core code to "GPLv3+ with exceptions" at version
0.8.0 beta, something Jon and I presumably missed. That's the main
change here.

The exception in question is the following:

"This file forms part of the Roundcube Webmail Software for which the
following exception is added: Plugins and Skins which merely make
function calls to the Roundcube Webmail Software, and for that purpose
include it by reference shall not be considered modifications of
the software.

If you wish to use this file in another project or create a modified
version that will not be part of the Roundcube Webmail Software, you
may remove the exception above and use this source code under the
original version of the license."

Usually legal@ would have to review and approve this exception, but as
we've actually been distributing the code for some time, it seems better
to correct it immediately. I'm in the process of building and testing
0.9.2 with the license field corrected; if I don't hear otherwise I'll
just submit it as an update as usual. If legal thinks we need to do
anything drastic here, please advise: to me the exception doesn't seem
like a problem in any way, it's just intended to make sure plugins and
themes aren't automatically GPLv3+. Worst impact if it's invalid is that
plugins and themes are actually GPLv3+, which wouldn't be a problem for
us.

While checking that I noticed that the overall license situation of the
package is rather more complex. Several other Things are embedded in
Roundcube. None of them actually happens to constitute an embedding
violation, happily, but they do muddy the licensing waters.

It has embedded copies of the Javascript libraries jQueryUI and tinyMCE
(javascript is excepted from the embedding policy) and an old copy of
the Pear library Crypt_GPG - that would be a violation, only we don't
actually have a php-pear-Crypt-GPG package, so we're okay until it gets
packaged. I have raised a ticket with upstream -
http://trac.roundcube.net/ticket/1489182 - suggesting this should be
taken out of roundcube's "no-dependencies" tarball; if that happens
we'll have to package it ourselves and modify the roundcube package
appropriately. These are variously licensed as LGPLv2 (tinymce and
crypt_gpg) and "MIT or GPLv2" (jqueryui).

RC's plugins themselves are all licensed either GPLv2 or GPLv3+. As the
'exception' is specifically intended to apply to RC's *core code* and
let plugins *not* be versioned the same way if they don't want to be, it
seems odd to suggest the GPLv3+ plugins are actually under RC's "GPLv3+
with exceptions" license, so I'd hold them to be under pure GPLv3+,
hence "GPLv3+ with exceptions and GPLv3+". Finally, RC's themes are
licensed CC-BY-SA, which ultimately gives the final string "GPLv3+ with
exceptions and GPLv3+ and GPLv2 and LGPLv2+ and CC-BY-SA and (MIT or
GPLv2)" in all its glory. I may well have got the details a bit wrong
there, so please, corrections welcome: I'm always around on IRC to
discuss the details with reference to the source tarball, which is
available at
http://downloads.sourceforge.net/roundcubemail/roundcubemail-0.9.2-dep.tar.gz for anyone who wants to poke at it. CCing upstream's contact email address for feedback from them, in case I misunderstood anything. Upstream, our licensing guidelines are at https://fedoraproject.org/wiki/Packaging:LicensingGuidelines and https://fedoraproject.org/wiki/Licensing:Main , for your reference.

Yeesh, who'd be a webapp packager.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net