[wokwokwok]

The reason this is happening is not obvious without reading https://github.com/minad/mimemagic/issues/97

> I've historically been the maintainer of shared-mime-info for around 15 years, and script/freedesktop.org.xml looks like it's a copy of the database shipped with shared-mime-info, which is released under the GPL, with shared-mime-info's translators work merged in, and the GPL header removed.

> The license that you're shipping mimemagic under (MIT) isn't compatible with shared-mime-info's.

Seems like quite a reasonable request, even if folk don’t like the results.

..and to be clear, I’m quite sure that rolling back to the commit before the license change does exactly nothing to address the issue.

You don’t magically get your MIT license back by forking before the license change was added, that’s not how it works.

If the previous version contains GPL code, it’s GPL. It doesn’t matter if you slap an MIT license file on it, or used it in “good faith” presuming it was MIT license.

[smarx007]

One thing I am not sure is why such a radical action was taken so quickly without thinking carefully first? It's not like a lawsuit was threatened or something. The original request in https://github.com/minad/mimemagic/issues/97 that you linked to was very polite and professional.

1) A time extension to remove the GPLed code could be politely requested. I know that the copyright belongs to all contributors but getting on good terms with the maintainer could be a solid first step. I think just opening a PR with that file deleted (and tests failing) could have been interpreted as a willingness to comply with the request in good faith.

2) A request to relicense the XML file in question under LGPL could have been sent to the original project (could be problem without CLAs, but still worth a try). Then the library could have been relicensed under LGPL.

3) Gem users could have been notified. Some prominent people from those projects could have helped with (1) and joined a kind request (2) to the original project.

At least that's how we'd (try to) handle it on our project under Eclipse Foundation (though we used to have a GPL code scanning for releases in the first place until very recently) if such situation arose. Anyway, talking to people first before doing something quickly is often a good idea.

[CaliforniaKarl]

> One thing I am not sure is why such a radical action was taken so quickly without thinking carefully first?

I think this can be answered by considering the following:

> At least that's how we'd (try to) handle it on our project under Eclipse Foundation…

Looking at https://github.com/minad/mimemagic, I did not get the impression that the software was backed by any organization, let alone one on the scale of the Eclipse Foundation. If indeed the software is essentially one person, imagine it from their perspective.

> Anyway, talking to people first before doing something quickly is often a good idea.

Assuming that this was not intentional (see Hanlon's razor), you could quickly have groups like the gpl-violations.org project taking notice, and things snowballing from there. I'm not calling out gpl-violations.org specifically here, instead I'm noting that there are other people who _would_ do something quickly.

Another thing to note is that u/minad is (per their GitHub profile) in Germany. That will also affect their opinion on things related to licensing.

[ericbarrett]

> One thing I am not sure is why such a radical action was taken so quickly without thinking carefully first? It's not like a lawsuit was threatened or something.

Once you've been informed of a violation, you have a legal duty to act, no? Regardless of whether counter-action is immediately threatened. (Not a lawyer, not legal advice)

[ysavir]

At the end of the day, it's people involved, and people have the capacity for understanding and empathy.

A safe course of action would be for the maintainer to respond with a message like "thank you for bringing this to my attention. Many products and services depend on this package and would be disrupted by any immediate action. I will bring this to their attention and work with them to remove the dependency as swiftly as possible and then remove all available versions of this package from where they are hosted."

If someone brings lawyers to the table due to lack of immediate action, maybe then we can proceed to a more immediate, if disruptive, course. But no need to rush there if there's no external pressure to act that fast.

[ericbarrett]

I completely agree with you in principle. However, if there are potential damages involved, it's hard to argue that you're not increasing your exposure by delaying or deferring the correction. (Again IANAL and this ain't legal advice.) Lawsuits aren't to be taken on a whim. Even if you ultimately prevail, the affair can change your life, and not for the better. So I can't blame anybody who wants to skip the lawyer and minimize their exposure, even if doing so angers a large number of developers—to whom they have no formal obligation.

[cwyers]

The question is, what act do you take? It's possible to negotiate and get a grace period to get into compliance, for instance.

[onli]

> If the previous version contains GPL code, it’s GPL. It doesn’t matter if you slap an MIT license file on it, or used it in “good faith” presuming it was MIT license.

This depends.

Rails used a gem by a different developer, a gem that had its own MIT license. The Rails project and all others using Rails can not be expected that they ought to have known the license is invalid, so usually the GPL does not count for their usage back then.

You can in general never retroactively change a license, so their usage back then was certainly valid. You can [be forced to] stop using a license and re-license future versions of an artefact, and also possibly have to stop distributing the old versions. But that's on the gem's author, not Rails, and would likely not even impact future usage of the old, already obtained versions.

If the original author wanted to claim damages under GPL from Rails, he would have to do so via the gem's author. And even then: What damages? And would the projects have had to know? None and no is the likely answer, safe juridical incompetence/corruption like in the Oracle-API case.

It would be further be complicated by the file in question being a database file. You typically can not license databases in a meaningful way under GPL. Even if you could, reading a GPL'd database has no chance of carrying GPL code obligations over to the consuming program.

As always with those questions, this might depend on your specific jurisdiction. Also, it means in no way that it is not the ethically right thing to swap the dependency to one that does not have this issue.

PS: Also consider that in most uses of Rails, GPL or MIT does not change much, as accessing a server running GPL software does not trigger GPL's distribution clause (you want the AGPL for that). This already limits the impact here. The Github thread has comments in the direction of all Rails projects having to be open source now if the license changed to GPL. Not only can the license of old versions not change, this is also not the effect GPL would have.

[btilly]

"You can in general never retroactively change a license, so their usage back then was certainly valid."

No, it wasn't. It was reasonable, but not valid.

They were using copyrighted code without permission from the copyright holder, relying on a false claim. The false claim gave them no right to use the copyrighted code, and will not protect them if the copyright holder sues them. However the fact that they were acting in good faith and had no idea is likely to help them when it comes to damages. And furthermore if they got sued, then they would have the right to sue the author of the gem whose false claim got them in trouble.

If the original author wanted to claim damages under GPL from Rails, he would have to do so via the gem's author. And even then: What damages?

I have no idea why you think that the copyright holder would have to go to the gem's author to sue about a copyright violation. Furthermore damages are not the only thing you can sue for. See https://www.lib.purdue.edu/uco/CopyrightBasics/penalties.htm... for a list. That statutory minimum of $200 per infringement can add up really fast when you're generating copies electronically.

[smarx007]

I think MIT license only claims the code I wrote is provided under MIT (that's why you also have to include a NOTICES file listing other library licenceses in addition to the LICENSE file). It's not like they put MIT header and their name on that XML file.

> then they would have the right to sue the author of the gem whose false claim got them in trouble

I think this is where a useless all-caps text comes handy:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND [...] AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Noninfringement is mentioned right there. It literally says that I DO NOT promise you that my code that I license to you under MIT (in good faith, ofc) does not infringe anyone's rights.

[btilly]

You have a point, but it is not as absolute as the license suggests.

The problem is that a license is overridden by local law if there is a conflict. For example suppose that there is a law saying there is an implied warranty that goods sold are yours to sell, and you sold a stolen good "as is". In that case the law wins and the buyer can still sue you for having sold tem stolen goods.

And as https://www.klemchuk.com/legal-insights/warranty-against-inf... explains, a common local law is an implied warranty against infringement on others' intellectual property. Which a copyright violation would qualify as.

As always, I am not a lawyer, and this is not legal advice. If something like this arises in practice, you should consult a lawyer familiar with the laws of the venue that the case will be decided in to find out whether any laws apply, and to what extent the generic liability disclaimer won't actually provide protection.

[onli]

> They were using copyrighted code without permission from the copyright holder, relying on a false claim.

Again, that does not seem to have been the case here.

> I have no idea why you think that the copyright holder would have to go to the gem's author to sue about a copyright violation.

1. It depends where you are, which jurisdiction gets applied. Might explain the different expectation. 2. It'd be the gem author that created an unlicensed derivative work, not anyone else directly. Have fun claiming damages, copyright infringement or anything for indirect usage in such a good faith situation. I really think that wouldn't fly, but again, might depend where you are.

[btilly]

Again, that does not seem to have been the case here.

Again? Not sure where you said it. But the copyright holders in question are the authors of shared-mime-info, and they certainly never gave permission for their work to be used by Rails in the way that it was.

It depends where you are, which jurisdiction gets applied. Might explain the different expectation.

I'm in the USA. But I'm pretty sure that what I said is generically true.

It'd be the gem author that created an unlicensed derivative work, not anyone else directly.

Copyright is triggered by downloading unlicensed copies. And lots of people other than the gem author did that.

An unlicensed derivative was created by anyone who used Rails and wrote code that did mime detection - for example they were handling uploaded files.

It is an open question whether these cases are worth litigating, and what would be decided in court. They might well decide that there isn't enough creative work in the compilation for the file in question to have copyright protection at all. But in the meantime it would be a generally good idea to treat the issue seriously, and to accept that lots of people are potentially liable here. (Even if, in all probability, none will suffer more than a temporary inconvenience as the dependency is removed.)

[onli]

> Again? Not sure where you said it

Here, it was in the comment (and not an edit :) ):

> It would be further be complicated by the file in question being a database file. You typically can not license databases in a meaningful way under GPL. Even if you could, reading a GPL'd database has no chance of carrying GPL code obligations over to the consuming program.

But I actually just wrote again because I made that point in another subthread, no criticism implied.

[btilly]

Not so fast in that claim.

First of all the infringing file is https://github.com/minad/mimemagic/blob/master/script/freede.... Sure, it is in XML. But it contains a tremendous amount of free-form text, specific sets of pattern matching rules for the data types, and so on. It is a compilation of sometimes original research on the best ways to detect file types. Ruby has other mime libraries. The reason why this one was chosen is that its detection algorithms make better choices. And the reason that they make better choices is that they copied the decision rules from a GPLed project.

But even if it were a simple compilation, it still is not guaranteed that there is no copyright. See https://en.wikipedia.org/wiki/Copyright_in_compilation for an introductory article on what can and can't be copyrighted about a compilation. And one of the elements that matters is creativity in the selection of the material. A set of rules with a lot of "look for this" while leaving out various reasonable thats that don't work so well shows considerable creativity.

That said, a judge may decide otherwise. You never know until a judge decides. But I would not presume that there is no copyright interest to be had here.

[tsbinz]

> Rails used a gem by a different developer, a gem that had its own MIT license. The Rails project and all others using Rails can not be expected that they ought to have known the license is invalid, so usually the GPL does not count for their usage back then.

> You can in general never retroactively change a license, so their usage back then was certainly valid.

I would ask a lawyer about that. As it has been explained to me, the original author didn't have the right to distribute it under the MIT license, so they (rails) never had a valid license. It's similar with images, even when you grab it off flickr or another page and it specifies a license you like, that does not mean that whoever posted it there actually had the right to do that, and if they didn't, you can get sued.

[onli]

You are right, that's a shaky part and where insecurity is coming from - and sure, get a lawyer if you want more certainty. Depends where you are anyway. Better answers to that are already here. Just one thing:

> the original author didn't have the right to distribute it under the MIT license, so they (rails) never had a valid license.

Thing is, if it's really about a databasefile that was not copyrightable the gem author did have the right to distribute it. That's a happy circumstance of this specific case, making all of this less severe either way.

[JMTQp8lwXL]

How is one supposed to reasonably know, when downloading a package from a public repository, that the included license is authoritative? Are we supposed to research every package we use, and scour all software in existence to maybe trace back true ownership to someplace else? Seems like an auditing nightmare.

[lamontcg]

You can't. If you're notified then you need to promptly fix the issue with the complainant. When it comes to being sued for damages you can point at the the fact that there was no reasonable way for you to know that the license you trusted was invalid and at the author who was presumably negligent. If you've cooperated fully and mitigated it quickly that should protect you. Ignorance in this case is an excuse when it is reasonable and defensible ignorance, and not negligence on your part.

[johannes1234321]

> Seems like an auditing nightmare.

Yes and that's why large companies are often extremely reluctant to take in 3rd party code without auditing and estimating the risk.

[yebyen]

In fact they even sell insurance for this, and companies that want you to use their software can offer indemnity protection with the same effect.

"What if somebody sues me because my use of your software constitutes a violation of their intellectual property rights?" – "Don't worry, we will protect you. Since you pay so much money and are a valued customer of XYZcorp, we don't want you to worry about such things. You'll be covered by our umbrella policy."

This conversation certainly happens, (although it almost certainly wouldn't have happened between any of "Rails" customers and the Rails core team.)

[JMTQp8lwXL]

This has not been my experience. Getting the work done fast is prioritized more highly than the (small) compliance risk. Unless the company wants to pay you to invent a bespoke in-house version of React.

[johannes1234321]

For using open source stuff while working on your machine there are often pre approved licenses. But for production use and even more for software being distributed any serious place I have seen, there is paperwork. (Sometimes of better quality, sometimes more of a rubber stamp process)

[gedy]

I guess this is subjective (though maybe not legally), but this lookup table of extensions to mimetypes doesn't feel like GPL "software". It's just a description of other software's conventions using the GPLed source as a reference: https://github.com/minad/mimemagic/blob/master/lib/mimemagic...

To create a non-GPL version, you would have to do what? Research extensions without letting your eyes see this GPLed list?

[Denvercoder9]

> this lookup table of extensions to mimetypes doesn't feel like GPL "software".

Copyright nor the GPL are limited to software, collections of data are copyrightable as well; and thus they can fall under the GPL as well.

> To create a non-GPL version, you would have to do what? Research extensions without letting your eyes see this GPLed list?

Yes.

[murderfs]

Data in and of itself cannot be copyrighted under U.S. copyright law: "creative arrangement" of it can be, but given that the data in question was generated from XML file, I don't think you could make a claim that the arrangement was copied.

[whimsicalism]

? I don't follow - it seems pretty clear that this falls under the GPL from my reading of what is copyrightable, ie. they can't copy your compilation of the data.

[rst]

Your reading of what is copyrightable may not be entirely in accord with the US Supreme Court's, which has ruled that mere compilations of factual data (a telephone directory in the case that set the precedent) are not copyrightable.

https://en.wikipedia.org/wiki/Feist_Publications,_Inc.,_v._R....

If someone is trying to apply the GPL to stuff which isn't legally copyrightable in the first place (as may be the case here), then their copyright isn't enforceable, and neither is the GPL.

[vertis]

There are definitely jurisdictions where this has been found not to be the case. In Australia the protection of databases is incredibly murky[1].

Telstra, the privatized government telecom company, failed to protect the White Pages data from another company that, if I remember correctly, had put it on CD (ah those were the days).

[1]: https://www.mondaq.com/australia/copyright/290668/can-a-data...

[toast0]

> collections of data are copyrightable as well

Collections of data are sometimes copyrightable. Depending on the jurisdiction, it may depend on the details of the collection.

[jahewson]

I agree. Lists of facts are not eligible for copyright in the US, most famously phone books. It’s debatable as to whether or not this file is pure facts but I’m having a hard time seeing it as a “creative expression”.

[boleary-gl]

Or use another source that is non-GPL - that's proposed here: https://github.com/rails/rails/issues/41750#issuecomment-805...

[imhoguy]

vs this https://gitlab.freedesktop.org/xdg/shared-mime-info/-/blob/m...

[Xylakant]

In a twist of irony, the software for which the copyright claim breaking rails was made is hosted on the free edition of gitlab, which is based on rails.

[Deradon]

And according to the twitter-bio of the individual, who brought this up, he's related to Red Hat, which are also affected [^1].

[^1]https://github.com/RedHatInsights/compliance-backend/pull/79...

[hartator]

> You don’t magically get your MIT license back by forking before the license change was added, that’s not how it works.

And all RoR apps don't magically became open source because one of the depencies got contaminated by GPL. It's up to the courts to decide not parties who don't haven't standing.

[alberth]

> "You don’t magically get your MIT license back by forking before the license change"

Am I understanding this correctly. If for example, 15 years you have an MIT code base with only MIT code. Then yesterday, you add a few lines of GPL code. Then today, you remove 100% of the GPL code you just previously added in order to revert back your codebase to be only MIT code ... it's no longer "MIT"? The GPL has now tainted their entire existing codebase?

[terramex]

No, in this hypothetical case you would be fine. Mimemagic case is more like 15 years ago you had a MIT codebase that contained hidden GPL-derived code. One day you are notified about that violation and relicense whole codebase to GPL, but the code that was already in the repository before has never been truly MIT - it was always violating GPL. To fix this you can either relicense whole codebase to GPL (what mimemagic chose) or remove GPL code from codebase, stop distribution of older versions and continue your project as MIT.

Going back to older version of code does not change anything as now everybody is aware of violation so you don't even have plausible deniability. You would need to fork from commit before adding GPL code, but this is impossible for mimemagic as it contained this code since day one.

[psanford]

No.

[rocqua]

This is what I personally dislike about GPL it is a viral license, without any 'cure'. Especially the more aggressive licenses feel like a ransom. Either accept gpl, or spend the rest of time trying to quarantine gpl from your projects.

This is a huge unilateral attempt to make FOSS a certain way. And I don't think this kind of unilateral action does anything but set bad blood.

[jakelazaroff]

IANAL but I don't think it works like that. Using GPL code in non-GPL project doesn't mean your code is automatically licensed under the GPL, it just means you're violating the license of the original code. How that shakes out — whether you have to re-license your project or just remove the offending code — ultimately depends on the two parties and the court system.