by TomOwens 1911 days ago
This just bit me.

The first thing that I noticed was that some people are not understanding the GPL. It's far more impactful to Rails than to the vast majority of web applications built using Rails. The use of GPL'd files means that the gem itself has to be released under the GPL. Since the gem is now under the GPL, dependencies are also under the GPL. That would include Rails. However, even if Rails were under the GPL, organizations could still build closed-source web applications using Rails since network access is not distribution. That's the whole point of the AGPL.

However, it does raise a lot of questions about when someone is allowed to yank a gem (or any library, really). It's been a while since I took a deep dive, but I was under the general impression that there was some leeway around not breaking the world when rectifying license issues. I would think that releasing new versions under the correct license and giving everyone notice and time (30 days?) to update would be fine for most copyright holders. I'd suspect that most open source developers wouldn't want to break the world. The sudden yanking with no warning caused builds to fail everywhere.

The absolute worst thing, though, was that changing a license should not be a minor (or a major) version number increase. It should be a patch. The breaking was simply because Rails is pinned to 0.3.x, but the first release under the new license was 0.4.x. Fortunately, the author released a 0.3.6 patch with the correct license, so it's just a matter of a bundle update to get the latest version. But if he hadn't, Rails would have had to release a new version and anyone on legacy/unsupported Rails versions would be hosed if they had to rebuild and redeploy.

This is a really good reason to stand up your own artifact repository and put all of your third-party dependencies in it, especially if you're a business.

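
Added example (not code from the thread, Rails or mimemagic): the "pinned to 0.3.x, first fixed release is 0.4.x" failure above comes down to how a pessimistic constraint resolves against an index where releases have been yanked. The version list, the yanked set and the "~> 0.3.2" pin are constructed to mirror the thread's description, not taken from a real index snapshot; only Gem::Requirement and Gem::Version are RubyGems' own.

```ruby
# Added example: pessimistic version constraints versus yanked releases.
# Gem::Requirement / Gem::Version ship with RubyGems; everything else here
# is constructed for illustration.
require "rubygems"

# Pick the newest version on the index that satisfies the requirement.
# A yanked release stays visible on the index but can no longer be installed,
# so it is excluded from the candidates. Returns a Gem::Version or nil.
def resolve(requirement, available, yanked: [])
  req = Gem::Requirement.new(requirement)
  candidates = available.map { |v| Gem::Version.new(v) }
  candidates.reject! { |v| yanked.include?(v.to_s) }
  candidates.select { |v| req.satisfied_by?(v) }.max
end

# Constructed index: a 0.3 line plus the first releases under the new license.
INDEX_VERSIONS = %w[0.3.0 0.3.1 0.3.2 0.3.3 0.3.4 0.3.5 0.4.0 0.4.1].freeze
# Assumption for the example: the entire 0.3 line was yanked at once.
YANKED = %w[0.3.0 0.3.1 0.3.2 0.3.3 0.3.4 0.3.5].freeze

# "~> 0.3.2" means ">= 0.3.2, < 0.4"; the exact pin Rails used is an
# assumption here, the shape is what the thread describes.
PIN = "~> 0.3.2"

def before_yank
  resolve(PIN, INDEX_VERSIONS)
end

# After the yank only 0.4.x is installable, and nothing < 0.4 remains.
def after_yank
  resolve(PIN, INDEX_VERSIONS, yanked: YANKED)
end

# A patch release on the old minor line satisfies the existing pin again
# without anyone downstream having to re-release.
def after_patch_release
  resolve(PIN, INDEX_VERSIONS + ["0.3.6"], yanked: YANKED)
end

if __FILE__ == $PROGRAM_NAME
  puts "before yank:         #{before_yank.inspect}"
  puts "after yank:          #{after_yank.inspect}"
  puts "after 0.3.6 release: #{after_patch_release.inspect}"
end
```

Run it as a script to see the three outcomes; the nil in the middle case is the "builds fail everywhere" state, since bundler has no installable version that satisfies the pin until something in the 0.3 line reappears.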

> The absolute worst thing, though, was that changing a license should not be a minor (or a major) version number increase.

The license didn't change. It was always already GPL, due to the usage of GPL-licensed code, regardless of what the metadata said. The change just made the metadata correctly reflect reality.

[EDIT: I should clarify that technically mimemagic wasn't already GPL, but the only legal way to use it was by satisfying your obligations under the GPL, making it effectively GPL. The author did relicense his own code to be GPL instead of MIT.]

To me it seems like making your downstreams aware of that ASAP is pretty important, since this has important legal implications for them as well. Yanking the old versions and releasing an update with an incompatible version number is a way to do that, albeit one that's quite disruptive.

Yeah. That's a better way of putting it. The author didn't opt to change the license. He corrected a licensing error.

I do agree that making the downstream users aware is important, I just don't agree that immediately yanking is the right solution. Putting out a new version would have been nice. Adding a post-install message to the new versions would have been good to start to get the word out. Not sure how far to take it, but opening issues with dependencies (RubyGems provides this information) would have also been nice, giving the major dependencies a good notice before yanking.

After the "left-pad" fiasco, and a similar event on the Ruby side, I started vendoring my dependencies as standard practice. I have not been sorry yet, in fact I feel vindicated in that approach.
Vendoring in ruby land is a double edged sword. It is much safer as you said. However if you _do_ vendor, be sure to be running containerized first. Otherwise you will be in a very frustrating spot of having to handle all sorts of native gem issues when trying to run on various computers during dev/test/prod.
Yes, this is a real problem. We primarily use Docker which solves the issue, but there are people that hate Docker and want to run native. For the Mac users that doesn't go too well.
I've lost countless work days to figuring out gem build issues on Mac when everyone else on the team was running on Linux/Vagrant.
Vendoring is a good first step, too. As long as you have a local copy of all the dependencies, you're better off than needing to go pull them from the Internet every time you want them and risk having them gone. Potentially worse is having the same version but with modifications.
We get a form of this with our two-stage image building process -- the first stage installs all dependencies and we only update it when dependencies change.
> The use of GPL'd files means that the gem itself has to be released under the GPL. Since the gem is now under the GPL, dependencies are also under the GPL.

No, that's not true. You can dual-license dependent software under GPL and MIT. The GPL merely requires a license at least as permissive as it.

> The GPL merely requires a license at least as permissive as it.

No, it requires a license that's at least as permissive as it AND that imposes the same obligations (i.e. source distribution, etc.) on the licensee.

Dual-licensing dependent software under the GPL and MIT only ensures that you can rip out the GPL dependency, and then use the (formerly) dependent software under MIT. The whole package is still GPL and imposes the same obligations on derivatives of the package.

Yes, that's what I'm saying.
You can dual-license if you have full copyright ownership, but if you include GPLed stuff (and don't have full copyright ownership) you'll have to GPL the result.

As for "at least as permissive" - it requires no further restrictions, but it adds a bunch of restrictions itself. And there's no other license that doesn't add restrictions - MIT adds a restriction to reproduce the MIT license, which is an extra restriction. The FSF attempts to excuse these restrictions under the "attribution" clause of the GPL, but it is not clear to me that this is valid, and it has not been tested by any court.

I am fairly sure MIT's license is considered an "appropriate legal notice."