by spijdar 1909 days ago
This is the sort of thing that makes some people really wary of the GPL and other "viral" licenses, and I don't think you can blame them. The "blame" for this falls on someone for throwing in GPL'd code into an MIT project, but the headache drops onto a whole bunch more people down the line. It seems other commenters think this will probably be alright, but I bet this is a lot of corporate type's worst nightmare, that some underling added some segment of GPL code to their product, and now the entire thing is "technically" GPL.

One can only imagine if it was AGPL instead of GPL, and how people would debate if they should send source requests to all the sites running on rails ;-)

9 comments

> but I bet this is a lot of corporate type's worst nightmare, that some underling added some segment of GPL code to their product, and now the entire thing is "technically" GPL.

IANAL, but I'm pretty sure this is _not_ how it works. Your code doesn't magically "become" licensed under GPL if you use GPL code. Your code is now in _violation_ of the GPL and one way of fixing it is to re-license your code. Another way is to eliminate the dependency.

However, if you decide to re-license to GPL then you may still have to pay damages for the time you were violating GPL.

In practice I can't imagine that a court would make anyone pay anything for this incident.

> Another way is to eliminate the dependency

That'll resolve the violation for future releases. However, all previous releases are still infringing.

For a violating company who really doesn't want to open source their project, their best bet would probably be to (remove the dependency and) pay damages for previous infringement.

You'd hope damages in a case like this would be small given it went unnoticed for so long. Considering the shared-mime-info project itself is not commercial software, there probably wasn't significant damage to the project or the authors.

> you may still have to pay damages

This is probably the first time I've seen damages mentioned in relation to GPL violations. Did anyone try to enforce this?

IIRC, there was someone who had written some networking code in Linux and independently started suing hardware vendors for GPL violations. The Software Freedom Conservancy said that he was doing more harm than good, and said that if someone is violating the GPL, lawsuits should first only require compliance with the GPL, then seek punitive damages if they fail to comply.

There's a site here https://gpl-violations.org/news/ which has some cases where there have been legal actions related to GPL violations.

There is at least one case[0] I can find. Probably it is exceedingly rare simply because companies are much more likely to settle, especially in the cheapest way possible, i.e. stop distributing the tainted software.

[0]:https://wiki.fsfe.org/Migrated/GPL%20Enforcement%20Cases#Bus...

To be clear, stop distributing is often "good enough" but technically damages could still be sought for copyright violation.

It's pretty clear that distributing without a license (or in violation of one) is copyright infringement, and that's subject to damages.

However, most non-egregious copyright infringement cases are more about stopping future infringement than damages. So I'd be surprised to see much GPL enforcement with damages.

> and now the entire thing is "technically" GPL.

The "thing" doesn't become GPL, though.

They are in breach of the license, it's a major headache, and re-licensing the thing as GPL may be one way forward.

That's not an automatism, though, and no court would declare the thing GPL.

You may pay hefty "fictitious" licensing fees and (punitive) damages, you may have to stop distributing your thing, but you're not losing control.

> You may pay hefty "fictitious" licensing fees and (punitive) damages,

Except in cases like this you likely won't.

As it's clearly a mistake you clearly fixed asap, it's unlikely you have to pay more than small punitive damages.

Wrt. license fees and (non-punitive) damages it's a bit more tricky, but it boils down to the damage done. But as these libraries are only distributed GPL licensed and non-essential (can easily be replaced), you will have a hard time showing that any damage was done and that the software can be sold for any non-negligible amount of money. And if no damage was done and there is no reasonable case for selling the software, i.e. non-negligible fictitious license cost, you can guess how the ruling will end.

If you had intentionally/knowingly done the violation and/or it was essential, not easily replaceable software which saved you a lot of money and/or gave you other benefits, things are different.

But this isn't really the case in this case as far as I can tell.

I don’t think this situation is inherently different from buying a proprietary library, and discovering that the vendor stole code from the Windows kernel. Or a musician buying a sample, and discovering it was copied from a Disney movie.

You’re responsible for the stuff you use. You should audit it as well as you can—but realize that crap always happens.

It's a lot less likely that Windows kernel code or Disney music is going to be included by mistake, so your potential exposure is much less. In the case of the Windows kernel, it's a lot less likely that anyone is even going to have it because even the leaks of Windows code are distributed to orders of magnitude fewer people than GPL code.

The Windows kernel was a random example and probably not the best one. I don’t think it’s so crazy to think an employee at a vendor would copy-paste some code they wrote for a previous vendor.

My point generalizes, though.

As a rule, proprietary code isn't distributed widely, so there are few opportunities to include it, and as a rule, the harsher restrictions on distributing it make people less likely to not notice that they're not supposed to distribute it. It's much more likely that incompatibly licensed GPL code would be widely distributed and that it would be included by mistake.

Sure, you described a scenario where this can happen to proprietary code. It's not impossible, just less likely.

That’s fair. I guess I just don’t see this as a failing of the GPL. If I want to share some code so others can read it (for education/interest/research/whatever) I should be able to do so—while reserving all rights to reuse the code if I so choose.

So what is a good license for "everybody can use this 100% free of charge but please don't change one line and call it yours"? What about a company like Amazon copying your codebase, throwing millions at it and then leaving you in the dust?

MIT seems far too permissible now and I'm looking for a default license for my projects.

I have been a big fan of the Mozilla Public License 2.0 [1]. I find it is the best combination of "if you use this and improve or modify, those changes need to go to the original code" while not restricting overall usage.

IMO there really isn't anything you can do to prevent people from making a product out of your work if it is open source, but what you can do is make sure that if someone makes improvements to your work, those improvements need to be publicly available under the MPL2.0 license as well.

This has the effect that if someone wants to make a product by just 'adding one line' that line needs to be published and you could add it upstream, making it publicly available again(thus making it harder to make a product solely from your code).

[1] https://choosealicense.com/licenses/mpl-2.0/

Isn't that the same as LGPL?

> What about a company like Amazon copying your codebase, throwing millions at it and then leaving you in the dust?

Well, they can do that with the GPL thus spawned the AGPL which didn't fix the problem either thus MongoDB and companies licenses.

> "everybody can use this 100% free of charge but please don't change one line and call it yours"

Well, the BSD licenses require that "redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms".

I know some GPL advocates tend to feel they can remove the copyright statement, but BSD code is BSD code and requires your copyright statement to be preserved.

Different generations of the BSD and Apache licenses have had attribution clauses of various levels of strictness. (Older ones were more strict.) Neither are copyleft (like GPL/CDDL) forcing future improvements to be open sourced. CDDL may be interesting as a way of preventing improvements to a code base from going "dark" while still being non-copyleft compatible. (Hello Sun/Oracle.) Another commenter mentioned MDL, which CDDL was based on for Sun's needs; that is also worth looking at.

> This is the sort of thing that makes some people really wary of the GPL and other "viral" licenses

True, though the people most concerned about GPL & related licenses are usually commercial users, and commercial licenses that include code access are no less "viral" than the GPL.

Exactly the same thing happens with non open source, proprietary code which leaks into open projects.

> makes some people really wary of the GPL and other "viral" licenses

It's worse than that surely - as in this case, avoiding GPL doesn't prevent the problem. This sounds like, from a medium-paranoid legal perspective, it would "prove" that even non-GPL code isn't safe, thus discouraging usage of any open source software [edit: dependencies].

> One can only imagine if it was AGPL instead of GPL

Right, that seems like the only saving grace that avoids this being a potentially apocalyptic event.

Why would closed source software be safe? Say I copy shared-mime-info completely, compile it, sell it to you as MimeWizardPRO2000, you include it as part of your closed source web framework and sell that. You're still distributing GPL code without making your source available.

I think it's different if you are re-using source (with GPL notices) or binaries (which don't have them).

> the GPL and other "viral" licenses

I really hope someone writes an article with the title "what color is your license?"

> GPL and other "viral" licenses

“When others hurt me, I try to defend myself. But some tell me that this makes them sick. They tell me that I should permit people to rob me of my work. They tell me that I should never try to defend myself.

They tell me that I should stop using the GNU General Public License, a license that vaccinates me against hurt. Instead, I should adopt a license that permits other people to rob me with impunity. They want me to adopt a license that forbids me from fighting back. They want me to give up my right to benefit from a derivative of my own work, a right I possess under current copyright law.

Of course, the language is a little less feverish than this. Usually, I myself am not called “infectious”. Rather, the legal defense that I use is called “infectious”. The license I choose is called “viral”.

In every day language, words such as “infect” and “virus” describe disease. The rhetoric is metaphorical. A legal tool is not a disease organism; but it is popular to think of the law as an illness, so the metaphor has impact.

The people who want to rob me use language that says I make them sick when I stop them from robbing me. They do not want to draw attention to the so-called “disease” that makes them ill: my health and my rights, and the health and rights of other people. Instead, they choose metaphor to twist people's thinking. They do not want anyone to think that I am a good citizen for stopping crime. They want the metaphor to fool others into thinking that I am a disease agent.

The GNU General Public License protects me. The connotation of “virus” and “infect” is that my choice of defense gives an illness to those who want to rob me. I want freedom from their robbery; but they want the power to hurt me. They get sick when they cannot hurt me.

To use another health and illness-related metaphor, the GNU General Public License vaccinates me; it protects me from theft.

Note that the theft about which I am talking is entirely legal in some situations: if you license your work under a modified BSD license, or a similar license, then others may legally take your work, make fixes or improvements to it, and forbid you from using that code. I personally dislike this arrangement, but it exists.”

— Robert J. Chassell, Viral Code and Vaccination, https://www.gnu.org/philosophy/vaccination.html