[misnome]

Ah, right, so it doesn't make it automatically GPL2 unless they want to continue to distribute it - and presumably only the original GPL2 licence-holder(s) are in the position to raise the issue of past infringement-via-distribution.

And so presumably unless rails was actively distributing bundles with it they'd would not be counted as "distributing" this GPL dependency.

It does sound like exactly the sort of hole that AGPL is designed to close is the saving grace here?

[dathinab]

Somewhat, but the thing is even if they sue, as long as the offender (rails? rails user?) does stop distributing the software until they replaced the code in question the amount of damages you can sue for can be surprisingly little.

If it would be a "essential" component like e.g. Linux it's a bit of a different matter. But as long as it's a non essential easy to replace library the cost of suing might noticable outclass the any money you can get out of it.

This is not a given thing, but at least it's not unlikely as far as I can tell.

IMHO using GPL for anything but full blown Applications, System Components or very large/complex/tricky libraries is kinda pointless.

And for them GPL isn't good enough in the current ecosystem, so you might need to go with AGPL or SSPL. Both which are noticeable less liked then GPL by many.