[onli]

> If the previous version contains GPL code, it’s GPL. It doesn’t matter if you slap an MIT license file on it, or used it in “good faith” presuming it was MIT license.

This depends.

Rails used a gem by a different developer, a gem that had its own MIT license. The Rails project and all others using Rails can not be expected that they ought to have known the license is invalid, so usually the GPL does not count for their usage back then.

You can in general never retroactively change a license, so their usage back then was certainly valid. You can [be forced to] stop using a license and re-license future versions of an artefact, and also possibly have to stop distributing the old versions. But that's on the gem's author, not Rails, and would likely not even impact future usage of the old, already obtained versions.

If the original author wanted to claim damages under GPL from Rails, he would have to do so via the gem's author. And even then: What damages? And would the projects have had to know? None and no is the likely answer, safe juridical incompetence/corruption like in the Oracle-API case.

It would be further be complicated by the file in question being a database file. You typically can not license databases in a meaningful way under GPL. Even if you could, reading a GPL'd database has no chance of carrying GPL code obligations over to the consuming program.

As always with those questions, this might depend on your specific jurisdiction. Also, it means in no way that it is not the ethically right thing to swap the dependency to one that does not have this issue.

PS: Also consider that in most uses of Rails, GPL or MIT does not change much, as accessing a server running GPL software does not trigger GPL's distribution clause (you want the AGPL for that). This already limits the impact here. The Github thread has comments in the direction of all Rails projects having to be open source now if the license changed to GPL. Not only can the license of old versions not change, this is also not the effect GPL would have.

[btilly]

"You can in general never retroactively change a license, so their usage back then was certainly valid."

No, it wasn't. It was reasonable, but not valid.

They were using copyrighted code without permission from the copyright holder, relying on a false claim. The false claim gave them no right to use the copyrighted code, and will not protect them if the copyright holder sues them. However the fact that they were acting in good faith and had no idea is likely to help them when it comes to damages. And furthermore if they got sued, then they would have the right to sue the author of the gem whose false claim got them in trouble.

If the original author wanted to claim damages under GPL from Rails, he would have to do so via the gem's author. And even then: What damages?

I have no idea why you think that the copyright holder would have to go to the gem's author to sue about a copyright violation. Furthermore damages are not the only thing you can sue for. See https://www.lib.purdue.edu/uco/CopyrightBasics/penalties.htm... for a list. That statutory minimum of $200 per infringement can add up really fast when you're generating copies electronically.

[smarx007]

I think MIT license only claims the code I wrote is provided under MIT (that's why you also have to include a NOTICES file listing other library licenceses in addition to the LICENSE file). It's not like they put MIT header and their name on that XML file.

> then they would have the right to sue the author of the gem whose false claim got them in trouble

I think this is where a useless all-caps text comes handy:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND [...] AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Noninfringement is mentioned right there. It literally says that I DO NOT promise you that my code that I license to you under MIT (in good faith, ofc) does not infringe anyone's rights.

[btilly]

You have a point, but it is not as absolute as the license suggests.

The problem is that a license is overridden by local law if there is a conflict. For example suppose that there is a law saying there is an implied warranty that goods sold are yours to sell, and you sold a stolen good "as is". In that case the law wins and the buyer can still sue you for having sold tem stolen goods.

And as https://www.klemchuk.com/legal-insights/warranty-against-inf... explains, a common local law is an implied warranty against infringement on others' intellectual property. Which a copyright violation would qualify as.

As always, I am not a lawyer, and this is not legal advice. If something like this arises in practice, you should consult a lawyer familiar with the laws of the venue that the case will be decided in to find out whether any laws apply, and to what extent the generic liability disclaimer won't actually provide protection.

[onli]

> They were using copyrighted code without permission from the copyright holder, relying on a false claim.

Again, that does not seem to have been the case here.

> I have no idea why you think that the copyright holder would have to go to the gem's author to sue about a copyright violation.

1. It depends where you are, which jurisdiction gets applied. Might explain the different expectation. 2. It'd be the gem author that created an unlicensed derivative work, not anyone else directly. Have fun claiming damages, copyright infringement or anything for indirect usage in such a good faith situation. I really think that wouldn't fly, but again, might depend where you are.

[btilly]

Again, that does not seem to have been the case here.

Again? Not sure where you said it. But the copyright holders in question are the authors of shared-mime-info, and they certainly never gave permission for their work to be used by Rails in the way that it was.

It depends where you are, which jurisdiction gets applied. Might explain the different expectation.

I'm in the USA. But I'm pretty sure that what I said is generically true.

It'd be the gem author that created an unlicensed derivative work, not anyone else directly.

Copyright is triggered by downloading unlicensed copies. And lots of people other than the gem author did that.

An unlicensed derivative was created by anyone who used Rails and wrote code that did mime detection - for example they were handling uploaded files.

It is an open question whether these cases are worth litigating, and what would be decided in court. They might well decide that there isn't enough creative work in the compilation for the file in question to have copyright protection at all. But in the meantime it would be a generally good idea to treat the issue seriously, and to accept that lots of people are potentially liable here. (Even if, in all probability, none will suffer more than a temporary inconvenience as the dependency is removed.)

[onli]

> Again? Not sure where you said it

Here, it was in the comment (and not an edit :) ):

> It would be further be complicated by the file in question being a database file. You typically can not license databases in a meaningful way under GPL. Even if you could, reading a GPL'd database has no chance of carrying GPL code obligations over to the consuming program.

But I actually just wrote again because I made that point in another subthread, no criticism implied.

[btilly]

Not so fast in that claim.

First of all the infringing file is https://github.com/minad/mimemagic/blob/master/script/freede.... Sure, it is in XML. But it contains a tremendous amount of free-form text, specific sets of pattern matching rules for the data types, and so on. It is a compilation of sometimes original research on the best ways to detect file types. Ruby has other mime libraries. The reason why this one was chosen is that its detection algorithms make better choices. And the reason that they make better choices is that they copied the decision rules from a GPLed project.

But even if it were a simple compilation, it still is not guaranteed that there is no copyright. See https://en.wikipedia.org/wiki/Copyright_in_compilation for an introductory article on what can and can't be copyrighted about a compilation. And one of the elements that matters is creativity in the selection of the material. A set of rules with a lot of "look for this" while leaving out various reasonable thats that don't work so well shows considerable creativity.

That said, a judge may decide otherwise. You never know until a judge decides. But I would not presume that there is no copyright interest to be had here.

[tsbinz]

> Rails used a gem by a different developer, a gem that had its own MIT license. The Rails project and all others using Rails can not be expected that they ought to have known the license is invalid, so usually the GPL does not count for their usage back then.

> You can in general never retroactively change a license, so their usage back then was certainly valid.

I would ask a lawyer about that. As it has been explained to me, the original author didn't have the right to distribute it under the MIT license, so they (rails) never had a valid license. It's similar with images, even when you grab it off flickr or another page and it specifies a license you like, that does not mean that whoever posted it there actually had the right to do that, and if they didn't, you can get sued.

[onli]

You are right, that's a shaky part and where insecurity is coming from - and sure, get a lawyer if you want more certainty. Depends where you are anyway. Better answers to that are already here. Just one thing:

> the original author didn't have the right to distribute it under the MIT license, so they (rails) never had a valid license.

Thing is, if it's really about a databasefile that was not copyrightable the gem author did have the right to distribute it. That's a happy circumstance of this specific case, making all of this less severe either way.

[JMTQp8lwXL]

How is one supposed to reasonably know, when downloading a package from a public repository, that the included license is authoritative? Are we supposed to research every package we use, and scour all software in existence to maybe trace back true ownership to someplace else? Seems like an auditing nightmare.

[lamontcg]

You can't. If you're notified then you need to promptly fix the issue with the complainant. When it comes to being sued for damages you can point at the the fact that there was no reasonable way for you to know that the license you trusted was invalid and at the author who was presumably negligent. If you've cooperated fully and mitigated it quickly that should protect you. Ignorance in this case is an excuse when it is reasonable and defensible ignorance, and not negligence on your part.

[johannes1234321]

> Seems like an auditing nightmare.

Yes and that's why large companies are often extremely reluctant to take in 3rd party code without auditing and estimating the risk.

[yebyen]

In fact they even sell insurance for this, and companies that want you to use their software can offer indemnity protection with the same effect.

"What if somebody sues me because my use of your software constitutes a violation of their intellectual property rights?" – "Don't worry, we will protect you. Since you pay so much money and are a valued customer of XYZcorp, we don't want you to worry about such things. You'll be covered by our umbrella policy."

This conversation certainly happens, (although it almost certainly wouldn't have happened between any of "Rails" customers and the Rails core team.)

[JMTQp8lwXL]

This has not been my experience. Getting the work done fast is prioritized more highly than the (small) compliance risk. Unless the company wants to pay you to invent a bespoke in-house version of React.

[johannes1234321]

For using open source stuff while working on your machine there are often pre approved licenses. But for production use and even more for software being distributed any serious place I have seen, there is paperwork. (Sometimes of better quality, sometimes more of a rubber stamp process)