by tsbinz 1918 days ago
> Rails used a gem by a different developer, a gem that had its own MIT license. The Rails project and all others using Rails cannot be expected to have known the license is invalid, so usually the GPL does not count for their usage back then.

> You can in general never retroactively change a license, so their usage back then was certainly valid.

I would ask a lawyer about that. As it has been explained to me, the original author didn't have the right to distribute it under the MIT license, so they (Rails) never had a valid license. It's similar with images: even when you grab one off Flickr or another page and it specifies a license you like, that does not mean that whoever posted it there actually had the right to do that, and if they didn't, you can get sued.


You are right, that's a shaky part and where the insecurity comes from - and sure, get a lawyer if you want more certainty. It depends where you are anyway. Better answers to that are already here. Just one thing:

> the original author didn't have the right to distribute it under the MIT license, so they (rails) never had a valid license.

Thing is, if it's really about a database file that was not copyrightable, the gem author did have the right to distribute it. That's a happy circumstance of this specific case, making all of this less severe either way.

How is one supposed to reasonably know, when downloading a package from a public repository, that the included license is authoritative? Are we supposed to research every package we use, and scour all software in existence to maybe trace back true ownership to someplace else? Seems like an auditing nightmare.

You can't. If you're notified then you need to promptly fix the issue with the complainant. When it comes to being sued for damages you can point at the fact that there was no reasonable way for you to know that the license you trusted was invalid, and at the author who was presumably negligent. If you've cooperated fully and mitigated it quickly, that should protect you. Ignorance in this case is an excuse when it is reasonable and defensible ignorance, and not negligence on your part.

> Seems like an auditing nightmare.

Yes, and that's why large companies are often extremely reluctant to take in third-party code without auditing it and estimating the risk.

In fact they even sell insurance for this, and companies that want you to use their software can offer indemnity protection with the same effect.

"What if somebody sues me because my use of your software constitutes a violation of their intellectual property rights?" – "Don't worry, we will protect you. Since you pay so much money and are a valued customer of XYZcorp, we don't want you to worry about such things. You'll be covered by our umbrella policy."

This conversation certainly happens, (although it almost certainly wouldn't have happened between any of "Rails" customers and the Rails core team.)

This has not been my experience. Getting the work done fast is prioritized more highly than the (small) compliance risk. Unless the company wants to pay you to invent a bespoke in-house version of React.

For using open source stuff while working on your machine there are often pre-approved licenses. But for production use, and even more for software being distributed, at any serious place I have seen there is paperwork. (Sometimes of better quality, sometimes more of a rubber-stamp process.)