-
Notifications
You must be signed in to change notification settings - Fork 899
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GPL License compatibility issues #527
Comments
It is not that easy. See the compatibility matrix in https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility
This is not a problem but is to be expected in open source development. There are many authors in a project and everyone can choose the license conditions for his/her piece of code.
There is one license for the proxmark project. See LICENSE.txt. The Proxmark3 repository is currently licensed under GPLv2. The README.md allows distribution under GPLv2 or later.
I AM interested. I am not a lawyer but I would think that repository admin @W8M2Hg9lLmWqXSGC and even more those merging code are accountable and responsible for license violations. Therefore checking license conditions is part of my code reviews. Coming back to the original question, see https://www.gnu.org/licenses/license-list.en.html
|
So pm3 project allows for GPL3.0 with the current statement of allowing later ones. Introducing new code under a laxer license, well, that might not work as you already suspect. However, sadly, as I mentioned, the licenses is not that easy going in pm3. For example the loclass source code is only GPL2.0 without the extra notion "of any later version", effectivly blocking everything down to GPL2.0. https://github.com/Proxmark/proxmark3/blob/41f08b7c08928060a8dd84916fddf294fab7f26c/client/loclass/cipher.h Then we have roel license here, I am sure there are more, maybe compile a list of the different licenses used already in PM3 would actually be helpful in your task of finding compatible licenses for new source code to be added. |
And I also belive you have to compile a list of all copyright owners in the project, in order to know which ones to contact when the violations occure, which also needs to be maintained. And there are public domain code aswell. This will a busy Christmas. |
My approach is that the indivual copyright holders are responisble to keep track of when violations are made and notify according to the license used in order for compliancy. Its none of my business. You can also start complaining to RyscCorp for breaking the PM3 GPL2.0, by not sharing their source code for their pm3 firmware they make / sell their devices with. We have seen posts on the forum about non-working firmware, Not to mention those obscure chinese firmware which other pm3 devices are sold with. So, are the maintainers responsible for that too? In my view no. You might have different view of it. |
as I see:
so we can do anything with this code except of deleting copyright in the files. as for code written by contributors - if someone writes code into repository with license - he(she) accepted this license. if he dont write his license into PR messages. |
If you show me a legal predujacte stating that the legal acceptans of a code-commit overrules your own license, I will belive it. Still, that would be only valid in one country and might as well be different in other countries. This makes the open-sourced idea quite funny, it was suppose to take away closed-source and enable end users to own the right to change the source code themself, but it turned out to be a more complex legal matter than before. Every time ppl talk about their concerns of open-source makes me chuckle inside. The real complexity in the legal perspective is huge. Try to claim your rights, as the original open source license holder against companies in different countries, try taking them to court. It can and most likely take years of effort and costs. But it also gives the original holder the possibilty to say, I don't have to offer support, you do it yourself. We are not even talking about a software patent either. |
https://en.wikipedia.org/wiki/MIT_License so its ok |
We already have MIT-licensed source code in PM3.. https://github.com/promark/proxmark3/blob/master/liblua/lua.h |
The idea that liblua now would be accepted as GPL2.0 because it was commited into PM3 is clearly not valid. |
@iceman1001 wrote:
No, I don't think that the maintainers are responsible if other people violate the PM3 license conditions. And I didn't say that. I said that I think that maintainers are responsible if they merge code written by other authors and thereby violate the other author's license conditions. Therefore it is absolutely correct to assess the JSON libraries license conditions. I agree with @merlokk that @akheron's code can be legally included because its MIT license is compatible with GPLv2.
Indeed, this is not valid. liblua still remains licensed under MIT license. But the MIT license allows to use the code in a GPLv2 licensed program. |
Correct. We cannot choose the "or later" option for PM3 any more without getting rid of the loclass code or the author's explicit permission.
Not only since that code. Even without that code we cannot add GPLv3 code to PM3 because GPLV3 code it is not compatible with the PM3's GPLv2. |
I ran a reporting tool (scancode-toolkit), but this doesn't seem to pick up some of the GPLv2 only vs. GPLv2+ distinction in many cases. It will reduce the sample size a fair bit when auditing this stuff. However, This also identifies all the files that are missing license/copyright headers. I've taken the action for now to remove all the offending ( There are some bitwise operations used from that I think that bitwise operations and IClass support are two separate concerns, so it would be good if we can at least get the license changed to GPLv2+ for at least the bitwise operations.
|
I have spoken with @holiman and he is willing to modify his license for the proxmark3 project, to use the term "any later version". At least his part will not lock down the pm3. Very kind of him. |
Done, LMK if that's alright. Also, fwiw, I hereby grant the proxmark project perpetual license on all the loclass stuff. |
@micolous: thanks for the analysis. Didn't notice the reveng issue yet. After loclass has been sorted out I do see reveng as remaining issue and the following options to mitigate:
|
I doubt reveng is a widely used option inside the pm3 client, so I see nothing wrong with removing it. The second option would be a nice option but then the binary would have to be present. |
Not really finished with iClass. |
I never build armsrc bits in my fork. It's only relevant for the firmware,
which is not distributed in the APK.
…On Tue., 2 Jan. 2018, 21:08 Iceman, ***@***.***> wrote:
Not really finished with iClass.
@holiman <https://github.com/holiman> it turns out you have the
armsrc/optimized_cipher.c / .h files also as GPL2..
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#527 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAPEP3AK08KqoNRTDf83viPLtSh22cT-ks5tGgAHgaJpZM4RKrm2>
.
|
(its license was not compatible with PM3 license, see issue Proxmark#527)
not yet, see my previous post. |
Updated armsrc/optimized_cypher.[ch] as well (PR #554). |
not really... |
It is not my own. It is holiman's. |
No, its not. Holimn didn't change that file, hence it follows its licens gpl2.0 |
Please have a closer look at loclass/d04d51a. |
Yes, I read it. Where do you see holiman changed those files you changed license for? |
And I don't see any text stating that we are granted the right to change license anywhere. |
Edited my last post. See holiman's commit. |
link not working. |
Mobile travelling. Check holimans loclass github repository. |
The idea of editing posts is also interesting, it makes whole conversations quite hard to follow, since the answers/comments now are totally out of context. Still, in the commit on loclass, nothing that I have asked about has been answered. |
That's because you are too fast with reading and answering. 😄 Will answer when back at PC. |
To recapture: holiman/loclass@d04d51a Where in that commit do you:
|
Speaking of changing licenses, remember this one? http://www.proxmark.org/forum/viewtopic.php?pid=19460#p19460 |
Hey! See holiman/loclass#1 and the commit: holiman/loclass@d04d51a#diff-6d4aaeff70a9b9ed500a162854a5355b . |
@holiman you need to merge that PR so we can put this one to the history books. |
I did, on December 26. Don't know what all the confusion is about... The license update covered all files. |
So
holiman/loclass@d04d51a#diff-6d4aaeff70a9b9ed500a162854a5355b .
None were forgotten :) |
Well, if you conside your file under "loclass/folder" , to be the ones related to armsrc/ ones, we almost be fine, with a message saying "Swapped to the files with updated license from holiman/loclass/ folder, given refence [insert link here]." However, since those two files doesn't exist in PM3 client/loclass folder, the PR #554 just look like we are changing licenses without granted rights. About finding the granted right under a closed issue where posts can be edited, is less optimal than what I would prefer. As I see it, possible solutions is:
I'm fine with any of them. The last one is the simplest one. |
Copied from #520:
@merlokk wrote:
@iceman1001 wrote:
@pwpiwi wrote:
@iceman1001 wrote:
@pwpiwi wrote:
@iceman1001 wrote:
The text was updated successfully, but these errors were encountered: