New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please clarify Apache 2.0 license and if it applies to older versions of CUPS as well #5174

Open
joshgay opened this Issue Nov 16, 2017 · 11 comments

Comments

@joshgay
Copy link

joshgay commented Nov 16, 2017

I know that older versions of CUPS that have already been published under the terms of LGPLv2/GPLv2 are going to remain available for use under those same terms.

However, I am wondering, if we are now also permitted to use older versions of CUPS under the terms of the Apache 2.0 license separately and instead of the LGPLv2/GPLv2 licensing terms?

For example, hypothetically, if I have a project that includes code that was taken from release-2.0.0 but that code no longer appears in the newer versions of the CUPS code base (which is licensed under the terms of Apache 2.0), do I now have permission to use those files (the release-2.0.0 code) under the terms of the Apache 2.0 license or does that code remain exclusively for use under the terms of LGPLv2/GPLv2?

Since Apache 2.0 and LGPLv2/GPLv2 are apparently incompatible licenses, this creates a hypothetical conundrum for me, since it means I could not patch older versions of the CUPS code base (or derivative works of the older code base) with code taken from newer versions of the code base.

Your clarification and guidance on this matter is greatly appreciated and I thank you in advance for your time.

@Conan-Kudo

This comment has been minimized.

Copy link

Conan-Kudo commented Nov 26, 2017

@joshgay The obvious answer is obvious. You can't as the code before e310189 is GNU GPL, and code from that point onward is ASL 2.0.

It's the end of the line, bucko! 🤠

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator

michaelrsweet commented Nov 27, 2017

@Conan-Kudo I know you are joking, but please let me respond... :) Thanks!

@joshgay I've made my boss and our legal folks aware of your concerns; not sure what will come of it, but will update you as soon as I have an official answer about what we'll do for backporting/back-licensing bug fixes for previous versions of CUPS. As for making prior versions of CUPS available under the ASL2, Apple will not be doing that...

Generally speaking, any security patches we publish, e.g., for CERT advisories, are provided for multiple versions of CUPS and under the terms of the license for each version of CUPS. I don't see that changing, but that would mean GPL2/LGPL2 for earlier versions of CUPS and ASL2 for CUPS 2.3 and beyond.

Non-security bug fixes are currently just pushed to master (ASL2). While we don't post separate patch files to bug reports for specific CUPS versions, often the same changes will apply to older CUPS releases and those bug fixes are typically changes to a few lines of code and not major new content. I will try to get clarification from Apple legal on this situation so that we can clearly communicate which changes are available for use in older CUPS releases (under the GPL2/LGPL2) and which ones are considered new content/features.

@joshgay

This comment has been minimized.

Copy link

joshgay commented Nov 27, 2017

@michaelrsweet and @Conan-Kudo thank you both for your replies and also for escalating my concerns upward. The information you have provided is very helpful and I imagine any additional clarifications you can provide in the future on licensing of backports will also be appreciated by GNU/Linux distro developers and other CUPS package maintainers/distributors.

@zdohnal

This comment has been minimized.

Copy link
Contributor

zdohnal commented Jan 3, 2018

Hi Mike,
I see there is beta of CUPS 2.3.0, is there any update to this license matter from Apple side?

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator

michaelrsweet commented Jan 8, 2018

@zdohnal Sorry, not yet. I will ping the people involved to see if we can make some progress now that the holidays are behind us...

@zdohnal

This comment has been minimized.

Copy link
Contributor

zdohnal commented Jan 9, 2018

@michaelrsweet Thank you Mike! I hope we can find solution which makes everyone happy!

@zdohnal

This comment has been minimized.

Copy link
Contributor

zdohnal commented Feb 22, 2018

@michaelrsweet Just adding proposition of solution from cups-devel mailing list - same solution use LLVM and I hope it is acceptable for Debian too (it is acceptable for Fedora).

LLVM uses exception of Apache license for GPLv2 [1] and adds this paragraph to license file:

In addition, if you combine or link compiled forms of this Software with software that is licensed under the GPLv2 (“Combined Software”) and if a court of competent jurisdiction determines that the patent provision (Section 3), the indemnity provision (Section 9) or other Section of the License conflicts with the conditions of the GPLv2, you may retroactively and prospectively choose to deem waived or otherwise exclude such Section(s) of the License, but only in their entirety and only with respect to the Combined Software.[2]

Just to mention, I cannot package CUPS 2.3 for Fedora until this licensing issue isn't solved :( .

[1] https://blog.gerv.net/2016/09/gplv2-combination-exception-for-the-apache-2-license/
[2] http://lists.llvm.org/pipermail/llvm-dev/2016-September/104778.html

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator

michaelrsweet commented Feb 26, 2018

@zdohnal Just a status update - we haven't forgotten about this issue and are still working it... :) FWIW, we're not going to release a 2.3.0 until the licensing issues are settled.

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator

michaelrsweet commented Nov 8, 2018

Still waiting... :/

@dankm

This comment has been minimized.

Copy link

dankm commented Dec 21, 2018

Still waiting... :/

Still waiting? I have a related technical and legal question. Are there now any plans to replace the GnuTLS dependency with something licensed Apache-2.0 or even more permissive, such as mbedTLS?

@michaelrsweet

This comment has been minimized.

Copy link
Collaborator

michaelrsweet commented Dec 22, 2018

Yes. still waiting... :/

There are no plans to replace GNU TLS with anything else at this point. As for mbedTLS (PKA PolarSSL), I can't see us adopting it since the license options are Apache 2.0 without exceptions and GNU GPL (not LGPL), making it incompatible with a lot of existing code linking against libcups.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment