this post was submitted on 26 Jun 2023
94 points (96.1% liked)

I found two apps that seem to be violating the AGPL license. They both use the AGPL-licensed lemmy-js-client library, which means the apps themselves should also use the same license (which is the whole purpose of Copyleft). But they aren't. I don't know if Lemmy developers and contributors are aware of this.

The apps:

https://github.com/ando818/lemmy-ui-svelte - Apache license

https://github.com/aeharding/wefwef - MIT license

What should we do about this as a community? I informed one of the app's developers about this and it doesn't seem like they care. I wonder if some of the proprietary apps that are being developed right now also rely on this library.

top 18 comments
[–] [email protected] 46 points 1 year ago* (last edited 1 year ago) (1 children)

Looks like you are correct, these projects are required to be AGPL: https://opensource.stackexchange.com/questions/2684/monetizing-and-licensing-with-agpl-libraries

When your program uses an AGPL library, then your whole program must be licensed under the AGPL.

I would simply create an issue in the relevant repositories and let them know.

[–] [email protected] 32 points 1 year ago (1 children)

After reviewing this, I’ve updated the license for Memmy. Frankly had no idea, good idea to let people know like you said and just kindly inform them through GitHub or otherwise.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for changing it so quickly :). Your app looks very cool, btw. I don't use iOS, but I will start recommending it to others.

Edit: just noticed that it's for Android too. But I assume it's not in the store yet?

[–] [email protected] 3 points 1 year ago (1 children)

I think I got stuck in review hell. I resubmitted a build today.

[–] [email protected] 5 points 1 year ago

Could you submit it to fdroid too since it is GPL now ;)

[–] [email protected] 28 points 1 year ago (1 children)

File an issue in their repos, sometimes people (understandably) do not understand licencing very well — or it might be they were granted an exception.

If that fails you can contact the library author and the repositories who host the code.

[–] [email protected] 12 points 1 year ago (1 children)

This.

Not all violations are ill-intended, and most amateur devs aren't specialists in licensing.

[–] [email protected] 13 points 1 year ago (1 children)

Most professional developers aren't either. Many companies employ people and/or deploy software to detect license violations.

[–] [email protected] 4 points 1 year ago

Oracle has entered the chat.

[–] [email protected] 16 points 1 year ago
[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

They are loading this library via NPM AFAIK, so it is not included in the repo. Of course the final compiled release should be AGPL, but they are free to use a more liberal license in their own repo as long as it allows combining with AGPL software.

MIT for sure, but I think also Apache license (one way?) allows this so I think on license grounds this is ok. But IANAL.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)

That's what I thought as well.

If you just clone the repo there will not be any sources from the AGPL:ed source within the project, only a text mentioning the name.

However, if you build it locally, it will pull in the third-party libraries. So as long as they aren't distributing any built packages without an AGPL-compatible license, I don't think they are doing anything wrong.

(IANAL)

[–] [email protected] 3 points 1 year ago

Agreed, I think this is a misunderstanding as well of the AGPL but IANAL

[–] [email protected] 13 points 1 year ago

Here's the relevant section of the GPL FAQ:

https://www.gnu.org/licenses/gpl-faq.html#IfLibraryIsGPL

If a library is released under the GPL (not the LGPL), does that mean that any software which uses it has to be under the GPL or a GPL-compatible license?

Yes, because the program actually links to the library. As such, the terms of the GPL apply to the entire combination. The software modules that link with the library may be under various GPL compatible licenses, but the work as a whole must be licensed under the GPL. See also: What does it mean to say a license is “compatible with the GPL”?

[–] [email protected] 10 points 1 year ago (1 children)

I believe it's up to the license holder to enforce it.

So notifying the respective projects can't hurt, but if they refuse to comply, and the copyright owner of lemmy-js-client doesn't care, then the code is probably licensed incorrectly.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago)

I mean if you really wanted to enforce it, anyone who contributed to Lemmy-js-client can submit a DMCA takedown. But that would be beyond silly, since most people are just trying to build cool things and don't want to enter a licensing drama.

Best course of action is to point out the license error and let downstream figure it out.

[–] [email protected] 4 points 1 year ago

The Free Software Foundation is a good place to learn about open source licensing and they can assist with enforcement if needed.

[–] [email protected] 2 points 1 year ago

I'm just a bystander here, but I would recommend taking this very seriously. The free-software-writing community already gets a certain amount of license abuse from the corporate side (RHEL being a recent example). If we are being lax about license violations internally, that puts us in a much weaker position in the face of whatever is inevitably coming in the future.

E.g., maybe Meta grabs the MIT-licensed app, adds additional technology to it that makes life difficult for the existing Fediverse community, and deploys it, refuses to share their changes. They could do that anyway, and we might have to figure out how to respond to it, but it puts us on a lot firmer ground legally and PR-wise if we've been on point about our internal licensing up until that point vs. if no one's really been bothered about license violations in the past.

It doesn't mean that someone from the community who's just trying to contribute something good and doesn't share that viewpoint suddenly needs to become "the enemy." We can just have an open discussion about the technical details of licensing and why they're important. But I wouldn't take it lightly.
