Hello Fedora Legal, a piece of software was recently discovered in Fedora Copr and it is now causing a contention about whether it should be allowed to be there or not. I am kindly asking for your ruling.
The project in question is here: https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream: https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be under the GPLv3 license.
The package provides several executables:
/usr/bin/gpauth /usr/bin/gpclient /usr/bin/gpgui-helper /usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So far, no problem. However, when executing some of them (with the exception of gpclient) the following tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file: https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/...
It contains just a single binary called gpgui which is licensed under a proprietary license and developed in a private repository, according to the author: https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecomment-1...
When running the program, it says it is a 10-day trial and prompts for buying a license here https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from a legal perspective) or whether this is a violation of either GPLv3 or Copr conditions https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-i...
Thank you very much for your help, Jakub
On Thu, May 16, 2024 at 10:31 AM Jakub Kadlcik jkadlcik@redhat.com wrote:
Hello Fedora Legal, a piece of software was recently discovered in Fedora Copr and it is now causing a contention about whether it should be allowed to be there or not. I am kindly asking for your ruling.
The project in question is here: https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream: https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be under the GPLv3 license.
The package provides several executables:
/usr/bin/gpauth /usr/bin/gpclient /usr/bin/gpgui-helper /usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So far, no problem. However, when executing some of them (with the exception of gpclient) the following tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file: https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/gpgui_x86_64.bin.tar.xz
It contains just a single binary called gpgui which is licensed under a proprietary license and developed in a private repository, according to the author: https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecomment-1...
When running the program, it says it is a 10-day trial and prompts for buying a license here https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from a legal perspective) or whether this is a violation of either GPLv3 or Copr conditions https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-i...
I think the Copr conditions side of this is kind of unclear and it relates to an issue that came up in the thread about packaging machine learning models. If something distributed by Fedora (including through a copr repository) is entirely compliant with Fedora technical and licensing standards, but when you run it it downloads some additional proprietary software, does that violate Fedora policy, even if there's no issue of license noncompliance? As to the GPLv3 issue, I can't speculate just on the facts you've stated, other than to say it is probably not inherently a GPLv3 violation.
So I don't know if this should be seen as conformant to Fedora legal and packaging policy, even leaving aside the issue of how much Copr repositories can deviate from those policies, which seems itself to be unclear.
Richard
On Thu, May 16, 2024 at 04:31:14PM +0200, Jakub Kadlcik wrote:
Hello Fedora Legal, a piece of software was recently discovered in Fedora Copr and it is now causing a contention about whether it should be allowed to be there or not. I am kindly asking for your ruling.
The project in question is here: https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
And its upstream: https://github.com/yuezk/GlobalProtect-openconnect
Both the upstream project and the package that is built in Copr claim to be under the GPLv3 license.
The package provides several executables:
/usr/bin/gpauth /usr/bin/gpclient /usr/bin/gpgui-helper /usr/bin/gpservice
All of these seem to be compiled from the mentioned upstream sources. So far, no problem. However, when executing some of them (with the exception of gpclient) the following tarball is being downloaded to the user machine:
INFO gpgui_helper::updater] Downloading file:
https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/...
It contains just a single binary called gpgui which is licensed under a proprietary license and developed in a private repository, according to the author: https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecomment-1...
The README in the github repo you linked earlier also clearly states the GUI part of the project is proprietary code:
"The GUI version is partially open source. Its background service is open sourced in this repo as gpservice. The GUI part is a wrapper of the background service, which is not open sourced."
When running the program, it says it is a 10-day trial and prompts for buying a license here https://yuezk.lemonsqueezy.com/checkout
I would like to ask you whether this is just a shady practice (but OK from a legal perspective) or whether this is a violation of either GPLv3 or Copr conditions https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-i...
Ordinarily I'd say the GUI download helper program would be clearly inadmissible in main Fedora repos due to this packaging guideline:
https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packag...
"Some software is not functional or useful without the presence of external code dependencies in the runtime operating system environment. When those external code dependencies are non-free, legally unacceptable, or binary-only (with the exception of permissible firmware), then the dependent software is not acceptable for inclusion in Fedora. "
The copr docs linked above require compliance with Fedora legal policies, but grant an exception from packaging guidelines compliance:
"Packages in Copr do not need to follow the Fedora Packaging Guidelines, though they are recommended to do so."
Thus it could potentially be argued this is permissible.
Copr is often a staging ground for inclusion into Fedora. Thus packages will often be a work in progress with known guideline compliance problems, which are gradually being resolved prior to submission for review in Fedora. Typically such problems will be fairly benign things, such that non-compliance is harmless and doesn't reflect badly on Fedora, nor is it contrary to Fedora's mission.
I wouldn't class the use of a shim to download a proprietary binary to be benign or harmless though. Especially not when it then nags for payment.
IMHO this project is taking advantage of Fedora's services and reputation to promote use of and payment for proprietary software. This is contrary to what Fedora stands for.
If such an approach is indeed permitted via an (unintended) technicality of the way the rules are written, we should consider explicitly forbidding this situation in Copr. Possibly the above rule about "software not useful without external code" should be moved from being a packaging guideline to being a legal guideline?
With regards, Daniel