Re: GlobalProtect-openconnect - License violation or not?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 16, 2024 at 10:31 AM Jakub Kadlcik <jkadlcik@xxxxxxxxxx> wrote:
>
> Hello Fedora Legal,
> a piece of software was recently discovered in Fedora Copr and it is now causing a contention about whether it should be allowed to be there or not. I am kindly asking for your ruling.
>
> The project in question is here:
> https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
>
> And its upstream:
> https://github.com/yuezk/GlobalProtect-openconnect
>
> Both the upstream project and the package that is built in Copr claim to be under the GPLv3 license.
>
> The package provides several executables:
>
>     /usr/bin/gpauth
>     /usr/bin/gpclient
>     /usr/bin/gpgui-helper
>     /usr/bin/gpservice
>
> All of these seem to be compiled from the mentioned upstream sources. So far, no problem. However, when executing some of them (with the exception of gpclient) the following tarball is being downloaded to the user machine:
>
>     INFO  gpgui_helper::updater] Downloading file: https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/gpgui_x86_64.bin.tar.xz
>
> It contains just a single binary called gpgui which is licensed under a proprietary license and developed in a private repository, according to the author:
> https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecomment-1905168220
>
> When running the program, it says it is a 10-day trial and prompts for buying a license here
> https://yuezk.lemonsqueezy.com/checkout
>
> I would like to ask you whether this is just a shady practice (but OK from a legal perspective) or whether this is a violation of either GPLv3 or Copr conditions
> https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-in-copr

I think the Copr conditions side of this is kind of unclear and it
relates to an issue that came up in the thread about packaging machine
learning models. If something distributed by Fedora (including through
a copr repository) is entirely compliant with Fedora technical and
licensing standards, but when you run it it downloads some additional
proprietary software, does that violate Fedora policy, even if there's
no issue of license noncompliance? As to the GPLv3 issue, I can't
speculate just on the facts you've stated, other than to say it is
probably not inherently a GPLv3 violation.

So I don't know if this should be seen as conformant to Fedora legal
and packaging policy, even leaving aside the issue of how much Copr
repositories can deviate from those policies, which seems itself to be
unclear.

Richard
--
_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Gnome Users]     [KDE Users]

  Powered by Linux