On Thu, May 16, 2024 at 10:31 AM Jakub Kadlcik <jkadlcik@xxxxxxxxxx> wrote: > > Hello Fedora Legal, > a piece of software was recently discovered in Fedora Copr and it is now causing a contention about whether it should be allowed to be there or not. I am kindly asking for your ruling. > > The project in question is here: > https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/ > > And its upstream: > https://github.com/yuezk/GlobalProtect-openconnect > > Both the upstream project and the package that is built in Copr claim to be under the GPLv3 license. > > The package provides several executables: > > /usr/bin/gpauth > /usr/bin/gpclient > /usr/bin/gpgui-helper > /usr/bin/gpservice > > All of these seem to be compiled from the mentioned upstream sources. So far, no problem. However, when executing some of them (with the exception of gpclient) the following tarball is being downloaded to the user machine: > > INFO gpgui_helper::updater] Downloading file: https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/gpgui_x86_64.bin.tar.xz > > It contains just a single binary called gpgui which is licensed under a proprietary license and developed in a private repository, according to the author: > https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecomment-1905168220 > > When running the program, it says it is a 10-day trial and prompts for buying a license here > https://yuezk.lemonsqueezy.com/checkout > > I would like to ask you whether this is just a shady practice (but OK from a legal perspective) or whether this is a violation of either GPLv3 or Copr conditions > https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-in-copr I think the Copr conditions side of this is kind of unclear and it relates to an issue that came up in the thread about packaging machine learning models. If something distributed by Fedora (including through a copr repository) is entirely compliant with Fedora technical and licensing standards, but when you run it it downloads some additional proprietary software, does that violate Fedora policy, even if there's no issue of license noncompliance? As to the GPLv3 issue, I can't speculate just on the facts you've stated, other than to say it is probably not inherently a GPLv3 violation. So I don't know if this should be seen as conformant to Fedora legal and packaging policy, even leaving aside the issue of how much Copr repositories can deviate from those policies, which seems itself to be unclear. Richard -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
