On Thu, May 16, 2024 at 04:31:14PM +0200, Jakub Kadlcik wrote:
> Hello Fedora Legal,
> a piece of software was recently discovered in Fedora Copr and it is now
> causing a contention about whether it should be allowed to be there or not.
> I am kindly asking for your ruling.
>
> The project in question is here:
> https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/
>
> And its upstream:
> https://github.com/yuezk/GlobalProtect-openconnect
>
> Both the upstream project and the package that is built in Copr claim to be
> under the GPLv3 license.
>
> The package provides several executables:
>
> /usr/bin/gpauth
> /usr/bin/gpclient
> /usr/bin/gpgui-helper
> /usr/bin/gpservice
>
> All of these seem to be compiled from the mentioned upstream sources. So
> far, no problem. However, when executing some of them (with the exception
> of gpclient) the following tarball is being downloaded to the user machine:
>
> INFO gpgui_helper::updater] Downloading file:
> https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.4/gpgui_x86_64.bin.tar.xz
>
> It contains just a single binary called gpgui which is licensed under a
> proprietary license and developed in a private repository, according to the
> author:
> https://github.com/yuezk/GlobalProtect-openconnect/issues/296#issuecomment-1905168220

The README in the github repo you linked earlier also clearly states
the GUI part of the project is proprietary code:

  "The GUI version is partially open source. Its background service
   is open sourced in this repo as gpservice. The GUI part is a
   wrapper of the background service, which is not open sourced."

> When running the program, it says it is a 10-day trial and prompts for
> buying a license here
> https://yuezk.lemonsqueezy.com/checkout
>
> I would like to ask you whether this is just a shady practice (but OK from
> a legal perspective) or whether this is a violation of either GPLv3 or Copr
> conditions
> https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-in-copr

Ordinarily I'd say the GUI download helper program would be clearly
inadmissible in main Fedora repos due to this packaging guideline:

  https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packaged/#_packages_which_are_not_useful_without_external_code

  "Some software is not functional or useful without the presence of
   external code dependencies in the runtime operating system
   environment. When those external code dependencies are non-free,
   legally unacceptable, or binary-only (with the exception of
   permissible firmware), then the dependent software is not
   acceptable for inclusion in Fedora."

The copr docs linked above require compliance with Fedora legal
policies, but grant an exception from packaging guidelines compliance:

  "Packages in Copr do not need to follow the Fedora Packaging
   Guidelines, though they are recommended to do so."

Thus it could potentially be argued this is permissible.

Copr is often a staging ground for inclusion into Fedora. Thus packages
will often be a work in progress with known guideline compliance
problems, which are gradually being resolved prior to submission for
review in Fedora. Typically such problems will be fairly benign things,
such that non-compliance is harmless and doesn't reflect badly on
Fedora, nor are contrary to Fedora's mission.

I wouldn't class the use of a shim to download a proprietary binary to
be benign or harmless though. Especially not when it then nags for
payment.

IMHO this project is taking advantage of Fedora's services and
reputation to promote use of and payment for proprietary software.
This is contrary to what Fedora stands for.

If such an approach is indeed permitted via an (unintended) technicality
of the way the rules are written, we should consider explicitly
forbidding this situation in Copr.

Possibly the above rule about "software not useful without external
code" should be moved from being a packaging guideline, to being a
legal guideline?

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|