[Bug 1448778] Review Request: cockatrice - A cross-platform virtual tabletop for multiplayer card games

https://bugzilla.redhat.com/show_bug.cgi?id=1448778



--- Comment #4 from Link Dupont <link@xxxxxxxxxxx> ---
(In reply to Tom "spot" Callaway from comment #1)
> I'm not sure why you flagged this against FE-Legal, but I took a quick look
> at it nevertheless.

Tom, thank you for taking the time to review. I meant to comment with my reason
but got distracted. I wanted to flag this for legal review because of content
this software makes use of. It does not distribute this content; instead it
relies on a utility distributed with the program that, at run time, can
download content from an external URL and load up a local database of content
that is then accessed by the program at run time.

Essentially this package distributes a program called "oracle" that downloads a
JSON file hosted externally (defaulting to a URL hosted on http://mtgjson.com).
That JSON file is parsed and loaded into a local database for use by the main
program.

Additionally, while cards are accessed by the program, images of the image are
downloaded from the website of the images' copyright holder.

My question is around the licensing concerns over this content. Are the
copyrights on the images or the content of the JSON file of concern in this
case? Or since they are downloaded at runtime, does that not come into the
scenario of whether this is considered free software?

> License wise, this has:
> 
> *****
> 
> * Public Domain (cockatrice/resources/countries/*.svg)
> * GPLv2+ (most of the code)
> * BSD (cockatrice/src/qt-json/, common/sfmt/, 
> * GPLv2 (oracle/src/zip/)
> * CPL or LGPLv2 (servatrice/src/smtp/)
> # Webclient code (not included?)
> * ASL 2.0 (webclient/js/protobuf.js, webclient/js/long.js,
> webclient/js/bytebuffer.js)
> * MIT (webclient/js/jquery-*.js)
> 
> *****
> 
> I feel like I should stop and point out here that these versions of
> jquery/jquery-ui are VERY VERY OLD. They are vulnerable to at least
> https://www.cvedetails.com/cve/CVE-2016-7103/. I strongly strongly recommend
> that you update them to the "final" releases of the v1 code for both, and
> have upstream make that change as well.

Thank you for pointing this out. I will discuss this with upstream.

> Back to the licensing, CPL is GPLv2 incompatible, so we choose the LGPLv2
> option there. ASL 2.0 is also GPLv2 incompatible, but that code is not being
> compiled into or linked with GPLv2 code, so it is not a compatibility
> concern. 
> 
> In fact, it does not look like any of the code in webclient is packaged up
> or used. Unsure if this is intentional (aka, this code is not useful
> anymore) or accidental (forgot to make a -webclient subpackage). If you do
> end up including the webclient bits, add this to the end of the license tag:
> 
>     ASL 2.0 and MIT
> 
> However, I'm going to assume for now that you do not plan to include the
> webclient bits.

Correct. The way I've built the package, it does not include any webclient
code.

> You can choose to update the license tag in two ways:
> 
> * The long and absolutely correct way:
> License: GPLv2+ and GPLv2 and BSD and (CPL or LGPLv2) and Public Domain
> 
> * The simplified way
> License: GPLv2 and Public Domain
> 
> The reason you can do this is because:
> 1) We choose LGPLv2 for the smtp code.
> 2) GPLv2+ + GPLv2 = GPLv2
> 3) LGPLv2 + GPLv2 = GPLv2
> 4) BSD + GPLv2 = GPLv2
> 5) Need to call out Public Domain because that license applies to distinct
> and separate works (the SVG files)
> 
> Either way, please include the above license analysis (the bits between the
> *****) as a comment above the License tag in the spec file.
> 
> If any of that is unclear, please let me know. Lifting FE-Legal.
