Hi, I am experimenting with automatic verification of code licenses of OpenStack projects and see that one of Rally dependencies has GPL3 license [1]. I'm not a big expert in licenses, but isn't it a violation of GPL? In particular what concerns me is: [2] - " If a library is released under the GPL (not the LGPL), does that mean that any software which uses it has to be under the GPL or a GPL-compatible license? (#IfLibraryIsGPL) Yes, because the program actually links to the library. As such, the terms of the GPL apply to the entire combination. The software modules that link with the library may be under various GPL compatible licenses, but the work as a whole must be licensed under the GPL. " and [3] - " This licensing incompatibility applies only when some Apache project software becomes a derivative work of some GPLv3 software, because then the Apache software would have to be distributed under GPLv3. This would be incompatible with ASF's requirement that all Apache software must be distributed under the Apache License 2.0. We avoid GPLv3 software because merely linking to it is considered by the GPLv3 authors to create a derivative work. " [1] http://paste.openstack.org/show/744483/ [2] https://www.gnu.org/licenses/gpl-faq.html#IfLibraryIsGPL [3] https://www.apache.org/licenses/GPL-compatibility.html Should this issue be fixed? If yes, should we have a gate job to block adding of such dependencies? Thanks, Ilya
On Mon, 2019-02-04 at 14:42 +0100, Ilya Shakhat wrote:
Hi,
I am experimenting with automatic verification of code licenses of OpenStack projects and see that one of Rally dependencies has GPL3 license [1]. I'm not a big expert in licenses, but isn't it a violation of GPL? In particular what concerns me is:
[2] - " If a library is released under the GPL (not the LGPL), does that mean that any software which uses it has to be under the GPL or a GPL-compatible license? (#IfLibraryIsGPL)
Yes, because the program actually links to the library. As such, the terms of the GPL apply to the entire combination. The software modules that link with the library may be under various GPL compatible licenses, but the work as a whole must be licensed under the GPL. "
and
[3] - " This licensing incompatibility applies only when some Apache project software becomes a derivative work of some GPLv3 software, because then the Apache software would have to be distributed under GPLv3. This would be incompatible with ASF's requirement that all Apache software must be distributed under the Apache License 2.0.
We avoid GPLv3 software because merely linking to it is considered by the GPLv3 authors to create a derivative work. "
[1] http://paste.openstack.org/show/744483/ [2] https://www.gnu.org/licenses/gpl-faq.html#IfLibraryIsGPL [3] https://www.apache.org/licenses/GPL-compatibility.html
Should this issue be fixed? If yes, should we have a gate job to block adding of such dependencies? it looks like it was added as part of this change https://github.com/openstack/rally/commit/ee2f469d8f347fbf8e0dcd84cf3f52e41e... I have not checked but if it is only used by the optional elasticSearch plugin then im not sure there is a licence conflict in the general case. rally can be used entirly without the elastic serach exporter plugin so at most the GPL contamination whould be confied to that plugin provided the combination fo the plugin and rally is not considerd a sincel combinded work.
the clause of the GPL only take effect on distibution as such if you distibute rally without the elastic search plugin or you distibute in such a way as the elastitc search plugin is not loaded i think no conclict would exist. im not a legal expert so this is just my oppion but from reviewing https://www.gnu.org/licenses/gpl-faq.en.html#GPLPlugins breifly it is arguable that loading the elastic search pluging would make rally and that plugin a single combined application which looking at https://www.gnu.org/licenses/gpl-faq.en.html#NFUseGPLPlugins would imply that the GPL would have to apply to the entire combination fo rally and the elastic search plugin. that would depend on how the plugin was loaded. if the exporter plugin is forked into a seperate python inteperater instance instaead of imported as a lib and invoked via a fuction call it would not form a single combined program but i have not looked at how rally uses the plugin. it would likely be good for legal and the rally core team to review. the simplest soltution if an issue is determinted to exist would be to move the elastic search plugin into its own repos so it si distibuted seperately from rally. failing that the code that depends on morph would have to be removed to resolve the conflict. as i said im not a leagl expert so this is just my personal opinion as such take it with a grain of salt. regard sean
Thanks, Ilya
On 2019-02-04 14:42:04 +0100 (+0100), Ilya Shakhat wrote:
I am experimenting with automatic verification of code licenses of OpenStack projects and see that one of Rally dependencies has GPL3 license [...]
To start off, it looks like the license for morph is already known to the Rally developers, based on the inline comment for it at https://git.openstack.org/cgit/openstack/rally/tree/requirements.txt?id=3625... (so hopefully this is no real surprise). The source of truth for our licensing policies, as far as projects governed by the OpenStack Technical Committee are concerned (which openstack/rally is), can be found here: https://governance.openstack.org/tc/reference/licensing.html It has a carve out for "tools that are run with or on OpenStack projects only during validation or testing phases of development" which "may be licensed under any OSI-approved license" and since the README.rst for Rally states it's a "tool & framework that allows one to write simple plugins and combine them in complex tests scenarios that allows to perform all kinds of testing" it probably meets those criteria. As for concern that a Python application which imports another Python library at runtime inherits its license and so becomes derivative of that work, that has been the subject of much speculation. In particular, whether a Python import counts as "dynamic linking" in GPL 3.0 section 1 is debatable: https://bytes.com/topic/python/answers/41019-python-gpl https://opensource.stackexchange.com/questions/1487/how-does-the-gpls-linkin... https://softwareengineering.stackexchange.com/questions/87446/using-a-gplv3-... https://stackoverflow.com/questions/40492518/is-an-import-in-python-consider... I'm most definitely not a lawyer, but from what I've been able to piece together it's the combination of rally+morph which potentially becomes GPLv3-licensed when distributed, not the openstack/rally source code itself. This is really more of a topic for the legal-discuss mailing list, however, so I am cross-posting my reply there for completeness. To readers only of the legal-discuss ML, the original post can be found archived here: http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002356.... -- Jeremy Stanley
Hi stackers! Thanks for raising this topic. I recently removed morph dependency ( https://review.openstack.org/#/c/634741 ) and I hope to release a new version of Rally as soon as possible. пн, 4 февр. 2019 г. в 17:14, Jeremy Stanley <fungi@yuggoth.org>:
On 2019-02-04 14:42:04 +0100 (+0100), Ilya Shakhat wrote:
I am experimenting with automatic verification of code licenses of OpenStack projects and see that one of Rally dependencies has GPL3 license [...]
To start off, it looks like the license for morph is already known to the Rally developers, based on the inline comment for it at
https://git.openstack.org/cgit/openstack/rally/tree/requirements.txt?id=3625... (so hopefully this is no real surprise).
The source of truth for our licensing policies, as far as projects governed by the OpenStack Technical Committee are concerned (which openstack/rally is), can be found here:
https://governance.openstack.org/tc/reference/licensing.html
It has a carve out for "tools that are run with or on OpenStack projects only during validation or testing phases of development" which "may be licensed under any OSI-approved license" and since the README.rst for Rally states it's a "tool & framework that allows one to write simple plugins and combine them in complex tests scenarios that allows to perform all kinds of testing" it probably meets those criteria.
As for concern that a Python application which imports another Python library at runtime inherits its license and so becomes derivative of that work, that has been the subject of much speculation. In particular, whether a Python import counts as "dynamic linking" in GPL 3.0 section 1 is debatable:
https://bytes.com/topic/python/answers/41019-python-gpl
https://opensource.stackexchange.com/questions/1487/how-does-the-gpls-linkin...
https://softwareengineering.stackexchange.com/questions/87446/using-a-gplv3-...
https://stackoverflow.com/questions/40492518/is-an-import-in-python-consider...
I'm most definitely not a lawyer, but from what I've been able to piece together it's the combination of rally+morph which potentially becomes GPLv3-licensed when distributed, not the openstack/rally source code itself. This is really more of a topic for the legal-discuss mailing list, however, so I am cross-posting my reply there for completeness.
To readers only of the legal-discuss ML, the original post can be found archived here:
http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002356....
-- Jeremy Stanley
-- Best regards, Andrey Kurilin.
a quick update: the latest release of Rally ( https://pypi.org/project/rally/1.4.0/ ) doesn't include morph dependency пн, 4 февр. 2019 г. в 19:57, Andrey Kurilin <andr.kurilin@gmail.com>:
Hi stackers!
Thanks for raising this topic. I recently removed morph dependency ( https://review.openstack.org/#/c/634741 ) and I hope to release a new version of Rally as soon as possible.
пн, 4 февр. 2019 г. в 17:14, Jeremy Stanley <fungi@yuggoth.org>:
On 2019-02-04 14:42:04 +0100 (+0100), Ilya Shakhat wrote:
I am experimenting with automatic verification of code licenses of OpenStack projects and see that one of Rally dependencies has GPL3 license [...]
To start off, it looks like the license for morph is already known to the Rally developers, based on the inline comment for it at
https://git.openstack.org/cgit/openstack/rally/tree/requirements.txt?id=3625... (so hopefully this is no real surprise).
The source of truth for our licensing policies, as far as projects governed by the OpenStack Technical Committee are concerned (which openstack/rally is), can be found here:
https://governance.openstack.org/tc/reference/licensing.html
It has a carve out for "tools that are run with or on OpenStack projects only during validation or testing phases of development" which "may be licensed under any OSI-approved license" and since the README.rst for Rally states it's a "tool & framework that allows one to write simple plugins and combine them in complex tests scenarios that allows to perform all kinds of testing" it probably meets those criteria.
As for concern that a Python application which imports another Python library at runtime inherits its license and so becomes derivative of that work, that has been the subject of much speculation. In particular, whether a Python import counts as "dynamic linking" in GPL 3.0 section 1 is debatable:
https://bytes.com/topic/python/answers/41019-python-gpl
https://opensource.stackexchange.com/questions/1487/how-does-the-gpls-linkin...
https://softwareengineering.stackexchange.com/questions/87446/using-a-gplv3-...
https://stackoverflow.com/questions/40492518/is-an-import-in-python-consider...
I'm most definitely not a lawyer, but from what I've been able to piece together it's the combination of rally+morph which potentially becomes GPLv3-licensed when distributed, not the openstack/rally source code itself. This is really more of a topic for the legal-discuss mailing list, however, so I am cross-posting my reply there for completeness.
To readers only of the legal-discuss ML, the original post can be found archived here:
http://lists.openstack.org/pipermail/openstack-discuss/2019-February/002356....
-- Jeremy Stanley
-- Best regards, Andrey Kurilin.
-- Best regards, Andrey Kurilin.
participants (4)
-
Andrey Kurilin
-
Ilya Shakhat
-
Jeremy Stanley
-
Sean Mooney