Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#14703 closed defect (bug) (fixed)

Make the Incutio XML-RPC Library GPL-Compatible and match redistribution and use conditions.

Reported by: hakre
Owned by:
Milestone: 3.1
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords: has-patch dev-reviewed
Focuses:
Cc:

Description

In [1346] on 22 May 2004 Michel Valdrighi (michelvaldrighi) added the file /wp-includes/class-IXR.php. That added file is licensed under the BSD license.

The BSD license is not compatible with the GPL. The rest of the code was licensed under GPL on that date. After 22 May 2004, the wordpress code base is tainted.

This affects all releases and those forks that did not clear IPO since then.

I strongly urge the wordpress project to calmly but immediately take the right actions. This is a serious situation the whole wordpress community is facing.

Attachments (5)

14703.patch (2.1 KB) - added by hakre 4 years ago.
14703.2.patch (2.2 KB) - added by hakre 4 years ago.
php-ixr-1.7.4.tar.gz (9.6 KB) - added by hakre 4 years ago.
http://php-ixr.googlecode.com/files/php-ixr-1.7.4.tar.gz
14703.update-to-version-1.7.4.patch (29.4 KB) - added by hakre 4 years ago.
@version 1.7.4 7th September 2010
wp_thank_you.diff (8.6 KB) - added by johnjamesjacoby 4 years ago.
What about an 'About' page with a little license loader?

Change History (53)

comment:1 hakre 4 years ago

I'm trying to get some professional help from the Freedom Task Force because I assume that there are some more licensing issues in the code.

Tag: FIXIPO
Related: #14685
Related: #10835

comment:2 scribu 4 years ago

That's a 6 year old changeset. Fantastic.

comment:3 hakre 4 years ago

Replying to scribu:

That's a 6 year old changeset. Fantastic.

Yeah, this is a very, very, very unpleasant situation.

If a fraction of the time the self-proclaimed licence-police had burned down to check other persons' theme php code had been invested to verify the own codebase in advance, that had made actually sense.

Isn't it the GPL which states that you do not need to enforce their usage of third parties? Doesn't that imply that you start with your own code? Isn't that generally good practice in life?

comment:4 demetris 4 years ago

@hakre,

The licence of the IXR class (the one linked to from the file header) is not the original BSD Licence, and it does not have the advertising clause that makes the original BSD Licence incompatible with the GPL.

This list at the GNU site explains which BSD licences are compatible and which are not compatible with the GPL:

http://www.gnu.org/licenses/license-list.html

I think there is no problem here.

comment:5 jacobsantos 4 years ago

Actually, the new library 1.6 is licensed under the Artistic License. No clue if it is still compatible.

comment:6 ryan 4 years ago

The version we based on uses the modified BSD license, which is GPL compatible. I contacted Simon to clarify the history here, just to cover the bases.

comment:7 ryan 4 years ago

"If a fraction of the time the self-proclaimed licence-police had burned down to check other persons' theme php code had been invested to verify the own codebase in advance, that had made actually sense."

We check the licenses of everything and have relationships with most of the maintainers of the third-party code we include. Your editorializing on every ticket is not helpful.

comment:8 in reply to: ↑ 7 Denis-de-Bernardy 4 years ago

Replying to ryan:

We check the licenses of everything and have relationships with most of the maintainers of the third-party code we include.

Mm... #6155? :-)

comment:9 ericmann 4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Since the IXR library uses the modified BSD license (according to comments by @ryan and the actual license linked from the library: http://www.opensource.org/licenses/bsd-license.php) and is, in fact, GPL compatible, I suggest closing this as "invalid." It's not actually a problem, though kudos to @hakre for pointing it out so we could double check!

For those who want more explanation - the IXR library uses the modified "3-clause" BSD (also known to some as FreeBSD). This is a modified version of the original BSD license that omits the advertising clause (it was rescinded in 1999).

comment:10 in reply to: ↑ 6 hakre 4 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Replying to ryan:

The version we based on uses the modified BSD license [...]. I contacted Simon to clarify [...].

Okay, that's good to know, the MIT-Style BSD license is actually GPL compatible. I'm still waiting for his feedback regarding the license of the file because it looks like there is the other artistic license as well.

Replying to ryan:

We check the licenses of everything

Obviously not. You might have clarified with Simon Willison (please send me a copy of that if you don't mind) that his code is released under the 3-clause license. But that does not mean you can ignore the requirements of the license. I mean, that's what a license is for, right? And I don't see them met for class-IXR.php.

Therefore the code is not eligible to redistribution which is basically the same incompatibility of which I opened this ticket. Therefore re-open.

comment:11 in reply to: ↑ 10 hakre 4 years ago

Correcting myself hakre:
MIT-Style BSD -> modified BSD license

comment:12 ericmann 4 years ago

BSD licensing clauses:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. The library itself still retains the original copyright and explicitly links out to the list of conditions. This is the format in which the original author distributed the code.
  • Redistributions in binary form must... WordPress distributes source, not binary, so this doesn't apply.
  • Neither the name of the <ORGANIZATION> nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. We don't use the IXR library, or Simon to promote WordPress.

So how, exactly, are we ignoring the requirements of the license?

comment:13 in reply to: ↑ 12 hakre 4 years ago

Don't take the act of an author distributing you some code and telling you under which license for the act of redistribution.

And link is not the new retain. Especially not when it's over the boundary of the package.

comment:14 in reply to: ↑ 13 ericmann 4 years ago

Replying to hakre:

Don't take the act of an author distributing you some code and telling you under which license for the act of redistribution.

So are you saying that an author writing code, specifying a license that gives you the right to redistribute, and distributing that code doesn't give you the right to distribute? I don't understand what your point is here.

comment:15 mrmist 4 years ago

Could I perhaps suggest that if the entire code base is being looked through to find instances like this, that perhaps there is the creation of one master ticket to hold all such instances?

Currently it seems that the trac is being cluttered with IPO related tickets, and associated meta-discussion (which I accept that I'm adding to with this comment).

comment:16 in reply to: ↑ 10 ryan 4 years ago

The file retains the copyright notice, links to the license, is distributed as source, and is not used for endorsement. All clauses are met.

comment:17 in reply to: ↑ 14 hakre 4 years ago

Replying to ryan:

The file retains the copyright notice, links to the license, is distributed as source, and is not used for endorsement. All clauses are met.

Okay, then visit that link "to the license": http://www.opensource.org/licenses/bsd-license.php

In case you have not noticed until now, I'll quote an interesting descriptive sentence of the page: "Here is the license template:".

Obviously a template the original author referenced for those users who are interested to redistribute the code. They only need to fill out the placeholders and incorporate it into their own program. The OSI page is a service for the author, not a place to offer license-"outsourcing" for re-distributors.

I know I'm repeating myself: Unless you don't meet the requirements, you have no right for redistribution. Those are the simple rules of that BSD license which are not met since the first day the code has been taken into the project. We're still talking about a period longer than six years and a long, long list of wordpress release packages.

comment:18 hakre 4 years ago

I now followed the instructions on http://www.opensource.org/licenses/bsd-license.php:

The following is a BSD license template. To generate your own license, change the values of OWNER, ORGANIZATION and YEAR from their original values as given here, and substitute your own. Also, you may optionally omit clause 3 and still be OSD conformant.

Naturally this is addressed to an original author, so I stepped in the author role to generate the missing license text. I've taken these replacement values which are of my best knowledge:

<OWNER> = Simon Willison
<ORGANIZATION> = Incutio Ltd.
<YEAR> = 2002-2005

The attached patch contains the license to match the named requirements for redistribution and use under the 3-clause "New BSD" license.

comment:19 hakre 4 years ago

  • Summary changed from Incompatible licensed code in class-IXR.php to Match Redistribution and use conditions for The Inutio XML-RPC Library

To better reflect the nature of this issue. I would like to modify my issue description as well, if someone could provide me the rights in Trac that would be helpful.

comment:20 hakre 4 years ago

  • Summary changed from Match Redistribution and use conditions for The Inutio XML-RPC Library to Match Redistribution and use conditions for The Incutio XML-RPC Library

comment:21 hakre 4 years ago

Typo corrected.

comment:22 hakre 4 years ago

  • Keywords has-patch added

comment:23 demetris 4 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

@hakre

Supposedly, the problem here is that the licencing terms of the library are not clear or that they are not clearly stated. If that is so, how can you then take the author’s role and supply the licencing terms yourself?

Are the licencing terms clear or are they not?

The WordPress package is complex enough as it is. We don’t need to start changing things in the licencing terms of third-party libraries.

I suggest to leave this as is.

comment:24 in reply to: ↑ 17 hakre 4 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Replying to demetris:

@hakre

Supposedly, the problem here is that the licencing terms of the library are not clear

No, that is not the case, the terms are clear. The author has expressed the wish to grant usage-rights under the terms of the BSD License. The choice of the license is not questioned nor considered problematic, at least not by me any longer. I mistakenly thought the BSD would not be GPL compliant, but as it's known now, this is not the case here.

or that they are not clearly stated.

The clarity of the terms of the BSD License are not questioned by me in this ticket.

The only difference I can see so far is, that you assume (as ryan) that linking is eligible as retaining the license text (leaving aside for the moment that a website is linked that explains how to create a BSD license and retaining a template for creating a BSD-styled-license and not a concrete license).

Linking a license w/o providing a copy at once can be problematic for removable-media distributions of wordpress, like on DVDs in magazines. Opening the software package, the license terms are not available because the link provided might not work in the user's interface (e.g. when the reading system has no network or internet access). There are other examples where linking works so no need to discuss the matter of facts here, it's just to give an example.

I for myself try at least to find out if requirements are met, because that's the indicator of being able to redistribute the code or not. This naturally implies to question the current practice. As long as this is in progress - and I still see inaccuracy and substantial questions in this discussion here that should be clarified first, I prefer to keep the issue open. Or would you like to say to me, that I'm not eligible to care about this issue properly, that I have no right doing so?

I'm open in the discussion: If someone can provide a professional third-party opinion to ensure that this kind of linking fulfills the retainment requirements and is a somehow recommended practice for a free software project, fine. Share it.

I try to get such a professional opinion as well to better deal with the dissent, and to learn more about the implications. But this must not rely on my own. So if you like to help to clarify the codes licensing, you're welcome.

The patch was just a suggestion on how to practically reduce impact of whatever opinion might reveal. It just might be the case that it's advisable to not rely on one certain opinion only, but to find a solution that always/mostly fits, like providing the license text directly in the package, as we do with the GPL license text as well.

We don’t need to start changing things in the licencing terms of third-party libraries.

Hmm, this is not a change of the licensing terms of the third-party IXR library, or at least not intended so. If you still think so that it got changed, please reference a concrete change I did to the original BSD licensing terms in my patch, so this can be fixed.

comment:25 in reply to: ↑ 24 demetris 4 years ago

Replying to hakre:

Replying to demetris:

@hakre

Linking a license w/o providing a copy at once can be problematic for removable-media distributions of wordpress, like on DVDs in magazines. Opening the software package, the license terms are not available because the link provided might not work in the user's interface (e.g. when the reading system has no network or internet access). There are other examples where linking works so no need to discuss the matter of facts here, it's just to give an example.

That’s a valid concern in my opinion, but I think we can try to address it in better ways, rather than by directly editing the files of third-party libraries.

Here is a suggestion for consideration:

We add to the WP package a NOTICE.txt file which, among other things, will list all third-party code used in the project. For each piece of third-party code, it will also mention its licence and then point to a file with the text of that licence.

Example:

*   Demetris’ Library
    Copyright Demetris
    Published under the WTFPL 2 (see LICENCE-WTFPL2.txt)
*   Hakre’s Library
    Copyright Hakre
    etc. etc.

comment:26 in reply to: ↑ 25 hakre 4 years ago

Replying to demetris:
Thanks for your feedback, I understand your concern, but at the state right now of this issue I do not want to run into discussions about design details but to clarify the license situation upfront. My patch was mainly to add to what I'm talking about.


Replying to ryan:

The file retains the copyright notice, links to the license, is distributed as source, and is not used for endorsement. All clauses are met.

Please read my reply reg. details of that "linking" and provide feedback (as a lead developer).

Then I'd like to know if Simon has written anything about dual-licensing. It would be really helpful if you could share more details of your conversation with him.

comment:28 in reply to: ↑ 16 hakre 4 years ago

I have feedback now on this issue by the author/company: The library was licensed under the Artistic License (non GPL-Compatible). So this ticket was valid from the beginning about a licensing violation.

The good news is, it just got relicensed under "New BSD". That does cover the bases now.

Additional Feedback I got from someone from the Legal Team of FSFE is that the licenses should ship with the package all the time. That's something we're currently not doing.

Luckily the IXR file now contains the needed New BSD license text.

It only needs to get updated now. The author was so nice to leave even the @since 1.5 in there.

hakre 4 years ago

@version 1.7.4 7th September 2010

comment:29 hakre 4 years ago

I've merged version 1.7.4 into our current base. That basically means without the SSL class (It was not in current, so I did not take it over) and there is a htmlspecialchars() use that we had in that is not in 1.7.4.

That htmlspecialchars() change in trunk is referenced as "Updating IXR to latest", so based on this info, it could be removed with this update. But I did not, because it's written also that it fixes something. Related Ticket was #1400, Changeset was [2622].

comment:30 hakre 4 years ago

  • Summary changed from Match Redistribution and use conditions for The Incutio XML-RPC Library to Make the Incutio XML-RPC Library GPL-Compatible and match lredistribution and use conditions.

comment:31 scribu 4 years ago

  • Milestone changed from Awaiting Review to 3.1

comment:32 in reply to: ↑ 31 hakre 4 years ago

Replying to scribu:
I strongly suggest 3.0.2 and immediate release.

comment:33 hakre 4 years ago

  • Summary changed from Make the Incutio XML-RPC Library GPL-Compatible and match lredistribution and use conditions. to Make the Incutio XML-RPC Library GPL-Compatible and match redistribution and use conditions.

comment:34 hakre 4 years ago

Reference: Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers - Software Freedom Law Center

It's an interesting read for the future use of the IXR Library and other permissive licensed code in the wordpress project.

comment:35 tfountain 4 years ago

I hope I can clarify a few things here, since I can speak for Incutio.

Although the Incutio XML-RPC library itself was released under the Artistic License, it was agreed when Wordpress first wanted to include it that you could do so under the New BSD license. So, I can confirm that there are no licensing issues past or present with the inclusion of this library in Wordpress.

Version 1.7.4 of the library, linked above, was released under the New BSD license in part as a response to this ticket, as I hope this makes things clearer for you guys in the long run. We (at Incutio) are both fans and users of Wordpress, so we are happy to support it in any way we can.

I'm happy to put together a 1.7.5 release of the library that includes the htmlspecialchars() change mentioned above if that would help with the merge, although it's slightly unclear from the changeset and relevant ticket what it was fixing.

comment:36 in reply to: ↑ 35 nacin 4 years ago

  • Milestone 3.1 deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

Replying to tfountain:

Although the Incutio XML-RPC library itself was released under the Artistic License, it was agreed when Wordpress first wanted to include it that you could do so under the New BSD license.

Thanks for clarifying. Participants in this ticket were not aware of this, though the core team was.

Version 1.7.4 of the library, linked above, was released under the New BSD license in part as a response to this ticket, as I hope this makes things clearer for you guys in the long run. We (at Incutio) are both fans and users of Wordpress, so we are happy to support it in any way we can.

Not at all necessary, but your support is much appreciated.

comment:37 hakre 4 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Nacin, I beg your pardon.

The license-text (terms and disclaimer) of IXR's Modified BSD are still missing in Wordpress. This is the point I'm talking about.

As Incutio Ltd. was so nice to improve and release a new version of the file to support us, I suggest to apply the changes to trunk as it solves that problem for the Wordpress package.

Out of other persons feedback I got over the last days, the license should be put into the package. That is also what the SFLC strongly recommends as well for Free and Open Source Software projects.

Many thanks to Incutio as they were so nice to clarify, improve and release a new version of IXR.

comment:38 scribu 4 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [15612]) Update Incutio XML-RPC Library to latest version (1.7.4). Props hakre. Fixes #14703

comment:39 scribu 4 years ago

  • Milestone set to 3.1

comment:40 westi 4 years ago

  • Cc westi added
  • Component changed from General to XML-RPC
  • Keywords dev-reviewed added

Looks great to see all our changes merged upstream

Only significant change here is a new default of 15 second timeout for outbound IXR_Client requests which plugins will have to work with.

johnjamesjacoby 4 years ago

What about an 'About' page with a little license loader?

comment:41 johnjamesjacoby 4 years ago

In the above patch, the TLM isn't really the emphasis so much as the page itself. Didn't want to go hacking up core files today and wanted to get out a proof of concept quickly.

comment:42 in reply to: ↑ 41 filosofo 4 years ago

Replying to johnjamesjacoby:

In the above patch, the TLM isn't really the emphasis so much as the page itself. Didn't want to go hacking up core files today and wanted to get out a proof of concept quickly.

That is a truly impressive way to print a list. :)

Although I think the capability you want is "read," not "read_post," which must be accompanied by the post/ID in question.

comment:43 johnjamesjacoby 4 years ago

I'd bet my lunch there are other little things wrong with that patch; threw it together in about 1.5 hours today. :)

Wanted to build a reusable API that made it easy to use and add things to, so this is what I came up with. Probably over-engineered it just a wee bit, but was a fun break. :)

comment:44 johnjamesjacoby 4 years ago

...and yes, there is a Christina Aguilera lyric in the comments. Judge not, lest ye be judged. :P

comment:45 scribu 4 years ago

Erm, maybe open a new ticket? Although I think this should be discussed in a dev meeting first.

comment:46 westi 4 years ago

Please keep discussion about this to a relevant ticket.

I think there already is one for this.

comment:47 hakre 4 years ago

Related: #14944

comment:48 hakre 3 years ago

Related: #16517
