Oracle has updated the license for app-emulation/virtualbox-extpack-oracle. The new license is incompatible with the old one. Specifically, the definition of "personal use" has been changed to no longer cover anyone who is the sole user of the product on a particular machine where they installed it themselves. Anyone using the extensions for any business or non-curriculum educational purposes must now pony up a minimum of $5000 in licensing fees after a 30-day trial period. Further, Oracle has begun tracking downloads of the extensions and sending nastygrams to anyone whose WHOIS entry looks like it might be a business and hasn't paid. The text of the PUEL license needs to be updated, and it probably needs to be done in such a way that it alerts users to the fact that the terms are now substantially different and likely incompatible. New license: https://www.virtualbox.org/wiki/VirtualBox_PUEL
I've asked upstream in their IRC channel and they confirmed the claims being stated here. So I'm now open for suggestions on what we should do with the license / affected packages. Please keep in mind that we currently also install the extensions with the app-emulation/virtualbox-bin package.
Is there a list of versions that is affected by the license change?

We shouldn't update the license in place, but create a new file for it, and add the new license to the @EULA group (as it is the case for the existing PUEL license). That way users cannot miss the license change (as they must add the new license to ACCEPT_LICENSES).

I see that the ebuilds already have mirror restriction in place; bindist restriction should be added as well (for the old version too).

(In reply to lperkins from comment #0)
> Further, Oracle has begun tracking downloads of the extensions

I wonder if that is compliant with the GDPR. When downloading the distfile, I am neither being informed nor asked for my consent to such tracking.

> and sending nastygrams to anyone whose WHOIS entry looks like it might be
> a business and hasn't paid.

Nasty. Maybe we should drop the package?
(In reply to Ulrich Müller from comment #2)
> Is there a list of versions that is affected by the license change?

I've asked the VBox devs and got told that the new license is in place since version 5.1.30, which was released on November 23rd 2017.

> We shouldn't update the license in place, but create a new file for it, and
> add the new license to the @EULA group (as it is the case for the existing
> PUEL license). That way users cannot miss the license change (as they must
> add the new license to ACCEPT_LICENSES).
>
> I see that the ebuilds already have mirror restriction in place; bindist
> restriction should be added as well (for the old version too).

Can you clarify what purpose that change would serve? I am not per se against it but fail to understand why this is necessary.

> (In reply to lperkins from comment #0)
> > Further, Oracle has begun tracking downloads of the extensions
>
> I wonder if that is compliant with the GDPR. When downloading the distfile,
> I am neither being informed nor asked for my consent to such tracking.
>
> > and sending nastygrams to anyone whose WHOIS entry looks like it might be
> > a business and hasn't paid.
>
> Nasty. Maybe we should drop the package?

That's one solution I am taking into account, but I want to wait at least until I return from vacation before making a final decision. The reason is that I had a talk with one VBox dev and he told me that the whole VBox development team is not very happy about the license change but it got forced upon them. He told me that he's trying to get some clarifications from their legal team and I want to wait for those.
(In reply to Lars Wendler (Polynomial-C) from comment #3)
> > I see that the ebuilds already have mirror restriction in place; bindist
> > restriction should be added as well (for the old version too).
>
> Can you clarify what purpose that change would serve? I am not per se
> against it but fail to understand why this is necessary.

The argument is that if the distfile cannot be distributed (i.e., if mirror restriction is needed), then usually the resulting binpkg won't be distributable either. Therefore the standard case is that "mirror" goes along with "bindist".
The nastygrams are now also sent to educational institutions. My university received one because I repeatedly evaluated new versions of their extpack. Is it possible to add PUEL-10 to licenses/ as suggested in Comment 2?
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c19a655fa0ecc6910fb6eeb3053b3bf8ca575086

commit c19a655fa0ecc6910fb6eeb3053b3bf8ca575086
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-06-09 17:20:46 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-06-09 17:20:46 +0000

    app-emulation/virtualbox-extpack-oracle: Update LICENSE.

    Mirror and bindist restrictions are already in place.

    Closes: https://bugs.gentoo.org/663536
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 .../virtualbox-extpack-oracle-5.2.40.137108.ebuild | 2 +-
 .../virtualbox-extpack-oracle-6.0.20.137117.ebuild | 2 +-
 .../virtualbox-extpack-oracle-6.1.6.137129.ebuild | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea988c9f50ed65d5fdfe23a4c6cbb8fa2e000cd2

commit ea988c9f50ed65d5fdfe23a4c6cbb8fa2e000cd2
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-06-09 17:16:45 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-06-09 17:16:45 +0000

    licenses: Add PUEL-10 for app-emulation/virtualbox-extpack-oracle.

    Bug: https://bugs.gentoo.org/663536
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 licenses/PUEL-10        | 152 ++++++++++++++++++++++++++++++++++++++++++++++++
 profiles/license_groups |   2 +-
 2 files changed, 153 insertions(+), 1 deletion(-)