Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 829427

Summary: net-im/zoom-5.8.6.739 possible GPL violation for bundled quazip
Product: Gentoo Linux Reporter: Ulrich Müller <ulm>
Component: Current packagesAssignee: Ulrich Müller <ulm>
Status: CONFIRMED ---    
Severity: normal CC: gentoo, licenses, mva
Priority: Normal Keywords: UPSTREAM
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Ulrich Müller gentoo-dev 2021-12-17 10:41:17 UTC 
The tarball bundles a libquazip.so which is licensed under LGPL, version 2.1 or later. The license requires that the library is accompanied "with the complete corresponding machine-readable source code" (section 4) and distribution of "a copy of this License along with the Library" (section 1). I see neither of them in the zoom-5.8.6.739_x86_64.tar.xz tarball.
Comment 1 Ulrich Müller gentoo-dev 2021-12-17 10:56:15 UTC 
Reported upstream:
https://support.zoom.us/hc/de/requests/13018604
Comment 2 Hanno Böck gentoo-dev 2021-12-17 11:53:48 UTC 
This confused me, as I would find it unlikely that the LGPL requires to actually always distribute the source code (instead of "making it available").

The LPGL-2.1 contains this sentence after the one you quoted:
"If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. "

Now I find this hard to read legalese, but I interpret this that instead of shipping the source with the binary, slack could also provide the code by offering "requivalend access to copy the source code from the same place". In non-legalese I interpret this as if they offer a download link to the code from their webpage then that should be ok?

They seem to do that:
https://explore.zoom.us/de/opensource/source/
Comment 3 Hanno Böck gentoo-dev 2021-12-17 11:54:40 UTC 
And in the above comment I wrote "slack" where I obviously meant "zoom". Sorry for the confusion...
Comment 4 Ulrich Müller gentoo-dev 2021-12-17 13:45:29 UTC 
(In reply to Hanno Böck from comment #2)
> Now I find this hard to read legalese, but I interpret this that instead of
> shipping the source with the binary, slack could also provide the code by
> offering "requivalend access to copy the source code from the same place".
> In non-legalese I interpret this as if they offer a download link to the
> code from their webpage then that should be ok?
> 
> They seem to do that:
> https://explore.zoom.us/de/opensource/source/

That's not "the same place" though. Download of the tarball is at https://zoom.us/download and I don't see any link from there to the source code.

Also (according to iplocation.net), zoom.us is located in Virginia while explore.zoom.us is in California. So it's not the same place by a geographic definition either.

Of course, you'll find the source code for quazip using a search engine, but that's not what the license says.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2023-04-08 18:13:40 UTC 
Not much we can do here but wait.