Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 492424 - www-client/chromium: incomplete LICENSE
Summary: www-client/chromium: incomplete LICENSE
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Chromium Project
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2013-11-24 11:58 UTC by Ulrich Müller
Modified: 2022-11-28 19:38 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2013-11-24 11:58:30 UTC
LICENSE says just "BSD", but there are several other licenses, especially in the various third-party directories. I haven't done a complete license audit, but some random sampling shows GPL, LGPL, MIT, and MPL-1.1.

Please specify all relevant licenses in the LICENSE string. It should also be clarified if redistribution of the binary package is allowed, as it apparantly combines GPL code with code under GPL-incompatible licenses (such as MPL-1.1 or openssl).
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2013-12-10 16:26:57 UTC
(In reply to Ulrich Müller from comment #0)
> Please specify all relevant licenses in the LICENSE string.

Will do. Could you clarify what is considered relevant?

Is code that is not part of compiled package relevant? What about code that is only used during build, but does not make it into the binaries? Then there is also likely code that is not used for anything (either used on other platform, or e.g. unbundled, or only used for some tests).

> It should also be clarified if redistribution of the binary package
> is allowed, as it apparantly combines GPL code with code under
> GPL-incompatible licenses (such as MPL-1.1 or openssl).

Please avoid speculating about this.

First, how would I clarify this? Note that there is a "bindist" USE flag for binary redistribution. Of course there are no guarantees.

Then, the browser itself cannot be GPL, to allow Google to ship Chrome. My understanding is that GPL code can only be used for tests, and some files/dependencies are under a dual license in which case we'd be using them under non-GPL terms.

Standard disclaimer (applies to this and all of my posts on this bug): I'm not a lawyer.
Comment 2 Richard Freeman gentoo-dev 2013-12-10 17:48:46 UTC
(In reply to Paweł Hajdan, Jr. from comment #1)
> (In reply to Ulrich Müller from comment #0)
> > Please specify all relevant licenses in the LICENSE string.
> 
> Will do. Could you clarify what is considered relevant?
> 
> Is code that is not part of compiled package relevant? What about code that
> is only used during build, but does not make it into the binaries? Then
> there is also likely code that is not used for anything (either used on
> other platform, or e.g. unbundled, or only used for some tests).

Just my own personal two cents, but I'd think that we'd want LICENSE to cover anything in the SRC_URI.  That's what is actually getting distributed by us.  If we include a copy of a Top-40 CD in the tarball we'll have problems even if the first thing the ebuild does is delete it.
Comment 3 Ulrich Müller gentoo-dev 2013-12-10 18:08:32 UTC
(In reply to Paweł Hajdan, Jr. from comment #1)
> > Please specify all relevant licenses in the LICENSE string.
> 
> Will do. Could you clarify what is considered relevant?
> 
> Is code that is not part of compiled package relevant? What about code that
> is only used during build, but does not make it into the binaries? Then
> there is also likely code that is not used for anything (either used on
> other platform, or e.g. unbundled, or only used for some tests).

My interpretation was always that LICENSE should specify everything that will be installed on a user's system. So build tools and files used only on another platform would be excluded, but e.g. the license of a file installed from ${FILESDIR} would have to be included. This also allows to control optionally installed pieces of a package (that have a more restrictive license) via USE flags, without jumping through hoops.

I'm aware that there are other opinions, see rich0's comment.

> > It should also be clarified if redistribution of the binary package
> > is allowed, as it apparantly combines GPL code with code under
> > GPL-incompatible licenses (such as MPL-1.1 or openssl).
> 
> Please avoid speculating about this.
> 
> First, how would I clarify this? Note that there is a "bindist" USE flag for
> binary redistribution. Of course there are no guarantees.

As I said, I haven't done a complete license audit, and I haven't investigated the details of what parts are linked together. Some of the MPL-1.1 stuff seems to be dual-licensed, so maybe it is o.k.
Comment 4 Alexander Berntsen (RETIRED) gentoo-dev 2013-12-10 18:59:22 UTC
The fact that there are multiple interpretations of the ramifications of the LICENSE field, coupled with the fact that neither the PMS nor the devmanual actually specifies it any more than "The package’s license" leads me to believe we need a clear and concise definition of this.
Comment 5 Andrius Štikonas 2020-07-19 18:30:44 UTC
There is a particularly problematic unRAR license among those. This one is not even in @FREE license set.
Comment 6 Ulrich Müller gentoo-dev 2022-07-29 09:08:04 UTC
Ping. Any progress here?
Comment 7 Marco Scardovi (scardracs) 2022-11-27 21:15:41 UTC
Debian already did it. You can find the complete list at https://metadata.ftp-master.debian.org/changelogs//main/c/chromium/chromium_107.0.5304.121-1_copyright
Comment 8 Marco Scardovi (scardracs) 2022-11-27 21:24:00 UTC
Complete license list

License="BSD-3-clause GPL-2+ GPL-3+ LGPL-2.0+ LGPL-2.1+ Apache-2.0 BSD-2-clause BSL-1 ICU MPL-1.1 Public-domain Apple-license MPL-2.0 Ms-PL zlib MIT ISC GPL-2.0 LGPL-2 LGPL-2+ LGPL-2.1"
Comment 9 Andrius Štikonas 2022-11-27 21:49:43 UTC
(In reply to Marco Scardovi (scardracs) from comment #8)
> Complete license list
> 
> License="BSD-3-clause GPL-2+ GPL-3+ LGPL-2.0+ LGPL-2.1+ Apache-2.0
> BSD-2-clause BSL-1 ICU MPL-1.1 Public-domain Apple-license MPL-2.0 Ms-PL
> zlib MIT ISC GPL-2.0 LGPL-2 LGPL-2+ LGPL-2.1"

On Gentoo you also need to add unrar.
Comment 10 Ulrich Müller gentoo-dev 2022-11-28 09:20:03 UTC
(In reply to Marco Scardovi (scardracs) from comment #8)
> Complete license list
> 
> License="BSD-3-clause GPL-2+ GPL-3+ LGPL-2.0+ LGPL-2.1+ Apache-2.0
> BSD-2-clause BSL-1 ICU MPL-1.1 Public-domain Apple-license MPL-2.0 Ms-PL
> zlib MIT ISC GPL-2.0 LGPL-2 LGPL-2+ LGPL-2.1"

"Apple-license" is APSL-2 and "BSL-1" is Boost-1.0, I suppose?


(In reply to Andrius Štikonas from comment #9)
> On Gentoo you also need to add unrar.

(In reply to Andrius Štikonas from comment #5)
> There is a particularly problematic unRAR license among those. This one is
> not even in @FREE license set.

Right. Is it possible to make installation of the nonfree parts USE-conditional? Otherwise the package would be license masked by default.
Comment 11 Marco Scardovi (scardracs) 2022-11-28 12:57:01 UTC
Ok, now follows our license labels and are alphabetically ordered

License="Apache-2.0 APSL-2 Boost-1.0 BSD BSD-2 GPL-2 GPL-2+ GPL-3+ icu ISC LGPL-2 LGPL-2+ LGPL-2.1 LGPL-2.1+ MIT MPL-1.1 MPL-2.0 Ms-PL public-domain unRAR ZLIB"
Comment 12 Marco Scardovi (scardracs) 2022-11-28 13:03:42 UTC
(In reply to Ulrich Müller from comment #10)
> Right. Is it possible to make installation of the nonfree parts
> USE-conditional? Otherwise the package would be license masked by default.

I saw it is on keepdir (see https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/chromium-107.0.5304.121.ebuild#n558). If chromium can works without it it would be possible to add a USE="rar" and then

> if use system-ffmpeg; then
>	keepddir=( third_party/unrar )
> fi

or something like that.
Comment 13 Marco Scardovi (scardracs) 2022-11-28 13:04:14 UTC
(In reply to Marco Scardovi (scardracs) from comment #12)
> (In reply to Ulrich Müller from comment #10)
> > Right. Is it possible to make installation of the nonfree parts
> > USE-conditional? Otherwise the package would be license masked by default.
> 
> I saw it is on keepdir (see
> https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium/chromium-
> 107.0.5304.121.ebuild#n558). If chromium can works without it it would be
> possible to add a USE="rar" and then
> 
> > if use system-ffmpeg; then
> >	keepddir=( third_party/unrar )
> > fi
> 
> or something like that.

Sorry,

> if use rar; then
>	keepddir=( third_party/unrar )
> fi
Comment 14 Ulrich Müller gentoo-dev 2022-11-28 13:54:57 UTC
(In reply to Marco Scardovi (scardracs) from comment #11)
> Ok, now follows our license labels and are alphabetically ordered
> 
> License="Apache-2.0 APSL-2 Boost-1.0 BSD BSD-2 GPL-2 GPL-2+ GPL-3+ icu ISC
> LGPL-2 LGPL-2+ LGPL-2.1 LGPL-2.1+ MIT MPL-1.1 MPL-2.0 Ms-PL public-domain
> unRAR ZLIB"

Thank you. I'd put BSD first because it is the main license of the package, but otherwise alphabetical order is fine.
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-28 14:01:14 UTC
Shouldn't it include !system-icu and such?
Comment 16 Mike Gilbert gentoo-dev 2022-11-28 15:43:05 UTC
(In reply to Ulrich Müller from comment #10)
> (In reply to Andrius Štikonas from comment #9)
> > On Gentoo you also need to add unrar.
> 
> (In reply to Andrius Štikonas from comment #5)
> > There is a particularly problematic unRAR license among those. This one is
> > not even in @FREE license set.
> 
> Right. Is it possible to make installation of the nonfree parts
> USE-conditional? Otherwise the package would be license masked by default.

It looks like the unrar code is only used by the "safe browsing" feature; basically, the browser tries to detect rar files with unsafe content.

I don't see any way to disable unrar by itself without applying a patch. However, we could disable the safe browsing feature entirely via a build system flag.
Comment 17 Stephan Hartmann (RETIRED) gentoo-dev 2022-11-28 16:00:10 UTC
(In reply to Marco Scardovi (scardracs) from comment #8)
> Complete license list
> 
> License="BSD-3-clause GPL-2+ GPL-3+ LGPL-2.0+ LGPL-2.1+ Apache-2.0
> BSD-2-clause BSL-1 ICU MPL-1.1 Public-domain Apple-license MPL-2.0 Ms-PL
> zlib MIT ISC GPL-2.0 LGPL-2 LGPL-2+ LGPL-2.1"

zlib is unbundled in our builds and I can't find a Boost license in the sources. Boost is only part of Swiftshader, but not build with Chromium.
Comment 19 Marco Scardovi (scardracs) 2022-11-28 19:10:46 UTC
(In reply to Stephan Hartmann from comment #17)
> (In reply to Marco Scardovi (scardracs) from comment #8)
> > Complete license list
> > 
> > License="BSD-3-clause GPL-2+ GPL-3+ LGPL-2.0+ LGPL-2.1+ Apache-2.0
> > BSD-2-clause BSL-1 ICU MPL-1.1 Public-domain Apple-license MPL-2.0 Ms-PL
> > zlib MIT ISC GPL-2.0 LGPL-2 LGPL-2+ LGPL-2.1"
> 
> zlib is unbundled in our builds and I can't find a Boost license in the
> sources. Boost is only part of Swiftshader, but not build with Chromium.

I took the LICENSES from Debian (they have a complete list of licenses and where it is applied on link I’ve posted before)
Comment 20 Marco Scardovi (scardracs) 2022-11-28 19:21:34 UTC
Nevermind, Boost license is listed at the end of the page but not actually used so it can be dropped
Comment 21 Marco Scardovi (scardracs) 2022-11-28 19:38:49 UTC
(In reply to Mike Gilbert from comment #18)
> Debian patch to disable unrar:
> 
> https://salsa.debian.org/chromium-team/chromium/-/blob/bullseye/debian/
> patches/disable/unrar.patch

Thanks! I've made a PR ^^. Please look if it is ok for all you all and feel free to merge/overtake :)