Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 829427 - net-im/zoom-5.8.6.739 possible GPL violation for bundled quazip
Summary: net-im/zoom-5.8.6.739 possible GPL violation for bundled quazip
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Ulrich Müller
URL:
Whiteboard:
Keywords: UPSTREAM
Depends on:
Blocks:
 
Reported: 2021-12-17 10:41 UTC by Ulrich Müller
Modified: 2021-12-19 12:43 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2021-12-17 10:41:17 UTC
The tarball bundles a libquazip.so which is licensed under LGPL, version 2.1 or later. The license requires that the library is accompanied "with the complete corresponding machine-readable source code" (section 4) and distribution of "a copy of this License along with the Library" (section 1). I see neither of them in the zoom-5.8.6.739_x86_64.tar.xz tarball.
Comment 1 Ulrich Müller gentoo-dev 2021-12-17 10:56:15 UTC
Reported upstream:
https://support.zoom.us/hc/de/requests/13018604
Comment 2 Hanno Böck gentoo-dev 2021-12-17 11:53:48 UTC
This confused me, as I would find it unlikely that the LGPL requires to actually always distribute the source code (instead of "making it available").

The LPGL-2.1 contains this sentence after the one you quoted:
"If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. "

Now I find this hard to read legalese, but I interpret this that instead of shipping the source with the binary, slack could also provide the code by offering "requivalend access to copy the source code from the same place". In non-legalese I interpret this as if they offer a download link to the code from their webpage then that should be ok?

They seem to do that:
https://explore.zoom.us/de/opensource/source/
Comment 3 Hanno Böck gentoo-dev 2021-12-17 11:54:40 UTC
And in the above comment I wrote "slack" where I obviously meant "zoom". Sorry for the confusion...
Comment 4 Ulrich Müller gentoo-dev 2021-12-17 13:45:29 UTC
(In reply to Hanno Böck from comment #2)
> Now I find this hard to read legalese, but I interpret this that instead of
> shipping the source with the binary, slack could also provide the code by
> offering "requivalend access to copy the source code from the same place".
> In non-legalese I interpret this as if they offer a download link to the
> code from their webpage then that should be ok?
> 
> They seem to do that:
> https://explore.zoom.us/de/opensource/source/

That's not "the same place" though. Download of the tarball is at https://zoom.us/download and I don't see any link from there to the source code.

Also (according to iplocation.net), zoom.us is located in Virginia while explore.zoom.us is in California. So it's not the same place by a geographic definition either.

Of course, you'll find the source code for quazip using a search engine, but that's not what the license says.