Bug #82774
Status: Closed
Check license compatibility upon extension install
Description
When a new extension is installed it is not checked whether the extension license complies with the requirements of the TYPO3 CMS. By current understanding a TYPO3 CMS extension is required to be licensed under the GPL or LGPL at version 2 or later. This is not the case with all extensions. There are quite a lot of extensions swirling around which are not clearly licensed under the GPL, distributed by third parties under unclear legal conditions and whatnot.
Additional effort should be put into adding utility/service classes for determining the TYPO3 CMS extension compatibility upon installation and upgrade/update of an extension from TER or other sources. This could be accomplished by checking the "license" field of the composer.json file supplied with an extension and by adding a new "license" field to the ext_emconf.php file.
I do not know the current plans whether to drop or keep the ext_emconf.php in favour of a composer.json. But currently the "ext_emconf.php" is one (if not the only) "sign" which marks a directory in "typo3conf/ext/" as an official extension!
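The check proposed in the description, as an added stand-alone example (not TYPO3 core code and not the abandoned patch): it reads the "license" field of an extension's composer.json and an assumed "license" field in ext_emconf.php, then warns when a declared license is not on a GPL-2.0-or-later compatible list. The GPL_COMPATIBLE list is an assumed subset of SPDX identifiers, not an official TYPO3 or FSF table.

```php
<?php
// Added example, not TYPO3 core code: read the "license" field of composer.json and
// of ext_emconf.php (the field this issue proposes) and warn when a declared license
// is not on a GPL-2.0-or-later compatible list (an assumed subset of SPDX ids).
declare(strict_types=1);

const GPL_COMPATIBLE = [
    'GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-only', 'GPL-3.0-or-later',
    'LGPL-2.1-only', 'LGPL-2.1-or-later', 'LGPL-3.0-only', 'LGPL-3.0-or-later',
    'MIT', 'BSD-2-Clause', 'BSD-3-Clause',
];
// Collect every license declared in composer.json (string or array) and ext_emconf.php.
// Composer treats an array as "either of"; this check is conservative and reports each
// entry that is not on the list rather than accepting the extension if one entry is.
function declaredLicenses(string $extDir): array
{
    $found = [];
    if (is_file("$extDir/composer.json")) {
        $data = json_decode((string)file_get_contents("$extDir/composer.json"), true);
        foreach ((array)($data['license'] ?? []) as $l) {
            $found[] = trim((string)$l);
        }
    }
    if (is_file("$extDir/ext_emconf.php")) {
        $EM_CONF = [];
        $_EXTKEY = basename($extDir);     // ext_emconf.php fills $EM_CONF[$_EXTKEY]
        include "$extDir/ext_emconf.php"; // this executes the file, as TYPO3 itself does
        if (!empty($EM_CONF[$_EXTKEY]['license'])) {
            $found[] = trim((string)$EM_CONF[$_EXTKEY]['license']);
        }
    }
    return array_values(array_unique($found));
}

// Returns a list of problems; an empty list means only compatible licenses were declared.
function checkExtensionLicense(string $extDir): array
{
    $licenses = declaredLicenses($extDir);
    if ($licenses === []) {
        return ['no license declared in composer.json or ext_emconf.php'];
    }
    $problems = [];
    foreach ($licenses as $l) {
        if (!in_array($l, GPL_COMPATIBLE, true)) {
            $problems[] = "'$l' is not on the GPL-2.0-or-later compatible list";
        }
    }
    return $problems;
}

// Usage: php check_license.php typo3conf/ext/my_ext
echo implode("\n", checkExtensionLicense($argv[1] ?? '.') ?: ['OK']), "\n";
```

Because the checker includes ext_emconf.php, it runs code from the extension directory; run it only on extensions you are about to install anyway, where that code would be executed regardless.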
Updated by Bernhard Kraft about 7 years ago
- Related to Task #78144: Evaluate inclusion of spdx info file added
Updated by Gerrit Code Review about 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54404
Updated by Bernhard Kraft about 7 years ago
The idea/problem behind this patch request is the fact that there are quite a bunch of legally unclear extensions out there ...
There are people who do not include the GPL header at the top of class files - either by intention or by mistake.
I do not know which legal impact it has upon a TYPO3 installation as a whole if there are extensions installed which do not comply with the GPL.
As far as my current understanding is concerned a TYPO3 extension is required to be GPL ... But what happens if it is not? In other software projects (Linux distributions, the Linux kernel, etc.) this "taints" the whole setup.
I guess it would be somewhat similar in a TYPO3 instance.
Updated by Bernhard Kraft about 7 years ago
I do not know if there are any TYPO3 "clones" out there which try to resemble the TYPO3 extension API. But just in such a hypothetical case "they" could legally use TYPO3 CMS extensions as they are GPL licensed, while installing their extensions in TYPO3 would eventually violate TYPO3 CMS legal requirements and/or break their legal requirements because they would be "forced" to GPL their work.
Updated by Helmut Hummel about 7 years ago
- Category changed from Security to Extension Manager
That is not a security topic.
Updated by Helmut Hummel about 7 years ago
By current understanding a TYPO3 CMS extension requires to be licensed under the GPL or LGPL at a version of 2 or later
And in general, this also is not true. The MIT license is compatible with the GPL, and TYPO3 itself used MIT code.
Therefore extensions licensed as MIT are valid to be installed with TYPO3.
However, all extensions on TER must be GPL, as written in the ToS of TER.
Besides that, a license check should not be done during installation, but during upload to TER or separately in a license check module (reports) or something similar.
Updated by Georg Ringer about 7 years ago
Why shouldn't I be allowed to install any package I want on my server?
Updated by Bernhard Kraft about 7 years ago
It is just about knowing that you are tainting your system with non-GPL software.
Updated by Helmut Hummel about 7 years ago
Bernhard Kraft wrote:
It is just about knowing that you are tainting your system with non-GPL software.
That might be useful to know; however, this IMHO should not be done during installation, but needs a separate check.
Updated by Bernhard Kraft about 7 years ago
I veto Helmut's postings.
Of course it is allowed to install non-GPL extensions. As previously mentioned it is only forbidden to upload non-GPL extensions to the official TER. But this is also not checked.
I will create a separate issue for this.
Updated by Bernhard Kraft about 7 years ago
So I should not be allowed to upload a non-GPL extension to TER. This is explained somewhere - but there is no technical check/reason against it. So if I do not place the "This software is GPL" header in my file headings and do not have a "license" => "GPLv2" in my ext_emconf or composer.json I will still be able to upload it to TER. There is a German proverb: "Wo kein Kläger, da kein Richter" ("where there is no plaintiff, there is no judge").
Meaning that if no one cares about whether all software in TER is GPL there could be some non-GPL extensions lurking around.
So we have two frontiers:
1. Take care only GPL extensions get uploaded to TER.
2. Notify a user when he is installing non-GPL software.
Updated by Bernhard Kraft about 7 years ago
- Related to Bug #82875: Check license compatibility upon extension upload to TER added
Updated by Jo Hasenau about 7 years ago
The checkbox that has to be clicked before the upload states:
I confirm that my extension contains only GPL v2 or any later version compliant code.
So there is no need to stick to GPLv2 due to the "any later" part and there is no need to stick to GPL at all due to the term "compliant".
Which is why some themes we did based on theme_bootstrap are using MIT license and are still legally published to the TER.
Please discuss topics like this with the licensing team first, since we are using our own tracker here on forge.
Updated by Susanne Moog almost 7 years ago
- Related to Feature #19393: Integrate license information and management added
Updated by Susanne Moog over 6 years ago
- Target version changed from 9 LTS to next-patchlevel
Updated by Susanne Moog almost 6 years ago
- Status changed from Under Review to Closed
Patch has been abandoned. Due to Comment 14 this should be discussed with the licensing team first. I'll close this issue in our tracker for now.