Bug #82774

Check license compatibility upon extension install

Added by Bernhard Kraft about 1 year ago. Updated 3 months ago.

Status:
Under Review
Priority:
Should have
Assignee:
-
Category:
Extension Manager
Target version:
Start date:
2017-10-16
Due date:
% Done:

0%

TYPO3 Version:
9
PHP Version:
7.2
Tags:
license, GPL, extension manager
Complexity:
hard
Is Regression:
Sprint Focus:

Description

When a new extension is installed it is not checked whether the extension license complies with the requirements of the TYPO3 CMS. By current understanding a TYPO3 CMS extension requires to be licensed under the GPL or LGPL at a version of 2 or later. This is not the case with all extensions. There are quite a lot of extensions swirling around which are not clearly licensed under the GPL, distributed by third-parties under unclear legal conditions and whatsoever.

Additional effort should be put into adding utility/service classes for determining the TYPO3 CMS extension compatibility upon installation and upgrade/update of an extension from TER or other sources. This could be accomplished by checking the "license" field of the composer.json file supplied with an extension and by adding a new "license" field to the ext_emconf.php file.

I do not know the current plans whether to drop or keep the ext_emconf.php in favour of a composer.json. But currently the "ext_emconf.php" is one (if not the only) "sign" which marks a directory in "typo3conf/ext/" as an official extension!
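The check proposed in this description, as an added example that is not part of this issue's patch or of TYPO3 core: it reads the license an extension declares in composer.json (falling back to a "license" key in ext_emconf.php, which is the field proposed here and assumed not to exist yet) and reports, rather than blocks, which installed extensions offer a GPL-compatible option. The SPDX allowlist is illustrative, not a legal determination.

```php
<?php
declare(strict_types=1);
// Added example, not TYPO3 core code. Illustrative allowlist of SPDX ids
// a site could treat as GPL-compatible; adjust to local legal advice.
const GPL_COMPATIBLE_SPDX = [
    'GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-only', 'GPL-3.0-or-later',
    'LGPL-2.1-only', 'LGPL-2.1-or-later', 'LGPL-3.0-only', 'LGPL-3.0-or-later',
    'MIT', 'BSD-2-Clause', 'BSD-3-Clause',
];
// Licenses the extension offers. composer.json "license" may be a string, a
// disjunctive array, or an expression such as "(LGPL-2.1-only or MIT)". Falls
// back to ext_emconf.php "license", the key proposed in this issue (assumption).
function declaredLicenses(string $extPath): array
{
    $raw = [];
    if (is_file("$extPath/composer.json")) {
        $data = json_decode((string)file_get_contents("$extPath/composer.json"), true);
        $raw = (array)($data['license'] ?? []);
    }
    if ($raw === [] && is_file("$extPath/ext_emconf.php")) {
        $EM_CONF = [];
        $_EXTKEY = basename($extPath);
        include "$extPath/ext_emconf.php";  // executes PHP, as the Extension Manager itself does
        $raw = (array)($EM_CONF[$_EXTKEY]['license'] ?? []);
    }
    $ids = [];
    foreach ($raw as $entry) {
        // Split "A or B" expressions and strip surrounding parentheses.
        foreach (preg_split('/\s+or\s+/i', trim((string)$entry, '() ')) as $id) {
            $ids[] = trim($id);
        }
    }
    return array_values(array_filter($ids));
}
// 'compatible' if at least one offered license is allowlisted, 'unknown' when
// nothing is declared, otherwise 'incompatible'.
function licenseVerdict(array $licenses): string
{
    if ($licenses === []) {
        return 'unknown';
    }
    return array_intersect($licenses, GPL_COMPATIBLE_SPDX) === [] ? 'incompatible' : 'compatible';
}
// Report every extension directory; the admin decides what to do with the result.
foreach (glob('typo3conf/ext/*', GLOB_ONLYDIR) ?: [] as $dir) {
    $licenses = declaredLicenses($dir);
    printf("%-30s %-12s %s\n", basename($dir), licenseVerdict($licenses),
        implode(' OR ', $licenses) ?: '-');
}
```

Run it from the TYPO3 site root; an "unknown" verdict flags exactly the extensions without any machine-readable license statement, which is the case the description is concerned with.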


Related issues

Related to TYPO3 Core - Task #78144: Evaluate inclusion of spdx info file New 2016-10-04
Related to TYPO3 Core - Bug #82875: Check license compatibility upon extension upload to TER Rejected 2017-10-27
Related to Licensing Team - Task #50133: License compatibility Needs Feedback 2013-07-17
Related to TYPO3 Core - Feature #19393: Integrate license information and management Accepted 2008-09-30

History

#1 Updated by Bernhard Kraft about 1 year ago

  • Assignee deleted (Helmut Hummel)

#2 Updated by Bernhard Kraft about 1 year ago

  • Related to Task #78144: Evaluate inclusion of spdx info file added

#3 Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54404

#4 Updated by Bernhard Kraft about 1 year ago

The idea/problem behind this patch request is the fact that there are quite a bunch of legally unclear extensions out there ...
There are people which do not include the GPL header in the top of class files - either by intention or by mistake.

I do not know which legal impact it has upon a TYPO3 installation at a whole if there are extensions installed which do not comply to the GPL.

As far as my current understanding is concerned a TYPO3 extension requires to be GPL ... But what happens if it is not? In other software projects (Linux distributions, the Linux kernel, etc.) this "taints" the whole setup.

I guess it would be somewhat similar in a TYPO3 instance.

#5 Updated by Bernhard Kraft about 1 year ago

I do not know if there are any TYPO3 "clones" out there which try to resemble the TYPO3 extension API. But just in such a hypothetical case "they" could legally use TYPO3 CMS extensions as they are GPL licensed, while installing their extensions in TYPO3 would eventually violate TYPO3 CMS legal requirements and/or break their legal requirements because they would be "forced" to GPL their work.

#6 Updated by Helmut Hummel about 1 year ago

  • Category changed from Security to Extension Manager

That is not a security topic

#7 Updated by Helmut Hummel about 1 year ago

By current understanding a TYPO3 CMS extension requires to be licensed under the GPL or LGPL at a version of 2 or later

And in general, this also is not true. MIT license is compatible with GPL and TYPO3 itself used MIT code.
Therefore Extensions licensed as MIT are valid to be installed with TYPO3.

However all Extensions on TER must be GPL as written in the ToS of TER.

Besides that, license check should not be done during installation, but during upload to TER or separately in a license check module (reports) or something similar.

#8 Updated by Georg Ringer about 1 year ago

why shouldn't I be allowed to install any package I want on my server?

#9 Updated by Bernhard Kraft about 1 year ago

It is just about knowing that you are tainting your system with non-GPL software.

#10 Updated by Helmut Hummel about 1 year ago

Bernhard Kraft wrote:

It is just about knowing that you are tainting your system with non-GPL software.

That might be useful to know, however this IMHO should not be done during installation, but needs a separate check

#11 Updated by Bernhard Kraft about 1 year ago

I veto Helmut's postings.

Of course it is allowed to install non-GPL extensions. As previously mentioned it is only forbidden to upload non-GPL extensions to the official TER. But this is also not checked.

I will create a separate issue for this.

#12 Updated by Bernhard Kraft about 1 year ago

So I should not be allowed to upload a non-GPL extension to TER. This is explained somewhere - but there is no technical check/reason against it. So if I do not place the "This software is GPL" header in my file headings and do not have a "license" => "GPLv2" in my ext_emconf or composer.json I will still be able to upload it to TER. There is a German Sprichwort: "Wo kein Kläger, da kein Richter".

Meaning that if no one cares about whether all software in TER is GPL there could be some non-GPL extensions lurking around.

So we have two frontiers:
1. Take care only GPL extensions get uploaded to TER.
2. Notify a user when he is installing non-GPL software.

#13 Updated by Bernhard Kraft about 1 year ago

  • Related to Bug #82875: Check license compatibility upon extension upload to TER added

#14 Updated by Jo Hasenau about 1 year ago

The checkbox that has to be clicked before the upload states:

I confirm that my extension contains only GPL v2 or any later version compliant code.

So there is no need to stick to GPLv2 due to the "any later" part and there is no need to stick to GPL at all due to the term "compliant".
Which is why some themes we did based on theme_bootstrap are using MIT license and are still legally published to the TER.

Please discuss topics like this with the licensing team first, since we are using our own tracker here on forge.

#15 Updated by Jo Hasenau about 1 year ago

#16 Updated by Susanne Moog 11 months ago

  • Related to Feature #19393: Integrate license information and management added

#17 Updated by Susanne Moog 3 months ago

  • Target version changed from 9 LTS to next-patchlevel
