Bug #82774

closed

Check license compatibility upon extension install

Added by Bernhard Kraft about 7 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Extension Manager
Target version:
Start date:
2017-10-16
Due date:
% Done:
0%

Estimated time:
TYPO3 Version:
9
PHP Version:
7.2
Tags:
license, GPL, extension manager
Complexity:
hard
Is Regression:
Sprint Focus:

Description

When a new extension is installed it is not checked whether the extension license complies with the requirements of the TYPO3 CMS. By current understanding a TYPO3 CMS extension is required to be licensed under the GPL or LGPL at version 2 or later. This is not the case with all extensions. There are quite a lot of extensions swirling around which are not clearly licensed under the GPL, distributed by third parties under unclear legal conditions and the like.

Additional effort should be put into adding utility/service classes for determining the TYPO3 CMS extension compatibility upon installation and upgrade/update of an extension from TER or other sources. This could be accomplished by checking the "license" field of the composer.json file supplied with an extension and by adding a new "license" field to the ext_emconf.php file.

I do not know the current plans whether to drop or keep the ext_emconf.php in favour of a composer.json. But currently the "ext_emconf.php" is one (if not the only) "sign" which marks a directory in "typo3conf/ext/" as an official extension!

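The check proposed in the description, written as an added example that is not part of this issue, the abandoned patch, or TYPO3 core. It evaluates only the "license" field of an extension's composer.json, which Composer allows as a single SPDX identifier, an array (a disjunction: any listed license may be chosen), or an expression such as "(MIT or GPL-2.0-or-later)" / "(LGPL-2.1-only and MIT)". ext_emconf.php is deliberately left out: it is PHP that would have to be included, i.e. executed, to read it, and the "license" key proposed for it does not exist. The allowlist of identifiers treated as compatible with GPL-2.0-or-later, the alias table for legacy spellings, and the five sample composer.json documents are constructed assumptions for illustration, not legal advice.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not TYPO3 core code. Classifies the composer.json "license"
 * field of an extension against GPL-2.0-or-later. PHP 7.2 compatible.
 */

/** SPDX identifiers treated here as compatible with "GPL-2.0-or-later" (assumption, not legal advice).
 *  Apache-2.0 is intentionally absent: it is compatible with GPL-3.0 but not with GPL-2.0-only,
 *  so a conservative check flags it for manual review instead of accepting it. */
const GPL2_OR_LATER_COMPATIBLE = [
    'GPL-2.0-only', 'GPL-2.0-or-later', 'GPL-3.0-only', 'GPL-3.0-or-later',
    'LGPL-2.1-only', 'LGPL-2.1-or-later', 'LGPL-3.0-only', 'LGPL-3.0-or-later',
    'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC',
];

/** Legacy or deprecated spellings mapped to current SPDX identifiers (assumed list). */
const LICENSE_ALIASES = [
    'GPL-2.0+' => 'GPL-2.0-or-later', 'GPL-2.0' => 'GPL-2.0-only',
    'GPL-3.0+' => 'GPL-3.0-or-later', 'GPL-3.0' => 'GPL-3.0-only',
    'LGPL-2.1+' => 'LGPL-2.1-or-later', 'LGPL-2.1' => 'LGPL-2.1-only',
    'GPLv2' => 'GPL-2.0-only', 'GPLv2+' => 'GPL-2.0-or-later',
];

function normalizeLicenseId(string $id): string
{
    $id = trim($id);
    return LICENSE_ALIASES[$id] ?? $id;
}

/** Index of the ')' matching the '(' at $open, or -1 if unbalanced. */
function matchingParen(string $s, int $open): int
{
    $depth = 0;
    for ($i = $open, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '(') {
            $depth++;
        } elseif ($s[$i] === ')' && --$depth === 0) {
            return $i;
        }
    }
    return -1;
}

/** Split $s on $sep (case-insensitive) only where parenthesis depth is zero. */
function splitTopLevel(string $s, string $sep): array
{
    $parts = [];
    $depth = 0;
    $start = 0;
    $len = strlen($sep);
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '(') {
            $depth++;
        } elseif ($s[$i] === ')') {
            $depth--;
        } elseif ($depth === 0 && strcasecmp(substr($s, $i, $len), $sep) === 0) {
            $parts[] = substr($s, $start, $i - $start);
            $i += $len - 1;          // skip the rest of the separator
            $start = $i + 1;
        }
    }
    $parts[] = substr($s, $start);
    return $parts;
}

/**
 * Evaluate a Composer license expression: "or" means any branch may be chosen,
 * "and" means every part must be acceptable. Recurses through parentheses.
 */
function licenseExpressionCompatible(string $expr): bool
{
    $expr = trim($expr);
    // Peel parentheses that enclose the whole expression, e.g. "(MIT or GPL-2.0-or-later)".
    while ($expr !== '' && $expr[0] === '(' && matchingParen($expr, 0) === strlen($expr) - 1) {
        $expr = trim(substr($expr, 1, -1));
    }
    $orParts = splitTopLevel($expr, ' or ');
    if (count($orParts) > 1) {
        foreach ($orParts as $part) {
            if (licenseExpressionCompatible($part)) {
                return true;
            }
        }
        return false;
    }
    $andParts = splitTopLevel($expr, ' and ');
    if (count($andParts) > 1) {
        foreach ($andParts as $part) {
            if (!licenseExpressionCompatible($part)) {
                return false;
            }
        }
        return true;
    }
    return in_array(normalizeLicenseId($expr), GPL2_OR_LATER_COMPATIBLE, true);
}

/** Returns 'missing', 'compatible' or 'incompatible' for a decoded composer.json. */
function classifyComposerLicense(array $composer): string
{
    if (!isset($composer['license'])) {
        return 'missing';
    }
    // A bare array is a disjunction; "proprietary" simply never matches the allowlist.
    $licenses = is_array($composer['license']) ? $composer['license'] : [$composer['license']];
    foreach ($licenses as $license) {
        if (is_string($license) && licenseExpressionCompatible($license)) {
            return 'compatible';
        }
    }
    return 'incompatible';
}

// Constructed sample composer.json documents (not real extensions).
$samples = [
    'ext_a' => '{"name":"vendor/ext-a","type":"typo3-cms-extension","license":"GPL-2.0-or-later"}',
    'ext_b' => '{"name":"vendor/ext-b","type":"typo3-cms-extension","license":["MIT","GPL-2.0+"]}',
    'ext_c' => '{"name":"vendor/ext-c","type":"typo3-cms-extension","license":"(Apache-2.0 and MIT)"}',
    'ext_d' => '{"name":"vendor/ext-d","type":"typo3-cms-extension"}',
    'ext_e' => '{"name":"vendor/ext-e","type":"typo3-cms-extension","license":"proprietary"}',
];
foreach ($samples as $key => $json) {
    $composer = json_decode($json, true);
    if (!is_array($composer)) {
        printf("%-6s invalid JSON\n", $key);
        continue;
    }
    printf("%-6s %s\n", $key, classifyComposerLicense($composer));
}
```

Run with `php check-license.php`: ext_a and ext_b classify as compatible, ext_c and ext_e as incompatible, ext_d as missing. The result is only as good as the metadata: a composer.json that declares GPL-2.0-or-later while the class files carry no license header, or carry a different one, is exactly the case the description complains about, so a "compatible" verdict here is a signal to a reviewer, not a proof.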

Related issues: 3 (0 open, 3 closed)

Related to TYPO3 Core - Task #78144: Evaluate inclusion of spdx info file (Closed, 2016-10-04)
Related to TYPO3 Core - Bug #82875: Check license compatibility upon extension upload to TER (Rejected, 2017-10-27)
Related to TYPO3 Core - Feature #19393: Integrate license information and management (Closed, 2008-09-30)
Actions #1

Updated by Bernhard Kraft about 7 years ago

  • Assignee deleted (Helmut Hummel)
Actions #2

Updated by Bernhard Kraft about 7 years ago

  • Related to Task #78144: Evaluate inclusion of spdx info file added
Actions #3

Updated by Gerrit Code Review about 7 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54404

Actions #4

Updated by Bernhard Kraft about 7 years ago

The idea/problem behind this patch request is the fact that there are quite a bunch of legally unclear extensions out there ...
There are people who do not include the GPL header at the top of class files - either by intention or by mistake.

I do not know which legal impact it has upon a TYPO3 installation as a whole if there are extensions installed which do not comply with the GPL.

As far as my current understanding is concerned a TYPO3 extension is required to be GPL ... But what happens if it is not? In other software projects (Linux distributions, the Linux kernel, etc.) this "taints" the whole setup.

I guess it would be somewhat similar in a TYPO3 instance.

Actions #5

Updated by Bernhard Kraft about 7 years ago

I do not know if there are any TYPO3 "clones" out there which try to resemble the TYPO3 extension API. But just in such a hypothetical case "they" could legally use TYPO3 CMS extensions as they are GPL licensed, while installing their extensions in TYPO3 would eventually violate TYPO3 CMS legal requirements and/or break their legal requirements because they would be "forced" to GPL their work.

Actions #6

Updated by Helmut Hummel about 7 years ago

  • Category changed from Security to Extension Manager

That is not a security topic

Actions #7

Updated by Helmut Hummel about 7 years ago

By current understanding a TYPO3 CMS extension is required to be licensed under the GPL or LGPL at version 2 or later

And in general, this also is not true. MIT license is compatible with GPL and TYPO3 itself used MIT code.
Therefore Extensions licensed as MIT are valid to be installed with TYPO3.

However all Extensions on TER must be GPL as written in the ToS of TER.

Besides that, license check should not be done during installation, but during upload to TER or separately in a license check module (reports) or something similar.

Actions #8

Updated by Georg Ringer about 7 years ago

Why shouldn't I be allowed to install any package I want on my server?

Actions #9

Updated by Bernhard Kraft about 7 years ago

It is just about knowing that you are tainting your system with non-GPL software.

Actions #10

Updated by Helmut Hummel about 7 years ago

Bernhard Kraft wrote:

It is just about knowing that you are tainting your system with non-GPL software.

That might be useful to know, however this IMHO should not be done during installation, but needs a separate check

Actions #11

Updated by Bernhard Kraft about 7 years ago

I veto Helmut's postings.

Of course it is allowed to install non-GPL extensions. As previously mentioned it is only forbidden to upload non-GPL extensions to the official TER. But this is also not checked.

I will create a separate issue for this.

Actions #12

Updated by Bernhard Kraft about 7 years ago

So I should not be allowed to upload a non-GPL extension to TER. This is explained somewhere - but there is no technical check/reason against it. So if I do not place the "This software is GPL" header in my file headings and do not have a "license" => "GPLv2" in my ext_emconf or composer.json I will still be able to upload it to TER. There is a German saying: "Wo kein Kläger, da kein Richter" (where there is no plaintiff, there is no judge).

Meaning that if no one cares about whether all software in TER is GPL there could be some non-GPL extensions lurking around.

So we have two frontiers:
1. Take care only GPL extensions get uploaded to TER.
2. Notify a user when he is installing non-GPL software.

Actions #13

Updated by Bernhard Kraft about 7 years ago

  • Related to Bug #82875: Check license compatibility upon extension upload to TER added
Actions #14

Updated by Jo Hasenau about 7 years ago

The checkbox that has to be clicked before the upload states:

I confirm that my extension contains only GPL v2 or any later version compliant code.

So there is no need to stick to GPLv2 due to the "any later" part and there is no need to stick to GPL at all due to the term "compliant".
Which is why some themes we did based on theme_bootstrap are using MIT license and are still legally published to the TER.

Please discuss topics like this with the licensing team first, since we are using our own tracker here on forge.

Actions #16

Updated by Susanne Moog almost 7 years ago

  • Related to Feature #19393: Integrate license information and management added
Actions #17

Updated by Susanne Moog about 6 years ago

  • Target version changed from 9 LTS to next-patchlevel
Actions #18

Updated by Susanne Moog over 5 years ago

  • Status changed from Under Review to Closed

Patch has been abandoned. Due to Comment 14 this should be discussed with the licensing team first. I'll close this issue in our tracker for now.
