Check license compatibility upon extension install
When a new extension is installed it is not checked whether the extension license complies with the requirements of the TYPO3 CMS. By current understanding a TYPO3 CMS extension requires to be licensed under the GPL or LGPL at a version of 2 or later. This is not the case with all extensions. There are quite a lof of extensions swirring around which are not clearly licensed under the GPL, distributed by third-parties under unclear legal conditions and whatsoever.
Additional effort should be put into adding utility/service classes for determining the TYPO3 CMS extension compatibility upon installation and upgrade/update of an extension from TER or other sources. This could be accomplished by checking the "license" field of the composer.json file supplied with an extension and by adding a new "license" field to the ext_emconf.php file.
I do not know the current plans whether to drop or keep the ext_emconf.php in favour of a composer.json. But currently the "ext_emconf.php" is one (if not the only) "sign" which marks a directory in "typo3conf/ext/" as an official extension!
#4 Updated by Bernhard Kraft about 1 year ago
The idea/problem behind this patch request is the fact that there are quite a bunch of legally unclear extensions out there ...
There are people which do not include the GPL header in the top of class files - either by intention or by mistake.
I do not know which legal impact it has upon a TYPO3 installation at a whole if there are extensions installed which do not comply to the GPL.
As far as my current understanding is concerned a TYPO3 extension requires to be GPL ... But what happens if it is not? In other software projects (Linux distributions, etc.), the Linux kernel, etc. this "taints" the whole setup.
I guess it would be somewhat similar in a TYPO3 instance.
#5 Updated by Bernhard Kraft about 1 year ago
I do not know if there are any TYPO3 "clones" out there which try to resemble the TYPO3 extension API. But just in such a hypothetical case "they" could legally use TYPO3 CMS extensions as they are GPL licensed while installing their extensions in TYPO3 would eventually violate TYPO3 CMS legal requirements and or break their legal requirements because they would be "forced" to GPL their work.
#7 Updated by Helmut Hummel about 1 year ago
By current understanding a TYPO3 CMS extension requires to be licensed under the GPL or LGPL at a version of 2 or later
And in general, this also is not true. MIT license is compatible with GPL and TYPO3 itself used MIT code.
Therefore Extensions licensed as MIT are valid to be installed with TYPO3.
However all Extensions on TER must be GPL as written in the ToS of TER.
Besides that, license check should not be done during installation, but during upload to TER or separately in a license check module (reports) or something similar.
#12 Updated by Bernhard Kraft about 1 year ago
So I should not be allowed to upload a non-GPL extension to TER. This is explained somewhere - but there is no technical check/reason against it. So if I not place the "This software is GPL" header in my file headings and have not a "license" => "GPLv2" in my ext_emconf or composer.json I will still be able to upload it to TER. There is a German Sprichwort: "Wo kein Kläger da kein Richter".
Meaning that if no one cares about whether all software in TER is GPL there could be some non-GPL extensions lurking around.
So we have two frontiers:
1. Take care only GPL extensions get uploaded to TER.
2. Notify a user when he is installing non-GPL software.
#14 Updated by Jo Hasenau about 1 year ago
The checkbox that has to be clicked before the upload states:
I confirm that my extension contains only GPL v2 or version code.
So there is no need to stick to GPLv2 due to the "any later" part and there is no need to stick to GPL at all due to the term "compliant".
Which is why some themes we did based on theme_bootstrap are using MIT license and are still legally published to the TER.
Please discuss topics like this with the licensing team first, since we are using our own tracker here on forge.