Skip to content

Instantly share code, notes, and snippets.

@pombredanne
Last active March 30, 2021 12:58
Show Gist options
  • Save pombredanne/7d6b3689a1b796c9a509c83b6b87f274 to your computer and use it in GitHub Desktop.
Save pombredanne/7d6b3689a1b796c9a509c83b6b87f274 to your computer and use it in GitHub Desktop.

This is a notice received and originally from https://github.zendesk.com/attachments/token/eTJTaIjPp5pqbcAldaowe2N4E/?name=2021-03-22-freedesktop.rtf

Are you the copyright holder or authorized to act on the copyright owner's behalf?

Yes, I am the copyright holder.

Please describe the nature of your copyright ownership or authorization to act on the owner's behalf.

I'm [private] of the software that some code was taken from, and [private] of it for more than 15 years.

Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.

The shared-mime-info package contains:

  • The core database of common MIME types, their file extensions and icon names.
  • The update-mime-database command, used to extend the DB and install a new MIME data.
  • The freedesktop.org shared MIME database spec.

The core database was copied wholesale:
[private]
with translations merged:
[private]

What files should be taken down? Please provide URLs for each file, or if the entire repository, the repository’s URL.

https://github.com/zRedShift/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/13521900025/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/backwardn/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/brandfolder/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/developgo/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/Kycklingar/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/pombredanne/mimemagic/blob/master/cmd/parser/freedesktop.org.xml
https://github.com/simplesurance/mimemagic/blob/master/cmd/parser/freedesktop.org.xml

Have you searched for any forks of the allegedly infringing files or repositories? Each fork is a distinct repository and must be identified separately if you believe it is infringing and wish to have it taken down.

Yes.

Is the work licensed under an open source license? If so, which open source license? Are the allegedly infringing files being used under the open source license, or are they in violation of the license?

Is the work licensed under an open source license?

Yes.

If so, which open source license?

The GNU General Public License v2 or later:
https://gitlab.freedesktop.org/xdg/shared-mime-info/-/blob/master/COPYING

Are the allegedly infringing files being used under the open source license, or are they in violation of the license?

They're using the file under an MIT license which is not compatible with the GNU GPL v2 or later.

What would be the best solution for the alleged infringement? Are there specific changes the other person can make other than removal? Can the repository be made private?

Relicense the project under a license compatible with the GNU GPL v2 or later, or remove it.

Do you have the alleged infringer’s contact information? If so, please provide it.

No.

I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law.

I have taken fair use into consideration.

I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed.

I have read and understand GitHub's Guide to Submitting a DMCA Takedown Notice.

So that we can get back to you, please provide either your telephone number or physical address.

[private]
[private]
[private]
[private]

Please type your full legal name below to sign this request.

[private]

@pombredanne
Copy link
Author

pombredanne commented Mar 22, 2021

And some more elements I received from Github:

I'm contacting you on behalf of GitHub because we've received a DMCA takedown notice regarding the following content:

https://github.com/pombredanne/mimemagic/blob/master/cmd/parser/freedesktop.org.xml

We're giving you 1 business day to make the changes identified in the following notice:
https://github.zendesk.com/attachments/token/eTJTaIjPp5pqbcAldaowe2N4E/?name=2021-03-22-freedesktop.rtf

If you need to remove specific content from your repository, simply making the repository private or deleting it via a commit won't resolve the alleged infringement. Instead, you must follow these instructions to remove the content from your repository's history, even if you don't think it's sensitive:
https://docs.github.com/articles/remove-sensitive-data

Once you've made changes, please reply to this message and let us know. If you don't tell us that you've made changes within the next 1 business day, we'll need to disable the entire repository according to our GitHub DMCA Takedown Policy:

https://docs.github.com/articles/dmca-takedown-policy/

If you believe your content on GitHub was mistakenly disabled by a DMCA takedown request, you have the right to contest the takedown by submitting a counter notice, as described in our DMCA Takedown Policy.

PLEASE NOTE: It is important that you reply to this message within 1 business day to tell us whether you've made changes. If you do not, the repository will be disabled.

@pombredanne
Copy link
Author

pombredanne commented Mar 22, 2021

And some draft of reply elements:

I happen to just have an old fork of that repo and I just received this DMCA takedown notice something which I find rather surprising but nonetheless an interesting and novel GPL development
I made this notice public at https://gist.github.com/pombredanne/7d6b3689a1b796c9a509c83b6b87f274

I have to assume that this legal injunction is based on this original issue by@hadess zRedShift/mimemagic#4

@hadess wrote in zRedShift/mimemagic#4:

The license that you're shipping mimemagic under (MIT) isn't compatible with shared-mime-info's.

I am pretty sure that this person does not fully understand the GPL: the MIT is compatible with the GPL per the FSF https://www.gnu.org/licenses/license-list.en.html#Expat
 And the source of the shared-mime-info XML data is also provided as is here (and in my  fork  at https://github.com/pombredanne/mimemagic/blob/master/cmd/parser/freedesktop.org.xml ) meeting any GPL redistribution requirements.

@hadess wrote:

Using a GPL file as a source makes your whole codebase a derived work, making it all GPL, so I think it's pretty important that this problem gets corrected before somebody uses it in a pure MIT codebase, or a closed-source application.

I am not redistributing any binary, but how would code and data that side-by-side in a repo make a whole codebase a derived work? 
I am not legally-trained so I have no idea what this would mean in general, and in particular here. I think this is at best a case of side-by-side redistribution aka "mere aggregation" per the GPL 2.0 Section2 : https://www.gnu.org/licenses/old-licenses/gpl-2.0.html

"In addition, mere aggregation of another work not based on the Programwith the Program (or with a work based on the Program) on a volume ofa storage or distribution medium does not bring the other work underthe scope of this License. "

@hadess continues:

You will also need to re-add the GPL header to the shared-mime-info XML file as a matter of urgency.

The file in question at https://raw.githubusercontent.com/pombredanne/mimemagic/master/cmd/parser/freedesktop.org.xml is copied verbatim and unmodified as-is from https://gitlab.freedesktop.org/xdg/shared-mime-info/uploads/6a226038bf42dae45a049a6b8e729abc/shared-mime-info-1.10.tar.xz with absolutely no notice removed at all, so which GPL header that was supposedly removed does @hadess refers to?There is no such header in his own original release at freedesktop.org. There was however a GPL full text and a README. But no notice anywhere in the release made by @hadess himself. The only license reference is https://github.com/pombredanne/mimemagic/blob/master/cmd/parser/freedesktop.org.xml.COPYING
There was no full GPL text and  in my fork at https://github.com/pombredanne/mimemagic I added the missing GPL text and the shared-mime-info original readme and an extra readme note:

@hadess also wrote:

I've historically been the maintainer of shared-mime-info for around 15 years

We are all grateful for his work as maintainer, but is he also the copyright holder?Based on https://gitlab.freedesktop.org/xdg/shared-mime-info/-/blame/master/data/freedesktop.org.xml.in there is a large number of authors 

@Pizzacus
Copy link

I am not a lawyer but I find licenses to be pretty interesting. I've looked quite a bit into them, but unfortunately, I am not familiar with the GPL 2.0 license.

Still, I'll try to answer some questions to the best of my abilities. You'll still have to make your own research, but I hope this puts you on the right path!


is he also the copyright holder?

As I understand, if he contributed to the work, then he shares the copyright with the other people who did. He can take action if it is misused. So yes, at least for this purpose, he can say he is the copyright holder.


I think this is at best a case of side-by-side redistribution aka "mere aggregation"

At best, yeah, but not necessarily... Let's look at the line closely

In addition, mere aggregation of another work not based on the Program with the Program [...] does not bring the other work under the scope of this License. [Emphasis added.]

In order to determine whether your work falls in the scope of the GPL 2.0 license, one needs to determine whether your work is based on their work.

That's a hard question to answer. It may not be relevant, as I will explain in the next section, but still, let's think about that.

Already, one paragraph that, in my opinion, is more relevant to look at, is this one:

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

So is your work truly "independent and separate" by itself? It might depend on how much your code depends on the way the GPL work is made. You may also ask whether the main functionality or value of your program comes from the GPL work. Is this part replaceable?

The FSF believes that if a font were licensed under GPL 2.0 and the font was embedded into a document (not just referenced, but the file was actually included in the text file by the editor), then the document would need, they think, to be under GPL.

See https://www.fsf.org/blogs/licensing/20050425novalis

In fact, this is why they created an exception that font authors can add to the GPL licenses that allow embedding in documents, because this requirement would be silly.

I don't know whether the idea that "font embedding makes the work based on the original work" is something that can be proven or just speculation from the FSF. Still, if they believe that, it must be founded.


But this may not matter, because I think it is not a violation of the GPL 2.0 license to release your changes under permissive licenses.

But again, not a lawyer.

Here is why I think that:

Already, I can tell you with quite a bit of confidence that it would not be a violation of the GPL 3.0 license, thanks to Section 7.

Section 7 of the GPL 3.0 license, ⚠️ which does not exist in GPL 2.0, allows the author of the work to add additional terms to their work as long as they make the license more permissive.

This means you can, for instance, create a new file in a GPL 3.0 work and add a term on it that allows people to do anything they want with it. You could license it under MIT, Apache 2.0, or any license more permissive than GPL 3.0.

In this case, the whole project remains GPL 3.0, but the file you added can be used on its own under the license you chose

Back to GPL 2.0

GPL 2.0 does not have an explicit section that allows additional permission.

But I would argue there's nothing in it that prevents it, it's just unregulated.

If your work is based on the GPL work, then Section 2 point b says that

You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

But it never says "this license exclusively" or "you may not offer any additional permissions to the recipients of your work". It simply says that you have to offer it under this license.

So you could provide your project under both the MIT and GPL 2.0 licenses, and then people could choose which one to use.

But... wait...

They can already use the MIT parts under GPL 2.0 if they want to, they don't need you to provide it under this license...

Therefore, if this logic is correct, you're... good? You basically don't need to change anything, well apart from adding the license file, which you did, and indicate the file is under GPL 2.0 and nothing else is.

Because when you provide the code under MIT, it can be licensed under the GPL 2.0 license, so it should fulfil its requirements as long as my logic that you can provide additional licenses if you want to is correct.

Conclusion

I think both of your commits, pombredanne/mimemagic@84325dd and pombredanne/mimemagic@4c154fc are enough to fix the issues with the GPL 2.0 license. Maybe you could make the notice more prominent in the readme, just to ensure everyone is aware there's a GPL file in it, but anyway, I would say there's nothing else you need to do.

But again, not a lawyer.

@Pizzacus
Copy link

Actually, this part of the GPL 2.0 Q&A might answer our question

https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLModuleLicense

If I add a module to a GPL-covered program, do I have to use the GPL as the license for my module?

The GPL says that the whole combined program has to be released under the GPL. So your module has to be available for use under the GPL.
But you can give additional permission for the use of your code. You can, if you wish, release your module under a license which is more lax than the GPL but compatible with the GPL. The license list page gives a partial list of GPL-compatible licenses.

Your project could be basically a big module to the original GPL-covered work, so this is relevant. You do have the right to release it under a license that is laxer.

@pombredanne
Copy link
Author

@Pizzacus Thank you for your comprehensive post and opinion!

@pombredanne
Copy link
Author

The readme of the package starts with this note:

This package contains:

  • The freedesktop.org shared MIME database spec.
  • The merged GNOME and KDE databases, in the new format.
  • The update-mime-database command, used to install new MIME data.

I could not find anything about its license. I assume this would be GPL?

  • The merged GNOME and KDE databases.
    I assume both would be GPL alright but there is again no notice in the provided XML database file freedesktop.org.xml which is the topic at issue here. There is a notice in the related file freedesktop.org.xml.in as a comment though:
<!--
The freedesktop.org shared MIME database (this file) was created by merging
several existing MIME databases (all released under the GPL).

It comes with ABSOLUTELY NO WARRANTY, to the extent permitted by law. You may
redistribute copies of update-mime-database under the terms of the GNU General
Public License. For more information about these matters, see the file named
COPYING.

The latest version is available from:

	http://www.freedesktop.org/wiki/Software/shared-mime-info/

To extend this database, users and applications should create additional
XML files in the 'packages' directory and run the update-mime-database
command to generate the output files.
-->
  • The update-mime-database command, used to install new MIME data.
    This comes alright with a Copyright (C) 2003 Thomas Leonard e.g. @talex5 and this notice in update-mime-database.c
#define COPYING								\
	     N_("Copyright (C) 2003 Thomas Leonard.\n"			\
		"update-mime-database comes with ABSOLUTELY NO WARRANTY,\n" \
		"to the extent permitted by law.\n"			\
		"You may redistribute copies of update-mime-database\n"	\
		"under the terms of the GNU General Public License.\n"	\
		"For more information about these matters, "		\
		"see the file named COPYING.\n")

The man page at update-mime-database.1 has this notice: This manpage is in the public domain.

@pombredanne
Copy link
Author

I also created this ticket https://gitlab.freedesktop.org/xdg/shared-mime-info/-/issues/154 so that this issue can be discussed publicly in the upstream project

@cfergeau
Copy link

I am not redistributing any binary, but how would code and data that side-by-side in a repo make a whole codebase a derived work?
I am not legally-trained so I have no idea what this would mean in general, and in particular here. I think this is at best a case of side-by-side redistribution aka "mere aggregation" per the GPL 2.0 Section2 : https://www.gnu.org/licenses/old-licenses/gpl-2.0.html

What about https://github.com/zRedShift/mimemagic/blob/master/magicsigs.go , https://github.com/zRedShift/mimemagic/blob/master/mediatypes.go , ... ? I'm quite sure these are generated from shared-mime-info.xml using https://github.com/zRedShift/mimemagic/blob/master/cmd/parser/main.go , which make this code base more than "shipping go files side by side with a GPL xml file", these go files are a derivative work from shared-mime-info.xml.

@hadess
Copy link

hadess commented Mar 23, 2021

I'm not going to read the whole thing, because I only have one life.

A quick note though that I do have the right to enforce my own copyright (and I wrote the majority of the contents of freedesktop.org.xml.in above the person that imported the original database, and own that copyright), and I don't need to ask other rights holders.

I've pointed out the changes I'd like to see made in zRedShift/mimemagic#4 (comment)

@pombredanne
Copy link
Author

@cfergeau good points!

FWIW, https://gitlab.freedesktop.org/xdg/shared-mime-info/-/issues/154#note_850132 was closed by @hadess who does not seem to be willing to discuss the matter further.

@hadess
Copy link

hadess commented Mar 23, 2021

FWIW, https://gitlab.freedesktop.org/xdg/shared-mime-info/-/issues/154#note_850132 was closed by @hadess who does not seem to be willing to discuss the matter further.

?

@pombredanne
Copy link
Author

@Pizzacus
Copy link

It's not GPLv2 or later though .-.

@pombredanne
Copy link
Author

@hadess you wrote:

I'm not going to read the whole thing, because I only have one life.
A quick note though that I do have the right to enforce my own copyright (and I wrote the majority of the contents of freedesktop.org.xml.in above the person that imported the original database, and own that copyright), and I don't need to ask other rights holders.

I am not disputing your rights there as I have no idea whether you have proper standing or not in this matter and what the GPL means for data files: you brought a serious legal action in the first place so I think it is fair to discuss this. You closed and locked the ticket in https://gitlab.freedesktop.org/xdg/shared-mime-info/-/issues/154#note_850132 for further comment... but this still needs to be discussed. As mentioned before your demands and guess lack the clarity that is required to be actionable in zRedShift/mimemagic#4

@cfergeau
Copy link

@cfergeau I further updated the README at https://github.com/pombredanne/mimemagic/blob/22e9e89765540fcd8062db2471432a7a12b7e9b6/README.md

This is fairly light and misleading imo. The generated code is gplv2 if it's a straight rip from the xml database. This also means any go program using this code as a go module effectively has to be shipped under the gplv2. This is very unusual in the go ecosystem, so it might e safer to just remove that generated code, and reimplement it properly (parsing the xml file at runtime maybe?)

@pombredanne
Copy link
Author

pombredanne commented Mar 23, 2021

@Pizzacus you wrote:

It's not GPLv2 or later though .-.

Let me fix that further, though the plot thickens and I need some extra clarity there first before being able to resolve the issues without compounding the problem:

The notice in freedesktop.org.xml.in is:

The freedesktop.org shared MIME database (this file) was created by merging
several existing MIME databases (all released under the GPL).

It comes with ABSOLUTELY NO WARRANTY, to the extent permitted by law. You may
redistribute copies of update-mime-database under the terms of the GNU General
Public License. For more information about these matters, see the file named
COPYING.

The latest version is available from:

        http://www.freedesktop.org/wiki/Software/shared-mime-info/

To extend this database, users and applications should create additional
XML files in the 'packages' directory and run the update-mime-database
command to generate the output files.

Per the GPL-2.0, Section 9 https://www.gnu.org/licenses/old-licenses/gpl-2.0.html#section9 this means any version of the GPL:

If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

And the GPL COPYING text is for the GPL-2.0. I am not really able to resolve whether that's a GPL-2.0-or-later or a GPL-2.0 or any of the GPL 1,2 or 3 or any other version that applies.

@hadess do you know what is the exact license of this project? I need to know so I can carry this forward accurately.

@Pizzacus
Copy link

@cfergeau I hadn't thought of that... You're absolutely right, that's true, it does mean that if the work is a module, then GPL will apply to any other program that depends on it...

Well, if you're in the US, you might be able to just regenerate the file, because databases are not protected by copyright in the US.

See https://meta.wikimedia.org/wiki/Wikilegal/Database_Rights

Essentially, in the US, the structure and organisation of a database is protected by copyright. But the content, if it's just factual, non-creative, is not.

So you could create your own database of mime types, with the content of the original one, but structured in your own way. I think it would no longer be covered by GPL, but PLEASE MAKE SURE OF THAT BEFORE YOU DO IT 😨

@pombredanne
Copy link
Author

@cfergeau in reply to https://gist.github.com/pombredanne/7d6b3689a1b796c9a509c83b6b87f274#gistcomment-3676356

That's a good point. I made further updates at https://github.com/pombredanne/mimemagic/blob/b433f99f4a226778cdeb1a2f2887b36929e5ca8e/README.md to clarify what the GPL impact may be on the generated code. Note that this (e.g. the license of data fact under a the GPL and what happens in this case of generation) is a grey area as one may be able to make a point that file types and their magic are non-copyrightable facts? Alwayer's take on this would be much welcomed.

@hadess
Copy link

hadess commented Mar 23, 2021

It's supposed to be GPLv2+, after verification. This MR attempts to clarify this:
https://gitlab.freedesktop.org/xdg/shared-mime-info/-/merge_requests/119

@cfergeau
Copy link

Essentially, in the US, the structure and organisation of a database is protected by copyright. But the content, if it's just factual, non-creative, is not.

In the mimemagic, I suspect the structure of the data is heavily based on shared-mime-info structure, so it's not just reusing individual 'facts' in its own way. And well, if the code can be MIT if ??? (developer? user? distributor?) is in the US, but GPL in other parts of the world, this still feels very complicated :)

Note that this (e.g. the license of data fact under a the GPL and what happens in this case of generation) is a grey area as one may be able to make a point that file types and their magic are non-copyrightable facts?

My recommendation would be to err on the safe side, and consider this code to be GPL, with all the implications that go with that. You are of course free to have your own interpretation on the matter. If you go with the 'safe side', maybe you are going too far, but you know for sure you won't have more problems because of this. Going with your own interpretation is full of 'maybe's (the ones you used yourself in this discussion, and in the README file).

@pombredanne
Copy link
Author

@hadess you wrote:

This MR attempts to clarify this:
https://gitlab.freedesktop.org/xdg/shared-mime-info/-/merge_requests/119

MO is that this MR is missing some proper historical references to the license of the original data from Gnome and KDE that were merged to create that database. This would need to be researched and documented before a change in licensing documentation to avoid adding more layers of confusion to the topic.

@hadess
Copy link

hadess commented Mar 23, 2021

MO is that this MR is missing some proper historical references to the license of the original data from Gnome and KDE that were merged to create that database. This would need to be researched and documented before a change in licensing documentation to avoid adding more layers of confusion to the topic.

Except that, as Zander mentioned, it doesn't matter one bit in this discussion.

You can choose to pin your copy of the database to a particular version of the GPL, say, GPLv2 and you would still not be following that license's terms properly.

@R030t1
Copy link

R030t1 commented Mar 24, 2021

Essentially, in the US, the structure and organisation of a database is protected by copyright. But the content, if it's just factual, non-creative, is not.

In the mimemagic, I suspect the structure of the data is heavily based on shared-mime-info structure, so it's not just reusing individual 'facts' in its own way.

@cfergeau: Reverse engineering for interoperability is explicitly protected. Discussions elsewhere talk about replacing the disputed file with a drop in public domain one, so the suggestion this project lacks of structure imposed from this specific database is, contingent on the existence of those other databases, very defensible.

Then, the GPL-ness extends just to the MIME type database; @hadess needs to be going after people who are distributing binaries but not the source to the MIME database or its changes without the copyright notice. I am very pro-GPL but even if you considered XML a programming language (it's not) it is different than the implementation language in every case. Its inclusion in a forest of other files does not mean all of those files must be similarly licensed; see current handling of e.g. router firmware.

@pombredanne
Copy link
Author

@pombredanne
Copy link
Author

For reference here is the status of this DMCA takedown so far:

The head original fork of @zRedShift https://github.com/zRedShift/mimemagic was relicensed under the GPL and all past releases "retracted" Go package-wise and git tags deleted.

My fork https://github.com/pombredanne/mimemagic/ has been filtered and purged from all and any Freedesktop shared-mime-info content

Eventually GitHub published the DMCA takedown here https://github.com/github/dmca/blob/master/2021/03/2021-03-22-freedesktop.md with redacted names.

@pombredanne
Copy link
Author

On the Ruby side, following mimemagicrb/mimemagic#97 which was worded the same way as this DMCA takedown but was not yet a DMCA action @jellybob and @minad 's https://github.com/mimemagicrb/mimemagic/ was briefly relicensed under the GPL and all past versions and tags yanked then eventually was rewritten to remove all generated parts and relicensed under the MIT to read a system-installed mime database after having created quite a stir for downstream users, including major ones such as Rails and all Rails users.

@pombredanne
Copy link
Author

More related issues created by @hadess which I am not sure I always understand:

They have this typical content I guess asking for repository removal.

Remove repo #1
Hey,

I know you're just trying to get your Ruby on Rails stuff working, but if old
versions of a repo were removed because their license is incorrect, the right
way to fix this isn't to reupload stuff that was using the wrong license.

The upstream discussion:
rails/rails#41750

And more takedown requests impacting other places:

Remove mimemagic 0.3.6 The license listed is invalid in: https://github.com/KON-ch/ActorConnection/tree/master/vendor/cache/ruby/3.0.0/gems/mimemagic-0.3.6
Please refer to: rails/rails#41750

I've historically been the maintainer of shared-mime-info for around 15 years, and script/freedesktop.org.xml looks like it's a copy of the database shipped with shared-mime-info, which is released under the GPL, with shared-mime-info's translators work merged in, and the GPL header removed.
The license that you're shipping mimemagic under (MIT) isn't compatible with shared-mime-info's.
There are a number of possibilities to fix this problem:

change the mimemagic license to be GPL compatible
parse the XML file that shared-mime-info ships at runtime, and don't ship it in a codebase with an incompatible license

Using a GPL file as a source makes your whole codebase a derived work, making it all GPL, so I think it's pretty important that this problem gets corrected before somebody uses it in a pure MIT codebase, or a closed-source application.

You will also need to re-add the GPL header to the shared-mime-info XML file as a matter of urgency. It was stripped in release tarballs by the tool used to merge translations, but is visible in the .in version of the same file.

And some also contain DMCA takedown threats:
gedhean/mimemagic#2 (comment)

hadess commented 15 minutes ago
Thanks for the advice, @hadess. I'll remove the repo soon.

Please fix it now, otherwise I'll have to file a DMCA takedown request, and it's more work for me, and more hassle for you.

@pombredanne
Copy link
Author

There is quite a bit of twitter chatter about the impact of the actions listed here in the Rails world https://twitter.com/search?q=mimemagic&src=typed_query

@pombredanne
Copy link
Author

And some interesting article (translated from German by Google translate): https://www.heise.de/news/Ruby-on-Rails-Durch-Lizenzproblem-entfallene-Library-erzeugt-Dominoeffekt-5999197.html

Ruby on Rails: Library lost due to license problem creates domino effect
Half a million open source projects are likely to be affected by the chaos caused by a library that was initially incorrectly licensed and then withdrawn.

In the middle of this week, Bastien Nocera, the maintainer of an open source software library called shared-mime-infothe maintainer of the Ruby library, mimemagichad notified that mimemagicthe wrong license was being used. Noceras Library is registered under the GPLv2 license, and projects based on it would have to use the same license. The Ruby library, however, was registered with the MIT license. The discovery might have been a side note, but the licensing problem has sparked a chain reaction that now affects around 500,000 open source projects.

@pombredanne
Copy link
Author

And an interesting article by @cseeman https://dev.to/cseeman/what-s-up-with-mimemagic-breaking-everything-he1

And some weird twists: https://news.ycombinator.com/item?id=26571086

In a twist of irony, the software for which the copyright claim breaking rails was made is hosted on the free edition of gitlab, which is based on rails.

and https://news.ycombinator.com/item?id=26573161

And according to the twitter-bio of the individual, who brought this up, he's related to Red Hat, which are also affected [^1].
[^1]RedHatInsights/compliance-backend#79...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment