Apache-licensed code has been borrowed with violation of license requirements

Bug #1443904 reported by Oleg Strikov
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| juju-core | Fix Released | High | Ian Booth | |
| 1.23 | Fix Released | High | Ian Booth | |

Bug Description

File in question: https://github.com/juju/juju/blob/master/environs/cloudinit/powershell_helpers.go

If you look at line 131 (https://github.com/juju/juju/blob/master/environs/cloudinit/powershell_helpers.go#L131) you may find the following text: 'Original sources available at: https://bitbucket.org/splatteredbits/carbon'. This statement is correct because the code below the statement has been borrowed from here: https://bitbucket.org/splatteredbits/carbon/src/2aff71c6b8abfca886332b0cf1ca17c2416b2763/Source/Security/Privilege.cs?at=default

This code is licensed under Apache-2.0 licence and has Copyright 2012 Aaron Jensen in its text. Apache-2.0 license requires us to obey the following rules while borrowing code:

> (a) You must give any other recipients of the Work or Derivative Works a copy of this License;

We don't have Apache license in the juju repo.

> (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark <...>

'Copyright 2012 Aaron Jensen' has been lost and we don't have it in the juju repo.

> (b) You must cause any modified files to carry prominent notices stating that You changed the files;

I'm not sure how to read this request correctly. Maybe we need to tell if we changed the code or borrowed it as-is.

===============

While this issue is relatively easy to fix, it looks pretty significant to me. It's practically impossible to find such issues in the code. I did it by chance and wonder how many issues of the same sort I missed. We may want to come up with a procedure to prevent such issues in the future.

Please note that this issue is not just 'ah, we forget to put license and copyright, let's do it and we're done'. Hopefully, Apache license is compatible with AGPL. But I don't think that anyone checked this while borrowing code. But what if we borrow something with incompatible license? We'd be required to re-write the code in a great hurry to be able to release it.

Oleg Strikov (strikov-deactivatedaccount) wrote :

Same external code has been added to the following file as well:
https://github.com/juju/juju/blob/master/environs/cloudinit/windows_userdata_test.go#L133

Curtis Hovey (sinzui)
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
milestone: none → 1.24-alpha1
tags: added: packaging
Oleg Strikov (strikov-deactivatedaccount) wrote :

Thanks to Tim for a fix: https://github.com/juju/juju/pull/2072/files
Unfortunately we forgot about a second file: https://github.com/juju/juju/blob/master/environs/cloudinit/windows_userdata_test.go#L133
It requires absolutely the same header change as we did for environs/cloudinit/powershell_helpers.go

Oleg Strikov (strikov-deactivatedaccount) wrote :

Thanks Tim & Ian. Both files are fixed now in juju/1.23.

Ian Booth (wallyworld)
Changed in juju-core:
assignee: nobody → Ian Booth (wallyworld)
status: Triaged → Fix Committed
Curtis Hovey (sinzui)
tags: added: tech-debt
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released