libcdio GPL/license violation

Bug #181244 reported by Schily
Affects: gst-plugins-ugly0.10 (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

There are two serious problems with libcdio:

1) The license text has been changed from "GPL v2 only" to "GPLv2 or any later" without permission from the real Authors of the code the library is based on.

2) libcdio is GPL but is called from libgstreamer (being LGPL)
   GPL and LGPL are not compatible. GPL code may not be called from non-GPL code.
  The LGPL allows to "solve" the conflict between GPL and LGPL by giving the permission
  to relicense the LGPL code under GPL. While this may work for a small project, it is not
  an applicable solution for an OS distribution as libgstreamer would then be 100% GPL only
  on Ubuntu.

BTW: This license problem has been discovered by Sun lawyers.
Sun did already remove libcdio from Solaris Express.

Reinhard Tartler (siretart) wrote :

Why did Sun remove libcdio? Wouldn't compiling libgstreaming without linking to libcdio "solve" the issue as well?

Schily (schilling-fokus) wrote :

Please avoid the term "linking", it does not appear anywhere in the GPL and for this
reason linking is irrelevant for GPL violations.

We are talking about shared libraries here that are loaded on demand (using dlopen).
The GPL does not care about linking but it cares about using GPLd software from
other software in order to create a derived work. If libgstreamer (being under LGPL)
loads and uses libcdio, it becomes a derived work of libcdio and thus must be under GPL.

Sun removed libcdio, because libgstreamer cannot be under LGPL (needed for some cases)
and GPL at the same time (see LGPL license text).

Reinhard Tartler (siretart) wrote :

> Sun removed libcdio, because libgstreamer cannot be under LGPL (needed for some cases)
In what cases libgstreamer needs to be under LGPL?

> and GPL at the same time (see LGPL license text).
Can you please give a reference for this claim?

Schily (schilling-fokus) wrote :

I did not ask Sun for more. If you are interested, please try to find the right
people on the OpenSolaris GNOME mailing list.

For the legal background on the GPL/LGPL incompatibility please read LGPL §3

.....
  Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.

xteejx (xteejx) wrote :

I know the last comment on this was quite a while ago, but does this apply to any of the Ubuntu versions currently in use, and if so can you tell us which versions you believe to be affected by this licensing issue. I will then make sure that this is passed on to the relevant people. Thank you.

Changed in libcdio (Ubuntu):
status: New → Incomplete
Reinhard Tartler (siretart) wrote :

I'm attaching the current debian/copyright file that is currently included in lucid's libcdio10 package.

While it does not show the license change (which needs to be handled upstream), it does state:

 - Joerg Schilling as one of the copyright holders
 - the license is GPLv3 or later.

Indeed, the copyright file of lucid's package gstreamer0.10-plugins-ugly claims that the package was distributed under LGPL, which is problematic AFAIUI.

affects: libcdio (Ubuntu) → gst-plugins-ugly0.10 (Ubuntu)
Changed in gst-plugins-ugly0.10 (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Schily (schilling-fokus) wrote :

The original problem has not been fixed:

- it is even worse now as the current libcdio is published under a supposed GPLv3 or
  any later while it contains code that was published under "GPLv2 only".
  The authors of the related code have not been asked and would not give their OK
  for a license change (if asked).

- there is still the gstreamer library, being intentionally under LGPL because this is
  needed to make it usable by the intended application code that calls libcdio.

A fix for audio playback is to use the replacement library (that calls cdda2wav) I wrote with Sun.
This library has a clean privilege separation and thus does not create the problems that make
users of libcdio a potential security risk.

In general, it is a conceptual mistake to put high level stuff like CD/DVD writing high level code
into a library as CD/DVD writing is a privileged operation that needs root privileges on most
platforms. Thus applications developed based on such a library (including all libraries they call)
would need a full in-depth security audit.

Conclusion, I recommend to stop distributing libcdio as Sun did in 2007.

Mackenzie Morgan (maco.m) wrote :

For gst-plugins-ugly0.10:
The COPYING file in http://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-0.10.13.tar.gz and in the package in Lucid and the debian/copyright in Lucid all agree that the license is LGPLv2.1+

For libcdio:
The COPYING file in http://ftp.gnu.org/gnu/libcdio/libcdio-0.82.tar.gz and in the package in Lucid and the debian/copyright in Lucid all agree that the license is GPLv3+

If you believe that the FSF does not have the right to choose the GPLv3+ license for libcdio, please take this up with them. Getting it changed there will trickle down to all distros instead of you having to ask many individual distros to make changes to the copyright files distributed with their packages.

IANAL, so no comment on GPLv3+ interaction with LGPLv2.1+

Schily (schilling-fokus) wrote :

Let me repeat again:

The maintainer of libcdio admits that libcdio contains code from cdda2wav and the code from cdda2wav is available under GPLv2-only or under CDDL but not under different licenses. Note: this is an official statement from the cdda2wav author.

BTW: This is not the only software where the FSF intentionally ignores legal rules. It took me 10 years and the help from Suse to finally convince the FSF to make vcdimager a legal program.

An additional problem with libcdio is that it gets called from GNOME via LGPL libraries. Calling GPLd code from non-GPLd code is not legally possible. This is why the Sun legal department decided in 2006 already to ban libcdio from their distribution and replaced it by a new library that is based on the original cdda2wav code. This new solution is fully legal and gives even better audio extraction properties.

So why is Ubuntu not interested in being legal and still distributes a non-legal solution even though a legal alternative exists?

Rockyb (rockyb) wrote :

cdda2wav code in libcdio is only for its paranoia library. When we became aware of the mixing of licenses, the paranoia portion was split off from libcdio and put into a separate package and the two packages have separate licenses.

So again and more specifically, libcdio version 0.90 from Oct 27, 2012 does not have any paranoia or cdda2wav code.
