Hello!
Because reasons I had to make sure all licenses in a certain gatsby project we have play well together. Unfortunately there is an issue.
As explained here https://www.apache.org/licenses/GPL-compatibility.html
the FSF has never considered the Apache License to be compatible with GPL version 2
There are several apache2.0 licensed packages in a typical gatsby project, eg. starter has 42
and one library which is GPLv2 licensed, so this is where I see a problem.
This specific library is https://github.com/Iwasawafag/node-potrace
I opened an issue and a PR regarding this topic, no feedback so far.
node-potrace is a dependency of gatsby-plugin-sharp. Sharp itself is apache2.0 licensed so I think the incompatibility is already on that level. Gatsby-plugin-sharp is licensed as MIT, however I miss the knowledge to evaluate if this is ok.
FWIW I used https://github.com/davglass/license-checker and ran it on the gatsbyjs/gatsby-starter-default and printed the licenses.
Here is the summary: https://github.com/einSelbst/gatsby-starter-default/blob/master/licenses-summary.txt
Here are the details: https://github.com/einSelbst/gatsby-starter-default/blob/master/licenses-details.json
I would like to know if gatsby thinks this is a relevant issue. I would think it's also in gatsby's own interest to make sure the code which is distributed doesn't infringe licenses.
Hey there, thanks so much for bringing this up! Just to let you know, I am not a legal expert by any means so what I say may be incorrect, although it seems like I'm in the best position to answer this out of our team since I have some background on software licensing issues.
I would like to know if gatsby thinks this is a relevant issue. I would think it's also in gatsby's own interest to make sure the code which is distributed doesn't infringe licenses.
First of all, we definitely do think this is a relative issue and we want to make sure we comply with all licensing terms :)
We've had a look into the issue and as far as we can tell, the main problem actually lies with the fact that we are using a GPL library inside some of our plugins, which are all currently licensed as MIT, which would still be an issue even if we did not have any Apache dependencies.
Using NPM dependency packages would legally constitute as dynamic linking, which means that under the FSF's interpretation of the GPL [1] they form part of a single program. This means that we either need to license any plugins which use GPL dependencies as GPL, or remove these dependencies. [2] In addition, websites using any of these plugins would need to be licensed as GPL themselves in order to comply, for the same reason - so it seems much more likely that we will look towards the first option if we can.
Alternatively if we cannot find a suitable replacement, then we may have to make potrace an optional dependency, so that we do not have to license the whole plugin as GPL (since all those sites would need to be relicensed as GPL, including www.gatsbyjs.com which is not even open source at all). Then we could simply show a warning if someone tries to use functionality which depends on this library, and allow them to add it themselves if they are happy to license their site as GPL.
[1] This view seems to differ among various lawyers - see this StackOverflow answer + example
[2] The core part of Gatsby does not directly depend on either potrace or any of the plugins which do, so we would not need to make any changes to its license - only to projects which use these plugins.
Thank you for looking into this @davidbailey00 !
Hiya!
This issue has gone quiet. Spooky quiet. 👻
We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!
Thanks for being a part of the Gatsby community! 💪💜
Hey again!
It’s been 30 days since anything happened on this issue, so our friendly neighborhood robot (that’s me!) is going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error, I’m HUMAN_EMOTION_SORRY. Please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!
Thanks again for being part of the Gatsby community!
It looks like the node-potrace authors are open to updating the license to GPL v3, which may resolve this issue? https://github.com/Iwasawafag/node-potrace/issues/7
It looks like the node-potrace authors are open to updating the license to GPL v3, which may resolve this issue? Iwasawafag/node-potrace#7
as far as I understand, using GPLv3 still requires you to release as GPLv3
https://tldrlegal.com/license/gnu-general-public-license-v3-(gpl-3)
What is the status of this issue? We have a solution utilizing contentful and gatsby but making our code open source is not an option so this is kind of a make or break issue for my organization.
@sternetj The status is that this issue needs to be resolved. Because node-potrace can't really be relicensed to a more permissive license even if the maintainer would want to do so, I think the only solution for us is to make a breaking change in gatsby-plugin-sharp and remove node-potrace usage from it (that would let it remain MIT licensed). And there would be another package that would utilize node-potrace (but that would need to be GPL), but that would be up to individual projects to decide whether they want to use it or not.
Because this is not done yet, there might be solutions to workaround node-potrace being in gatsby-plugin-sharp dependencies:
Using yarn resolutions (would require to use yarn for it) - you can force potrace to be resolved to something else than actual potrace - if you are not using tracedSVG feature (this is the feature that relies on potrace). Then you can supply a mock library that just makes sure that imports still work
Here's example: https://github.com/pieh/dont-use-potrace-example/commit/a05eb1530792815de7c0aea2d0e419166e44f3bc
I ran https://www.npmjs.com/package/license-checker on project afterwards and it doesn't contain the GPL licensed potrace - see https://github.com/pieh/dont-use-potrace-example/blob/master/licenses.txt output of it.
Interestingly there is one mention of GPL license still:
├─ [email protected]
│  ├─ licenses: (BSD-3-Clause OR GPL-2.0)
│  ├─ repository: https://github.com/digitalbazaar/forge
│  ├─ publisher: Digital Bazaar, Inc.
│  ├─ email: [email protected]
│  ├─ url: http://digitalbazaar.com/
│  ├─ path: /Users/misiek/test/dont-use-potrace-example/node_modules/node-forge
│  └─ licenseFile: /Users/misiek/test/dont-use-potrace-example/node_modules/node-forge/LICENSE
node-forge is a transitive dependency of webpack-dev-server and I didn't inspect what the OR in licenses really means (and what impact it can have), but I also am not a lawyer so even if I did look it up, I wouldn't be able to give advice on that part
I think the way we could permanently solve it (still breaking change) would be to make potrace a peerDependency and let user opt into installing it and let gatsby-plugin-sharp check if it's available and conditionally enable potrace related functionality.
That would also need to have big warning in documentation, what are consequences of installing potrace
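Added example, not part of the thread or of Gatsby's code: a small Node.js audit over license-checker style JSON that separates packages where GPL is the only option from dual-licensed ones such as the `(BSD-3-Clause OR GPL-2.0)` entry above. In SPDX expressions `OR` means the licensee may choose either license. The `GPL_ID` pattern, the handling of array values and the sample report (including its version numbers) are assumptions made for the illustration.

```javascript
// Added example (not from the thread). GPL_ID and SAMPLE are assumptions.
const GPL_ID = /^A?GPL-/i; // SPDX ids counted as GPL here; LGPL is not

// Split an SPDX expression (subset: ids, AND, OR, parentheses) into tokens.
const tokenize = (expr) => expr.replace(/[()]/g, " $& ").trim().split(/\s+/);

// One binary level of the grammar: `next` parses operands, `must` combines them.
// must: every way to comply involves a GPL licence; may: GPL is mentioned at all.
function level(t, op, next, must) {
  let a = next(t);
  while (t[0] === op) {
    t.shift();
    const b = next(t);
    a = { must: must(a.must, b.must), may: a.may || b.may };
  }
  return a;
}
// AND binds tighter than OR, as in SPDX.
const parseAnd = (t) => level(t, "AND", parseAtom, (x, y) => x || y);
const parseOr = (t) => level(t, "OR", parseAnd, (x, y) => x && y);

function parseAtom(t) {
  const tok = t.shift();
  if (tok === "(") {
    const inner = parseOr(t);
    if (t.shift() !== ")") throw new Error("unbalanced parentheses");
    return inner;
  }
  if (!tok || tok === ")" || tok === "AND" || tok === "OR") throw new Error("bad expression");
  const gpl = GPL_ID.test(tok.replace(/\*$/, "")); // '*' marks a guessed licence
  return { must: gpl, may: gpl };
}

function classify(licenses) {
  if (!licenses || licenses === "UNKNOWN") return "unknown";
  // Array form is treated as AND, the conservative reading (assumption).
  const t = tokenize([].concat(licenses).join(" AND "));
  const r = parseOr(t);
  if (t.length) throw new Error("trailing tokens");
  return r.must ? "gpl-required" : r.may ? "gpl-optional" : "no-gpl";
}

// Constructed sample in license-checker's JSON shape; versions are made up.
const SAMPLE = {
  "potrace@0.0.0": { licenses: "GPL-2.0" },
  "node-forge@0.0.0": { licenses: "(BSD-3-Clause OR GPL-2.0)" },
  "sharp@0.0.0": { licenses: "Apache-2.0" },
};
const audit = (report) => Object.fromEntries(
  Object.entries(report).map(([pkg, info]) => [pkg, classify(info.licenses)]));
console.log(audit(SAMPLE));
```

Only the `gpl-required` entries force a licensing decision; `gpl-optional` entries still need a record of which alternative was chosen.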
Any updates on this?