How to deal with license & copyright violations in IDE library manager libraries?


Bill Perry

Jan 29, 2018, 6:01:37 PM
to Developers
Not sure if this has come up before but
The general question is how should Arduino deal with 3rd party libraries in the library manager with respect to licensing and/or copyright violations?

My assumption is that Arduino devs really don't do any type of checking for these things as they add them to the library manager.
But given the way the IDE library manager works today it requires that Arduino be actively involved with setting things up to distribute a 3rd party library through the library manager.
Because of this, it seems that they (Arduino) must bear some responsibility for dealing with any licensing or copyright violations in those libraries that may come to their attention
as they are actively participating in the distribution of the libraries.

As of now, I really don't know how a person could report such a thing and even if they could notify Arduino,  how would Arduino deal with it?

I have seen cases where people are starting with LGPL or even GPL code and are modifying and even enhancing the code but then relicensing it as BSD or Creative Commons.
Since they started with LGPL or GPL code their updated code is actually a derivative and must still conform to the original license.
Relicensing it as BSD or  Creative Commons, or others, is a direct violation of the LGPL and GPL licenses.

I have even seen these end up in the IDE library manager.

How can this be dealt with?

--- bill

Cristian Maglie

Jan 31, 2018, 5:22:51 AM
to devel...@arduino.cc
On 30/01/2018 00:01, Bill Perry wrote:
> Not sure if this has come up before but
> The general question is how should Arduino deal with 3rd party libraries
> in the library manager with respect to licensing and/or copyright
> violations?

Just report to us and we will remove the library from the library
manager. I think that there is no other way to handle this, we can't
reasonably audit every single library that is submitted (besides some
quick sanity checks on the library format).

--
Cristian Maglie <c.ma...@arduino.cc>

Bill Perry

Jan 31, 2018, 12:31:05 PM
to devel...@arduino.cc
I agree that copyright and license policing is pretty much an impossible task
and that Arduino can not reasonably audit the 3rd party libraries but maybe a few things could be done to help.
This might dovetail into the discussions I saw about visible license information being available from the library manager.

Some potential ideas:

For reporting copyright/license issues:
=======================

- On the wiki Arduino library specification web page
Not sure it is the best most obvious place it already exists.
The web page could include a section about s/w licenses and copyrights
Also explain how users can report any known license/copyright violations
and the resolution process that will be used to resolve the issue.
I don't think it can or should be as simple as "Just report to us and we will remove the library from the library
manager"
i.e. authors also need to know what to expect should someone report their library.

This would formalize how people can report any issues that they may see and the processes used to
notify authors, how authors can respond to such accusation/claims, and what can cause a library to be removed.

This has no s/w impact.

For Clarifying the s/w licenses used on libraries: (probably should be a separate discussion)
========================================================

A) Update the library specification to include a "License" field in .properties
This would be a reported field like the library version.
It would require that libraries update their .properties file in order to show it.

B) Use automation like the licensee scripts, to auto detect the license
Github uses this approach. If licensee can detect the license used, then github reports it on the main project repo page.
Arduino could take a similar approach in the library manager.
This would provide a way for users to see the license of a library from the library manager.
Some of the advantages of this methodology would be that a "License" field would not need to be added to the .properties file,
and license information could be displayed for all existing libraries that already contained proper license information.

The library manager could display something like "License unknown" or something similar like what it does for the version information,
when it is not known so users could know that the library doesn't have a clear license and it may encourage library authors to include proper licensing information.


Method B is more complex but could be integrated into the Arduino library manager automation scripts just like the semver version checking and
some of the other checks being done.
After the license is detected (or not detected) the challenge becomes should it be stored and if so, where would the license information be stored?
The easiest might be to patch the .properties file but it would seem better if the library manager didn't mess with a 3rd party file.
If it is to be stored it would seem like a good idea to store it in the actual library directory so that all the information is all contained in that directory.
Perhaps the library manager could add some new kind of file to the library directory that is created at install time that is used only by the library manager.
This could be used for other purposes as well in the future.

Dirk-Willem van Gulik

Jan 31, 2018, 12:41:14 PM
to devel...@arduino.cc
On 31 Jan 2018, at 18:31, Bill Perry <bper...@gmail.com> wrote:

> I agree that copyright and license policing is pretty much an impossible task

Not sure that is quite the case — and others, for example the Apache Software Foundation or the *BSD/brew/etc ports collection manage (well).

If you break things down - there are really only 3 classes (1, 2 and 3 below) that an end user needs to know about/informed about — and 2 that are simply `do not touch' (0 and C) until you personally made arrangement with the owner/author

class 0 Things which have absolutely NO license information.

class 1 Code under an open source license like BSD, X11, MIT, Athena, Apache, etc, etc.

Do with it what you want; don’t sue me or expect warranty and perhaps respect my trademarks/do-not-abuse my name.

class 2 Code under the various free software license such as the GPL v2, etc, etc.

As per class 1 - but with the additional clause that if you distribute this - you must also distribute all else that is integrated/touches.

class 3 The Affero license et al.

As class 2 - but with the ‘SaaS’ loophole plugged. Rarely ever applicable/relevant in the Arduino world

class C everything else, including commercial licenses.

In virtually all countries - if you do not actively know/have checked things - then the situation becomes very very simple - i.e. ‘class 0’; which means you the original author reserved all rights. So that means you can look, but not touch, use, produce derivative works or anything.

So that makes it rather simple (and optional) to have something in the properties file - and augment it by a simple auto-detect in a few very common cases.

Dw

Dirk-Willem van Gulik

Jan 31, 2018, 12:42:00 PM
to devel...@arduino.cc

On 31 Jan 2018, at 18:31, Bill Perry <bper...@gmail.com> wrote:

> I agree that copyright and license policing is pretty much an impossible task

Not sure that is quite the case — and others, for example the Apache Software Foundation or the *BSD/brew/etc ports collection manage (well).

If you break things down - there are really only 3 classes (1, 2 and 3 below) that an end user needs to know about/informed about — and 2 that are simply `do not touch' (0 and C) until you personally made arrangement with the owner/author

class 0 Things which have absolutely NO license information.

Bill Perry

Jan 31, 2018, 7:36:52 PM
to Developers
I think I sent a response to Dirk instead of the list. So here is the response.

Dirk,
I believe that what I originally brought up is a different issue.
The issue I was bringing up is how to report and deal with libraries that contain code that is violating copyrights or licensing agreements.
For example, an author takes some code that is LGPL or GPL, modifies it and re-releases it as BSD or creative commons (which violates the original license)
They may even remove and/or change the copyright notices.
If you look at the copyright and licensing information provided,  it may even look ok at first glance.
But when looking closer, at the source code files often there are still remnants of the original licensing and copyrights.
In some cases an author literally even says that the code started with or is a derivative of some LGPL or GPL code but then has relicensed his version of the code with a different license.
In other cases a library may contain a mix of open source code from multiple sources that contain incompatible licenses so they can't be combined or linked into a single library.
Or a library contains a mix of open source code with varying licenses that are compatible but the author is claiming a license for the library with the most liberal license rather than the strictest which is what the strictest licensed code requires.
I have seen several cases of this.

It is these types of cases that would be difficult for Arduino to police as they are adding libraries to the library manager.

In my response back to Cristian I probably really muddied the waters by dragging in a separate but related discussion of
showing and/or detecting licensing information in the library manager.
That is actually an entirely different topic/issue than what I originally brought up of authors
violating copyrights and/or licensing agreements with their Arduino library that is available in the IDE library manager.

--- bill
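
An added example, not part of the thread and not Arduino's or licensee's code: a crude sketch of the automated check discussed in the two messages above, reporting "unknown" when no license file is recognised and listing source files whose headers still name a copyleft license that the top-level license file does not declare. The keyword signatures, function names and the `SampleLCD` library are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed keyword signatures in priority order (far cruder than licensee).
SIGNATURES = [
    ("LGPL", re.compile(r"GNU (?:Lesser|Library) General Public License|\bLGPL\b", re.I)),
    ("GPL", re.compile(r"GNU General Public License|\bGPL\b", re.I)),
    ("CC-BY-SA", re.compile(r"Attribution[- ]ShareAlike|\bCC[- ]BY[- ]SA\b", re.I)),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms|\bBSD\b", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge|\bMIT License\b", re.I)),
]
COPYLEFT = {"LGPL", "GPL", "CC-BY-SA"}
SOURCE_EXT = {".h", ".hpp", ".c", ".cpp", ".ino"}

def detect(text):
    """Return the set of license families whose signature appears in text."""
    flat = re.sub(r"[\s*/#]+", " ", text)  # undo comment markers and line wraps
    return {name for name, rx in SIGNATURES if rx.search(flat)}

def declared_license(lib):
    """Family named by the top-level LICENSE/COPYING file, else 'unknown'."""
    for f in sorted(lib.iterdir()):
        if f.is_file() and f.name.upper().split(".")[0] in ("LICENSE", "LICENCE", "COPYING"):
            found = detect(f.read_text(errors="replace"))
            for name, _ in SIGNATURES:
                if name in found:
                    return name
    return "unknown"

def header_remnants(lib, declared, head_lines=40):
    """Map source file -> copyleft families in its header that are not declared."""
    hits = {}
    for f in sorted(lib.rglob("*")):
        if f.is_file() and f.suffix.lower() in SOURCE_EXT:
            head = "\n".join(f.read_text(errors="replace").splitlines()[:head_lines])
            extra = (detect(head) & COPYLEFT) - {declared}
            if extra:
                hits[f.relative_to(lib).as_posix()] = sorted(extra)
    return hits

def build_sample(root):
    """Constructed library: BSD license file, one source file with an LGPL header."""
    lib = Path(root) / "SampleLCD"
    (lib / "src").mkdir(parents=True)
    (lib / "LICENSE").write_text("Redistribution and use in source and binary forms, with or without modification, are permitted.\n")
    (lib / "src" / "SampleLCD.cpp").write_text(
        "/*\n * This library is free software; you can redistribute it under the\n"
        " * terms of the GNU Lesser General Public\n * License as published by the FSF.\n */\nvoid begin() {}\n")
    (lib / "src" / "util.h").write_text("// small helper, no license header\nint width;\n")
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lib = build_sample(tmp)
        declared = declared_license(lib)
        print("declared:", declared, "| header remnants:", header_remnants(lib, declared))
```

A hit is only a prompt for a person to look at the file; a library can legitimately bundle separately licensed files.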

Peter Feerick

Jan 31, 2018, 7:47:10 PM
to devel...@arduino.cc
> For reporting copyright/license issues:
> =======================
> - On the wiki Arduino library specification web page
> Not sure it is the best most obvious place it already exists.
> The web page could include a section about s/w licenses and copyrights
> Also explain how users can report any known license/copyright violations
> and the resolution process that will be used to resolve the issue.
> I don't think it can or should be as simple as "Just report to us and we will remove the library from the library
> manager"
> i.e. authors also need to know what to expect should someone report their library.
> This would formalize how people can report any issues that they may see and the processes used to
> notify authors, how authors can respond to such accusation/claims, and what can cause a library to be removed.
> This has no s/w impact.

I agree with your initial thoughts Bill, that 'all' that is needed is this... so the information is there about a process by which any infringements can be dealt with, library authors know what to expect, and know what happens if they don't make sure they dot all their 'i's and cross 't's properly. And as you said, the rest is for another discussion. 

Peter Feerick
BIT, BLDes CQU


William Westfield

Feb 1, 2018, 2:18:00 AM
to devel...@arduino.cc
> given the way the IDE library manager works today it requires that Arduino be actively involved with setting things up to distribute a 3rd party library through the library manager.

Well, perhaps SOME vetting should be done before things are added to the library manager. After all, you can also add libraries via .zip file, so being present in the Manager isn’t a necessity…

We should probably try to avoid the mess that Unix Package Managers have gotten into (WRT Arduino) where the lack of perfect traceability results in preponderance of obsolete versions and improperly repackaged substitutes…

Legally, enforcing the original license/copyright is the responsibility of the original author or license-grantor. So I guess two clear ideas are:
1) claims by an author that some library infringes on his work (and/or has an incompatible license) need to be taken seriously, investigated by “someone”, and possibly result in removal from the Library Manager.
2) Reporting a license violation to the original author who is being violated seems like a reasonable first step, if you want to set yourself as “enforcer.” (have you tried that with any of the examples that you’ve found?)

Frankly, the Arduino world is full of so much amateur-class abandonware where an author slaps a license on their code without understanding the implications, that I suspect the most common reaction to finding the sort of situation you describe would be “meh. I don’t care.” There might be stronger reactions to for-profit efforts, though.

IMNSHO, the whole “long string of multiple contributors, many of whom have disappeared, and now the license is stuck forever” is a pretty big thorn in the side of OSSW (or commercial licenses, for that matter. I remember needing to get licenses from THREE DIFFERENT COMPANIES in order to implement V.42bis compression in a product…)


> In some cases an author literally even says that the code started with or is a derivative of some LGPL or GPL code but then has relicensed his version of the code with a different license.

Technically, if you re-write enough of the code, you can derive a new library from GPL’ed code and assign a new license. How much is “enough” is open to debate, and/or lawsuit. (Oracle vs Google, Arista vs cisco, etc.)

BillW/WestfW


Bill Perry

Feb 1, 2018, 12:38:10 PM
to devel...@arduino.cc


On 02/01/2018 01:17 AM, William Westfield wrote:
> Legally, enforcing the original license/copyright is the responsibility of the original author or license-grantor. So I guess two clear ideas are:
> 1) claims by an author that some library infringes on his work (and/or has an incompatible license) need to be taken seriously, investigated by “someone”, and possibly result in removal from the Library Manager.
> 2) Reporting a license violation to the original author who is being violated seems like a reasonable first step, if you want to set yourself as “enforcer.” (have you tried that with any of the examples that you’ve found?)
>
> Frankly, the Arduino world is full of so much amateur-class abandonware where an author slaps a license on their code without understanding the implications, that I suspect the most common reaction to finding the sort of situation you describe would be “meh. I don’t care.” There might be stronger reactions to for-profit efforts, though.

I believe you are correct in that last comment.
I have directly contacted people/entities about these kinds of things - not really the original authors - which would probably be a good idea as well.
In several cases, I was trying to obtain my LGPL or GPL rights from an entity conveying modified GPL s/w in a commercial product.
In nearly all cases, the new authors using the LGPL or GPL code are very accommodating and make the proper adjustments very timely.
I've even done this with companies such as Samsung with their Android sources, and GoPro with some of the camera s/w.
Both of them made corrections within a day or two which I thought more than reasonable.
In one case it was a couple of people using my low level AVR raw port i/o code (I am the sole author and copyright owner of that code)
and they made adjustments immediately to their code and in their blogs and online published materials.

There are currently two cases that I know of with Arduino libraries where the authors have not made proper adjustments.
Only one of those is in the library manager.
The one that isn't in the library manager the author agreed on what needs to be done but the library is not being very actively maintained anymore so he hasn't gotten around to it.
The one that is in the library manager made some changes but the changes were not enough.
That one is a case of creating a derivative work from LGPL code and relicensing the overall new work (Arduino library) as BSD.
In both of these 2 cases the original author(s) would include a combination of multiple parties which also includes Arduino and Adafruit.
(It is the LiquidCrystal library as well as other s/w)
I should notify Arduino and let them deal with it since they are a license holder as well as control the libraries available to the IDE library manager.
However, there doesn't seem to be a documented official way to do that. (which is why I started this thread)
Maybe just documenting how to handle this kind of stuff on the wiki page for Arduino libraries or the library specification page would be good enough to allow people to know how to deal with licensing or copyright issues they may encounter.

The other thing I've seen is that people have used CC-BY-SA 3.0 for their works.
That license is not compatible with anything but itself. So while authors are free to use that license,
legally nobody can use it with anything but other CC-BY-SA 3.0 licensed s/w which means you really can't use it with other Arduino s/w that is not CC-BY-SA 3.0
CC-BY-SA 3.0 was not intended to be used on works that are combined with other works such as s/w.
Creative commons created CC-BY-SA 4.0 to resolve that, but there is Arduino library code out there still licensed under the 3.0 license.
That one is messy.

(This is really the other discussion)
For years entities like Arduino and Adafruit were a bit lax on putting licenses in their own libraries; it didn't set a good example.
Looking forward, I do think that what might help prevent some of the amateur class innocent mistakes in this area would be to better document licenses for Arduino libraries in general.
Maybe even have a few paragraphs on the Arduino library and library specification pages that talk about open source licensing and reminding potential authors that "open source" is not the same as freeware and include links to additional information
about the most common licenses.
While these types of licensing and copyright things may seem obvious to some of us, I think that isn't always the case for some of the library authors.
And the information here: https://www.arduino.cc/en/Main/FAQ#toc10
Is not entirely accurate and is misleading since not all the libraries shipped with the IDE are LGPL. The SD library is GPL 3.0 which requires opening up all the source.


--- bill

