NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

License of `ibmcloud-cli` #321992

Open dupdrop opened 4 months ago

dupdrop commented 4 months ago

(posted originally on the discourse, copied my message here because it should probably be an issue)

Hello,

The package ibmcloud-cli is marked with the license Apache License 2.0, which is at face value true according to their release page on GitHub. However, as you can see, this is only a release page that provides binaries, and there is no source code to be found. See issue 162, issue 156, issue 104.

To my understanding, since there is no source provided, it is the binaries themselves that are licensed under Apache 2, and not the source.

I doubt that personally I would consider this "free software", but at the very least, it is different from what my expectation would be for software licensed as Apache 2, since it is clearly not open source.

I suggest it would be marked somehow differently with regards to the license. Probably marked unfree as well, though it's not absolutely clear to me if it is indeed so.

nixos-discourse commented 4 months ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/about-the-license-of-ibmcloud-cli/47489/3

OPNA2608 commented 4 months ago

Please use the bug report template next time, which would've included pinging the actual maintainer of this package for them to look at this and voice their opinion (CC @emilytrau). As it stands, this is just shouting into the void.


In my (not maintainer of this package) opinion:

> To my understanding, since there is no source provided, it is the binaries themselves that are licensed under Apache 2, and not the source.

Correct. As far as the license text is concerned, I can't see any requirement for the Source to be provided when distributing the software in Object format, only for the license text to be included and any modified-from-the-original files to be appropriately marked.

> I doubt that personally I would consider this "free software", but at the very least, it is different from what my expectation would be for software licensed as Apache 2, since it is clearly not open source.

ASL-2.0, from my understanding, is a Free software license, not an Open-Source one. So this expectation just seems wrong.

> I suggest it would be marked somehow differently with regards to the license. Probably marked unfree as well, though it's not absolutely clear to me if it is indeed so.

It is already marked in a way:

https://github.com/NixOS/nixpkgs/blob/dd457de7e08c6d06789b1f5b88fc9327f4d96309/pkgs/tools/admin/ibmcloud-cli/default.nix#L54

Which means that the package contains binary code that wasn't built from source during the build process. Which, at face value, appropriately describes this situation.

Something maybe worth looking into further is what the first response from the discourse thread points out:

The tarball contains the following license text:

> LICENSE INFORMATION
>
> The Programs listed below are licensed under the following License Information terms and conditions in addition to the Program license terms previously agreed to by Client and IBM. If Client does not have previously agreed to license terms in effect for the Program, the International License Agreement for Non-Warranted Programs (Z125-5589-05) applies.
>
> Program Name (Program Number):
> IBM Cloud Command Line Interface (Tool)
>
> The following standard terms apply to Licensee's use of the Program.
>
> Prohibited Uses
>
> Licensee may not use or authorize others to use the Program if failure of the Program could lead to death, bodily injury, or property or environmental damage.
>
> L/N:  L-JJYU-BDAD79
> D/N:  L-JJYU-BDAD79
> P/N:  L-JJYU-BDAD79

dupdrop commented 4 months ago

> Please use the bug report template next time, which would've included pinging the actual maintainer of this package for them to look at this and voice their opinion (CC @emilytrau). As it stands, this is just shouting into the void.

Gotcha, my bad.

Even with `sourceProvenance = with sourceTypes; [ binaryNativeCode ];`, a reasonable user would assume that Apache 2 implies that the source code is available somewhere, but unfortunately it isn't.

I don't consider a "free to use binary blob" to be free software, but in light of the license information in the tarball it's a moot point, because of that "Prohibited Uses" clause.

eclairevoyant commented 4 months ago

> I don't consider a "free to use binary blob" to be free software

"Free" just means the license is FSF-approved. "Open source" means OSI approved. There is absolutely no obligation under Apache-2.0 to provide the source code. See this SE answer or the license's text itself.

> Something maybe worth looking into further is what the first response from the discourse thread points out:

There are no programs actually listed in that file. As it states, those restrictions apply only to "The Programs listed below", of which there are none.

The license seems correct; this should probably be closed.

OPNA2608 commented 4 months ago

> > Something maybe worth looking into further is what the first response from the discourse thread points out:
>
> There are no programs actually listed in that file. As it states, those restrictions apply only to "The Programs listed below", of which there are none.

I would understand this:

Program Name (Program Number):
IBM Cloud Command Line Interface (Tool)

…as:

<the schema used to list programs>:
<program list entry #1>

So the downloaded software in its entirety (IBM Cloud CLI) is ASL-2-0 + the additional terms explained further down.

eclairevoyant commented 4 months ago

Hm, in that case, we should update the license to reflect the restrictions.