copyright violation

[obfusk]

https://github.com/Tencent/QT4A/blob/master/qt4a/apktool/zipalign.py says:

# Tencent is pleased to support the open source community by making QTA available.
# Copyright (C) 2016THL A29 Limited, a Tencent company. All rights reserved.
# Licensed under the BSD 3-Clause License (the "License"); you may not use this
# file except in compliance with the License. You may obtain a copy of the License at
#
# https://opensource.org/licenses/BSD-3-Clause
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS
# OF ANY KIND, either express or implied. See the License for the specific language
# governing permissions and limitations under the License.
#

"""zipalign
modified from https://github.com/obfusk/reproducible-apk-tools/blob/master/zipalign.py
"""

But the original file I wrote -- that you link to -- says:

# SPDX-FileCopyrightText: 2024 FC (Fay) Stegerman <flx@obfusk.net>
# SPDX-License-Identifier: GPL-3.0-or-later

I'm glad you find my code useful. But it's licenced under GPLv3+, not BSD 3-Clause. The GPLv3 does not permit you to change the license to BSD 3-Clause. And requires you to keep my original copyright notices -- which have been removed -- intact. Distributing it like this -- under a different license and claiming you own the copyright -- is a clear license and copyright violation. You need to fix that or I will have to ask GitHub to take action.

[obfusk]

Please note that if you do not respond to this issue I will have no choice but to contact GitHub and PyPI to have them remove the infringing code. I would much rather you comply with the terms of the license instead.

[CutestNekoAqua]

Let me help you and ping the person responsible for this shit. @drunkdream

[leandro-benedet-garcia]

Hmm, I guess we should check all their repos to check if it is a repeating offense.

[eeelin]

@obfusk Thank you for bringing this to my attention. I sincerely apologize for any confusion or mistakes regarding the license and copyright notice. We respect your work and fully understand the importance of adhering to the correct licensing terms. We have initiated an internal investigation to understand the cause of this issue and correct it ASAP.

[drunkdream]

@obfusk Sorry for the dirty work, i have removed the code from repo in #136

[obfusk]

Thank you. You didn't need to remove my code completely. Simply complying with the license would have been sufficient, and my preferred solution.

Unfortunately, simply removing the file as you did doesn't remove it from git history, existing tags, or any of the releases published here or on PyPI. The problem has been "fixed" on master but you are still distributing my code in violation of its license in other places.

[eeelin]

Thank you. You didn't need to remove my code completely. Simply complying with the license would have been sufficient, and my preferred solution.

Unfortunately, simply removing the file as you did doesn't remove it from git history, existing tags, or any of the releases published here or on PyPI. The problem has been "fixed" on master but you are still distributing my code in violation of its license in other places.

@drunkdream Keeping the origin code and its correct license intact seems to be a better idea.

[drunkdream]

Thank you. You didn't need to remove my code completely. Simply complying with the license would have been sufficient, and my preferred solution.

Unfortunately, simply removing the file as you did doesn't remove it from git history, existing tags, or any of the releases published here or on PyPI. The problem has been "fixed" on master but you are still distributing my code in violation of its license in other places.

@obfusk Because our project is under BSD 3-Clause License, you mean we can only use this file under AGPL License, and other files still keep BSD 3-Clause License. Like #137. If so, we are happy to do it.  Sorry for this again.

[obfusk]

Because our project is under BSD 3-Clause License, you mean we can only use this file under AGPL License, and other files still keep BSD 3-Clause License. Like #137. If so, we are happy to do it.

I am not a lawyer, and this is not legal advice. But as long as you comply with the AGPL and the rest of your project is a separate work (which seems to be the case) that merely calls the AGPL code as an essentially separate program, yes. Any modifications to the AGPL code, or anything derived from it, would have to be AGPL, but the other files can keep their original BSD license.

Simply having the files together in the same repo is not a problem, but you do need to make sure you comply with the AGPL when distributing source code and binaries that include the AGPL code. And should include a copy of the AGPL as well.

GitHub's summary of the AGPL (which is useful but of course not legal advice or a replacement for reading the entire license text itself):

Permissions of this strongest copyleft license are conditioned on making available complete source code of licensed works and modifications, which include larger works using a licensed work, under the same license. Copyright and license notices must be preserved. Contributors provide an express grant of patent rights. When a modified version is used to provide a service over a network, the complete source code of the modified version must be made available.

[drunkdream]

Considering the risks to our project with the AGPL license, we are preparing to remove all git histories, tags, and pypi packages that include the zipalign.py file in the project. Can this solve the violation of copyright?

[obfusk]

we are preparing to remove all git histories, tags, and pypi packages that include the zipalign.py file in the project. Can this solve the violation of copyright?

Yes, ceasing all distribution of the zipalign.py version with wrong license and missing attribution should be sufficient. I am only aware of this repository and PyPI being used to distribute it. If there are more places, you need to remove it from those as well.

Unfortunately, this doesn't solve the fact that users of your packages that have one of the versions with zipalign.py would unknowingly be in violation as well if they distribute it (merely using it would be fine). Perhaps you should communicate something to your users to make sure they are aware of this.

[drunkdream]

We reasonably presume that the QT4A is predominantly utilized for users' internal automated testing and it is unlikely to be distrubuted by the users. Moreover, we would like to include a statement in the readme file to clarify that version 3.2.0-3.2.2 employed the https://github.com/obfusk/reproducible-apk-tools/blob/284dd69ac46e804e643b1014049993207f0768fa/zipalign.py, Copyright (C) 2024 FC (Fay) Stegerman flx@obfusk.net, which is subject to GPL v3（https://github.com/obfusk/reproducible-apk-tools/blob/284dd69ac46e804e643b1014049993207f0768fa/LICENSE.GPLv3）. Thus, we kindly ask you to adhere to GPL v3 when using Version 3.2.0-3.2.2 of QT4A.

We hope this will help alleviate your concerns. Thanks!

[obfusk]

The GPLv3 link is broken and the statement could be made a bit easier to read; a suggested improvement:

QT4A version 3.2.0-3.2.2 included [zipalign.py](https://github.com/obfusk/reproducible-apk-tools/blob/284dd69ac46e804e643b1014049993207f0768fa/zipalign.py), Copyright (C) 2024 [FC (Fay) Stegerman](https://github.com/obfusk), which is subject to [GPL v3](https://github.com/obfusk/reproducible-apk-tools/blob/284dd69ac46e804e643b1014049993207f0768fa/LICENSE.GPLv3).

Thus, we kindly ask you to adhere to GPL v3 when using Version 3.2.0-3.2.2 of QT4A.