authpass / kdbx.dart

KeepassX format implementation in pure dart.
GNU General Public License v3.0

KPass : reuse of library without opening code #4

Closed J-Jamet closed 3 years ago

J-Jamet commented 3 years ago

First of all, I want to say that I really like your work. You use a cross-platform approach that is fresh in the ecosystem, and many users turn to your solutions to have good synchronization conditions and new-generation code, which is a very good thing! :)

Now let's get to the bad stuff. Korovan's KPass application knowingly uses your GPL3 licensed library without disclosing the source code of its KeePass app, which in my opinion is an aberration and in fact an argument that completely misleads users.

Screenshot from 2021-09-19 08-56-19

KeePass solutions should be open source by nature, so I don't like this policy, which is a shame. I don't know if you knew about this, and I don't know if you sold a version of your library with another license; in that case I have nothing to say, but if this is not the case then there is clearly a real problem. Do you have any visibility on the subject? Are you in contact with Korovan?

https://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem

korovan-software commented 3 years ago

Hello @J-Jamet, thanks for your interest and review. I'm the founder of the KPass app and would like to clarify something.

First of all, I have a plan to publish the source code, but I have no time to improve the code style and software design to make it fit my own requirements for public code readability and documentation.

The second thing: I can share the code with you if you're brave enough to read it. GPL3 allows sharing code by request and doesn't require publishing it in a repository.

And last but not least: I don't think that anything could be done here from the legal side. Otherwise almost all Flutter software must be open source.

J-Jamet commented 3 years ago

Hello @Footmau,

Thank you for your feedback. Maybe I reacted too quickly, but it is true that this is a subject that is close to my heart. It is above all a philosophy and, even before the legislative side, it is especially a spirit of sharing. It doesn't matter if it's Flutter code; the code of this library is under the GPL license.

If you are planning to release the source code then that's really fine, but that's not at all what you wrote in your FAQ. So for me you are reacting after the fact; that's not a bad thing, on the contrary. I think it's a real added value, but it should already be available for everyone, because that's the principle of this license. If it's a code style problem, it's an afterthought, so it doesn't really matter for a first public distribution. And if the documentation is not ready, it can also be done later and everybody can contribute. I don't think it's a big deal at first, because it can be improved as we go along.

If you are not ready to deploy the source code but ready to give it by request, I will be happy to deploy it if you don't want to make a repository.

hpoul commented 3 years ago

@J-Jamet thanks for the heads up, I actually was not aware of it :-) But the fact that @Footmau actually credits the library in the FAQ is pretty nice. IANAL, but my understanding was that for derivative work the source code must be distributed as easily as the binaries. So if you can download binaries without asking, my understanding is that the source code should be provided the same way. 🤔️ (and the source code must be made available as GPL itself). So basically @J-Jamet could get the GPLd code from @Footmau and redistribute it on GitHub as GPL 🤷‍♂️

Otherwise almost all the Flutter software must be open source

This argument I don't quite understand, because Flutter is released under the BSD license; this only applies to GPL licensed code. Although I have to admit pub doesn't make it particularly easy to filter libraries by license.

J-Jamet commented 3 years ago

Yes, I think it was just a mistake or lack of knowledge of the licenses (@Footmau) and that I was a bit hasty because the use of the library could be completely hidden (which would have been much worse ^^). But that doesn't change the fact that the KPass code should be open.

korovan-software commented 3 years ago

Actually the library usage is mentioned not only in the FAQ, but first on the About screen of the app. Before that I was using https://github.com/tobischo/gokeepasslib, which is under the MIT license, and after refactoring I just replaced it by kdbx.dart everywhere and didn't even check its license. For me the possibility to use code is much more important than licensing bureaucracy, which slows down development of the final application and can be skipped by a workaround like in the Nvidia drivers. But anyway I very much appreciate such possibility of open source and will probably review my point.

There is no need to establish a new repo, because I already have one with private access. I'll investigate now whether I can provide the Flutter part only, without platform code, because this library is used on the Flutter side only.

BTW, why does the topic mention "reuse" if standard "use" is what applies in this case?

hpoul commented 3 years ago

Honestly, I think if anyone starts to care about licence terms, there will be more work done by lawyers than anyone ever spent developing kdbx clients 😂 KeePass itself is GPL, but there are quite a few apps which have both, either a more permissive or less permissive license.. For example kdbxweb (used by KeeWeb) is MIT, which I think is pretty hard to believe that they made a clean-room implementation without looking at the implementation of KeePass.. since KeePass itself has no proper unlicensed specification of kdbx (afaik), basically their source code is the reference for all others.. and since it is GPL, I have no idea how any derivatives could be licensed differently? Although I honestly didn't care enough to do proper research, so using GPL seemed like the safest bet.

The message channel APIs of Flutter would, I guess, be a valid (i.e. legal) way to escape the GPL for native code.. but trying as hard as possible to escape free licenses sounds dodgy nonetheless.. but ymmv..

I think I'll close the issue anyway.. I guess technically it makes the library still more robust if more people use it.. as long as fixes are contributed back 😅

J-Jamet commented 3 years ago

So you mean you don't care about the licenses that are applied? I don't see it that way at all, for me it's a way of expressing the kind of contract you want to have with the user and other contributors. It's a matter of respect and fairness in relation to the different work done. After that, adopting or not adopting rules of conduct is a moral thing that is up to those who use these projects.

If no one cares, there will be problems when it really matters; these licenses are there for a reason, and ignoring them simply defines a spirit of individualism. If no one cares, then no one will watch anymore, and it will be normal to take the work of others without embarrassment and without sharing, because it will become a habit.

As I said, the main goal is to share, and doing things by the rules proves the good conduct of a project. Otherwise, you might as well ignore all the laws even in other areas; a French proverb says "Qui vole un oeuf, vole un boeuf" ("if someone steals an egg, he steals an ox").

The MIT license is not incompatible with the GPL and the KeeWeb code is inspired by KeePass, it is not an inclusion of code or library, so it is legitimate.

The message channel APIs of Flutter would, I guess, be a valid (i.e. legal) way to escape the GPL for native code.. but trying as hard as possible to escape free licenses sounds dodgy nonetheless.. but ymmv..

Concretely I wouldn't have a problem if it was done this way but all the code that uses the GPL up to the message channel must be open.

I think I'll close the issue anyway.. I guess technically it makes the library still more robust if more people use it.. as long as fixes are contributed back 😅

@hpoul, if you simply don't care about the license applied, then you might as well use another, more permissive license like MIT or Apache2. That way there will be no ambiguity.

@DReichl What do you think about this licensing issue?

hpoul commented 3 years ago

If you simply don't care about the license applied

@J-Jamet So what action would you recommend which could resolve this issue? I see no clear action to take, so no idea what keeping this issue open would help anyone.

J-Jamet commented 3 years ago

@hpoul I think you can change your lib license to Apache2; it would be clear to everyone in this case and it will allow your library to be used in closed source projects. Everyone would be happy.

It's your code, you're just applying an open format, it's not copying and pasting GPL code, so it shouldn't be a problem. I know I'm a bit of a pain in the ass, but these are really important issues in the open source world, so it's up to us to get them right.

hpoul commented 3 years ago

@J-Jamet No, because I want GPL. But I can't enforce it. Maybe someday it'll be worth it to throw lawyers at it, but I see no benefit in doing so now.

applying an open format

There is no "open format". There is an open source application (KeePass) which writes into its own proprietary file format. There is no "open" documentation on how it works or how it is structured. If you managed to reverse engineer it without looking at the original code, you could claim that you have full ownership over your code (as far as I understand it; again, IANAL).

it's not copying and pasting GPL code

And ever heard of Google v Oracle? 😂 I don't really have the budget of either of those to prove my clean room implementation.

J-Jamet commented 3 years ago

@J-Jamet No, because I want GPL. But I can't enforce it. Maybe someday it'll be worth it to throw lawyers at it, but I see no benefit in doing so now.

Okay, I understand, but in this case it is necessary to find the appropriate license or open the code of applications that use it, otherwise we fall back into the original problem of this issue.

I thought the format was open, but just not technically documented. I think @DReichl can tell us more about it. In fact, we could do some documentation if that is the case; otherwise that's another problem I indeed hadn't identified. I know that KeePassXC had made a full description of the format on its GitHub (https://github.com/keepassxreboot/keepassxc-specs/blob/master/kdbx-xml/rfc.md), but it's true that it requires a real description with an XML Schema. As for the headers of the format, they are indeed in the official documentation (https://keepass.info/help/kb/kdbx_4.html).

And ever heard of Google v Oracle? 😂 I don't really have the budget of either of those to prove my clean room implementation.

This is not a case that I have followed closely, but all the more reason to ensure that licenses are respected and that we do not turn a blind eye to the subject! :D

hpoul commented 3 years ago

open the code of applications that use it,

@J-Jamet and how am I supposed to do this?

J-Jamet commented 3 years ago

@J-Jamet and how am I supposed to do this?

It's not yours to do, it's @Footmau's in this case.

hpoul commented 3 years ago

@J-Jamet Perfect, then we agree that there is nothing to do on this issue, since this is not the issue tracker for KPass ;-)

J-Jamet commented 3 years ago

I know you think the topic is not important, but as I said above, it's actually important to the philosophy of open source, so it's not nothing, especially since @Footmau is in the discussion and a solution has not yet been implemented.

korovan-software commented 3 years ago

If such criminal violations are important to the philosophy of open source, then probably this is an issue for the police of open source morals, not the kdbx.dart project. But since I'm a commercial developer, I'm interested in profit first and can bring some fixes and improvements to this open project from time to time. When I decide it is profitable to open the KPass code, it will be opened, but until I'm an Open Source witness this is not a priority task for me.

And it is not clear to me who would win if I implement an LGPL wrapper for kdbx.dart and continue to use it in KPass. And also, from the Android or iOS user's side, it is a very, very uncertain difference whether an application is open source or not.

hpoul commented 3 years ago

@Footmau you should probably stop arguing. If you tell me you want to profit from my work without caring about my time and my terms, I might decide it's worth proceeding with this legal shit after all.

J-Jamet commented 3 years ago

Sorry, I don't want to put you in a bad position @hpoul, nor do I want to argue. It's all about principle, respecting licenses and philosophies, and not about winning or not. @Footmau As you say, your first motivation is profit, so at least it's clear.

And also, from the Android or iOS user's side, it is a very, very uncertain difference whether an application is open source or not.

That's why we also have to be clear with the users; it is simple enough to inform them well and not mislead them.

I won't bother you any further, I've said all I have to say on the subject, you both hold the cards.

Edit: Footmau does not stand by these words and has deleted these messages...

hpoul commented 3 years ago

@Footmau wtf? Just because you don't value license terms does not mean they are irrelevant. Why is your code more valuable than mine? What if you want to "profit" from your code, but your users think software licenses are an old and redundant principle, and steal your code and circumvent payment? It is one thing to just code things for people to use and just not get around to publishing the source code. It is something completely different to intentionally and knowingly violate licensing terms and even publicly acknowledge as much.