search

dhorions / boxable

Boxable is a library that can be used to easily create tables in pdf documents.
http://dhorions.github.io/boxable/
Apache License 2.0
333 stars 154 forks source link

Boxable jar may not be Apache 2 licensed #231

Open tstibbs opened 3 years ago

tstibbs commented 3 years ago

The boxable readme says that Boxable is Apache 2 licensed, however I've noticed that the jar file distributed in maven central (https://repo1.maven.org/maven2/com/github/dhorions/boxable/1.6/boxable-1.6.jar) contains some font files that are not Apache licensed.

The fonts directory contains a README file which says "Free UCS scalable fonts is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License". My layman's understand of GPL is that if you distribute GPL code/binaries as part of your application/library, then your whole application/library effectively becomes GPL. If I'm right about that, I expect not many people would spot this and would assume that the jar is licensed under Apache 2 as noted in the boxable readme.

In theory I suppose it's possible for the boxable source code to be Apache licensed and for the distributed jar file to be GPL licensed, but I think the readme and poms need to make this clear. I also suspect that this is not the intention.

johnmanko commented 2 years ago

106

hauntingEcho commented 2 years ago

@johnmanko that doesn't really resolve the issue that the jar cannot legally be licensed under Apache 2, it just adds the Apache 2 label to the jar in violation of FreeFont's licensing terms as laid out here

johnmanko commented 2 years ago

@hauntingEcho What would the solution be? Licensing is not something I'm well informed on. @dhorions needs to weigh in on this, as ultimately he owns this project.

hauntingEcho commented 2 years ago

either this project needs to be licensed under GPLv3, or the FreeFont files need to be removed from the repo

johnmanko commented 2 years ago

@hauntingEcho Can't this project be duel licensed, then? That should solve everything.

hauntingEcho commented 2 years ago

Keeping the individual code files themselves Apache2 licensed should be just fine, but anything that includes the FreeFont files (such as the jar, or the repo as a whole at the moment) would have to be GPLv3 licensed. I very strongly recommend reading the whole license file. A primary goal of the GPL is preventing downstream projects from stripping off its copyleft protections.

Note that I'm not a lawyer, just had run into questions on this library's license at a previous job (per #155)

johnmanko commented 2 years ago

@hauntingEcho Thank you for your input. I'll take a look at that this weekend. It will get fixed.