dotnet / source-build

A repository to track efforts to produce a source tarball of the .NET Core SDK and all its components
MIT License

WPF - sRGB Color Space Profile.icm is non-free #4590

Open dviererbe opened 2 months ago

dviererbe commented 2 months ago

Describe the Bug

The .NET 9 source contains the file src/wpf/src/Microsoft.DotNet.Wpf/src/PresentationCore/System/Windows/Media/Resources/ColorProfiles/sRGB.icm. This file may not be distributed without fee if modified.

Steps to Reproduce

Go to the location https://github.com/dotnet/dotnet/blob/main/src/wpf/src/Microsoft.DotNet.Wpf/src/PresentationCore/System/Windows/Media/Resources/ColorProfiles/sRGB.icm in the VMR and see that it exists.

Other Information

omajid commented 2 months ago

The sRGB.icm file doesn't seem to have any licensing information (either embedded or via a sibling LICENSE file). How did you find the license this file is under?

dviererbe commented 2 months ago

> The sRGB.icm file doesn't seem to have any licensing information (either embedded or via a sibling LICENSE file). How did you find the license this file is under?

@omajid I used the tool lintian(1), which is a static analysis tool for deb packages. It showed the error message:

E: dotnet9 source: license-problem-md5sum-non-free-file usual name is sRGB.icm. This file may not be distributed without fee if modified. See also https://bugs.debian.org/657281. [src/wpf/src/Microsoft.DotNet.Wpf/src/PresentationCore/System/Windows/Media/Resources/ColorProfiles/sRGB.icm]

The tool found it based on the md5 hash sum.

omajid commented 2 months ago

> The tool found it based on the md5 hash sum.

Oh, that's amazing!

MichaelSimons commented 2 months ago

[Triage] @dotnet/dotnet-wpf - Can you provide details on how this file was obtained and what license it is under?

MichaelSimons commented 2 months ago

[Triage] This is a blocker for distro maintainers in 9.0. It can be cloaked in 9.0 since the Unified Build project is not complete. It will need to be addressed in 10.0.

A secondary question is how can we detect this in our binary scan tool?

dviererbe commented 2 months ago

> A secondary question is how can we detect this in our binary scan tool?

I just commented on https://github.com/dotnet/source-build/issues/4595#issuecomment-2336787834 too:

You could just use the hash lists lintian uses to detect these files if you do not want to integrate the full lintian tool. They can be found here: https://salsa.debian.org/lintian/lintian/-/tree/master/data/cruft

E.g. here is the specific entry for the sRGB.icm file: https://salsa.debian.org/lintian/lintian/-/blob/master/data/cruft/non-free-files#L39
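The hash-list approach suggested in the comment above, as an added example that is not part of the thread and is not code from lintian or the dotnet scan tooling. The `md5 ~~ usual name ~~ reason` list layout, the function names and the sample files are assumptions constructed for illustration; no real hash values are used.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5; the digest is an identifier here, not a security control."""
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_hash_list(text):
    """Parse 'md5 ~~ usual name ~~ reason' lines (assumed layout); skip anything else."""
    known = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("~~")]
        md5 = fields[0].lower()
        if len(fields) == 3 and len(md5) == 32 and set(md5) <= set("0123456789abcdef"):
            known[md5] = (fields[1], fields[2])
    return known

def scan_tree(root, known):
    """Return sorted (relative path, usual name, reason) for files whose MD5 is listed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # do not follow symlinks out of the tree
            hit = known.get(md5_of(path))
            if hit:
                findings.append((os.path.relpath(path, root), hit[0], hit[1]))
    return sorted(findings)

def demo():
    with tempfile.TemporaryDirectory() as root:
        res = Path(root, "src", "Resources")
        res.mkdir(parents=True)
        (res / "renamed-profile.bin").write_bytes(b"constructed stand-in for a flagged file")
        (res / "ok.txt").write_bytes(b"unrelated content")  # must not be reported
        digest = md5_of(res / "renamed-profile.bin")  # constructed entry, not a real one
        listing = f"# constructed list\n{digest} ~~ sample.icm ~~ constructed reason\n"
        return scan_tree(root, parse_hash_list(listing))

if __name__ == "__main__":
    for rel, usual, reason in demo():
        print(f"{rel}: usual name is {usual}. {reason}")
```

Matching on content hash finds a listed file even after it has been renamed, but an exact-hash list only identifies byte-identical copies.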

dipeshmsft commented 2 months ago

> [Triage] @dotnet/dotnet-wpf - Can you provide details on how this file was obtained and what license it is under?

@MichaelSimons, this file was already part of the WPF source code when it was being open-sourced 5 years back. Apart from this, we don't have any information about the file yet.

I will try to find out more details about this from the previous WPF team members.

dipeshmsft commented 1 month ago

@MichaelSimons, I have added you to a mail thread discussing the file. From the discussion, it looks like we are free to distribute this file.