MIT vs GPL License conflict?

[xavidp]

Hi there:

I've just discovered the H5P project, and it looks AWESOME! Thanks for sharing such project with a MIT-license.

I'm a project admin at Tiki Wiki CMS Groupware ( https://tiki.org ), which is LGPL'd and compatible with MIT-license libraries, and we might consider re-using h5p for our software in some projects.

However, we have noticed that some part of your code seem to be GPL'd, as indicated here: https://github.com/h5p/h5p-php-library/blob/master/LICENSE.txt

Was that intended? Is this an unintended conflict?

We ask because GPL'd code can't be bundled in LGPL'd applications, such as Tiki, while MIT code can.

By the way, in case that GPL'd license was intended, do you know that you can also double license your GPL'd libraries with the MIT license, also? (so that all FLOSS projects can use your libraries, regardless of GPL or LGPL license they have, for instance).

[falcon-git]

Hi, we use GPL code for purifying user input. That code is GPL licensed so the code in this repository is GPL. We could perhaps move the purifier into a separate repo and make it possible for you to use different code to purify user input. What code are you using today to purify user input?

[xavidp]

Hi

We are using this library: "HTML Purifier" https://doc.tiki.org/Purifier

See: http://htmlpurifier.org

Yes, making the specific purifier a result of a choice (to choose among that one you currently use, or other ones such as "htmlpurifier") in your code would help us to eventually integrate more easily your library i our code, if that is required for some of our projects (there are high chances that this happens, sooner or later, because the h5p project looks veeeery interesting).

Xavier de Pedro

El 08/04/16 a les 15:36, Svein-Tore Griff With ha escrit:

Hi, we use GPL code for purifying user input. That code is GPL licensed so the code in this repository is GPL. We could perhaps move the purifier into a separate repo and make it possible for you to use different code to purify user input. What code are you using today to purify user input?

— You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub https://github.com/h5p/h5p-php-library/issues/16#issuecomment-207434337

[falcon-git]

Ok, please get back to us if you want to work more on this. I think we considered "HTML Purifier" as well, but it wasn't MIT compatible. Beeing LGPL would have been a step in the right direction but I think we went for the current code since htmlpurifier has a very large code base IIRC

[davericher]

html purifier works has a replacement, tried and tested. If you guys could provide some unit tests with expected behaviors I would be happy to do the port over.

[jonnybradley]

Hi all

Thanks to @falcon-git for pointing me at the GPL code which apparently is the filter_xss and related functions in h5p.classes.php.

In Tiki we have our own function TikiFilter_PreventXss so we could use that to filter user input, if it was possible to somehow extract that GPL code from the main class and provide it separately - but i'm afraid i can really imagine quite how that would work... any ideas?

TIA

[falcon-git]

Hi, I haven't thought this through, but perhaps make H5PContentValidator into an abstract class with filter_xss being an abstract function?

[davericher]

If someone could take the time and put through like 10 strings through it, including the expected stuff to be filtered out and provide me the input and the output I will port it over to Purifier. Purifier is basically the defacto standard right now, in fact the code currently being used is somewhat dated. It may be a larger dependencies to take in but since there are plans I believe for composer support this would be a non issue.

[falcon-git]

You mean like unit tests or documentation? It is supposed to take in HTML as a string with potentially a lot of dangerous code and return HTML with all dangerous code escaped or stripped away but no harmless code should be removed. Test cases for this is probably not something a "normal friendly" dev should write, but we can find lots of examples of harmful HTML on the web.

[davericher]

Sweet. I will take a look and compile some tests. But does the filter not also intergrate with things h5p deems as safe such has a specific subset of style tags.

[falcon-git]

Yes, you are right, it takes in "white lists" for style patterns and tags.

[ghost]

hi @falcon-git. Is there any progress with this issue?

[falcon-git]

No, we're still looking for a replacement for the purifier we're using now. MIT licensed alternatives we've found have incredibly large code bases. Any tips?

[ghost]

hi @falcon-git and apologies for the delay. Can you mention here the file(s) and line(s) under GPL license?

[falcon-git]

Hi @xarhsdev it is https://github.com/h5p/h5p-php-library/blob/master/h5p.classes.php#L3168 and everything it uses. Especially filter xss

[pvenakis]

Hello @falcon-git, are there any news with regards to removing the GPL'd code from H5P?

[osimakoff]

Hi Guys. Any more information on this?

H5P is an awesome tool but this GPL'd code spoils absolutely everything and prevents a large number of H5P real world deployments.

Any alternatives to the GPL code?

Thanks in advance!

[hrieke]

My question has to do with the font files, because it appears that they are common across multiple code bases. Are they dual licensed or only MIT License or only GNU General Public License v3.0 or later licensed?

[mandadimuralidharreddy]

Any updates on this.can i deploy h5p as separate service and embed in corporate LMS platform. Does it violate GPL license?

[ramonziai]

Any updates on this? Also, if one wanted to build a platform integration for a non-php framework and only use the JS code of h5p-php-library, would the GPL still apply? If so, could the client-side stuff perhaps be moved out of this repo?

[mikkorantalainen]

Could you guys at least move the GPL'd code to a separate file and declare a less problematic license for the rest?

Currently the whole project is licensed under GPL v3 and some of the issue tickets here in GitHub say that it's actually only the HTML purifier implementation that's intentionally GPL v3.

If everything else were MIT licensed, I'm pretty sure we can come up with MIT licensed code for the purifier part. However, to better understand the part that would need to be replaced, it must be first separated into clearly defined separate file.

[ramonziai]

I've opened a related issue for separation of JS and PHP code, see #105. Besides the licensing issue, such a separation would also make it much easier to integrate H5P into non-PHP platforms.

[sr258]

Not sure if it‘s that easy to change the license retrospectively. There are more contributors than just Joubel and they‘d all have to agree that the license of their commits is changed, too. However, GPL 3 isn‘t that much of a problem if the code isn‘t used in a desktop program or an app.

[ramonziai]

@sr258 Since the JavaScript code for the core also lives in this repo under the GPL, and due to its nature is necessarily distributed to end users via their browser, doesn't that mean all other JS that the browser sees in the respective app would have to be GPLed as well?

[sr258]

I guess you can see the H5P core as a runtime environment, in which the other libraries are executed in. You can run non-GPL binaries in a GPL Linux system, after all.

[mikkorantalainen]

The ability to execute non-GPL binaries on Linux is allowed because Linux kernel is not distributed on plain old GPL but uses a custom variant that allows executing non-GPL code.

Sure, GPL v3 + extra freedoms to make it logically MIT could be one solution but you cannot relicense the code without agreement from copyright holders.

[mikkorantalainen]

Library code such as H5P should have freedom level of LGPL at minimum, preferably MIT/2-clause BSD to avoid problems with mixing the code from other sources. GPL only works if your intent is to actually enforce combined work to be distributed as GPL'd code, too.

[sr258]

Yes, certainly correct in theory, but the fact remains that the GPL 3 license is there at the moment. I've checked by running git shortlog -n -s -- js who has contributed to the client folder and it looks like it's nearly only the Joubel Core team + Oliver Tacke. Not everybody still works there, I believe, however.

Here's the list of contributors + numbers of contribution:

   258  Frode Petterson
   108  Svein-Tore Griff With
    63  Thomas Marstrander
    38  Paal Joergensen
    24  Oliver Tacke
    18  thomasmars
    13  Pål Jørgensen
     7  Frank Ronny Larsen
     6  Timothy Lim
     5  Tom Arild Jakobsen
     2  Andrew Downes
     1  Ravi Majithia
     1  falcon
     1  otacke

@falcon-git @thomasmars @icc @fnoks What do you think about relicensing the client to MIT license (or LGPL) to avoid the infectious nature of GPL 3? It should not be too difficult to ask the contributors, as they are mostly your employees or ex-employees.

[otacke]

@sr258 Joubel has already received carte blanche from me :-)