netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

static-ip-map license #4888

Closed kmk3 closed 2 years ago

kmk3 commented 2 years ago

General

@reinerh commented on Jan 19:

In a comment in this file you mention that you obtained it from a geoip package available on Linux distributions. I couldn't find such a file in the source of Debian's geoip-database. (https://sources.debian.org/src/geoip-database/20191224-3/) Can you please clarify what the source of the file is? I need to document its license etc in the package.

@netblue30 commented on Jan 20:

The file was built mainly by running /usr/bin/whois on addresses I saw coming up in the trace. Most webpages are served today from a handful of CDN or cloud providers. For Google, Cloudflare and Amazon I've found the official public webpages where they list their current addresses. We will have to update our list from time to time (I included the official webpages in the file).

The country name is printed in the trace only if geoip-bin is installed on the system. Our program calls /usr/bin/geoiplookup directly.

I'll put the fixes in, thanks.

Later: We are similar to geoip, all the data is compiled from public sources. I saw they use OpenDataLicense for copyright purposes. Probably we can stay with GPLv2.

I don't exactly understand everything that was involved when generating static-ip-map, but from what I'm reading, to me it looks like that file could possibly be considered a derivative work of geolite2/geoip-database (I'm not sure). In which case, the license of the original database and of static-ip-map would have to be compatible with each other and also with GPLv2+ as used by firejail.

In any case, I would keep the same license as the original database to avoid license proliferation and also to allow contributions to go both ways (especially since static-ip-map isn't a major part of firejail anyway).

Also, if it is potentially a derivative work, the original copyright notice(s) probably have to be distributed along with the data to comply with the license. I'd also distribute the original license file as well for good measure.

Which License

I saw they use OpenDataLicense for copyright purposes.

Are you sure that that is the license that applies in this case?

The Debian package for geoip-database only mentions CC-BY-SA-4.0 and CC-BY-3.0 as the licenses. From https://sources.debian.org/src/geoip-database/20191224-3/LICENSE.txt/:

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/.

This database incorporates GeoNames [http://www.geonames.org] geographical data, which is made available under the Creative Commons Attribution 3.0 License. To view a copy of this license, visit http://www.creativecommons.org/licenses/by/3.0/us/.

Also, copyright information for completeness: https://sources.debian.org/src/geoip-database/20191224-3/COPYRIGHT.txt/:

Database and Contents Copyright (c) 2019 MaxMind, Inc.

According to GNU, CC-BY-SA-4.0 is only compatible with GPLv3+:

https://www.gnu.org/licenses/license-list.en.html#ccbysa

Creative Commons Attribution-Sharealike 4.0 license (a.k.a. CC BY-SA) (#ccbysa)

This is a copyleft free license that is good for artistic and entertainment works, and educational works. Like all CC licenses, it should not be used on software.

CC BY-SA 4.0 is one-way compatible with the GNU GPL version 3: this means you may license your modified versions of CC BY-SA 4.0 materials under GNU GPL version 3, but you may not relicense GPL 3 licensed works under CC BY-SA 4.0.

Also there is no entry of OpenDataLicense in the GNU license comment list:

https://www.gnu.org/licenses/license-list.en.html

AFAIK OpenDataLicense is also a copyleft license (and copyleft licenses are usually incompatible with each other by default due to their nature of disallowing further restrictions), so GPL compatibility seems unclear to me.

I think that the lack of a clear answer could cause issues for anyone using firejail under GPLv2-only. I suspect that SailfishOS may be one such case (Cc: @spiiroin @Tomin1).

Suggestion

Anyway, my suggestion would be to remove static-ip-map for now to avoid shipping it in 0.9.68 (since the release is already in RC stage and since the feature was added rather recently) and then try to figure this out after the release.

netblue30 commented 2 years ago

It's quite simple. There are two different pieces of information: the owner of the address, and the country hosting the address.

The owner (Amazon, Cloudflare etc.) is in the static ip map file. The country information comes from running geoiplookup utility if it is installed on the computer. We don't keep any country info in the static ip map. Nothing from geoip database is in our file. GPLv2 as the rest of the project should do it.

kmk3 commented 2 years ago

@netblue30 commented on Feb 2:

It's quite simple. There are two different pieces of information: the owner of the address, and the country hosting the address.

The owner (Amazon, Cloudflare etc.) is in the static ip map file. The country information comes from running geoiplookup utility if it is installed on the computer. We don't keep any country info in the static ip map. Nothing from geoip database is in our file. GPLv2 as the rest of the project should do it.

I see, I misunderstood the part about geoip. So the only thing that comes from geoip is the country information and that is generated only at runtime. I read #4867 again and now it makes sense to me. Sorry for the confusion.