
Boxable jar may not be Apache 2 licensed

Open tstibbs opened this issue 3 years ago • 7 comments

The boxable readme says that Boxable is Apache 2 licensed, however I've noticed that the jar file distributed in maven central (https://repo1.maven.org/maven2/com/github/dhorions/boxable/1.6/boxable-1.6.jar) contains some font files that are not Apache licensed.

The fonts directory contains a README file which says "Free UCS scalable fonts is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License". My layman's understanding of GPL is that if you distribute GPL code/binaries as part of your application/library, then your whole application/library effectively becomes GPL. If I'm right about that, I expect not many people would spot this and would assume that the jar is licensed under Apache 2 as noted in the boxable readme.

In theory I suppose it's possible for the boxable source code to be Apache licensed and for the distributed jar file to be GPL licensed, but I think the readme and poms need to make this clear. I also suspect that this is not the intention.

tstibbs, May 06 '21 12:05

#106

johnmanko, Dec 15 '21 03:12

@johnmanko that doesn't really resolve the issue that the jar cannot legally be licensed under Apache 2, it just adds the Apache 2 label to the jar in violation of FreeFont's licensing terms as laid out here

hauntingEcho, Jun 06 '22 19:06

@hauntingEcho What would the solution be? Licensing is not something I'm well informed on. @dhorions needs to weigh in on this, as ultimately he owns this project.

johnmanko, Jun 06 '22 20:06

Either this project needs to be licensed under GPLv3, or the FreeFont files need to be removed from the repo.

hauntingEcho, Jun 06 '22 20:06

@hauntingEcho Can't this project be dual licensed, then? That should solve everything.

johnmanko, Jun 06 '22 20:06

Keeping the individual code files themselves Apache2 licensed should be just fine, but anything that includes the FreeFont files (such as the jar, or the repo as a whole at the moment) would have to be GPLv3 licensed. I very strongly recommend reading the whole license file. A primary goal of the GPL is preventing downstream projects from stripping off its copyleft protections.

Note that I'm not a lawyer, just had run into questions on this library's license at a previous job (per #155)

hauntingEcho, Jun 06 '22 20:06

@hauntingEcho Thank you for your input. I'll take a look at that this weekend. It will get fixed.

johnmanko, Jun 07 '22 14:06