Preview: https://forgejo.codeberg.page/@pull_461/2024-07-non-free-dependency-found/
Excerpt: https://forgejo.codeberg.page/@pull_461/news/
blog post for the finding of a non-free dependency #461
beowulf/2024-07-non-free-dependency into main 6b9c3532fb
eda620aa81
@ -0,0 +2,4 @@
title: Non-free dependency in the project found
publishDate: 2024年07月20日
tags: ['report']
excerpt: Non-free dependency in the project found and removed in newest releases.
Idea: Non-free dependency was discovered and removed in new releases.
so, without the project
s/found/discovered
s/newest/new
For less repetition (now excerpt and title sound very similar) I suggest:
A dependency on a non-free package was discovered and removed in new releases.
Hmm I haven't noticed but I actually suggested the title in my comment. The excerpt can be longer and descriptive.
Given #461 (comment), I would suggest the following title:
Non-free dependency discovered in Forgejo and removed
And excerpt: A non-free JS library was discovered in the NPM dependency tree of the project and got the whole component depending on it was reimplemented without it. New 7.0 and 8.0 releases were published without this dependency.
excerpt: A non-free JavaScript library was discovered in the dependency tree of the project and the whole component depending on it was reimplemented. New 7.0 and 8.0 releases are published without this library.
Maybe it would be nice in the excerpt to also give already the reason why that is important?
Maybe it would be nice in the excerpt to also give already the reason why that is important?
I can't imagine how to write that in a short and quickly understandable form.
Preview ready: https://forgejo.codeberg.page/@pull_461/
https://forgejo.codeberg.page/@pull_461/2024-07-non-free-dependency-found/
@ -0,0 +7,4 @@
During a discussion about the future of Forgejo's license, it was discovered that a non-free dependency of a dependency created for Gitea was loaded into the project.
On 18. July at 4:23 PM [an issue](https://codeberg.org/forgejo/forgejo/issues/4569) was opened to track the problem.
The problem is tracked in forgejo/discussions#193.
This is where it was reported.
I reformulated it and added the discussion.
- what timezone is used for dates?
- I don't think we need a dot after day number (not sure where such format is even used)
- s/were/was
- revert s/an/the
Btw, @bramh said he contacted Gitea in Discord about this yesterday. So it may worth noting, IDK, would like to see what Bram thinks.
I think it's better to link to https://github.com/go-gitea/gitea/issues/31660
Time changed to UTC (sorry, forgot the time zones)
Or should I remove the timestamps 🤔 They may be confusing...
They may be redundant.
@ -0,0 +15,4 @@
The dependency already existed at the time of the fork of Gitea and was therefore included in Forgejo from the beginning.
Since this dependency is not compatible with the values of Forgejo and restricts the free use of binaries, it was of high importance to remove the offending dependency.
The [release of 8.0.0](/2024-06-release-v8-0) was therefore blocked until the problem was solved.
This post needs to be released after #456, or I need to remove the link to the 8.0.0 release post.
They can be released at the same time and link to each other.
I changed it for the moment to forgejo/forgejo#4153 (for the case when we want to release this post before the release of 8.0.0 - can change it back later)
@ -0,0 +9,4 @@
On 18. July at 4:23 PM [the issue](https://codeberg.org/forgejo/forgejo/issues/4569) were reported in the main issue tracker.
A few hours later at 10:10 PM, a [pull request](https://codeberg.org/forgejo/forgejo/pulls/4571) was opened to remove the dependency.
In addition, [a ticket](https://codeberg.org/forgejo/discussions/issues/193) was created to track the problem and the resulting consequences as a whole.
issue/ticket naming consistency.
@ -0,0 +12,4 @@
In addition, [a ticket](https://codeberg.org/forgejo/discussions/issues/193) was created to track the problem and the resulting consequences as a whole.
The pull request was merged on 18. July at _X:XX PM_.
The dependency already existed at the time of the fork of Gitea and was therefore included in Forgejo from the beginning.
It would be important to add related links. Either in the tracking issue, or here.
- Gitea commit that introduced the problem
- https://github.com/djaxho/pure-vue-chart/issues/2
- ...
added the gitea commit
@ -0,0 +1,24 @@
---
title: Non-free dependency in the project found
- Forgejo news titles usually include "Forgejo"
- title could already be more precise on "removal"
e.g., Forgejo removes a non-free dependency
@ -0,0 +16,4 @@
Since this dependency is not compatible with the values of Forgejo and restricts the free use of binaries, it was of high importance to remove the offending dependency.
The [release of 8.0.0](/2024-06-release-v8-0) was therefore blocked until the problem was solved.
The removal of the binary was also ported to 7.0.6.
Possibly add link to https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6
@ -0,0 +20,4 @@
Additionally [the author](https://github.com/lafriks/vue-bar-graph/issues/14) of the dependency and [Gitea](https://github.com/go-gitea/gitea/issues/31660) were informed of the non-free dependency.
As this violates the values of Forgejo it forces the removal of all release binaries prior to 7.0.6.
Forgejo commitment is to always be a completely free, open source and community-first product. Non-free dependencies and distribution licensing are not in line with the values of Forgejo. The inclusion of a non-free component within the binary affects it's whole license. There's no place for non-free binaries in the Forgejo spaces, which unfortunately means that they all must be removed from releases prior to 7.0.6.
Add also link to the values of Forgejo
So firstly: Have more non-free dependencies been detected now, or were they all just false positives? Because depending on that, I need to talk in plural or not. And depending on that, I would have to expand the article...
I have lost track in the chat.
118b9d00cc
ec48b5bc59
ec48b5bc59
8d1b9e86d0
So firstly: Have more non-free dependencies been detected now, or were they all just false positives? Because depending on that, I need to talk in plural or not. And depending on that, I would have to expand the article...
@Gusted can you say something about this?
@ -0,0 +29,4 @@
The [values of Forgejo](https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values) were not only violated, but the inclusion of a non-free dependency also has the consequence of affecting the complete license of the binary.
In the Forgejo spaces, there is no place for non-free binaries, which unfortunately means that all binaries must be removed from releases prior to 7.0.6.
This is planned for _TBD_.
@earl-warren any idea when the planned deadline is for the removal of the old binaries? 🤔
Why not write "This will happen as soon as possible", to indicate we might need some quick tooling for this?
@fnetX We wanted to have a time gap so that theoretically people could mirror if necessary.
Here is a proposal:
Because GSAP is not Free Software, it cannot be [distributed in the Forgejo organization](https://codeberg.org/forgejo) hosted by Codeberg. It is not allowed by the [Codeberg Terms of Use](https://codeberg.org/Codeberg/org/src/branch/main/TermsOfUse.md#2-allowed-content-usage) and goes against [Forgejo core values](https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values). The Forgejo binaries and OCI images will be deleted. It will take some time because the technical impact on existing Forgejo instances that depend on these images has to be carefully addressed.
So firstly: Have more non-free dependencies been detected now, or were they all just false positives? Because depending on that, I need to talk in plural or not. And depending on that, I would have to expand the article...
@Gusted can you say something about this?
Only the GSAP one was non-free the other were false-positives, the false-positives weren't actually bundled in the Forgejo's index.js.
@ -0,0 +21,4 @@
The removal of the binary will also be ported to [7.0.6](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6).
Additionally [the author](https://github.com/lafriks/vue-bar-graph/issues/14) of the dependency and [Gitea](https://github.com/go-gitea/gitea/issues/31660) were informed of the non-free dependency.
two lines above: It uses "dependency" two times, but actually refers to different dependencies. What about "direct dependency" and "indirect dependency" to clarify the difference? If this is agreed upon, it should also be added in some other places so the reader gets an explanation of what it means ...
You mean Additionally [the author](https://github.com/lafriks/vue-bar-graph/issues/14) of the direct dependency and [Gitea](https://github.com/go-gitea/gitea/issues/31660) were informed of the non-free indirect dependency.
Or smth like Additionally [the author](https://github.com/lafriks/vue-bar-graph/issues/14) of the dependency and [Gitea](https://github.com/go-gitea/gitea/issues/31660) were informed of the non-free subdependency. 🤔
The important paragraphs are clear and well written, great write up. All it needs is a first paragraph, a kind of summary, which is likely the only thing most people will actually read. Here is a proposal:
On 18 July 2024 a [small piece of non Free Software was discovered](https://codeberg.org/forgejo/forgejo/issues/4569) in the Forgejo codebase. It is exclusively used when displaying the repository contribution graphs (e.g. [the Forgejo contributions page](https://codeberg.org/forgejo/forgejo/activity) in the web interface. A replacement [was implemented](https://codeberg.org/forgejo/forgejo/pulls/4571) and merged on 20 July 2024. The [v8.0.0 release](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0) and the [v7.0.6 point release](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6) no longer contain this piece of non Free Software.
As an external reader I want to know:
- what is the problem
- what is its magnitude
- is it fixed already or not
As a Forgejo user I want to know:
- where it impacts me (the web ui)
As a Forgejo admin I want to know:
- if it is fixed already
- where I can get the fix
7a2f980bce
e011b68a4d
@ -0,0 +32,4 @@
Due to the new tool which works more precisely, it can lead to more licenses being included in the [`license.txt`](https://next.forgejo.org/assets/licenses.txt) - also from dependencies that are removed in the build process.
But better this safe way than missing licenses from dependencies in the end.
Because GSAP is not Free Software, it cannot be [distributed in the Forgejo organization](https://codeberg.org/forgejo) hosted by Codeberg.
This would be the only place where GSAP is mentioned directly, and this would certainly raise questions and online searches for this non-free library.
I add a link to the license page of GASP
And maybe reword it to smth like: Because GSAP, the subdependency, is not Free...
@ -0,0 +10,4 @@
A replacement [was implemented](https://codeberg.org/forgejo/forgejo/pulls/4571) and merged on 20 July 2024.
This piece of non-Free Software is no longer contained in the [v8.0.0 release](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0) and the [v7.0.6 point release](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6).
During a discussion about the future of Forgejo's license, it was discovered that a non-free dependency of a dependency initially created for Gitea was loaded into the project.
A separator before this line would help. As it stands it does not read well in the continuation of the summary that comes before it.
@ -0,0 +27,4 @@
Additionally [the author](https://github.com/lafriks/vue-bar-graph/issues/14) of the dependency and [Gitea](https://github.com/go-gitea/gitea/issues/31660) were informed of the non-free subdependency.
In order to rule out further infringements, the dependencies have been carefully checked and a [new, improved tool](https://codeberg.org/forgejo/forgejo/pulls/4574) for checking licenses has been introduced.
In order to rule out further infringements
the word infringements is not right in this context.
Will change it to: To prevent more violations, the dependencies have been carefully checked and a new, improved tool for checking licenses has been introduced.
@ -0,0 +33,4 @@
But better this safe way than missing licenses from dependencies in the end.
Because GSAP is not Free Software, it cannot be [distributed in the Forgejo organization](https://codeberg.org/forgejo) hosted by Codeberg.
It is prohibited by the [Codeberg Terms of Use](https://codeberg.org/Codeberg/org/src/branch/main/TermsOfUse.md#2-allowed-content-usage) and goes against [Forgejo core values](https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values).
s/against/against the/
@ -0,0 +35,4 @@
Because GSAP is not Free Software, it cannot be [distributed in the Forgejo organization](https://codeberg.org/forgejo) hosted by Codeberg.
It is prohibited by the [Codeberg Terms of Use](https://codeberg.org/Codeberg/org/src/branch/main/TermsOfUse.md#2-allowed-content-usage) and goes against [Forgejo core values](https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values).
**The Forgejo binaries and OCI images will be deleted.**
It will take some time, since the technical impact on existing Forgejo instances that depend on these images has to be carefully addressed.
s/on these images/on them/
cb008ef2b7
73021b0c87
Added the publishing date and squashed the commits
73021b0c87
dec5a98b8b
Nice one. 👍
Re-reading I had a few non blocking thoughts:
- s/ticket/issue/ or discussion (ticket is not used elsewhere, issue is more common)
The release of 8.0.0 was therefore blocked until the problem was solved. The removal of the binary will also be ported to 7.0.6.
The mix of past and future reads funny to me. "therefore" could be removed to avoid repetition with the previous line.
In order to rule out further infringements, the dependencies have been carefully checked and a new, improved tool for checking licenses has been introduced. The licenses are checked with every CI run, and the CI fails if the licenses are incompatible.
to avoid the repetition of "checked" (three times), "CI" (two) and "licenses" (three times): maybe
An [improved tool was introduced](https://codeberg.org/forgejo/forgejo/pulls/4574) to check the licenses of the dependencies. It runs in the CI, and fails if an incompatibility is found.
subdependency
could be replaced by
indirect dependency
Note that GSAP has now been removed from vue-bar-graph.
Note that GSAP has now been removed from vue-bar-graph.
@caesar I see no reason, why we should add this? But if you find it important, I can add it...
dec5a98b8b
73faab9df1
Any review regarding the new paragraph at the end (regarding the citation)?
forgejo/forgejo#4153 the release is pushed to 25 July.
@ -0,0 +36,4 @@
Because [GSAP](https://gsap.com/community/standard-license/), the indirect dependency, is not Free Software, it cannot be [distributed in the Forgejo organization](https://codeberg.org/forgejo) hosted by Codeberg.
It is prohibited by the [Codeberg Terms of Use](https://codeberg.org/Codeberg/org/src/branch/main/TermsOfUse.md#2-allowed-content-usage) and goes against the [Forgejo core values](https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values).
**The Forgejo binaries and OCI images will be deleted.**
s/OCI/container/
@ -0,0 +41,4 @@
---
During the whole process, another indirect dependency was found that has an incompatible license.
During the investigation, another indirect dependency with incompatible license was found.
It has a more restrictive, [copyleft license](https://github.com/Juris-M/citeproc-js/blob/master/LICENSE) that is violated by Forgejo's [current license](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/LICENSE).
The dependency was used for citing a repository in APA format (if the repository is set up for this) and has been [removed for the moment](https://codeberg.org/forgejo/forgejo/pulls/4595).
at is violated by Forgejo's...
I don't think it is necessary to get into specifics in this blog post, the link to the removal has all the information if someone is interested. And "violated" in this case is not correct: a license is incompatible with another, a license violation involves a person.
@ -0,0 +45,4 @@
It is used for citing a repository in APA format (if the repository is set up for this).
The dependency for the APA format has a copyleft license and has therefore been [removed for the moment](https://codeberg.org/forgejo/forgejo/pulls/4595).
Repositories can therefore currently only be cited in the widely used BibTeX format.
Should Forgejo switch to a copyleft license in the future, it would be possible to add the dependency again.
actually only if it switches to AGPL, if I understand correctly?
More positive final sentence would be nice to have.
What about:
As Forgejo decided to accept copyleft license last year, this dependency may be added again in the future.
actually only if it switches to AGPL, if I understand correctly?
Yes. And it is quite likely this will happen eventually. But this is probably too much details for this blog post, don't you think?
I'm OK with it.
73faab9df1
2a72c28bbd
@mahlzahn & @earl-warren: I added your suggestions. Are you fine with it, or do you see anything else which could be improved?
@ -0,0 +5,4 @@
excerpt: A non-free JavaScript library was found in the project's dependency structure, and the entire component that relied on it was re-implemented. The new versions 8.0.0 and 7.0.6 will be released without this library. This step is important to meet the core values of Forgejo.
---
On 18 July 2024, a [small piece of non Free Software was discovered](https://codeberg.org/forgejo/forgejo/issues/4569) within the Forgejo codebase.
small is not necessarily and it GSAP isn't really small - it's mjs dist is over 200 KiB (regular build is 570 KiB).
it is small compared to the entire codebase and it is also small in its impact in terms of user experience. I think it is fitting in that context because the first thought that comes to mind is: "what is the magnitude of the problem?". And honestly, it is a tiny thing with annoyingly large consequences.
Since there also is a need to remove ELK from the binary, not just APA, here is how it could be announced. In that scenario neither APA nor ELK are removed or replaced in v8.0.0 or v7.0.6. That will happen at a later time and plans are made to do that.
Explain:
- that copyleft code was discovered and has been around for years (ELK + APA).
- remind that Forgejo decided to allow for copyleft code to enter the codebase last year
- explains that while ELK is copyleft it is not compatible with GPLv3+ and will be replaced by a backward compatible solution (possibly mermaid alpha when it matures?)
- explains there are ongoing discussions to publish Forgejo under AGPLv3+
- explains that APA is AGPLv3+ and there would be no need to replace it if it was the case
- explain that if there is no agreement on AGPLv3+ APA will be replaced with a backward compatible solution
I commit to implement the backward compatible solutions for both of them within a reasonable amount of time if noone else does it. It will require a very large amount of time because this is a domain I know little about.
This was discussed in the development chatroom but there is no consensus at the moment.
2a72c28bbd
9751effa72
@Gusted & @earl-warren I added an info regarding elk in the latest patch...
9751effa72
f0ee9fd457
@Beowulf perfect. I double checked the URLs and they are all good.
Many thanks! LGTM.
@caesar I see no reason, why we should add this? But if you find it important, I can add it...
I didn't mean to suggest it should be added, it was just an observation. The post is good as-is.
f0ee9fd457
7a467d391e
7a467d391e
2a2ad12d2b
2a2ad12d2b
23eda2ea19
(削除) @earl-warren the 8.0 blog post has a broken link, because this PR isn't merged https://forgejo.org/2024-07-release-v8-0/ (削除ここまで) nevermind :D
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?