DEV Community

Cover image for What's up with mimemagic breaking everything?
christine
christine

Posted on • Updated on

What's up with mimemagic breaking everything?

If you are a Rails 6.1+ user, you probably have noticed something is up in the past couple days.

Good morning everyone! If you have a Rails app 6.1+, you probably noticed all of your bundle installs are failing! A gem, mimemagic, had a licensing issue and needed to yank all of its old (illegal) versions and relicense. Your options:

— Nate Berkopec (@nateberkopec) March 24, 2021

Sweet, what every rails developer wants to see bundle install is failing. Looking further leads you to this Rails PR:
https://github.com/rails/rails/issues/41750

Dependency on mimemagic 0.3.x no longer valid

The gem mimemagic (see minad/mimemagic#97 & minad/mimemagic#98 ) has resolved a licensing issue today by yanking all builds prior to 0.4.0, but Rails itself (activestorage) has a dependency on mimemagic (~> 0.3.2).

Quinn brought up an issue on the mimemagicrb github that by removing all gem versions prior to 0.4.0 broke CI installs of rails because it depends on the 0.3.x gem version.

Ok, well that doesn't sound good. At all.

The fix that is suggested is to move to gem version 0.3.6 that is released under GPL-2.0 now.

Oh goodness, you wouldn't think this is a big deal but it. is. huge.

MIT licenses and GPL licenses are very different. I am just a software engineer, not a lawyer but in layman's terms it can be generalized to:
MIT = “permissive license” pretty short and essentially says “do whatever you want with this, just don’t sue me.”
GPL = "share-alike license", approximately it says “if you make a derivative work of this, and distribute it to others under certain circumstances, then you have to provide the source code under this license.”

MIT is the easy going do what you will license, GPL has sharing provisions, it dictates if you use this software then your software needs to be conform to it too. There is a lot of people that know more then I do, I would say definitely read them for a more nuanced take on this.

Also relevant and something you may have also be wondering about, is that GPL license is written and maintained by the Free Software Foundation. The FSF was started by Richard Stallman, which may be a name you have seen pop up lately too.

Here is EFF's statement on the re-election of Richard Stallman to the Free Software Foundation board. How disappointed is EFF? Profoundly. https://t.co/t5rcJ0s4ag

— Eva (@evacide) March 24, 2021

What does this have to do with mimemagic?

When mimemagic pulled old versions and switched to using the GPL license for all new versions, it enforced that more restrictive licenses and as Gustavo put it:

I'm not a lawyer, but in my understanding, the mimemagic change to GPL licence forces rails to be distributed in GPL also, which forces all projects that are using Rails to be open-sourced

And Rails isn't going to be changing its license anytime soon, because there are a lot of dependent companies who have policies against using GPL licensed software.

But why now with the licensing changes?

Welcome to the wonderful world of DMCA takedown notices. Strap in, and get ready for a ride if you want to see all that was going in with shared mime info

Also Philippe Ombredanne has shared the DMCA notice that was received against his fork and information from GitHub up on a gist. Pretty much, GitHub informed him that he had 1 day to respond to the takedown notice otherwise the repository was going to be disabled.

So how does this get fixed?

Well it hasn't been...yet. It is very much still something that is being discussed. One path forward is:

The best way forward is probably to create a version of the gem which is licensed under the MIT license and loads the mime database at startup. This is the approach proposed by the maintainer of shared-mime-info

But now that full PR is locked by Rails. So where should you be looking at? There is a new PR opened by Daniel Mendler it does look like there is a light at this very long, and very twisty tunnel.

Need a workaround?

Checkout mdominiak's suggestion to update your Gemfile:

Here's the temporary workaround to reference the yanked gem version mimemagicrb/mimemagic@01f92d8 in Gemfile until this issue is resolved:

gem 'mimemagic', github: 'mimemagicrb/mimemagic', ref: '01f92d86d15d85cfd0f20dabd025dcbd36a8a60f'

Let there be a fix!

If you need a fix, looks like Rails just released an update

Hey everyone! Rails versions 5.2.5, 6.0.3.6 and 6.1.3.1 have been released. These versions upgrade Active Storage’s Marcel dependency to version 1.0.0.
Before 1.0.0, Marcel—which is distributed under the terms of the MIT License, like Rails—indirectly depended on MIME type data released under the incompatible GNU General Public License. Marcel 1.0.0 instead directly packages MIME type data adapted from Apache Tika, released under the permissive and compatible Apache License 2.0.

Top comments (18)

Collapse
 
trinhcanhphuc profile image
Phuc Trinh

Please install shared-mime-info and add FREEDESKTOP_MIME_TYPES_PATH in your environment.
if you use windows or linux, please download from gitlab.freedesktop.org/xdg/shared-... and extract it

Collapse
 
camobap profile image
Alex Bobrikovich

This package has no freedesktop.org.xml, just freedesktop.org.xml.in

Collapse
 
lavika profile image
Lavika Kurda

I renamed the file to freedesktop.org.xml and it worked for me.

Collapse
 
beendra profile image
Alexandra

That header is my favorite meme of the week 😂

Collapse
 
marvelxy profile image
Marvelous Akpotu

😂😂😂

Collapse
 
schmijos profile image
Josua Schmid

Regarding: github.com/rails/rails/issues/4175...

Maybe I miss a piece, but in't it allowed to ship GPL code alongside your code as long as it stays packaged and its license it kept? Or does this only apply to compiled code?

Collapse
 
joshpuetz profile image
Josh Puetz

Thanks for this great summary!

Collapse
 
dwpdx profile image
Daniel Wise

Christine thanks for the write-up. I had a momentary panic attack this morning running bundle install and this showed up right away!

Collapse
 
cseeman profile image
christine

Glad the write-up helped!I found it interesting tracking down the why on this one, and thought others in the community might enjoy the read.

Collapse
 
rsmithlal profile image
Robert Smith

Awesome, thanks for the update with the latest Rails version for the fix! I had no idea what was going on until I found your post. Thanks so much!!

Collapse
 
cseeman profile image
christine

Welcome! It was great to see Rails get out a fix so quick on this.

Collapse
 
frogandcode profile image
Rich Thornett

This write-up is great, thanks for sharing it. Am I missing something, or is there no communication of this sort from official Rails channels? (Have checked their Twitter, website, and forum and haven't found an announcement of the issue and how it's being addressed.) All I can find are threads in GitHub issues.

This seems crazy given how big an issue this is.

Collapse
 
cseeman profile image
christine • Edited

Looks like Rails just released an update that discusses this a bit, but I agree it did feel like it was kind of radio silence on this issue: weblog.rubyonrails.org/2021/3/26/m...

Collapse
 
davidarmendariz profile image
David Armendáriz

Any update on this? I still can't bundle install.

Collapse
 
egallup02360 profile image
egallup02360 • Edited

Install shared-mime-info manually, then run bundle update

OS X: brew install shared-mime-info
Linux (debian-based distro): apt-get install shared-mime-info (I think, I didn't test this)

Collapse
 
cseeman profile image
christine

Thanks for sharing a workaround, but this could potentially have copyright impacts if you start using pulling in shared-mime-info because I believe it is GNU GPL v2 licensed.

An alternative could also be github.com/rails/rails/issues/4175...

reference the yanked gem version mimemagicrb/mimemagic@01f92d8 in Gemfile until this issue is resolved:

gem 'mimemagic', github: 'mimemagicrb/mimemagic', ref: '01f92d86d15d85cfd0f20dabd025dcbd36a8a60f'

Thread Thread
 
egallup02360 profile image
egallup02360

Yes, this workaround wasn't in that thread when I posted this.

Absolutely the better option, by far.

Collapse
 
oscartzgz profile image
Oscar Tellez

Great, updating Rails, I did can build my docker container again, because the command "build install" was failing