If you are a Rails 6.1+ user, you have probably noticed something is up in the past couple of days.
Good morning everyone! If you have a Rails app 6.1+, you probably noticed all of your bundle installs are failing! A gem, mimemagic, had a licensing issue and needed to yank all of its old (illegal) versions and relicense. Your options: — Nate Berkopec (@nateberkopec) March 24, 2021
Sweet, what every Rails developer wants to see:
bundle install is failing. Looking further leads you to this Rails PR:
The gem mimemagic (see minad/mimemagic#97 & minad/mimemagic#98) has resolved a licensing issue today by yanking all builds prior to 0.4.0, but Rails itself (activestorage) has a dependency on mimemagic (~> 0.3.2).
Ok, well that doesn't sound good. At all.
The suggested fix is to move to gem version 0.3.6, which is now released under GPL-2.0.
Oh goodness, you wouldn't think this is a big deal but it. is. huge.
MIT licenses and GPL licenses are very different. I am just a software engineer, not a lawyer, but in layman's terms it can be generalized to:
MIT = “permissive license” pretty short and essentially says “do whatever you want with this, just don’t sue me.”
GPL = "share-alike license", approximately it says “if you make a derivative work of this, and distribute it to others under certain circumstances, then you have to provide the source code under this license.”
MIT is the easygoing, do-what-you-will license. GPL has sharing provisions: it dictates that if you use this software, then your software needs to conform to it too. There are a lot of people who know more than I do, and I would say definitely read them for a more nuanced take on this.
Also relevant, and something you may also have been wondering about, is that the GPL license is written and maintained by the Free Software Foundation. The FSF was started by Richard Stallman, which may be a name you have seen pop up lately too.
Here is EFF's statement on the re-election of Richard Stallman to the Free Software Foundation board. How disappointed is EFF? Profoundly. https://t.co/t5rcJ0s4ag — Eva (@evacide) March 24, 2021
I'm not a lawyer, but in my understanding, the mimemagic change to GPL licence forces rails to be distributed in GPL also, which forces all projects that are using Rails to be open-sourced
And Rails isn't going to be changing its license anytime soon, because there are a lot of dependent companies who have policies against using GPL licensed software.
Welcome to the wonderful world of DMCA takedown notices. Strap in, and get ready for a ride if you want to see all that was going on with shared-mime-info.
Also, Philippe Ombredanne has shared the DMCA notice that was received against his fork, along with information from GitHub, in a gist. Pretty much, GitHub informed him that he had 1 day to respond to the takedown notice; otherwise the repository was going to be disabled.
Well, it hasn't been... yet. It is very much still something that is being discussed. One path forward is:
The best way forward is probably to create a version of the gem which is licensed under the MIT license and loads the mime database at startup. This is the approach proposed by the maintainer of shared-mime-info
Here's the temporary workaround to reference the yanked gem version mimemagicrb/mimemagic@01f92d8 in Gemfile until this issue is resolved:
gem 'mimemagic', github: 'mimemagicrb/mimemagic', ref: '01f92d86d15d85cfd0f20dabd025dcbd36a8a60f'
If you need a fix, it looks like Rails just released an update:
Hey everyone! Rails versions 5.2.5, 22.214.171.124 and 126.96.36.199 have been released. These versions upgrade Active Storage’s Marcel dependency to version 1.0.0.
Before 1.0.0, Marcel—which is distributed under the terms of the MIT License, like Rails—indirectly depended on MIME type data released under the incompatible GNU General Public License. Marcel 1.0.0 instead directly packages MIME type data adapted from Apache Tika, released under the permissive and compatible Apache License 2.0.
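To see whether an app is exposed, read Gemfile.lock: it records which mimemagic build was resolved and which gems pull it in. The Ruby script below is an added example, not code from Rails, Marcel or mimemagic; the function names, status symbols and sample lockfile are constructed for illustration, and the version thresholds are the ones quoted above.

```ruby
# Thresholds as stated in the post (assumptions of this example):
FIRST_REPUBLISHED_MIMEMAGIC = Gem::Version.new("0.3.6") # older builds were yanked
FIXED_MARCEL = Gem::Version.new("1.0.0")                # ships Apache-2.0 MIME data

# Parse every "specs:" block into { name => { version:, deps: [names] } }.
# A platform suffix such as "-x86_64-linux" is dropped from the version.
def parse_lock_specs(lock_text)
  specs, current = {}, nil
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))   # "    name (1.2.3)"
      current = m[1]
      specs[current] = { version: Gem::Version.new(m[2].split("-").first), deps: [] }
    elsif current && (m = line.match(/\A {6}(\S+)/))      # "      dep (~> 1.0)"
      specs[current][:deps] << m[1]
    elsif line !~ /\A {4}/                                # left the specs block
      current = nil
    end
  end
  specs
end

# Report mimemagic/marcel entries that need attention, with the gems requiring them.
def audit_mimemagic(lock_text)
  specs = parse_lock_specs(lock_text)
  required_by = ->(name) { specs.select { |_, s| s[:deps].include?(name) }.keys.sort }
  findings = []
  if (mm = specs["mimemagic"])
    # Post-yank builds still install, so their license is what needs reviewing.
    status = mm[:version] < FIRST_REPUBLISHED_MIMEMAGIC ? :yanked_build : :review_license
    findings << { gem: "mimemagic", version: mm[:version].to_s, status: status,
                  required_by: required_by.call("mimemagic") }
  end
  if (marcel = specs["marcel"]) && marcel[:version] < FIXED_MARCEL
    findings << { gem: "marcel", version: marcel[:version].to_s, status: :upgrade_marcel,
                  required_by: required_by.call("marcel") }
  end
  findings
end

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      activestorage (6.1.3)
        marcel (~> 0.3.1)
        mimemagic (~> 0.3.2)
      marcel (0.3.3)
        mimemagic (~> 0.3.2)
      mimemagic (0.3.5)
      nokogiri (1.11.2-x86_64-linux)
LOCK
audit_mimemagic(SAMPLE_LOCK).each { |finding| puts finding.inspect }
```

A `:review_license` result means the resolved build is still installable, so the remaining question is whether its license fits your organization's policy.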