Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Copyright clarifications #4591

Closed
doko42 opened this issue Apr 26, 2020 · 13 comments
Closed

Copyright clarifications #4591

doko42 opened this issue Apr 26, 2020 · 13 comments

Comments

@doko42
Copy link

doko42 commented Apr 26, 2020

During a review, Debian found some missing/unclear copyright issues in the pillow sources.
See https://bugs.debian.org/952899

For the Debian packages, I already remove Tests/icc and the testsuite gracefully skips these tests when this directory is not found, So I could extend that for other test cases as well. However I'd like to run as many tests as possible.

Could you have a look, what could be addressed upstream?

@radarhere radarhere changed the title copyright clarifications Copyright clarifications Apr 26, 2020
@wiredfool
Copy link
Member

For reference, this is the included bug report:

Source: pillow
Version: 6.2.1-2
Severity: serious
Justification: Policy 2.3, 4.5, 12.5

During review in binary-NEW, I found the following issues with
d/copyright.  Since the issues already exist in the archive I did not
REJECT, but they should be fixed.

Note that I am filing an identical list of problems against
src:pillow-python2 as the orig.tar is now in the archive twice.

- Needs "Alex Clark **and contributors**" from LICENSE

- Copyright information for Tests/fonts not in d/copyright.

- Google suggests that Tests/images/bmp is GPL-3 and also that the files
  are generated using C code.  If that's right, we would need to at
  least include that code for generating the images in
  debian/missing-sources/ (and ideally regenerate them).

- Tests/images/pillow3.icns looks like it contains a colour space
  copyright 1998 Hewlett-Packard Company; unclear how licensed.

- Tests/test_file_fli.py says that Tests/images/a.fli came from the web
  and I cannot see any free license; probably needs to be filtered out.

- Tests/test_file_mcidas.py says something similar for some other
  images; this should be accounted for.

- Several files matching {docs/example,src/PIL}/*ImagePlugin.py and
  src/libImaging/BcnDecode.c are public domain/CC0.

- Most files matching
  src/PIL/{ImageMorph,MspImagePlugin,SpiderImagePlugin,_binary}.py and
  src/libImaging/{Jpeg2K*,Quant*,SgiRleDecode.c,UnsharpMask.c} have
  different copyright holders.

- src/Tk/_tkmini.h has different copyright holders and license; possibly
  not DFSG-free due to "GOVERNMENT USE" section.

- src/libImaging/{QuantOctree.c,raqm.h,nmake.opt} have different
  licenses and copyright holders.

@wiredfool
Copy link
Member

The only two I can address off of the top of my head are the ICNS/Colorspace issue, which Debian has complained about before in other files, and the BMP test images.

The colorspace issue is definitely something that Debian has referenced before, I'm not sure of the actual copyrightability of a standard colorspace that is describing an image, but Debian has felt strongly about it in the past.

The BMP test images are from here: https://github.com/jsummers/bmpsuite. The images are public domain, except for the embedded icc profiles. The code to create them is gplv3.

@wiredfool
Copy link
Member

A quick bit of searching found this: https://metadata.ftp-master.debian.org/changelogs//main/t/tcl8.6/tcl8.6_8.6.6+dfsg-1_copyright

Which is substantially the same license grant as the src/Tk/_tkmini.h file.

@hugovk
Copy link
Member

hugovk commented Apr 26, 2020

  • Tests/test_file_mcidas.py says something similar for some other
    images; this should be accounted for.

https://github.com/python-pillow/pillow/blob/master/Tests/test_file_mcidas.py:

    # https://ghrc.nsstc.nasa.gov/hydro/details/cmx3g8
    # https://ghrc.nsstc.nasa.gov/pub/fieldCampaigns/camex3/cmx3g8/browse/
    test_file = "Tests/images/cmx3g8_wv_1998.260_0745_mcidas.ara"

Added in #2552, which says:

Test file is free data from NASA, from ghrc.nsstc.nasa.gov/hydro/details/cmx3g8 and specifically ghrc.nsstc.nasa.gov/pub/fieldCampaigns/camex3/cmx3g8/browse

@hugovk
Copy link
Member

hugovk commented Apr 26, 2020

  • Copyright information for Tests/fonts not in d/copyright.

https://github.com/python-pillow/Pillow/blob/master/Tests/fonts/LICENSE.txt says:

NotoNastaliqUrdu-Regular.ttf and NotoSansSymbols-Regular.ttf, from https://github.com/googlei18n/noto-fonts
NotoSansJP-Thin.otf, from https://www.google.com/get/noto/help/cjk/
AdobeVFPrototype.ttf, from https://github.com/adobe-fonts/adobe-variable-font-prototype
TINY5x3GX.ttf, from http://velvetyne.fr/fonts/tiny
ArefRuqaa-Regular.ttf, from https://github.com/google/fonts/tree/master/ofl/arefruqaa
ter-x20b.pcf, from http://terminus-font.sourceforge.net/

All of the above fonts are published under the SIL Open Font License (OFL) v1.1 (http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL), which allows you to copy, modify, and redistribute them if you need to.


10x20-ISO8859-1.pcf, from https://packages.ubuntu.com/xenial/xfonts-base

"Public domain font.  Share and enjoy."

@hugovk
Copy link
Member

hugovk commented Apr 26, 2020

  • Google suggests that Tests/images/bmp is GPL-3 and also that the files
    are generated using C code. If that's right, we would need to at
    least include that code for generating the images in
    debian/missing-sources/ (and ideally regenerate them).

https://github.com/python-pillow/Pillow/blob/master/Tests/images/bmp/README.txt says:

These images are from the bmpsuite:
https://github.com/jsummers/bmpsuite and are in the public domain
according to the readme in the project.

@nulano
Copy link
Contributor

nulano commented Oct 7, 2020

  • Copyright information for Tests/fonts not in d/copyright.

https://github.com/python-pillow/Pillow/blob/master/Tests/fonts/LICENSE.txt says:

NotoNastaliqUrdu-Regular.ttf and NotoSansSymbols-Regular.ttf, from https://github.com/googlei18n/noto-fonts
NotoSansJP-Thin.otf, from https://www.google.com/get/noto/help/cjk/
AdobeVFPrototype.ttf, from https://github.com/adobe-fonts/adobe-variable-font-prototype
TINY5x3GX.ttf, from http://velvetyne.fr/fonts/tiny
ArefRuqaa-Regular.ttf, from https://github.com/google/fonts/tree/master/ofl/arefruqaa
ter-x20b.pcf, from http://terminus-font.sourceforge.net/

All of the above fonts are published under the SIL Open Font License (OFL) v1.1 (http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL), which allows you to copy, modify, and redistribute them if you need to.


10x20-ISO8859-1.pcf, from https://packages.ubuntu.com/xenial/xfonts-base

"Public domain font.  Share and enjoy."

DejaVuSans-bitmap.ttf, DejaVuSans.ttf, FreeMono.ttf, KhmerOSBattambang-Regular.ttf are missing from this list.

DejaVuSans.ttf appears to be https://github.com/dejavu-fonts/dejavu-fonts/blob/master/LICENSE
FreeMono.ttf appears to be GPLv3 https://github.com/opensourcedesign/fonts/blob/master/gnu-freefont_freemono/COPYING
KhmerOSBattambang-Regular.ttf appears to be LGPLv2.1 or later http://www.khmerfonts.info/fontinfo.php?font=95

@radarhere
Copy link
Member

DejaVuSans-bitmap.ttf, DejaVuSans.ttf, FreeMono.ttf, KhmerOSBattambang-Regular.ttf are missing from this list.

DejaVuSans-bitmap.ttf was removed in #4955. I've created #5215 to address the rest.

@radarhere
Copy link
Member

Tests/test_file_fli.py says that Tests/images/a.fli came from the web
and I cannot see any free license; probably needs to be filtered out.

Fyi, I contacted libav.org about samples.libav.org, and got this reply

This is a collection of multimedia files. either random or triggering bugs in mplayer/ffmpeg a very long time ago. Source and License of many files are probably unknown by now.

@radarhere
Copy link
Member

I received a more detailed answer from libav.org -

these files have been collected long ago. Most of them are from the early 2000s, when MPlayer was the player to use.
Some of the files were created specifically as test files for MPlayer (and later FFmpeg). Some were cuts from commercial sources that triggered bugs. And some were even full copies of such files.

The files in question have a modification date of 2001-12-09, almost 20 years ago. Back when things were most chaotic. They were uploaded by Gabucino which was one of the developers of MPlayer back then. If the files belong to him (might or might not be the case), then it is safe to assume that he handed them over to the project. At least he was fully aware where they would end up (he put it there himself). If it didn't, it will be almost impossible to figure out what the original source was. Now here comes the fun part:
According to Swiss law (that's where the server is located), the files have been online for so long, that it is safe to assume
that the original author is aware of them being there and thus implicitly giving us the permission to distribute them in such a manner. In case he isn't, worst case he can do is sending us a letter to stop distributing them. We cannot be sued for distributing them without being first informed that we ought to remove the files.

So, where does that put you:

  1. Because we do not know for sure who is the crator we cannot say which countries law applies. Thus the minimum rules of the Berne convention apply and nobody is allowed to distribute the files until 2051, when the copyright of these files expires.

  2. Because the files have been online for so long and because of their original uploader, it is safe to assume that the copyright owner of the files is ok with them being distributed in this way (this way being: for the purpose of helping OSS A/V software development)

  3. Because the file is so short, it could be seen as sample and interpreted under (US style) fair use clause that most
    countries have and thus not fall under copyright protection.

  4. Either way, it is very unlikely that anyone is going to sue you or even send a cease & desist letter for these files.

  5. If you are dealing with debian (I guess they kind of triggered this question) and their... way of interpreting
    the law, then your only option is to make sure it never ends up in one of the debian packages or debian build systems.

IMHO, it is safe to keep these files in your collection of test files. But IANAL.

@radarhere
Copy link
Member

I've created PR #6062 to replace pillow3.icns with another version that does not have a copyrighted color space.

@radarhere
Copy link
Member

Gathering together the responses in this issue.

- Needs "Alex Clark **and contributors**" from LICENSE

That's an item for Debian, not for this repository.

- Copyright information for Tests/fonts not in d/copyright.

As stated #4591 (comment), we have Tests/fonts/LICENSE.txt, and #5215 added missing fonts.

- Google suggests that Tests/images/bmp is GPL-3 and also that the files
  are generated using C code.  If that's right, we would need to at
  least include that code for generating the images in
  debian/missing-sources/ (and ideally regenerate them).

As stated in #4591 (comment), we have Tests/images/bmp/README.txt

- Tests/images/pillow3.icns looks like it contains a colour space
  copyright 1998 Hewlett-Packard Company; unclear how licensed.

#6062 resolved this by replacing the image.

- Tests/test_file_fli.py says that Tests/images/a.fli came from the web
  and I cannot see any free license; probably needs to be filtered out.

In #4591 (comment) and #4591 (comment), I detail a response I got from libav.org about this.

- Tests/test_file_mcidas.py says something similar for some other
  images; this should be accounted for.

As stated in #4591 (comment) / #2552, this is "free data from NASA".

- Several files matching {docs/example,src/PIL}/*ImagePlugin.py and
  src/libImaging/BcnDecode.c are public domain/CC0.

My attempt to remove this difference in #5220 was declined. IANAL, but I see how it would be a problem for end users that some of our code has fewer rights.

- src/Tk/_tkmini.h has different copyright holders and license; possibly
  not DFSG-free due to "GOVERNMENT USE" section.

#4591 (comment) seems to be saying that Debian already accepts code under a similar license.

That leaves

- Most files matching
  src/PIL/{ImageMorph,MspImagePlugin,SpiderImagePlugin,_binary}.py and
  src/libImaging/{Jpeg2K*,Quant*,SgiRleDecode.c,UnsharpMask.c} have
  different copyright holders.

- src/libImaging/{QuantOctree.c,raqm.h,nmake.opt} have different
  licenses and copyright holders.

nmake.opt became tiff.opt in #4084 and was then removed in #5359, but otherwise, these last two points still stand.

So unless we wanted to chase down the authors of that code and ask for permission to fold their code into our regular Pillow license, has everything in this issue been addressed?

@hugovk
Copy link
Member

hugovk commented Feb 17, 2022

During a review, Debian found some missing/unclear copyright issues in the pillow sources.
See https://bugs.debian.org/952899

That issue has been closed in April 2021 with "Fixed in version pillow/8.1.2+dfsg-0.1", so yes, let's close this too (and can reopen if needed).

Thanks!

@hugovk hugovk closed this as completed Feb 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants