If you are a Rails 6.1+ user, you have probably noticed something is up in the past couple of days.
Good morning everyone! If you have a Rails app 6.1+, you probably noticed all of your bundle installs are failing! A gem, mimemagic, had a licensing issue and needed to yank all of its old (illegal) versions and relicense. Your options:— Nate Berkopec (@nateberkopec) March 24, 2021
Sweet, what every Rails developer wants to see: bundle install is failing. Looking further leads you to this Rails PR:
Dependency on mimemagic 0.3.x no longer valid
The gem mimemagic (see minad/mimemagic#97 & minad/mimemagic#98 ) has resolved a licensing issue today by yanking all builds prior to 0.4.0, but Rails itself (activestorage) has a dependency on mimemagic (~> 0.3.2).
Quinn raised an issue on the mimemagicrb GitHub: removing all gem versions prior to 0.4.0 broke CI installs of Rails, because Rails depends on the 0.3.x gem version.
Ok, well that doesn’t sound good. At all.
The suggested fix is to move to gem version 0.3.6, which is now released under GPL-2.0.
Oh goodness, you wouldn’t think this is a big deal but it. is. huge.
MIT licenses and GPL licenses are very different. I am just a software engineer, not a lawyer, but in layman’s terms it can be generalized to:
MIT = “permissive license” pretty short and essentially says “do whatever you want with this, just don’t sue me.”
GPL = “share-alike license”, approximately it says “if you make a derivative work of this, and distribute it to others under certain circumstances, then you have to provide the source code under this license.”
MIT is the easygoing, do-what-you-will license. GPL has sharing provisions: it dictates that if you use this software, then your software needs to conform to it too. There are a lot of people who know more than I do, and I would say definitely read them for a more nuanced take on this.
Also relevant, and something you may also be wondering about, is that the GPL license is written and maintained by the Free Software Foundation. The FSF was started by Richard Stallman, whose name you may have seen pop up lately too.
Here is EFF’s statement on the re-election of Richard Stallman to the Free Software Foundation board. How disappointed is EFF? Profoundly. https://t.co/t5rcJ0s4ag— Eva (@evacide) March 24, 2021
What does this have to do with mimemagic?
When mimemagic pulled old versions and switched to using the GPL license for all new versions, it imposed that more restrictive license, and as Gustavo put it:
I’m not a lawyer, but in my understanding, the mimemagic change to GPL licence forces rails to be distributed in GPL also, which forces all projects that are using Rails to be open-sourced
And Rails isn’t going to be changing its license anytime soon, because there are a lot of dependent companies that have policies against using GPL-licensed software.
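To check where a project stands, here is an added example (not from the original post, Rails, or mimemagic) that reads a Gemfile.lock, reports whether the pinned mimemagic is one of the yanked builds, and shows which of the GPL-licensed releases each dependent's constraint accepts. The lockfile excerpt, the example_uploader gem, and the function and constant names are constructed for illustration.

```ruby
# Added example: audit a Gemfile.lock for the mimemagic situation described above.
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed lockfile excerpt; example_uploader is a hypothetical gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activestorage (6.1.0)
        mimemagic (~> 0.3.2)
      example_uploader (1.0.0)
        mimemagic (>= 0.3.0)
      mimemagic (0.3.5)
LOCK

# Per the post: builds before 0.4.0 were yanked, then 0.3.6 was published (GPL-2.0).
FIRST_REPUBLISHED = Gem::Version.new("0.3.6")
REPLACEMENTS = %w[0.3.6 0.4.0].freeze

# Parse the "specs:" entries: 4-space lines are gems, 6-space lines their deps.
def parse_specs(lock_text)
  specs = {}
  current = nil
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "-x86_64-linux" before parsing the version.
      version = Gem::Version.new(m[2].split("-").first)
      current = specs[m[1]] = { version: version, deps: {} }
    elsif current && (m = line.match(/\A {6}(\S+)(?: \(([^)]+)\))?\s*\z/))
      current[:deps][m[1]] = Gem::Requirement.new(*(m[2] || ">= 0").split(/,\s*/))
    end
  end
  specs
end

def audit_mimemagic(lock_text)
  specs = parse_specs(lock_text)
  locked = specs["mimemagic"]
  return { present: false } if locked.nil?
  dependents = specs.select { |_, spec| spec[:deps].key?("mimemagic") }
  {
    present: true,
    locked: locked[:version].to_s,
    yanked: locked[:version] < FIRST_REPUBLISHED, # a yanked pin cannot be installed
    required_by: dependents.keys,
    # Which GPL-licensed replacement releases each dependent's constraint accepts.
    accepts: dependents.transform_values { |spec|
      REPLACEMENTS.select { |v| spec[:deps]["mimemagic"].satisfied_by?(Gem::Version.new(v)) }
    }
  }
end
```

On the sample, activestorage's `~> 0.3.2` accepts only 0.3.6, so 0.3.6 is the only release that unblocks the install without a change in Rails itself.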
But why now with the licensing changes?
Well, welcome to the wonderful world of DMCA takedown notices. Strap in and get ready for a ride if you want to see all that was going on with shared-mime-info.
So how does this get fixed?
Well it hasn’t been…yet. It is very much still something that is being discussed. One path forward is:
The best way forward is probably to create a version of the gem which is licensed under the MIT license and loads the mime database at startup. This is the approach proposed by the maintainer of shared-mime-info
But now that full PR is locked by Rails. So where should you be looking? There is a new PR opened by Daniel Mendler, and it does look like there is a light at the end of this very long and very twisty tunnel.