Bug 1281479

Summary: cloc bundles non-free code
Product: [Fedora] Fedora
Reporter: Petr Šabata <psabata>
Component: cloc
Assignee: Rick Elrod <relrod>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 24
CC: bughunt, relrod
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cloc-1.66-1.fc22 cloc-1.66-1.fc23 cloc-1.66-1.el7
Doc Type: Bug Fix
Last Closed: 2016-06-05 02:51:26 UTC
Type: Bug

Description Petr Šabata 2015-11-12 15:42:25 UTC
While fixing the FTBFS issue (bug #1239400, bug #1271897), I noticed the cloc script bundles code from an ancient release of Regexp::Common, published under the Artistic license.  This license isn't considered free by the Fedora Project:
https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Bad_Licenses

This is pretty bad.  There are only two ways out:

1) You unbundle the non-free code and re-package the upstream tarball;
   the current releases of Regexp::Common are free -- perhaps try updating the
   bundled blocks?  Or even better, change cloc to use the package provided by
   Fedora.

2) You kill the package.

All Fedora and EPEL packages are affected.


Extra note: cloc also bundles parts of SLOCCount (`GPL'), Win32::Autoglob (`GPL+ or Artistic'), and Algorithm::Diff (also `GPL+ or Artistic'), therefore the current License tag is incorrect.  There's no point in updating it until the above-mentioned issue is resolved, though.

Comment 1 David Tonhofer 2015-11-29 13:11:21 UTC
(Disclaimer: Not an IP lawyer or a license Guru, but I have the book on Open Source Licenses)

Well, I needed the latest cloc 1.65 (now at https://github.com/AlDanial/cloc) for Fedora 22 (which has an old 1.62), so I took a look:

cloc itself is "GNU GPL 2 or later"

but states that it:

# Includes code from:
#   - SLOCCount v2.26
#     http://www.dwheeler.com/sloccount/
#     by David Wheeler.
#   - Regexp::Common v2.120
#     http://search.cpan.org/~abigail/Regexp-Common-2.120/lib/Regexp/Common.pm
#     by Damian Conway and Abigail.
#   - Win32::Autoglob
#     http://search.cpan.org/~sburke/Win32-Autoglob-1.01/Autoglob.pm
#     by Sean M. Burke.
#   - Algorithm::Diff
#     http://search.cpan.org/~tyemq/Algorithm-Diff-1.1902/lib/Algorithm/Diff.pm
#     by Tye McQueen.

Regexp::Common (2013031301): "AL 2.0, MIT or BSD"
http://search.cpan.org/~abigail/Regexp-Common-2013031301/lib/Regexp/Common.pm#LICENSE_and_COPYRIGHT

That would solve the problem...

Others:
-------

SLOCCount: "released under the General Public License (GPL)"
Regexp::Common v2.120

Win32::Autoglob: "http://search.cpan.org/~sburke/Win32-Autoglob-1.01/Autoglob.pm#COPYRIGHT_AND_DISCLAIMERS"
"This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself."

Algorithm::Diff: "http://search.cpan.org/~tyemq/Algorithm-Diff-1.1902/lib/Algorithm/Diff.pm#LICENSE"
"This program is free software; you can redistribute it and/or modify it under the same terms as Perl."

Perl is distributed under AL or GPL (http://dev.perl.org/licenses/).

Comment 2 Petr Šabata 2015-11-30 08:48:10 UTC
The problem is the bundled code is from R::C 2.120, which was Artistic only (you can check that on BackPAN), as mentioned in the original comment, along with the rest.  Later releases are more permissive but the one the code was taken from wasn't free.

I don't know what the code does but all this bundling is really ugly.  Why not just use the module's API?

Comment 3 David Tonhofer 2015-11-30 09:13:00 UTC
I think it just needs to be bumped to the latest version.

+1 for calls instead of bundle, but the author will have to do that.

The README is also uncertain about the license:

https://github.com/AlDanial/cloc#___top

Comment 4 David Tonhofer 2015-11-30 09:13:31 UTC
I meant:

https://github.com/AlDanial/cloc#License

Comment 5 Rick Elrod 2015-12-01 17:25:28 UTC
Sorry for missing this report. I'll file an issue upstream and see if we can get them to bump Regexp::Common or stop bundling it.

Comment 6 Rick Elrod 2015-12-01 17:32:24 UTC
I just filed https://github.com/AlDanial/cloc/issues/36.

Comment 7 David Tonhofer 2015-12-04 16:21:31 UTC
Thanks Ricky.

Comment 8 Rick Elrod 2015-12-05 09:26:10 UTC
The author fixed this here: https://github.com/AlDanial/cloc/commit/157c37071b985623501a53175422bf663f3ee2ad

I will bump the Fedora packages to that commit and submit to testing later today.

Comment 9 Petr Šabata 2015-12-07 11:58:14 UTC
Don't forget to update the License tag, too :)

Comment 10 Jan Kurik 2016-02-24 15:29:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 11 Fedora Update System 2016-05-19 00:08:22 UTC
cloc-1.66-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0526bc3356

Comment 12 Fedora Update System 2016-05-19 00:27:09 UTC
cloc-1.66-1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-eb9a871511

Comment 13 Fedora Update System 2016-05-19 17:12:50 UTC
cloc-1.66-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-75ecd1ffab

Comment 14 Fedora Update System 2016-05-21 01:23:09 UTC
cloc-1.66-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-eb9a871511

Comment 15 Fedora Update System 2016-05-21 02:27:52 UTC
cloc-1.66-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0526bc3356

Comment 16 Fedora Update System 2016-05-21 06:22:05 UTC
cloc-1.66-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-75ecd1ffab

Comment 17 Fedora Update System 2016-06-05 02:51:19 UTC
cloc-1.66-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-06-05 02:57:35 UTC
cloc-1.66-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-06-21 21:50:01 UTC
cloc-1.66-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.