[sword-devel] SWORD license issues

Bastian Germann bastiangermann at fishpost.de
Mon Nov 9 14:56:07 EST 2020


Hi,

Packaging SWORD 1.9.0 for Debian, I found possible license issues.

The file src/utilfuns/zlib/untgz.c stems from some older zlib release.
At that state, one could have assumed it to be zlib licensed which is
not clearly stated in any version of that file. I opened a zlib issue at
https://github.com/madler/zlib/issues/531 which documents that the
original author is okay with it being distributed under zlib license.

The SVN revision 283 that introduced that file in Crosswire SVN does not
match untgz in any released zlib versions. 1.1.3 to 1.2.0.4 are the
closest. With the sword changes all the file's revisions in the SVN
violate the following sentence of the zlib license:
"2. Altered source versions must be plainly marked as such,
    and must not be misrepresented as being the original software."

There is also one untgz derived file: src/modules/common/zipcomprs.cpp
This has SWORD's GPL-2 header and is clearly marked as changed.
However, you cannot find the zlib license info by just looking at that
file, the files next to it, or the general license info, so this might
be a violation of: "3. This notice may not be removed or altered from
any source distribution."

If SWORD's untgz.c comes from some other source that is even more
liberally licensed than zlib (public domain equivalent), the previous
claims might be wrong. But that should be documented clearly in the file
then. Please note that the issues do not affect binary SWORD distributions.

A general side note: Maybe you want to reconsider (outdated) zlib
inclusion in the source tree. I understand that this is needed for
compilation on Windows. But there are other means to it, e.g., using the
vcpkg tool.

Furthermore, some files in the cmake directory miss accompanying
licenses. At least CMake's 3-clause BSD license, cmake/toolchains's
2-clause BSD license, and the Boost Software License have to be included
in source distributions. The BSD license also applies to binary
distributions but as that only affects the CMake build, there should not
be any copies of those files ending up in the binaries.

And one other issue shortly mentioned as I did not dive too deep into
it: The java-jni and cordova bindings are (partly) licensed under
Apache-2.0 license. They might be derivative works of SWORD. As
GPL-2-only and Apache-2.0 licenses are incompatible, binary
distributions of those bindings might be legally problematic for
non-copyright holders, which can be healed by adding an exception for
the bindings in SWORD's license. More info on this:
https://www.apache.org/licenses/GPL-compatibility.html

Regards,
Bastian

