The current WordPress security release made me look into kses.php today. But my review ended before I had even gotten past the first 10 lines.
Guess what I ran into? Yup, another WordPress GPL license violation. How did I find it? It jumped out at me that no licensing information was given. As it is an external library file, this made me curious, as external files normally have it. I checked it against the original sources. And sure enough, the original has legal comments at the top of the file:
    <?php
    # kses 0.2.1 - HTML/XHTML filter that only allows some elements and attributes
    # Copyright (C) 2002, 2003 Ulf Harnhammar
    #
    # This program is free software and open source software; you can redistribute
    # it and/or modify it under the terms of the GNU General Public License as
    # published by the Free Software Foundation; either version 2 of the License,
    # or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful, but WITHOUT
    # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
    # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
    # more details.
    #
    # You should have received a copy of the GNU General Public License along
    # with this program; if not, write to the Free Software Foundation, Inc.,
    # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit
    # http://www.gnu.org/licenses/gpl.html
As you can see, the file is released under the terms of the GNU GPL. But if you look into the file in your WordPress directory, it tells a different story. This is the beginning of the kses.php file in WordPress:
    <?php
    /**
     * HTML/XHTML filter that only allows some elements and attributes
     *
     * Added wp_ prefix to avoid conflicts with existing kses users
     *
     * @version 0.2.2
     * @copyright (C) 2002, 2003, 2005
     * @author Ulf Harnhammar <firstname.lastname@example.org>
     *
     * @package External
     * @subpackage KSES
As you can see, the original legal statements were removed. Only some copyright-related information has been preserved in PHPDoc comments, which serve no useful purpose when it comes to copyright. They can help with automated analysis, and that’s it.
What about not giving the legal notices, the way it is (not) done in kses.php in WordPress?
It is no secret that WordPress Core Committers are against having legal comments in files. But that does not mean that the GNU GPL steps aside when copyright notices and license statements are tampered with. In fact, the license is pretty clear about those legal comments. Let’s actually read the license; I quote from version 2 here:
1. You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
So if you want to copy GPLed code, you must retain the important legal information that you normally find at the very top of each file in the form of a PHP comment. The license wording is pretty clear. If you don’t conform, you don’t have the right to copy.
And that is for verbatim copying alone. The developer of WordPress.org did not only copy the code: Matt Mullenweg, as he pulled the code in, was in fact creating a derivative of kses. WordPress is a derivative of kses. You can compare that with the plugin situation: WordPress extends kses, as it uses the functions of that file within other files.
Besides creating a new work based on kses, multiple developers have modified the code and extended it a bit over the years. Fixed stuff, added functions and all that. Everything we like in free software development: the interchange and the work in a community. Normally you expect the rights to use, copy, modify and redistribute modified versions of software that is available under the GPL. But these rights come with conditions in order to protect that freedom. Let’s take a look at the license again:
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above […].
That means that to modify the code, copy it and redistribute the modifications, the terms of Section 1 above need to be fulfilled as well. So all the rights we normally expect from GPLed software are not granted if you remove the copyright statements, the licensing information or the disclaimer. And that’s really useful, as otherwise the software’s users wouldn’t know about their rights. That knowledge is important to preserve the freedom of use.
So now that it’s clear that removing these is a serious licensing issue, what does this mean? The GNU GPL v2 license text deals with it in §4:
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License.
The GPL has protection built in: in case the conditions are not met, the rights to copy, modify, sublicense or distribute the program are void. They automatically terminate. This means that the software is still licensed under the GPL, but the GPL is not granting any rights. Instead, the copyright holder is back in full power. The user, here wordpress.org, has lost all rights by attempting to sublicense the file within their own software package.
What does this mean for all users who downloaded the software? The violation of the GPL in this case dates back to Christmas 2003; that’s as far back as an alpha version of WordPress 1.0. Not a nice Christmas present, right? Well, it just means that, as wordpress.org didn’t have any rights to redistribute kses, the download is legally speaking problematic. As you can not gain any rights from that piece of software any longer, you would literally need to build your own software from properly licensed GPLed sources.
As you can imagine, these cases can be pretty hard to deal with. The best thing is to get in contact with the original copyright holder and politely ask if he or she is willing to reinstate the rights and under which circumstances. This is necessary as the rights are automatically terminated. So putting the legal comments back in without contacting the copyright holder does not solve the problem. WordPress.org would still have lost the right to make use of the code.
Fortunately in this case, Ulf Härnhammar, the original author of kses, has offered to allow the use again if certain conditions are met. A friend notified him about the case:
I grant WordPress the right to continue to use the kses library under GPL v2 or later, if you put back the Copyright and Disclaimer information at the top of the file.
Now that’s a statement that made me upload some patches. So the only thing left is for the WordPress committers to actually apply them and do a release to give this year a happy ending.
Ticket #16039: Copyright Problem: Original Copyright Statement, Licensing Information and Disclaimer removed from kses.php
If WP linked to the GPL license (http://www.gnu.org/licenses/gpl.html) in their PHPDoc for KSES, would that be sufficient?
I’m guessing that would.
What would that be sufficient for?