If you are a Rails 6.1+ user, you probably have noticed something is up in the past couple days.
Good morning everyone! If you have a Rails app 6.1+, you probably noticed all of your bundle installs are failing! A gem, mimemagic, had a licensing issue and needed to yank all of its old (illegal) versions and relicense. Your options:
— Nate Berkopec (@nateberkopec) March 24, 2021
Sweet, what every Rails developer wants to see: bundle install is failing. Looking further leads you to this Rails PR:
https://github.com/rails/rails/issues/41750
Dependency on mimemagic 0.3.x no longer valid
The gem mimemagic (see minad/mimemagic#97 & minad/mimemagic#98 ) has resolved a licensing issue today by yanking all builds prior to 0.4.0, but Rails itself (activestorage) has a dependency on mimemagic (~> 0.3.2).
Quinn brought up an issue on the mimemagicrb GitHub: removing all gem versions prior to 0.4.0 broke CI installs of Rails, because Rails depends on the 0.3.x gem version.
Ok, well that doesn't sound good. At all.
The suggested fix is to move to gem version 0.3.6, which is now released under GPL-2.0.
Oh goodness, you wouldn't think this is a big deal but it. is. huge.
MIT licenses and GPL licenses are very different. I am just a software engineer, not a lawyer but in layman's terms it can be generalized to:
MIT = “permissive license” pretty short and essentially says “do whatever you want with this, just don’t sue me.”
GPL = "share-alike license", approximately it says “if you make a derivative work of this, and distribute it to others under certain circumstances, then you have to provide the source code under this license.”
MIT is the easygoing, do-what-you-will license. GPL has sharing provisions: it dictates that if you use this software, then your software needs to conform to it too. There are a lot of people that know more than I do, and I would say definitely read them for a more nuanced take on this.
Also relevant, and something you may also have been wondering about: the GPL license is written and maintained by the Free Software Foundation. The FSF was started by Richard Stallman, which may be a name you have seen pop up lately too.
Here is EFF's statement on the re-election of Richard Stallman to the Free Software Foundation board. How disappointed is EFF? Profoundly. https://t.co/t5rcJ0s4ag
— Eva (@evacide) March 24, 2021
What does this have to do with mimemagic?
When mimemagic pulled old versions and switched to using the GPL license for all new versions, it enforced that more restrictive license, and as Gustavo put it:
I'm not a lawyer, but in my understanding, the mimemagic change to GPL licence forces rails to be distributed in GPL also, which forces all projects that are using Rails to be open-sourced
And Rails isn't going to be changing its license anytime soon, because there are a lot of dependent companies who have policies against using GPL licensed software.
But why now with the licensing changes?
Welcome to the wonderful world of DMCA takedown notices. Strap in, and get ready for a ride if you want to see all that was going on with shared-mime-info.
Also Philippe Ombredanne has shared the DMCA notice that was received against his fork and information from GitHub up on a gist. Pretty much, GitHub informed him that he had 1 day to respond to the takedown notice otherwise the repository was going to be disabled.
So how does this get fixed?
Well it hasn't been...yet. It is very much still something that is being discussed. One path forward is:
The best way forward is probably to create a version of the gem which is licensed under the MIT license and loads the mime database at startup. This is the approach proposed by the maintainer of shared-mime-info
But now that full PR is locked by Rails. So where should you be looking? There is a new PR opened by Daniel Mendler, and it does look like there is a light at the end of this very long and very twisty tunnel.
Need a workaround?
Check out mdominiak's suggestion to update your Gemfile:
Here's the temporary workaround to reference the yanked gem version mimemagicrb/mimemagic@01f92d8 in Gemfile until this issue is resolved:
gem 'mimemagic', github: 'mimemagicrb/mimemagic', ref: '01f92d86d15d85cfd0f20dabd025dcbd36a8a60f'
Let there be a fix!
If you need a fix, it looks like Rails just released an update:
Hey everyone! Rails versions 5.2.5, 6.0.3.6 and 6.1.3.1 have been released. These versions upgrade Active Storage’s Marcel dependency to version 1.0.0.
Before 1.0.0, Marcel—which is distributed under the terms of the MIT License, like Rails—indirectly depended on MIME type data released under the incompatible GNU General Public License. Marcel 1.0.0 instead directly packages MIME type data adapted from Apache Tika, released under the permissive and compatible Apache License 2.0.
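As an added illustration (not code from this post, Rails, or mimemagic), this Ruby sketch reads a Gemfile.lock and reports which of the states described above an app is in: a yanked mimemagic build, the git-pinned workaround, a GPL-2.0 mimemagic release, or the Marcel 1.0.0 fix. The finding names, the sample lockfile, and the treatment of every build below 0.3.6 as yanked are assumptions of this example.

```ruby
require "rubygems" # Gem::Version gives correct version ordering

GPL_RELEASE  = Gem::Version.new("0.3.6") # per the post: the GPL-2.0 release
MARCEL_FIXED = Gem::Version.new("1.0.0") # per the post: ships Apache Tika data

# Map each resolved gem to [version, section]; section is GEM, GIT or PATH.
def locked_gems(lockfile_text)
  section = nil
  lockfile_text.each_line.with_object({}) do |line, gems|
    section = line.strip if line.match?(/\A[A-Z]/)   # unindented section header
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)    # resolved spec: 4-space indent
    gems[m[1]] = [m[2], section] if m
  end
end

# Return symbols describing the licensing/installability state (names are illustrative).
def audit(lockfile_text)
  gems = locked_gems(lockfile_text)
  findings = []
  if gems.key?("mimemagic")
    version, section = gems["mimemagic"]
    if section == "GIT"
      findings << :mimemagic_git_pin   # the temporary Gemfile workaround
    elsif Gem::Version.new(version) < GPL_RELEASE
      findings << :mimemagic_yanked    # bundle install will fail on a clean machine
    else
      findings << :mimemagic_gpl       # installs, but now under GPL-2.0
    end
  end
  if gems.key?("marcel")
    fixed = Gem::Version.new(gems["marcel"][0]) >= MARCEL_FIXED
    findings << (fixed ? :marcel_fixed : :marcel_needs_upgrade)
  end
  findings
end

# Constructed sample lockfile fragment (not taken from a real project).
BEFORE_FIX = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    marcel (0.3.3)
      mimemagic (~> 0.3.2)
    mimemagic (0.3.5)
LOCK

puts audit(BEFORE_FIX).inspect
```

An empty result for mimemagic together with `:marcel_fixed` is the state the Rails 5.2.5, 6.0.3.6 and 6.1.3.1 releases are meant to produce.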
Top comments (18)
Please install shared-mime-info and add FREEDESKTOP_MIME_TYPES_PATH in your environment.
If you use Windows or Linux, please download from gitlab.freedesktop.org/xdg/shared-... and extract it
This package has no freedesktop.org.xml, just freedesktop.org.xml.in
I renamed the file to freedesktop.org.xml and it worked for me.
Regarding: github.com/rails/rails/issues/4175...
Maybe I miss a piece, but isn't it allowed to ship GPL code alongside your code as long as it stays packaged and its license is kept? Or does this only apply to compiled code?
That header is my favorite meme of the week 😂
😂😂😂
Awesome, thanks for the update with the latest Rails version for the fix! I had no idea what was going on until I found your post. Thanks so much!!
Welcome! It was great to see Rails get out a fix so quick on this.
Christine thanks for the write-up. I had a momentary panic attack this morning running bundle install and this showed up right away!
Glad the write-up helped! I found it interesting tracking down the why on this one, and thought others in the community might enjoy the read.
Any update on this? I still can't bundle install.
Install shared-mime-info manually, then run bundle update
OS X:
brew install shared-mime-info
Linux (debian-based distro):
apt-get install shared-mime-info
(I think, I didn't test this)
Thanks for sharing a workaround, but this could potentially have copyright impacts if you start pulling in shared-mime-info because I believe it is GNU GPL v2 licensed.
An alternative could also be github.com/rails/rails/issues/4175...
Yes, this workaround wasn't in that thread when I posted this.
Absolutely the better option, by far.
Thanks for this great summary!
This write-up is great, thanks for sharing it. Am I missing something, or is there no communication of this sort from official Rails channels? (Have checked their Twitter, website, and forum and haven't found an announcement of the issue and how it's being addressed.) All I can find are threads in GitHub issues.
This seems crazy given how big an issue this is.
Looks like Rails just released an update that discusses this a bit, but I agree it did feel like it was kind of radio silence on this issue: weblog.rubyonrails.org/2021/3/26/m...
Great, updating Rails, I can build my docker container again, because the command "build install" was failing