Quantcast

[Discourse.ros.org] ROS GNU GPL v1.2 issue

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users



Hello - I work for an organization which has stringent legal review for open source products. We have recently scanned ROS Indigo Desktop Full version using open source scanning tool called Blackduck. The scanning tool found some of the ROS components withGPL dependency. One of the component xmlrpcpp is mentioned as  <license>LGPL-2.1</license> in the package.xml file. However, the xmlrpc.h under "lib" folder says it is "GNU GPL" license in the comments section (copied below). Since ROS is distributing this file which is licensed under GPL v2.1, doesn't this make ROS also be GPL product?  While we are thinking of proposing a minimalist approach to have ROS Base edition and add components as needed, found that even ROS Base is distributed with these xmlrpc files that carry GPL v1.2 license requirement mentioned.

Here is the summary of license conflict:
Here is the summary of conflicts  
CPL 1.0  IVCON_generic
GNU LGPL  gazebo_ros_pkgs_generic -
GPL v2.1  KDL_generic v2.1; orocos_kinematics_dynamics; Stage; xmlrpc_generic; xmlrpcpp_generic


Snippet from xmlrpc.h file:
"6.// XmlRpc++ Copyright (c) 2002-2003 by Chris Morley
7.// This library is free software; you can redistribute it and/or
8.// modify it under the terms of the **GNU Lesser General Public**
**9.// License** as published by the Free Software Foundation; either
10.// version 2.1 of the License, or (at your option) any later version."






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/1) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users



Thanks for bringing this issue up. We take license conformance very seriously and want to be sure that we're correctly representing the license status on each package in the ROS ecosystem.

In this case, I'm a little confused: the header file that you mention states that it is released under the GNU LGPL:

https://github.com/ros/ros_comm/blob/lunar-devel/utilities/xmlrpcpp/include/xmlrpcpp/XmlRpc.h#L17-L19

which agrees with the license tag in that package:

https://github.com/ros/ros_comm/blob/lunar-devel/utilities/xmlrpcpp/package.xml#L11

Can you clarify where you're seeing the reference to xmlrpcpp being covered by the GNU GPL (as opposed to the GNU LGPL)?






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/2) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users
In reply to this post by Procópio Stein via ros-users



Gerkey - Thanks for replying. Extremely Sorry for my late response.

You are right on the LGPL on the header. For some reasons the blackduck tool (license scanning tool) classified this as GPL.

However, our legal team questions use of LGPL for production use. What is the guideline ROS provides for example use of xmlrpcpp included in the ROS core for production deployment?


Additionally, we noticed that stage and ivcon components are classified as GPL. These are part of ROS desktop. Will these be used more of a utility?

Appreciate your feedback.

Thanks.






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/3) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users
In reply to this post by Procópio Stein via ros-users



I won't try to speak to whether or not LGPL is acceptable for use in your company, that's up to you. There are plenty of examples outside of the ROS community where LGPL is used in different scenarios on which you can draw experience. Other people/companies in the ROS community might be able to give their experience doing so. Also see this ROSCon talk which covers licenses in ROS and a company's experience auditing those:

https://vimeo.com/142624685

[quote="S_Riluvan, post:3, topic:1642"]
Additionally, we noticed that stage and ivcon components are classified as GPL. These are part of ROS desktop. Will these be used more of a utility?
[/quote]

Stage is a simulator which runs in a stand alone process and communication with it is done over TCP/IP. Also, it is usually used for R&D, not product deployment, so I think that's fine.

ivcon appears to be CPL (common public license) (see: https://sourceforge.net/projects/ivcon/), but in any case it is only used as a utility to convert a mesh file from one format to another. Also, it is only used within the PR 2 description packages, which are only part of desktop-full for use in certain tutorials.

In both cases I do not believe they would be used in a production system and in both cases they are run as stand alone executables rather than used as libraries.






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/4) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users
In reply to this post by Procópio Stein via ros-users



Hi wjwwood - That's for that insightful response. Very much appreciate.

Since xmlrpcpp - a LGPL component - is part of the ROS base itself, will there be any issue if we remove XMLRPCPP from production deployments?

Also, would be interested in knowing how other organizations take LGPL for IP/Production deployment cases.

Thank you.






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/5) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users
In reply to this post by Procópio Stein via ros-users



[quote="S_Riluvan, post:5, topic:1642"]
Since xmlrpcpp - a LGPL component - is part of the ROS base itself, will there be any issue if we remove XMLRPCPP from production deployments?

Also, would be interested in knowing how other organizations take LGPL for IP/Production deployment cases.
[/quote]

xmlrpcpp is used for the core of roscpp. You can't simply remove it. However, the LGPL is specifically meant to allow **dynamic** linking with closed source components, so you should be fine. See section 4 of the LGPL specifically [1].

One important aim of the LGPL is to still allow end-users to use modified versions of the LGPL code. Static linking makes that relatively difficult, whereas its just a matter of providing an alternative shared library when using dynamic linking.

If you must do static linking (for whatever reason), you are allowed to do so if you provide a means for relinking with an alternative version of the LGPL code. You can do that by providing the compiled object (.o) files of your proprietary code. However, using shared libraries is much easier for everyone, and its the way the binary distributions of ROS use xmlrpcpp.

Additionally, the header `base64.h` distributed with xmlrpcpp contains function templates that are longer than 10 lines of code. That means you also need to provide the correct copyright notice(s) and a copy of the LGPL with your binary code to comply with section 3 of the LGPL [2].

However, it's not very clear to me if the file `base64.h` is really part of xmlrpcpp and if it is distributed under the LGPL. It looks like it has been copied verbatim from some other source without appropriate license information. That could be problematic (much more so than complying with the LGPL). There is an email address in comments at the top of the file which you could attempt to contact to find out what the story behind that file is. A quick google for the contents of the file indicates that many other projects also copied the file verbatim. I couldn't quickly find the original publication with a license.

Then again, you already said your legal team has objections. Sounds like you should fight it out with them. And of course the required disclaimer: I'm not a lawyer.

[1] https://www.gnu.org/copyleft/lesser.html#section4
[2] https://www.gnu.org/copyleft/lesser.html#section3






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/6) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users
In reply to this post by Procópio Stein via ros-users



I tried to send an email to the listed address, but the account is no longer active. I got a bounce immediately. Does anyone happen to know where `base64.h` in xmlrpcpp comes from and which license applies to it?






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/7) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Discourse.ros.org] ROS GNU GPL v1.2 issue

Procópio Stein via ros-users
In reply to this post by Procópio Stein via ros-users



You are right that that wiki page is outdated. It does include a notice at the top though linking to another page with a number of github organizations that each host some parts of ROS [1].

If you're specifically looking for the ROS fork of `xmlrpcpp`, that can be found in the `ros_comm` repository [2].

[1] http://wiki.ros.org/RecommendedRepositoryUsage/CommonGitHubOrganizations
[2] https://github.com/ros/ros_comm/tree/lunar-devel/utilities/xmlrpcpp






---
[Visit Topic](https://discourse.ros.org/t/ros-gnu-gpl-v1-2-issue/1642/10) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Loading...