Comments

webchick’s picture

Status: Active » Postponed (maintainer needs more info)

Another one of these. :) Could we do this with patches instead, so the whitelist only references the canonical library?

libraries[ckeditor][patch][] = "http://drupal.org/files/1337004-ckeditor-remove-samples-3.patch"

webchick’s picture

Status: Postponed (maintainer needs more info) » Reviewed & tested by the community

Ah, but actually the upstream respond JS doesn't seem to be in the whitelist yet, so re-purposing for that.

https://github.com/scottjehl/Respond seems to be the canonical repo and according to README.md it's dual-licensed MIT and GPL. Marking RTBC for the upstream library. For any Panopoly-specific modifications, those should happen with just standard 3rd-party-library patching in the drupal_org.make file, IMO.

geerlingguy’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

kreynen’s picture

Issue summary: View changes
Status: Closed (fixed) » Needs review

I don't know why this was tagged as MIT and GPLv2. Based on https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT, I think it's only MIT.

geerlingguy’s picture

I think, with some of the original ones I added, I had mistakenly added MIT *and* GPLv2 because of the repetition with the libraries being added. You may find one or two more like that.

apaderno’s picture

Actually, the license was added in November 2013, later than when the library was added to the whitelist here. It could be that the author changed their mind later.

apaderno’s picture

In fact, in https://github.com/scottjehl/Respond/blob/master/README.md I now read "Licensed under the MIT license." I am going to remove the library.

apaderno’s picture

Status: Needs review » Fixed

In case it is needed, these are the whitelisted URLs it contained.

^(git|https|http)://github\.com/scottjehl/Respond[.git/].+$
^(https|http)://raw.githubusercontent\.com/scottjehl/Respond/.+$
^(https|http)://codeload.github.com/scottjehl/Respond/.+$
^https://raw\.github\.com/scottjehl/Respond/.+$

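
The four patterns above are a whitelist, so the question a reviewer wants answered is which URLs they actually admit. The following is an added example, not code from the issue or from the Drupal packaging whitelist: it runs the four entries as quoted against constructed sample URLs (none taken from a real make file), and beside them a tightened set that is my assumption of the intent, not the whitelist's text. Two things the quoted regexes do that are easy to miss: the character class `[.git/]` matches a single character from the set `. g i t /`, so `Respond.git` and `Respond/...` pass only because `.` and `/` happen to be in the set while a name such as `Respondi/...` passes too; and the unescaped dots in `raw.githubusercontent` and `codeload.github.com` match any character. The example assumes Python's `re` and PHP's `preg_match` agree on these constructs, which they do for anchors, alternation, classes and escaped dots.

```python
import re

# The four whitelist entries exactly as quoted in the comment above.
ORIGINAL_PATTERNS = [
    r"^(git|https|http)://github\.com/scottjehl/Respond[.git/].+$",
    r"^(https|http)://raw.githubusercontent\.com/scottjehl/Respond/.+$",
    r"^(https|http)://codeload.github.com/scottjehl/Respond/.+$",
    r"^https://raw\.github\.com/scottjehl/Respond/.+$",
]

# Tightened variants: MY ASSUMPTION of what the entries were meant to say,
# not text from the whitelist. (\.git|/.+) replaces the character class
# [.git/], which matches one character from the set ". g i t /", and the
# host-name dots are escaped so they no longer match arbitrary characters.
TIGHTENED_PATTERNS = [
    r"^(git|https|http)://github\.com/scottjehl/Respond(\.git|/.+)$",
    r"^(https|http)://raw\.githubusercontent\.com/scottjehl/Respond/.+$",
    r"^(https|http)://codeload\.github\.com/scottjehl/Respond/.+$",
    r"^https://raw\.github\.com/scottjehl/Respond/.+$",
]


def first_match(url, patterns):
    """Return the index of the first pattern that accepts url, or None.

    re.match anchors at the start; the patterns themselves carry ^ and $.
    """
    for i, pat in enumerate(patterns):
        if re.match(pat, url):
            return i
    return None


# Constructed sample URLs (not from any real make file), chosen to show the
# legitimate download forms and the cases where the quoted regexes are looser
# than they look.
SAMPLES = [
    "https://github.com/scottjehl/Respond.git",
    "git://github.com/scottjehl/Respond.git",
    "https://github.com/scottjehl/Respond/archive/1.4.2.tar.gz",
    "https://github.com/scottjehl/Respond",            # bare repo URL: no tail
    "https://raw.githubusercontent.com/scottjehl/Respond/master/dest/respond.min.js",
    "https://raw.github.com/scottjehl/Respond/master/dest/respond.min.js",
    "https://codeload.github.com/scottjehl/Respond/tar.gz/1.4.2",
    "https://github.com/someoneelse/Respond.git",      # wrong owner
    "https://github.com/scottjehl/Respondi/x",          # 'i' is in [.git/]
    "https://rawXgithubusercontent.com/scottjehl/Respond/master/respond.js",
]


def compare(urls=SAMPLES):
    """Return [(url, index under original, index under tightened), ...]."""
    return [
        (u, first_match(u, ORIGINAL_PATTERNS), first_match(u, TIGHTENED_PATTERNS))
        for u in urls
    ]


if __name__ == "__main__":
    for url, orig, tight in compare():
        print(f"{url}\n    original: {orig}   tightened: {tight}")
```

Running it shows the clone, archive, raw and codeload URLs accepted by both sets and the bare repository URL and wrong-owner URL rejected by both; the two constructed odd cases (`Respondi/x` and `rawXgithubusercontent.com`) are accepted only by the quoted regexes. Which of those the packaging whitelist should accept is a policy question for the LWG, not something this example decides.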
dsnopek’s picture

Hrm. Removing respondjs is going to break releasing Panopoly and all Panopoly-based distributions. :-/ I only just discovered it now, when trying to do a security release of Panopoly for the Features release (SA-CONTRIB-2016-020) yesterday.

Is it possible to get special dispensation for this one security release and then allow the Panopoly community to figure out a solution immediately afterwards?

dsnopek’s picture

Actually, since this library is to support IE6-8, I think I'm just going to remove it from Panopoly and put instructions to install the library in the release notes. This would have been nicer to do when doing a non-security release, but we'll make do. :-)

webchick’s picture

Er. Since when is it a problem for MIT-only licensed code to be in the whitelist?

kreynen’s picture

Not sure why this was removed. MIT can now be committed to a project, but it can still be whitelisted. Not being able to inform developers (or even being able to figure out who is using this entry) is why we haven't removed any of the whitelist entries that violate the clarified policy. If you have suggestions for how we should handle this moving forward, please add them to #2307487: Warn distributions using non-whitelisted licenses that entries will be removed

webchick’s picture

For now, I'd recommend restoring the whitelist entry, and having the LWG handle any removals, which ideally could come with ample notice to project maintainers like dsnopek so they're not caught unawares whilst trying to get a security release out.

kreynen’s picture

apaderno’s picture

I apologize for my mistake, but I took it that there was a problem with the licensing of the library, which was changed in the meantime. If LWG means Library Packaging Whitelist, I am part of the LWG. I don't watch this project queue as a moderator.

dsnopek’s picture

Hrm, I wish I had waited 4 more hours to release! We have a policy of releasing the same day (or at latest the next day) for any security issues in core or contrib that affect Panopoly, and so I felt like I was already running late. :-/

Anyway, thanks for adding it back and the clarification on what's allowed, but especially for the plans to give more notice in the future! That would really help a lot. :-)

Thanks again!

geerlingguy’s picture

I have a feeling we may want to have another informal meeting at this year's DrupalCon to talk about policy/process for a package's removal, plus where things are going in terms of Composer support and its impact on this entire whitelisting effort...

kreynen’s picture

The meeting in LA wasn't really planned. I was actually shocked that we were able to discuss licensing and packaging with key people as long as we were. Unfortunately most of the LWG won't be in NOLA, including me. Most of the University of Colorado's development teams will be there, but we're expecting a baby that week. I'm actually going on paternity leave soon, so I can commit to getting all of the LWG changes published for community feedback to keep things moving forward.

There are a number of conversations going on about both licensing and packaging in various issues and email threads. The DA has also asked for professional legal advice on some of these topics.

I've started publishing the proposed changes to documents that we've actually been able to agree on to http://drupal-lwg.github.io/. We've started with the FAQ and haven't even gotten into the backlog of whitelist issues, but please provide feedback or PRs.

geerlingguy’s picture

@kreynen - Thank you so much for your leadership here, and enjoy the baby!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.