I'd like to get the HybridAuth distribution on the packaging whitelist so that it can be used in makefiles for Drupal install profiles.

It is dual-licenced with MIT and GPLv3
It is accessible at ^http://sourceforge.net/projects/hybridauth/files/hybridauth-.+\.zip/download$

Maintainers, if there's no reason why this isn't a good idea, I think you can move this issue over to the drupalorg_whitelist queue.


duozersk’s picture

Project: HybridAuth Social Login » Drupal.org Library Packaging Whitelist
Version: 7.x-2.x-dev »
japerry’s picture

+1, Drupal commons is looking at using hybridauth for the distribution.

duozersk’s picture

Drupal commons is looking at using hybridauth for the distribution.

Wow, this is pretty cool :) Looking forward to it - let me know if I can be of any help for it to happen (I'm the author and maintainer of HybridAuth 7.x-2.x and 6.x-2.x branches).

kreynen’s picture

Status: Active » Needs work

Unfortunately while the HybridAuth code is MIT/GPL2, it includes libraries licensed as Apache v.2.

https://github.com/hybridauth/hybridauth/blob/master/hybridauth/Hybrid/t... (Apache v.2
https://github.com/hybridauth/hybridauth/blob/master/hybridauth/Hybrid/t... (Apache v.2 according to https://code.google.com/p/oauth/)


While an MIT license like https://github.com/hybridauth/hybridauth/blob/master/hybridauth/Hybrid/t... (MIT according to https://code.google.com/p/simple-linkedinphp/) can be relicensed as GPLv2 (ie. JQuery), Apache v.2 MUST remain Apache v.2. While they can be packaged with a GPLv3 project, they are NOT relicensed as GPLv3.

This licensing incompatibility applies only when some Apache project software becomes a derivative work of some GPLv3 software, because then the Apache software would have to be distributed under GPLv3. This would be incompatible with ASF's requirement that all Apache software must be distributed under the Apache License 2.0.

GitHub does NOT subscribe to the same licensing theory as Drupal.org. The act of committing the code to a repo does NOT change its license which is why code licensed as Apache 2 can be packaged with HybridAuth which uses the more flexible MIT/GPLv2 combo.

bojanz’s picture


I wanted to investigate hybridauth for future Kickstart branches too, it looks very smooth.

duozersk’s picture

Status: Needs work » Needs review

Regarding the Facebook SDK being Apache v2 - just did a quick search for "Facebook" in the issue queue:
#1948982: Request to add Facebook PHP SDK to whitelist - closed and fixed, Apache v2 as already noted above...

So what should be our actions here? Revisit the issue I found or re-evaluate the HybridAuth library once again?


Raphael Dürst’s picture

We want to add the HybridAuth module incl. the library in the OpenideaL distribution, but unfortunately the library is not whitelisted.

As duozersk already mentioned, the Facebook PHP SDK is in the whitelist, so I wanted to ask again, if the library could be re-evaluated.


z.stolar’s picture

Issue summary: View changes
Status: Needs review » Active
kreynen’s picture

Status: Active » Postponed

The Facebook SDK should have never been approved. Nothing that is really licensed as only Apache 2, GPLv3 or LGPLv3 is GPLv2 compatible. While the Facebook SDK could potentially be re-added if we #1449452: Give installation profiles/distributions GPLv3+ license as option for packaged downloads, if we're not going allow that then all Apache 2 entries need to be removed.

#2307465: Update Whitelist License Taxonomy to Match Allowed Licenses