Background

What happens if a library is licensed under MIT, but internally that library have a dependency which license under GPL 3.0? Can we still use this library?

I know that libarchive can be configured in a way the resembles the above situation so let’s use that as an example.

Libarchive

Let’s look a bit at the dependencies of libarchive as distributed in Ubuntu. The dependencies according to Ubuntu, as listed here https://packages.ubuntu.com/groovy/libarchive13, are:

• libacl1

• libbz2-1.0

• libc6

• liblz4-1

• liblzma5

• libnettle8

• libxml2

• libzstd1

• zlib1g

If we’re using ldd we get:

$ ldd /usr/lib/x86_64-linux-gnu/libarchive.so.13 | cut -d "=" -f 1
	linux-vdso.so.1 (0x00007ffc075d0000)
	libnettle.so.7 
	libacl.so.1 
	liblzma.so.5 
	libzstd.so.1 
	liblz4.so.1 
	libbz2.so.1.0 
	libz.so.1 
	libxml2.so.2 
	libc.so.6 
	libpthread.so.0 
	libdl.so.2 
	libicuuc.so.66 
	libm.so.6 
	/lib64/ld-linux-x86-64.so.2 (0x00007f26fd4b2000)
	libicudata.so.66 
	libstdc++.so.6 
	libgcc_s.so.1 

And using dependencies.sh:

$ dependencies.sh --png /usr/lib/x86_64-linux-gnu/libarchive.so.13.4.0 
Log file created: /home/hesa/.vinland/compliance-utils/elf-deps/libarchive.so.13.4.0.log
Created dot file: /home/hesa/.vinland/compliance-utils/elf-deps/libarchive.so.13.4.0.dot
Created png file: /home/hesa/.vinland/compliance-utils/elf-deps/libarchive.so.13.4.0.dot.png

we get a graphical view:

Looking up the licenses, which in itself is a topic we will dive in to in coming posts, and excluding libraries from GNU C Library (glibc) and GNU C++ library both released under GPL but with exceptions (again, exceptions will be covered in coming posts):

• libnettle.so.7 (LGPLv3+ | GPLv2+)

• libacl.so.1 (LGPLv2.1+ & GPLv2+)

• liblzma.so.5 (GPLv2+)

• libzstd.so.1 (BSD)

• liblz4.so.1 (BSD 2-Clause)

• libbz2.so.1.0 (bzip)

• libz.so.1 (Zlib)

• libxml2.so.2 (MIT)

• libicuuc.so.66 (ICU)

• libicudata.so.66 (ICU)

… and of course libarchive itself

• libarchive.so.13.4.0 (New BSD)

Let’s copy the dot file, remove the libc(++) libs and enter the licenses

$ cp /home/hesa/.vinland/compliance-utils/elf-deps/libarchive.so.13.4.0.dot libarchive.so.13.4.0-fixed.dot 
$ emacs libarchive.so.13.4.0-fixed.dot
$ cat libarchive.so.13.4.0-fixed.dot
digraph depends {
 node [shape=plaintext]
"libarchive.so.13.4.0 (New BSD)" -> "libacl.so.1 (LGPLv2.1+ & GPLv2+)"
"libarchive.so.13.4.0 (New BSD)" -> "libbz2.so.1.0 (bzip)"
"libarchive.so.13.4.0 (New BSD)" -> "liblz4.so.1 (BSD 2-Clause)"
"libarchive.so.13.4.0 (New BSD)" -> "liblzma.so.5 (GPLv2+)"
"libarchive.so.13.4.0 (New BSD)" -> "libnettle.so.7 (LGPLv3+ | GPLv2+)"
"libarchive.so.13.4.0 (New BSD)" -> "libxml2.so.2 (MIT)"
"libarchive.so.13.4.0 (New BSD)" -> "libz.so.1 (Zlib)"
"libarchive.so.13.4.0 (New BSD)" -> "libzstd.so.1 (BSD)"
"libicuuc.so.66 (ICU)" -> "libicudata.so.66 (ICU)"
"libxml2.so.2 (MIT)" -> "libicuuc.so.66 (ICU)"
"libxml2.so.2 (MIT)" -> "liblzma.so.5 (GPLv2+)"
"libxml2.so.2 (MIT)" -> "libz.so.1 (Zlib)"
}
$ dot -Tpng -O libarchive.so.13.4.0-fixed.dot

The graph now looks like this:

Most parts if the graph look OK. In the libacl case we can chose the LGPL license instead of the GPL. But the following should stir up some emotions:

"libarchive.so.13.4.0 (New BSD)" -> "liblzma.so.5 (GPLv2+)"
"libxml2.so.2 (MIT)" -> "liblzma.so.5 (GPLv2+)"

If we plan to keep the license of libarchive and libxml as New BSD and MIT then we get in to a tricky situation. We can however license the combined work (all the libraries above combined) under GPLv2+.

Note: the dot file is here: libarchive.so.13.4.0-fixed.dot.

A program using libarchive

Let’s say we want to create a file browser that uses libarchive. Examples of file browser are Dolphin and Nautilus / Gnome Files. Do they use libarchive?

$ which dolphin | xargs ldd | grep libarchive
$ which nautilus | xargs ldd | grep libarchive
	libarchive.so.13 => /lib/x86_64-linux-gnu/libarchive.so.13 (0x00007f9fe9afc000)

Nautilus uses libarchive but Dolphin does not. So let’s look at Nautilus, which is released under GPL-3.0. Software released *under GPL-3.0 can use GPL-2 components so no problemts there.

But if we want to create a new program, let’s call Dolphinus using libarchive (which, as a reminder, now has the outbound license GPL2 (configured as with Ubuntu)) and release this program under the MIT license. We can’t do this if we want to keep the outbound license of the program (or rather the combined work) as “MIT”.

Conclusions

So libarchive can be distributed as Debian and Ubuntu (and most likely Fedora, RedHat and the rest of the GNU/Linux distributors) do it. Even though a BSD library is dependent (uses) on a GPL component.

However we need to keep in mind that the outbound license for libarchive as a combined work is GPLv2 instead of New BSD (as is the license of libarchive itself).

When checking compliance manually or with license tools, such as flict, we need to make sure we or the tool determine(s) the outbound license of a software. Otherwise we might come to the conclusion that a program like Dolphinus (as a combined work) above can have the outbound license MIT which is not correct.

Note: flict will support a change in the outbound license “quite soon” (famous last words)

About the cover image

Flea market in Majorna, Gothenburg, Sweden from flickr, (c) 2017 Henrik Sandklef released under Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0)

Hmmm, the reason for using this picture isn’t that good. I figure the guy in the picture is looking in to an archive. Kind of lame. But I like the picture so let’s use it.