tech-pkg archive


Re: wip/cliqz: Request for review



On Sun, Apr 14, 2019 at 11:21 AM Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> Santhosh Raju <santhosh.raju%gmail.com@localhost> writes:
>
> >>   It has a fixed requirement on clang, rather than just some c++
> >>   version.  If that is really the way it is and documented to be that
> >>   way by upstream, that's 100% fine.  But if it's not documented
> >>   upstream, then an upstream bug is probably appropriate and certainly a
> >>   comment about why.
> >
> > The cliqz project basically uses Firefox and since there was a recent
> > shift in Firefox building using clang everywhere, I guess the change
> > applies here too. I believe this is probably why you see the fixed
> > requirement on clang.
>
> If this is the same as firefox, then it's fine.  (Note that I am far
> more inclined to put in comments explaining things than most others.)
>

Cool.

> >>   The DESCR talks about "proprietary" things, but then I see the license
> >>   is mpl.  Perhaps that's taken from upstream, but it would be good to
> >>   reword if they really just mean "cliqz has filtering/safety features
> >>   not found in other browsers".   If there is an aspect of this which is
> >>   not really open source, then the license tag needs adjusting.
> >
> > The "proprietary" thing here is the extension developed by Cliqz and
> > used by Cliqz browser, this extension basically gets baked into their
> > browser build and is part of the distfile. The browser and the source
> > is open since it follows basically Firefox upstream hence the mpl
> > license. Which is why the wording has been put like that by the makers
> > of the browser.
> >
> > So yes, there is an aspect of it which is not really open source. Any
> > advice on how to proceed with the license tag here?
>
> I'm not really following what you are saying, but this is important to
> get right.
>
> The part I don't understand is "proprietary extension is part of the
> distfile" and "the source is open"; those don't line up.  But I think
> you are separating "source code to build the program" and "extension
> file that is loaded by the program".
>
> It sounds like the cliqz distfile has essentially all of the contents of
> the normal firefox distribution, and that those files are under the same
> terms as firefox releases them.  Is that true?
>

Thank you for bringing this up, it made me look into the details of
how Cliqz browser is built and the various ingredients that go into
it.

Let me elaborate this further since License is an important thing for
the users of pkgsrc.

So Cliqz develops an extension[1] for Firefox which helps with
anti-tracking / ad blocking / search facilities etc.

The extension itself is open source[2] and comes under MPL 2.0. So
one can install this plugin directly into any generic Firefox
installation and it should work.

In addition to the above Cliqz also has their own customized version
of Firefox called Cliqz browser[3] which keeps track of upstream
Firefox. When building this browser which is what this package does,
it does pull in the Cliqz plugin automatically along with a couple of
other plugins and all of these are mentioned in the distinfo[4] (I
think I mentioned this wrongly as distfile).

The proprietary part is the "search service" provided by Cliqz (if I
understand correctly) wherein when you type a string in the address
bar it will return possible search results via the Cliqz plugin (which
is open source). This search service is provided by Cliqz and this is the
proprietary part which is mentioned in their description.

So AFAIK, the plugins which are pulled into the browser during build
time are open source, but they are not built during the browser build
process.

The search service provided by Cliqz is proprietary. And this is my
understanding.

> Then, you are talking about an "extension", but I don't understand
>
>   1) is this extension in the distfile?  Does it make its way into the
>   installed package?  What is the license on it?  Is it a blob, or is it
>   source?
>

The extension[1] does make its way into the installed package. And it
is MPL 2.0 / GPLv2.

>   2) Is there some other mechanism at play, where the browser downloads
>   the extension automatically, so that the package is Free Software,
>   but it's set up so that what the user runs isn't?  Or something else?
>

During the build time, the scripts[3] download (in fetch phase) the
above mentioned extension[1] and bake it into the final Cliqz branded
Firefox build.

So everything the user downloads and uses is MPL 2.0 / GPLv2. It is
the search service provided by Cliqz which if the user wishes to use
that is proprietary and not the software itself. Once again this is my
understanding by looking at descriptions and the code they have put
up.

> Basically, we have license tags so that users do not end up running
> non-Free software without being clearly aware of it.   So that's the
> guiding principle in license tags.
>

Understood. And I agree with the fact that things should not slip past
this unnoticed.

> There is a subtlety if things are downloaded later.  In f-droid (which
> is not pkgsrc and has different rules, but it's interesting to think
> about), that would be cause to get an antifeature warning "this program
> promotes non-Free addons".   pkgsrc has not really dealt with the
> downloading things later issue.  I would say that if it just happens
> without the user explicitly asking for it (which is different than the
> user getting a popup and clicking ok!), then the LICENSE of the package
> should reflect the licensing of whatever is downloaded.
>
> And, we often disable any kind of automatic phoning home, as that's a
> security bug.
>

I agree with this, in this specific scenario the other two plugins,
one of them is https-everywhere[5] and the other is gdprtool[6] they
are pulling in are GPLv2 and MPL 2.0 respectively.

The pkgsrc script pulls in all 3 extensions during the fetch phase and
they have their respective hashes checked against in the distinfo[4]
file.

I am not sure if pulling in these directly constitutes any sort of
License violation from the current one which is being done, if so I am
ready to take the necessary steps to make the user who is installing
aware of these files being pulled in.

>

Hopefully this provides more clarity on the licensing parts of the software.

References

1. https://addons.mozilla.org/en-US/firefox/addon/cliqz/
2. https://github.com/cliqz-oss/browser-core
3. https://github.com/cliqz-oss/browser-f
4. https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=blob;f=cliqz/distinfo;h=e9032f20a6e830ef19562740188710ab3c100020;hb=HEAD#l11
5. https://github.com/cliqz-oss/https-everywhere
6. https://github.com/cliqz-oss/re-consent

Regards
Santhosh

