Re: wip/cliqz: Request for review

[Greg Troxel <gdt%lexort.com@localhost>]

Santhosh Raju <santhosh.raju%gmail.com@localhost> writes:

> On Sun, Apr 14, 2019 at 11:21 AM Greg Troxel <gdt%lexort.com@localhost> wrote:
>>
>> Santhosh Raju <santhosh.raju%gmail.com@localhost> writes:
>>
> Thank you for bringing this up, it made me look into the details of
> how Cliqz browser is built and the various ingredients that go into
> it.
>
> Let me elaborate this further since License is an important thing for
> the users of pkgsrc.
>
> So Cliqz develops an extension[1] for Firefox which helps with
> anti-tracking / ad blocking / search facilities etc.
>
> The extensions itself is open source[2] and comes under MPL 2.0. So
> one can install this plugin directly into any generic Firefox
> installation and it should work.
>
> In addition to the above Cliqz also has their own customized version
> of Firefox called Cliqz browser[3] which keeps track of upstream
> Firefox. When building this browser which is what this package does,
> it does pull in the Cliqz plugin automatically along with couple of
> other plugins and all of these are mentioned in the distinfo[4] (I
> think mentioned this wrongly as distfile).

So if these are all the same license that's completely ok.

> The propriety part is the "search service" provided by Cliqz (if I
> understand correctly) where in when you type a string in the address
> bar it will return possible search results via the Cliqz plugin (which
> is open source). This search service is provided by Cliqz and this the
> proprietary part which is mentioned in their description.

I see.  But essentially all of the other search engines are not open
source, so f-droid would say "promotes non-Free network service".  So
really this is just "this browser defaults to the cliqz search engine".

> So AFAIK, the plugins which are pulled into the browser during build
> time are open source, but they are not built during the browser build
> process.
>
> The search service provided by Cliqz is proprietary. And this is my
> understanding.

> I agree with this, in this specific scenario the other two plugins,
> one of them is https-everywhere[5] and the other is gdprtool[6] they
> are pulling in are GPLv2 and MPL 2.0 respectively.
>
> The pkgsrc script pulls in all 3 extensions during the fetch phase and
> they have their respective hashes checked against in the distinfo[4]
> file.

So we should add to LICENSE "and gnu-gpl-v2".

> I am not sure if pulling in these directly constitute any sort of
> License violation from the current one which is being done, if so I am
> ready to take the necessary steps to make the user who is installing
> aware of these files being pulled in.

The only real issue is if the licenses are compatible, but on the other
hand a plugin with a browser smells like aggregation rather than derived
work (but IANAL, TINLA).  I decline to object :-)

> Hopefully this provides more clarity on the licensing parts of the software.

Thanks - that helps a lot.

Besides adding GPL2 to LICENSE, I think it would be good to adjust DESCR
to describe what's different from firefox, so that somebody would get
the right impression on first reading.

I think this is something like

  Cliqz is based on firefox, but pre-installs the Cliqz add-on, which
  [?]  and causes search terms to be sent to Cliqz as the default search
  engine.  Advertising is downloaded in bulk and presented based on
  local evaluation of search terms, rather than the conventional
  server-side profiling and ad choice.  In addition the HTTPS Everywhere
  addon is installed, and an addon to manage consent to data processing.

Until now, I had no idea about the local ad notion.  I may have the
above wrong in the details, but I am suggesting that kind of information
for the prospective user.