Unsourced/undocumented libraries; missing license files; and other issues

[MTecknology]

I noticed that there are some compiled javascript files that don't list an upstream source. I was able to find some in public/assets/librejs/librejs.html, but seem to be missing the following:

dropzone-4.2.0
jquery.datetimepicker-2.4.5
jquery.are-you-sure
pdfjs-1.4.20
codemirror-5.17.0
autolink.js
gitgraph
draw
font-awesome-4.6.3
octicons-4.3.0
public/less/?
public/../github-min.js?
public/themes/fonts?

Could we get librejs.html updated with this information, please? Also, if there have been any modifications of these files, have they been documented anywhere?

While I was looking through public/img/, I saw images such as slack.png, openid-x.png, and github.png that I would assume are proprietary and don't provide sources. The emoji/ directory also seems to have a large number of images that probably have sources that I missed.

I would like to locate a license grant for any proprietary images or see documentation pointing at the upstream source and license. Ideally, I'd like some script that could be used without requiring network access that can reproduce the images in public/img/.

In a perfect would, the packaging process would strip public/ and rebuild everything in it, but the above is a bare minimum if I have any hope of getting this into Debian.

Thanks!!

[MTecknology]

Beyond just complete documentation, this actually represents a license violation in it's current state... as do many vendor/ dependencies, but the latter has been resolved in downstreams.

[MTecknology]

Clicked the wrong comment button...

[lofidevops]

Report from LibreJS (Firefox extension) on try.gitea.io running v1.1.0:

List of accepted JavaScript in https://try.gitea.io/

This script is detected as free
https://try.gitea.io/js/libs/jquery.are-you-sure.js
This script is detected as free
https://try.gitea.io/js/libs/emojify-1.1.0.min.js
This script is detected as free
https://try.gitea.io/js/libs/clipboard-1.5.9.min.js

List of blocked JavaScript in https://try.gitea.io/

This script is detected as nonfree, external, and as defining functions or methods
https://try.gitea.io/js/libs/autolink.js
NONTRIVIAL: eval has been found in code
https://try.gitea.io/js/index.js?v=1ed9cef4e7846494bd7df1cc16ae65fc
NONTRIVIAL: Creates an xhr object
https://try.gitea.io/js/jquery-1.11.3.min.js
NONTRIVIAL: Creates an xhr object
https://try.gitea.io/js/semantic-2.2.1.min.js

Web Labels pages being used for this session

https://try.gitea.io/assets/librejs/librejs.html

[bkcsoft]

@MTecknology Sorry for the late response 🙂

WRT Logos

Slack: https://slack.com/brand-guidelines

You're entitled to say that your website or application is integrated with Slack (we like people integrating with Slack!), but please don't use the Slack marks as part of the name of your company, application, product, or service, or in any logo you create.

OpenID: http://openid.net/add-openid/logos/

for use in presentations, articles, blog posts, etc.

(It'd say this falls under "etc.")

GitHub: https://github.com/logos

Do these awesome things:

Use the Octocat or GitHub logo to advertise that your product has built-in GitHub integration

WRT sources

Ideally, I'd like some script that could be used without requiring network access that can reproduce the images in public/img/.

Not really possible without polluting the repo with providers tar-balls (not always available either...)
We can however add public/img/gitlab.png.LICENSE and friends if that would make it better.

The emoji/ directory also seems to have a large number of images that probably have sources that I missed.

EmojiOne, we move it to public/plugins/emojione-{{ .Version }} and add their LICENSE-file in there...

the packaging process would strip public/ and rebuild everything in it

This would requires internet-access and is not an option. There's a reason why we have vendor/ 😉

[lunny]

It seems some PR fix this issue?

[bkcsoft]

@lunny No, #1728 is something completely different.

[MTecknology]

I'm only just now hopping back into this issue (Debian 9 released)

The problem I see with the slack logo's Brand Guidelines is this:

By using the Slack marks you agree to follow these guidelines as well as our Terms of Service and all our rules and policies.

This seems pretty unambiguous to me... by using the logo, you agree to their Brand Guidelines, their Terms of Service, and whatever "rules and policies" means. I'd prefer see the logo swapped out for '#' until that wording is changed. The rest of their guidelines seem perfectly reasonable, but this seems very wrong.

As for the javascript stuff, I get the impression @kwill is more capable than me at digging into how we can correctly get only foss javascript libraries in place and correctly documented. Digging through js stuff like this is quite difficult for me, but I do have a few thoughts (finally)...

• Stick all javascript in the public/js/ directory
• Drop the public/js/libs/ sub-directory
• Drop the version number from the filenames (big deal for off-line rebuild)
• Build a "proper" file documenting sources and version numbers
• [proper] don't know what that looks like, but machine/human readable would be excellent
• Remove everything that can't be attributed (git logs show some stuff is original... let's say what is)
• Same thing with assets, css, ... -pretty much- everything under public/

Not really possible without polluting the repo with providers tar-balls (not always available either...)
This would requires internet-access and is not an option. There's a reason why we have vendor/

I recall discussing w/ @bkcsoft, on IRC, what it means to build gitea without a network connection and without having vendor/ available. (Everything needs to come from a package already available in Debian.) At first, it meant ~100 golang libs needed to be added to the Debian repos (in the correct reverse dependency order...), now it means about 20 more javascript packages.

I'd like to get what's best and most correct figured out so I can beg someone to work on that while I learn how to package javascript libraries and then learn how correctly utilize those packages.

[lofidevops]

I don't actually know how, I just installed LibreJS in Firefox and recorded the results when visiting https://try.gitea.io :) I'll check if the listed libraries/files are already known to be free (I'm guessing they are).

[bkcsoft]

At first, it meant ~100 golang libs needed to be added to the Debian repos (in the correct reverse dependency order...), now it means about 20 more javascript packages.

Unless these have a separate package for each version that don't conflict with eachother you're gonna have a bad time.

• Drop the version number from the filenames (big deal for off-line rebuild)
• Build a "proper" file documenting sources and version numbers
  • machine/human readable
• Remove everything that can't be attributed (git logs show some stuff is original... let's say what is)
• Same thing with assets, css, ... -pretty much- everything under public/

This can mostly be addressed by using npm/yarn (just like we use govendor for go deps). The only thing we might have issues with is figuring out what we're actually using, and which version of it we're using.

As for the Slack-logo, I think we can just replace all mentions of "Slack" with "Mattermost" TBH, since the API for Mattermost is a superset of Slacks API.

[bkcsoft]

Drop the public/js/libs/ sub-directory

This is generally a bad idea, since now you have to manually figure out what is vendored and what is original content. From a PMs point-of-view I'd prefer to have js/libs since then I could just rm -rf public/js/libs and go with that.

Packaging JS-libs separately is going to break though unless you create symlinks all over the place... that's gonna break too since the webserver isn't going to allow following symlinks 😒

[MTecknology]

How about ...?

public/
  css/
  js/
  img/
  ^-- custom stuff covered under 
vendor/
  vendor.json
  ^- upstream location, packaged version (or date + git tag)
  less/
  img/
    emoji/
  js/
    autolink.js
    clipboard.min.js
    emojify.min.js
    semantic.min.js
    ^- no version numbers in file names
  plugins/

Then I get to exclude only public/vendor/ and rebuild it during the build process, which lets me make sure the package meets DFSG. If I can check off that box, then #1524 can get a push in the right direction, and we'd be that much closer to closing #31 and #122.

[MTecknology]

@kwill I did a bit of a rework, as earlier described. I'm struggling to figure out why librejs isn't detecting some scripts like highlight.pack.js and gitgraph aren't being detected as free despite being in librejs.html. I have my copy currently hosted at http://tempgit.lustfield.net:3000/mike/test/graph. Beyond that, it seems like the new structure and update of public/ manages to resolve this issue as well as C0.0 of #1534.

[strk]

Still to be ported to 1.2 branch (before it is finalized)

[MTecknology]

After PR #2374, if there are no other issues from PR #2375, I will create a PR to cherry-pick these changes.

[lofidevops]

Long overdue test results running LibreJS on Gitea Version d545e32 try.gitea.io. Success:

List of accepted JavaScript in https://try.gitea.io/

    This script is detected as free
    https://try.gitea.io/vendor/plugins/cssrelpreload/loadCSS.min.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/cssrelpreload/cssrelpreload.min.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/jquery/jquery.min.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/jquery.areyousure/jquery.are-you-sure.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/autolink/autolink.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/emojify/emojify.min.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/clipboard/clipboard.min.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/vue/vue.min.js
    This script is detected as free
    https://try.gitea.io/vendor/plugins/semantic/semantic.min.js

    Script appears to be free under the following license: Expat License (sometimes called MIT Licensed)

    	/*
    	@licstart  The following is the entire license notice for the
            JavaScript code in this page.

    	Copyright (c) 2016 The Gitea Authors
    	Copyright (c) 2015 The Gogs Authors

    	Permission is hereby granted, free of charge, to any person obtaining a copy
    	of this software and associated documentation files (the "Software"), to deal
    	in the Software without restriction, including without limitation the rights
    	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    	copies of the Software, and to permit persons to whom the Software is
    	furnished to do so, subject to the following conditions:

    	The above copyright notice and this permission notice shall be included in
    	all copies or substantial portions of the Software.

    	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    	AUTHORS OR COPYRIGH…

    Script appears to be free under the following license: Expat License (sometimes called MIT Licensed) -- This script is trivial
    [{"attribute":"onload","value":"this.rel='stylesheet'"}]

    This script is free according to a JS Web Labels page visited recently (at https://try.gitea.io/vendor/librejs.html# )
    https://try.gitea.io/js/index.js?v=d3c4579ed0a3d20038d5e2ff5d1251c2

List of blocked JavaScript in https://try.gitea.io/

    LibreJS did not block any scripts on this page:
        There may be no scripts on this page (check source, C-u).
        All the scripts on this page may be trivial and/or free.
        You may have whitelisted this domain name or url from the preferences (Type about:addons in your location bar to check)
        You may have clicked the "allow all scripts" button, which causes LibreJS to load all JavaScript on a page regardless of whether it is free, trivial, nontrivial or nonfree. This policy is effective for the entire duration of a Firefox session.
        If for any reason you think LibreJS should have blocked JavaScript code on this page, please report this issue to: bug-librejs@gnu.org

Web Labels pages being used for this session

    https://try.gitea.io/vendor/librejs.html