Non-free dependency discovered in Forgejo and removed

On 18 July 2024, a small piece of non-Free Software was discovered within the Forgejo codebase. It is only used to display the top authors contribution graph (which is part of the repository activity) in the web interface. A replacement was implemented and merged on 20 July 2024. This piece of non-Free Software is no longer contained in the v8.0.0 release and the v7.0.6 point release.


During a discussion about the future of Forgejo’s license, it was discovered that a non-free dependency of a dependency initially created for Gitea was loaded into the project.

The usage of the non-free dependency was reported in the main issue tracker on 18 July. A few hours later, a pull request was opened to remove the dependency. In addition, a discussion was created to track the problem and the resulting consequences as a whole. The pull request was merged just over one day after the initial submission.

The dependency already existed at the time of the fork from Gitea and was therefore included in Forgejo from the beginning. The commitment of Forgejo is to always be free as in freedom, open source and a community-first product. Non-free dependencies and distribution licenses are incompatible with the values of Forgejo. Therefore, it was of high importance to remove the problematic dependency.

The release of 8.0.0 was therefore blocked until the problem was solved. The removal of the binary was also ported to 7.0.6.

Additionally, the author of the dependency and Gitea were informed of the non-free subdependency.

In order to rule out further infringements, an improved tool was introduced to check the licenses of all dependencies. It runs in the CI and fails if an incompatibility is found. Because the new tool works more precisely, more licenses may be included in the license.txt, including those of dependencies that are removed in the build process. This is the safer choice compared with missing licenses from dependencies in the end.
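A sketch of this kind of CI check, as an added example that is not Forgejo's tool or code from the original post: it walks the full dependency tree, fails closed on any license outside an allowlist, and reports the chain that pulled each offender in. The package names, licenses, allowlist and the flat `node_modules` layout are all assumptions constructed for the illustration.

```javascript
// Constructed sample shaped like the "packages" map of an npm lockfile.
// Package names, licenses and the allowlist are assumptions for this example.
const lock = { packages: {
  "": { dependencies: { "chart-widget": "^1.0.0", "diagram-lib": "^2.0.0" } },
  "node_modules/chart-widget": { license: "MIT", dependencies: { "anim-engine": "^3.0.0" } },
  "node_modules/anim-engine": { license: "SEE LICENSE IN LICENSE.md" },
  "node_modules/diagram-lib": { license: "MIT",
    dependencies: { "layout-core": "^0.9.0", "tiny-util": "^1.0.0" } },
  "node_modules/layout-core": { license: "EPL-2.0" },
  "node_modules/tiny-util": { license: "(MIT OR GPL-3.0-only)" },
} };
const ALLOWED = new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]);

// Evaluate a simple SPDX expression: any OR alternative passes if all of its
// AND terms are allowlisted. Missing, free-text or nested expressions fail closed.
function licenseAllowed(expr) {
  if (typeof expr !== "string" || expr.trim() === "") return false;
  let flat = expr.trim();
  if (flat.startsWith("(") && flat.endsWith(")")) flat = flat.slice(1, -1);
  if (/[()]/.test(flat)) return false;
  return flat.split(/\s+OR\s+/).some((alt) =>
    alt.split(/\s+AND\s+/).every((id) => ALLOWED.has(id.trim())));
}

// Breadth-first walk from the direct dependencies, keeping the chain that
// pulled each package in so an indirect offender can be traced to its parent.
function findViolations(lockfile) {
  const pkgs = lockfile.packages;
  const violations = [];
  const seen = new Set();
  const queue = Object.keys(pkgs[""].dependencies || {}).map((n) => [n]);
  while (queue.length > 0) {
    const chain = queue.shift();
    const name = chain[chain.length - 1];
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = pkgs["node_modules/" + name] || {}; // absent entry: no license
    if (!licenseAllowed(entry.license)) {
      violations.push({ name, license: entry.license || null, chain });
    }
    for (const dep of Object.keys(entry.dependencies || {})) queue.push([...chain, dep]);
  }
  return violations;
}

const violations = findViolations(lock);
for (const v of violations) {
  console.log(`${v.chain.join(" > ")}: license "${v.license}" is not allowed`);
}
const exitCode = violations.length > 0 ? 1 : 0; // a CI job would exit with this
```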

Because GSAP, the indirect dependency, is not Free Software, it cannot be distributed in the Forgejo organization hosted by Codeberg. It is prohibited by the Codeberg Terms of Use and goes against the Forgejo core values. The Forgejo binaries and container images will be deleted. It will take some time, since the technical impact on existing Forgejo instances that depend on them has to be carefully addressed.


During the investigation, two other indirect dependencies with incompatible licenses were found.

One is a dependency which was used for citing a repository in APA format (if the repository is set up for this) and has been removed for the moment. It has a more restrictive, copyleft license which is incompatible with the current license of Forgejo. Repositories can therefore currently only be cited in the widely used BibTeX format. As Forgejo decided to accept copyleft licenses last year, this dependency may be added again in the future.

The other is elkjs, which is included by Mermaid. It also has a more restrictive, copyleft license which is incompatible with the current license of Forgejo. Since elk as a renderer is experimental so far, it was decided to remove elk manually. If you decide to set elkjs specifically as a renderer, an error now occurs. This is currently the only solution for the license issue.