Winamp (the closed source product) contained modified GPL code, violating the GPL #265

Open
kallisti5 opened this issue Sep 26, 2024 · 38 comments

@kallisti5

kallisti5 commented Sep 26, 2024

So wait, the closed-source Winamp contained modified GPL code?

This...

Sure as hell looks like...

However, the sources are modified from the originals. (namely files missing / pruned, etc)
Y'all may want to just re-license as MIT ASAP as a gesture of good faith ... I'm just saying.

@MichaelAgarkov

MichaelAgarkov commented Sep 26, 2024

Imagine if this was the case all those years, and they exposed it by open-sourcing it now. That'd be better than a Seinfeld episode.

@kallisti5
Author

I'm cloning this huge-ass repo now to see if they modified any sources beyond pruning out what they didn't need. It would be pretty ironic for them to release under this weird-ass closed license, but then expose themselves as violating the GPL.

@giantplaceholder

> I'm cloning this huge-ass repo now to see if they modified any sources beyond pruning out what they didn't need. It would be pretty ironic for them to release under this weird-ass closed license, but then expose themselves as violating the GPL.

If needed, here's a copy of the initial state of community branch at the day of the original publication:

https://web.archive.org/web/20240924143858if_/https://codeload.github.com/WinampDesktop/winamp/zip/refs/heads/community

@kallisti5
Author

Oops. Someone at winamp realized it an hour ago, and removed the sources from the community repo:

it still exists in main though:

@ulysses-sl

ulysses-sl commented Sep 26, 2024

@kallisti5 Here you go, a permalink

@davidbitterlich

> However, the sources are modified from the originals. (namely files missing / pruned, etc) Y'all may want to just re-license as MIT ASAP as a gesture of good faith ... I'm just saying.

This won't happen. They don't care about the fact that their license is bullshit, that their license is in conflict with GitHub's ToS and that they violate various licenses. They even distributed protected code from Dolby and others...

@LightYagami28

I'm going to write a DMCA

@kallisti5
Author

Alright, I checked the source code between their vendored copy of libdiscid, and the upstream one:

Here's the only addition they made to libdiscid (I'm omitting the tens of thousands of prunes / removals of stuff they didn't use):

diff -Naur libdiscid-0.6.2/include/discid/discid.h /home/kallisti5/Code/winamp/Src/external_dependencies/libdiscid-0.6.2/include/discid/discid.h
--- libdiscid-0.6.2/include/discid/discid.h	2017-01-29 06:49:03.000000000 -0600
+++ /home/kallisti5/Code/winamp/Src/external_dependencies/libdiscid-0.6.2/include/discid/discid.h	2024-09-26 11:49:35.129688303 -0500
--
 #endif
 
-#define DISCID_VERSION_MAJOR 0
-#define DISCID_VERSION_MINOR 6
-#define DISCID_VERSION_PATCH 2
-#define DISCID_VERSION_NUM 602
+#define DISCID_VERSION_MAJOR @libdiscid_MAJOR@
+#define DISCID_VERSION_MINOR @libdiscid_MINOR@
+#define DISCID_VERSION_PATCH @libdiscid_PATCH@
+#define DISCID_VERSION_NUM @libdiscid_VERSION_NUM@
 
 #ifdef __cplusplus
   extern "C" {
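
Review bot: The four `+` lines define DISCID_VERSION_MAJOR, DISCID_VERSION_MINOR, DISCID_VERSION_PATCH and DISCID_VERSION_NUM as `@libdiscid_...@` placeholders, which are not valid C tokens, so any translation unit that uses these macros from this discid.h will fail to compile unless a build step substitutes them first. If the file is meant to be a template, keep it under a separate template name and generate discid.h from it; otherwise keep the literal values 0, 6, 2 and 602. Nothing in the visible lines records that the file differs from the libdiscid-0.6.2 original, so a short comment next to this block stating what was changed and when would make the modification auditable.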

It's ✨ technically ✨ a GPL violation, but not a massive one.
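
The vendored-versus-upstream comparison described in the comment above can be scripted so that pruned files, real modifications and missing licence files are reported separately. This is an added example, not part of the thread or of any project discussed in it; the function names, the `LICENSE_NAMES` list and the two sample trees are constructed assumptions.

```python
"""Added example: classify differences between an upstream and a vendored tree."""
from __future__ import annotations

import tempfile
from pathlib import Path

# File names that usually carry the licence text (assumed list, extend as needed).
LICENSE_NAMES = {"copying", "copying.lib", "copying.lesser", "license", "license.txt"}


def list_files(root: Path) -> set[str]:
    """Relative POSIX paths of every regular file under root."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def normalized(path: Path) -> bytes:
    """File content with CRLF folded to LF, so a Windows checkout is not flagged."""
    return path.read_bytes().replace(b"\r\n", b"\n")


def audit_vendored(upstream: Path, vendored: Path) -> dict[str, list[str]]:
    """Split the differences into pruned, added, modified and missing licences."""
    up, ven = list_files(upstream), list_files(vendored)
    licenses = {p for p in up if Path(p).name.lower() in LICENSE_NAMES}
    return {
        "pruned": sorted(up - ven),
        "added": sorted(ven - up),
        "modified": sorted(p for p in up & ven
                           if normalized(upstream / p) != normalized(vendored / p)),
        "license_missing": sorted(licenses - ven),
    }


def demo() -> dict[str, list[str]]:
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        up, ven = Path(tmp, "upstream"), Path(tmp, "vendored")
        files_up = {
            "COPYING": "licence text (constructed placeholder)\n",
            "include/lib.h": "#define LIB_VERSION 1\n",
            "src/lib.c": "int f(void) { return 1; }\n",
            "test/test.c": "int main(void) { return 0; }\n",
        }
        files_ven = {
            # Real content change: literal replaced by a template placeholder.
            "include/lib.h": "#define LIB_VERSION @LIB_VERSION@\n",
            # Line-ending change only: must not be reported as modified.
            "src/lib.c": "int f(void) { return 1; }\r\n",
        }
        for root, files in ((up, files_up), (ven, files_ven)):
            for rel, text in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(text.encode())
        return audit_vendored(up, ven)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point `audit_vendored` at an unpacked upstream release and the vendored directory; only the `modified` and `license_missing` lists need manual review.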

@kallisti5
Author

kallisti5 commented Sep 26, 2024

WAIT! Another contender appears!

The header mentions including a full copy of the GPL license (which they didn't do)

vcedit.c / vcedit.h seems to be a much older version of:

@ulysses-sl

ulysses-sl commented Sep 26, 2024

FSF guys are known to really whip the llama's ass on the technicality, so... yeah.

(Edit: Otherwise, they won't have the case for enforcing their licenses. Just like how copyright enforcement works.)

@kallisti5
Author

kallisti5 commented Sep 26, 2024

> FSF guys are known to really whip the llama's ass on the technicality, so... yeah.

Just to call out.. I wouldn't care, or be interested in picking things apart if they just open sourced it under "some" (namely any) somewhat open-source license.

The whole "this is our thing, you can look but not touch unless you want to work for us for free" just rubs me the wrong way. 😆

@giantplaceholder

giantplaceholder commented Sep 26, 2024

New addition:
https://github.com/WinampDesktop/winamp/blob/community/Src/Plugins/Input/in_mod/fir_proc.cpp (GPLv2 or later, LICENSE or COPYING is nowhere to be found)

@MichaelAgarkov

From what I see the code is littered with copyright violations. How dumb do they have to be to publish this?

@giantplaceholder

giantplaceholder commented Sep 26, 2024

And more:

https://github.com/WinampDesktop/winamp/blob/community/Src/Plugins/Encoder/enc_lame/BladeMP3EncDLL.c (GPLv2 or later, no LICENSE or COPYING is present)
https://github.com/WinampDesktop/winamp/blob/community/Src/Plugins/Encoder/enc_vorbis/ogg/include/ogg/ogg.h (goes to the Vorbis one)
https://github.com/WinampDesktop/winamp/tree/community/Src/Plugins/Encoder/enc_vorbis/Libs (in binary form without corresponding licenses and/or source)

@ulysses-sl

ulysses-sl commented Sep 26, 2024

> Just to call out.. I wouldn't care, or be interested in picking things apart if they just open sourced it under "some" (namely any) somewhat open-source license.

A lot of people seem to feel the same. It wouldn't have triggered my morbid curiosity enough to fetch dependencies and do recursive diffs if there weren't any copyright troll clauses in their license, specifically.

From how it's worded, if you use your own unpublished code snippet to contribute to Winamp, they will obtain the copyright for your code, and then they may attempt (emphasis on "attempt") to sue you if you publish your own version elsewhere later. That's just wrong.

@kallisti5
Author

It's absolutely possible they could have "used GPL code", and mentioned it in an about window (and linked to the GPL code they compiled the application with), so every reference of GPL may not be a violation of the GPL... however I'm not seeing anything fitting that in the source code.

@giantplaceholder

giantplaceholder commented Sep 26, 2024

> It's absolutely possible they could have "used GPL code", and mentioned it in an about window (and linked to the GPL code they compiled the application with), so every reference of GPL may not be a violation of the GPL... however I'm not seeing anything fitting that in the source code.

Linking is one thing. Including modified versions of GPL-licensed code in your commercial product - or even shipping unmodified GPL-licensed code without a copy of a license or with a license header removed - is another.

Moreover, including parts of the GPLv2-licensed code in your product whilst licensing the product itself under proprietary restrictive license is legally dubious at best.

@ulysses-sl

ulysses-sl commented Sep 26, 2024

And if they haven't bothered to read the very first point of T&C (include the source code in its entirety, as well as the copy of the license text), I wonder if they would have taken that extra step of mentioning it anywhere.

@ulysses-sl

ulysses-sl commented Sep 26, 2024

Oof, one more I found (permalink)

> libvpx
>
> We take libvpx from https://github.com/ShiftMediaProject/libvpx, modify it, and pack it to archive.
> [...]
>
> libmpg123
>
> We take libmpg123 from https://www.mpg123.de/download.shtml, modify it, and pack it to archive.
> [...]

In the previous version of README.md, they specifically mention that they take and modify all of their dependencies for their builds, listing almost every single one.

Curiously, the only dependency that was not mentioned here was libdiscid, which is under LGPL and the only one that has an additional baggage coming with modification. Its source code was certainly modified like others. Coincidence or admittance of guilt?

@KingDuckZ

I have received confirmation from user DiffieHellman on IRC liberachat #fsf that as per what's been said so far:

> Yep, winamp confirmed to have been infringing the GPLv2, LGPLv2 and LGPLv2.1 all this time
> I would argue that everyone is free to delete the current proprietary license and go with the GPLv2
> The licensing is really a complete mess and it'll take serious analysis to work out which licenses apply, but what I can see, the current proprietary license is not compatible with either the; LGPLv2, LGPLv2.1, GPLv2 or MPLv1.1
> It'll take a lot of work to track down the license headers, as I'm seeing a lot of deleted license headers - which is a serious copyright violation.
> Src/Plugins/Visualization/vis_avs/evallib/bison shows traces of GNU bison

So as I understand, this should solve #16 and #6 as the real licence of Winamp is GPLv2. If I'm correct, then this is free software and this whole discussion about the bad licence is moot. It may still be necessary to strip away the Dolby stuff and the rest of the copyrighted code.

User DiffieHellman also asked me to remind you all:

> please stop surrendering your freedom to microsoft

I can only +1 that. Thank you all.

misleadingname added a commit to misleadingname/winamp-relicense that referenced this issue Sep 26, 2024:

Relicense from WTFPL to GPLv2 to attempt resolving WinampDesktop#265

@nukeop

Linking against GPLv2 libraries doesn't require releasing your own code under GPLv2.

> So as I understand, this should solve #16 and #6 as the real licence of Winamp is GPLv2. If I'm correct, then this is free software and this whole discussion about the bad licence is moot. It may still be necessary to strip away the Dolby stuff and the rest of the copyrighted code.

No, you don't understand how licensing works.

@KingDuckZ

@nukeop I advise you ask the friendly people on #fsf, I'm not the expert here. But I'll admit that yes, I think the difference between GPL and LGPL is that if you link to the former you have to be GPL-compatible as well, no idea if I'm right or not. My code is usually all GPL so I rarely face this problem.

@morsik

morsik commented Sep 26, 2024

@nukeop you're wrong -> https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic

GPLv2 poisons also linked application, both dynamically or statically linked. And I know that also because on our project we had these problems for many years, and technically we're moving that problem to our players (as it's q3engine-based game) and the players technically violate that license and load custom game modules which are not GPL[1]

LGPL allows linking though, and you've mistaken GPL with this one.


[1] if anyone interested why players (non)intentionally violate GPL license on our game is... it's fork of Enemy Territory: Wolfenstein which had its own SDK license from closed-source times, but later released as GPLv3 - so it's dual licenced, but since our game is GPLv3 fork and old mods use old ET SDK license, technically those two are not compatible, so legally speaking, players can't load ET SDK-licensed mods with GPLv3 game engine. Although this topic was never solved because mods are not even dynamically linked, but dynamically loaded, so... maybe I'm mistaken now?! But apparently I'm correct according to FSF. I think similar issue would be with any Q3engine-based game later released as GPL.

@Trolldemorted

Trolldemorted commented Sep 26, 2024

> So as I understand, this should solve #16 and #6 as the real licence of Winamp is GPLv2.

Iirc licenses don't magically change like that. Any author of a GPL dependency can choose to go to court and enforce the application of the GPL (which might result in more software being released under GPL), but they don't have to.

Nevertheless I'd love to see this in court 🍿

@KingDuckZ

@morsik thanks for clarifying, though I don't think "poisons" is the right term here

Here's what I'm being told:

> @nukeop Yes, derivative works of GPLv2-only works can be licensed under the GPLv2-only, GPLv2-or-later or even under a compatible license like MIT expat or 3-clause BSD - but the work as a whole must be GPLv2-only. Please read section 2b of the GPLv2; https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html and I suggest afterwards all of it. #265
>
> @morsik The GPLv2 rather defends against proprietary poisoning by ensuring the software remains free. The LGPLv2.1 is a set of exceptions on top of the GPLv2, which allows putting derivative works under the license of your choice provided that license doesn't restrict the library itself (the user needs to be able to modify and relink the library, either via a dynamic link or provided object files) and also allows reverse engineering the proprietary parts to debug modifications to the library. Many proprietary licenses and "EULAs" have terms that infringe the LGPLv2.1's requirements; https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html

@morsik

> though I don't think "poisons" is the right term here

@KingDuckZ I don't know either, I'm non english-native and I found that term ("GPL-poisoning") years ago and it fits pretty nicely to what GPL does - or rather - how it poisons other software licenses in specific ways :D

@nukeop

While FSF claims that this GPL also affects linking, it has never been tested in court, and it's not clear or definitive that it would hold up. A license might not have the power to require that. In fact there's precedence (Google v Oracle).

@KingDuckZ

Well I'd say "poison" has a negative connotation in most languages, being it something that is toxic and potentially deadly and all the rest. GPL is good for freedom, so I wouldn't associate something that is good for the larger audience with something that is toxic and dangerous. I'm sure there are better ways to express what you meant to say in a less derogatory way @morsik

@morsik

morsik commented Sep 26, 2024

@nukeop "Google vs. Oracle" was about using public APIs and recreating code from scratch just based on exported APIs names. Here in European Union we call that "interoperability", and it's given to us by law.

This is clear copyright infringement because Winamp used actual GPL source code in its engine. Not just exported API/headers for which code was recreated from scratch by Winamp devs.

So that's not a precedence, as it was entirely different case.

@Aerocatia

@morsik GPL is a distribution license not a user license, so what users link with on their own does not break the license.
It only concerns distributing it as a complete package. Winamp is in violation here because everything was released in one installer, and again in one github repo.

@nukeop It does, because the area of issue is that Winamp was released with all of this incompatible code in one package.

How a user runs a GPL program after getting it is not restricted by the license. You can have a GPL media player load incompatible plugins and not break any license, it would only become a problem if you tried to release it as one product. (You have to make people get the incompatible stuff separately to respect the license)

@morsik

> GPL is a distribution license not a user license

@Aerocatia: oh lol thanks... I've never considered this :D So my mystery finally solved!

@Aerocatia

@morsik yeah people often misunderstand this. Here is a source for future reference. https://www.gnu.org/licenses/gpl-faq.html#GPLAndPlugins

> A main program that is separate from its plug-ins makes no requirements for the plug-ins.

So the GPL only kicks in if it is "combined" and not "separate". Loading ET SDK licensed works obtained separately would be fine, distributing them with GPL code would not.

@3doplayer67484

there's so many violations of the GPL at this point they might as well relicense the whole thing to BE GPL

@Aerocatia

It would be the easiest way out of this mess.

@morsik

@3doplayer67484 @Aerocatia not really, as there are other parts/libraries in this which are not GPL-compatible 🤣

@KingDuckZ

It needs cleaning, it'd be good to have an official fork to begin with, so that

  1. we can get rid of the spam
  2. it can be cleaned from the proprietary blobs and the non-free crap
  3. it can be ported to Linux so I can start caring :)

@LWSS

LWSS commented Sep 27, 2024

eh does this really matter? The software's about dead right?

This just proves that most people ignore licenses and paste away. If you release your code to the public, it's basically public domain until you take them to court. It's also meaningless unless they're a big company like Sony or Cisco, and you have legal resources.

@ReinventingTheSquareWheel

@morsik
> it fits pretty nicely to what GPL does - or rather - how it poisons other software licenses in a specific ways

Separate merely aggregated software under separate licenses are in no way impacted by either the GPLv2 or GPLv3.
It's only if you make the explicit choice to make a derivative work of the software that the requirements of ensuring that the software remains free apply - as a result, the GPLv2 and GPLv3 spreads freedom like a spider plant, instead of like a virus or a "poison" - if you don't want the freedom to spread, there is always the legal option of not using the software.

@nukeop
> While FSF claims that this GPL also affects linking, it has never been tested in court, and it's not clear or definitive that it would hold up. A license might not have the power to require that. In fact there's precedence (Google v Oracle).

The FSF has been raring to go to court over this for years - it's just that nobody has been dumb enough to be ready to lose and set the precedence.
The google via oracle case is not relevant, as google didn't copy a meaningful amount of oracle's code - they merely re-implemented their API.
If you were to re-implement the API of a GPLv2 library via clean room reverse engineering and then delete the GPLv2 library and use your library instead, that would be perfectly legal - but that is not what has happened.

@Aerocatia
> GPL is a distribution license not a user license, so what users link with on their own does not break the license.
> It only concerns distributing it as a complete package. Winamp is in violation here because everything was released in one installer, and again in one github repo.

Please actually read the GPLv2; https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Although the user is given copyright permission to do whatever they want with privately, that only applies to private usages; https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourcePostedPublic
If you made a derivative work of a GPLv2 library by linking with it and then distributed that derivative work, there is no legal difference if you distribute both in one repo, or both in two different repos with instructions to put the two together - as both are clearly two parts of one whole.

> How a user runs a GPLv2 program after getting it is not restricted by the license. You can have a GPLv2 media player load incompatible plugins and not break any license, it would only become a problem if you tried to release it as one product. (You have to make people get the incompatible stuff separately to respect the license)

The user would be free to program their own plugins under whatever license, but distributing the resulting derivative works is only allowed if the license terms of such plugins are compatible with the GPLv2.
The plugins are clearly not separate works if they only actually operate with specific software.

> So the GPL only kicks in if it is "combined" and not "separate". Loading ET SDK licensed works obtained separately would be fine, distributing them with GPL code would not.

You cut off the important first sentence; If the main program and the plugins are a single combined program then this means you must license the plug-in under the GPL or a GPL-compatible free software license and distribute it with source code in a GPL-compliant way.
Before jumping to that conclusion, you must first determine if the works are actually separate, or are just one larger program; https://www.gnu.org/licenses/gpl-faq.html#GPLPlugins
The winamp plug-in mechanism doesn't appear to be a simple fork() and exec() - it appears to be a runtime linking mechanism for libraries.

@LWSS
> This just proves that most people ignore licenses and paste away. If you release your code to the public, it's basically public domain until you take them to court. It's also meaningless unless they're a big company like Sony or Cisco, and you have legal resources.

Public domain specifically means not copyrighted. If you release your code to the public, unless you've validly released it to the public domain, it is copyrighted.
Yes, proprietary software developers will relentlessly infringe your copyright unless you enforce your license.
Cisco has been sued for copyright infringement by the FSF previously (who has limited funds) and they chose to comply with the GPLv2 and settle rather than dragging the case out (even big companies can't drag such kind of case out for long, as it's really an open and shut case - either the company has a license to distribute the software and they need to point out which one, or they're distributing the software in intentional infringement of the copyright).

--
Posted without falling into the JavaScript Trap; https://www.gnu.org/philosophy/javascript-trap.html
