Legal review of Prawn licensing

Context

We want to use prawn, prawn-table, and prawn-svg to build PDF reporting for our security features.

License and Legal considerations

  • Prawn uses the Prawn::Core and MIT licenses for Prawn itself
  • Because of the custom license, we need legal review to confirm compatibility with our products

The Gemfile dependency updates

The proof of concept (PoC) resulted in the following diffs to the Gemfile and Gemfile.lock:

changes to the `Gemfile`

diff --git a/Gemfile b/Gemfile
index e0110794c492ef73ef62acd663f0715c796718c1..3ea336474874a4aca8e2424891f78b8abf59d294 100644
--- a/Gemfile
+++ b/Gemfile
@@ -194,6 +194,11 @@ gem 'hamlit', '~> 2.15.0', feature_category: :shared
 gem 'carrierwave', '~> 1.3', feature_category: :shared
 gem 'mini_magick', '~> 4.12', feature_category: :shared
 
+# PDF generation
+gem 'prawn', feature_category: :shared
+gem 'prawn-table', feature_category: :shared
+gem 'prawn-svg', feature_category: :shared
+
 # for backups
 gem 'fog-aws', '~> 3.26', feature_category: :shared
 # Locked until fog-google resolves https://github.com/fog/fog-google/issues/421.
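Review bot: the three added `gem` lines carry no version constraint, while every neighbouring entry in this hunk pins one (`'~> 1.3'`, `'~> 4.12'`, `'~> 3.26'`); suggest pinning to what the lockfile resolves, e.g. `gem 'prawn', '~> 2.5', feature_category: :shared`, so the version that goes through legal review cannot be silently replaced by a later major release on the next `bundle update`.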
diff --git a/Gemfile.lock b/Gemfile.lock
index 0641355477c90d01c03defe9c0553002d591ce69..87dbef00579953a82c7535f561b24ce5bbde94ea 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1443,6 +1443,7 @@ GEM
     parslet (1.8.2)
     pastel (0.8.0)
       tty-color (~> 0.5)
+    pdf-core (0.10.0)
     peek (1.1.0)
       railties (>= 4.0.0)
     pg (1.5.9)
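Review bot: `pdf-core (0.10.0)` is a newly resolved gem that the issue's license list (prawn, prawn-table, prawn-svg) does not mention; since the legal review has to cover everything this change introduces into the bundle, add pdf-core and its license to the legal issue.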
@@ -1450,6 +1451,17 @@ GEM
       google-protobuf (>= 3.25.3)
     plist (3.7.0)
****     png_quantizator (0.2.1)
+    prawn (2.5.0)
+      matrix (~> 0.4)
+      pdf-core (~> 0.10.0)
+      ttfunk (~> 1.8)
+    prawn-svg (0.36.2)
+      css_parser (~> 1.6)
+      matrix (~> 0.4.2)
+      prawn (>= 0.11.1, < 3)
+      rexml (>= 3.3.9, < 4)
+    prawn-table (0.2.2)
+      prawn (>= 1.3.0, < 3.0.0)
     premailer (1.23.0)
       addressable
       css_parser (>= 1.12.0)
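Review bot: prawn-svg (0.36.2) pulls in `rexml (>= 3.3.9, < 4)` and `css_parser (~> 1.6)`, and prawn pulls in `matrix (~> 0.4)`; css_parser is already required by premailer in this same hunk, but confirm whether rexml and matrix resolve to gems already in the bundle or need to be listed in the legal issue too. Separately, the `****` prefix on the `png_quantizator (0.2.1)` context line is not valid unified-diff syntax and looks like a rendering artifact; it should be a plain space-prefixed context line.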
@@ -1883,6 +1895,8 @@ GEM
     truncato (0.7.13)
       htmlentities (~> 4.3.1)
       nokogiri (>= 1.7.0, <= 2.0)
+    ttfunk (1.8.0)
+      bigdecimal (~> 3.1)
     tty-color (0.6.0)
     tty-command (0.10.1)
       pastel (~> 0.8)
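Review bot: `ttfunk (1.8.0)`, with its `bigdecimal (~> 3.1)` dependency, is another newly resolved gem not named in the issue; it should go on the legal issue alongside the three direct gems so the license review matches what the lockfile actually adds.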
@@ -2262,6 +2276,9 @@ DEPENDENCIES
   pg (~> 1.5.6)
   pg_query (~> 6.0.0)
   png_quantizator (~> 0.2.1)
+  prawn
+  prawn-svg
+  prawn-table
   premailer-rails (~> 1.12.0)
   prometheus-client-mmap (~> 1.2.8)
   pry-byebug
| library | license | notes |
| --- | --- | --- |
| prawn | custom / the Ruby license | "GPLv2 or GPLv3 (see GPLv2 and GPLv3 files), or the conditions below:" |
| prawn-table | custom / the Ruby license | same license as prawn |
| prawn-svg | MIT | |

The Prawn license appears to be a GPL license OR the Ruby license. I believe we fall under and comply with the "or the conditions below" section, as that section is the Ruby license, which is approved.

Relevant Docs

Implementation Plan

Based on the above documentation:

  • Verify that prawn is not already pre-approved software using the list here
  • Create a new legal issue. Make sure to include as many details as possible:
    • What license is the software using?
    • How and where will it be used?
    • Is it being vendored or forked, or will we be using the upstream project?
    • Any relevant links.
  • After the usage has been legal-approved, allowlist the software in the GitLab project. See License Finder commands in the above linked docs.
  • Make sure the software is also recognized by Omnibus. Create a new MR against the omnibus-gitlab project. Refer to this MR for an example of what the changes should look like. You’ll need to edit the following files:
    • lib/gitlab/license/analyzer.rb
    • support/dependency_decisions.yml
Edited by Michael Becker