
Developer Accuses Tencent of Copyright Violation After Python Utility’s License Changed from GPLv3 to BSD

A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.

Sarah Gooding

September 18, 2024


In July, Fay Stegerman, developer of the open source reproducible-apk-tools library, filed a complaint on GitHub accusing Tencent of violating copyright by modifying one of her Python utilities and altering its license. The library is a collection of scripts to help make APKs reproducible.

The violation came to light when the developer noticed that Tencent had used the zipalign.py utility—a part of the larger reproducible-apk-tools library—porting it to Python 2 and replacing the original GPLv3+ license with the BSD 3-Clause license.

GitHub Slow to Respond to DMCA Takedown Request

The issue was first reported by Stegerman in a GitHub issue and later detailed on Mastodon. Four days after reporting the problem to Tencent, Stegerman updated the library’s license to AGPLv3, presumably to strengthen the licensing terms and prevent further misuse or unauthorized modifications.

Tencent not only changed the license but also replaced the copyright notice in their modified version of the code. Even if she had published her code under a more permissive license like BSD instead of GPL, removing the copyright notice would still have been a clear violation of the license terms.

This prompted the developer to file a Digital Millennium Copyright Act (DMCA) takedown request with GitHub. However, the response from GitHub has been slow, leaving the developer waiting for over a month without a clear timeline for resolution.

“To be honest, I'm not sure whether to be more offended by the license/copyright violation or the fact they ported my code to the very much EOL python 2.7,” Stegerman said.

Tencent’s Response: Partial Compliance

After significant attention on social media, Tencent eventually responded to the accusations. They removed the developer's code from the master branch of their repository, though they continued distributing it in earlier releases.

The developer notes that despite Tencent's partial compliance, the issue remains unresolved as the utility is still being distributed in some forms.

After some discussion, Tencent developers concluded that they are unable to use the library under its current license: “Considering the risks to our project with the AGPL license, we are preparing to remove all git histories, tags, and PyPI packages that include the zipalign.py file in the project.”

At this point, simply removing the code from the master branch doesn’t fully resolve the issue. Stegerman advised that the code must also be removed from PyPI, as it was distributed there, and that Tencent should communicate to the users of their packages that contain the zipalign.py utility, as they might unknowingly be in violation as well if they distribute it.

Though a resolution seems to be in progress, this incident highlights the responsibility of companies to respect copyright and software licenses. Violations like this likely go unreported more often than we realize, slipping through unnoticed or uncontested. There’s also an imbalance of power: an individual violator may have their code removed nearly instantly, while complaints filed against large corporations can drag on for months under the guise of “review.”

The GPLv3 license used by the developer requires that any modified versions also remain under the same license. By changing it to the more permissive BSD license, Tencent was allegedly attempting to bypass these terms, potentially infringing on the developer's rights. Changing a license without permission undermines the protections that open source developers put in place to ensure their work remains accessible and freely available under specific terms.

Developers and organizations may also find themselves on the other side of the coin—trying to be compliant but unaware of upstream license issues where a violation or unexpected license change could put them at legal risk.

Socket’s Copyleft License Alert

This recent situation is an example of where Socket’s Copyleft License alert can help teams quickly identify and address potential licensing conflicts before they become a problem, particularly in projects where copyleft licensing could impose incompatible requirements.

Copyleft is a general licensing concept that grants the right to freely use, modify, and distribute software, but with one important condition: any modified versions or derivative works must also be distributed under the same copyleft license. This ensures that all future versions of the software, including any improvements or changes, remain open and freely available.

In essence, copyleft prevents individuals or companies from taking open-source software, modifying it, and then releasing it under a more restrictive license. The most well-known copyleft license is the GNU General Public License (GPL).

Socket alerts users to packages with copyleft licensing, so you can be aware if you’re adding a new dependency or updating to another version. It’s a low-severity alert among other licensing alerts designed to help developers stay compliant and make informed decisions about integrating software with potential legal or distribution obligations.

These licenses can have varying degrees of "copyleft," from strong copyleft (like GPL, which requires all derivative works to use the same license) to weak copyleft (like LGPL and MPL, which allow linking with non-copyleft software). Socket flags both strong and weak copyleft licenses.

If copyleft licensing is a concern for your organization, it’s crucial to know right away if the dependencies you’re adding have such licensing before deeply integrating these libraries into your codebase. Otherwise, you could face a compliance mess to clean up down the road, similar to the recent situation with Tencent detailed above.

Next Steps for Managing Copyleft Dependencies

If you are surprised to discover copyleft software among your dependencies, it's important to immediately assess its impact on your project’s compliance, distribution rights, and how it aligns with your organization’s licensing policies.

1. Review the License Terms:

  • Carefully read the specific copyleft license (e.g., GPL, LGPL, AGPL) of the flagged dependency. Each copyleft license has different requirements on how you can use, modify, and distribute the software.

2. Assess Compatibility with Your Project:

  • Determine if the copyleft license is compatible with your project's licensing and distribution model. For example, some copyleft licenses may require you to make your project’s source code available if you distribute the software.

3. Consult Legal Guidance:

  • If you are unsure about how the copyleft license impacts your project, consult with your organization's legal team or a lawyer familiar with open-source licenses to understand the implications fully.

4. Replace the Dependency:

  • If the copyleft license poses a risk, consider finding an alternative package with a more permissive license (e.g., MIT, Apache 2.0).

5. Isolate the Copyleft Dependency:

  • If you must use the copyleft-licensed dependency, consider isolating it to limit its scope within your project. For instance, using it in a separate module or service can help avoid spreading its license obligations to the entire codebase.

6. Comply with License Requirements:

  • If using the copyleft dependency is necessary, ensure you comply with its licensing requirements, such as providing attribution, making source code changes available, or including the license text with your software distribution.

7. Monitor Future Updates:

  • Keep track of any updates to the dependency and re-evaluate the license with each new version. Socket's alerts can help you stay informed about any changes in licensing terms.

The best course of action depends on your project’s requirements, legal constraints, and how comfortable you are with the obligations imposed by the copyleft license. Identifying and managing these dependencies early can save significant headaches down the line.
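The steps above amount to a repeatable check: classify each dependency’s declared license as strong copyleft, weak copyleft or permissive, and re-check it on every version bump. The script below is an added illustration of that check, not Socket’s implementation; the snapshot format, the package names and the category lists are assumptions for the example, and the constructed sample mirrors the GPLv3-to-BSD change described in the article.

```python
"""Classify dependency licenses and flag copyleft or changed licenses between
two dependency snapshots. Added illustration, not Socket's code; the snapshot
format {name: (version, spdx_id)} and the category sets are assumptions."""
from typing import Dict, List, Tuple

# Hypothetical coarse classification of common SPDX identifiers (assumption;
# an organization's real policy should come from its legal review).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def classify(spdx: str) -> str:
    """Map one SPDX identifier (or an empty string) to a coarse category."""
    if not spdx:
        return "no-license"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in PERMISSIVE:
        return "permissive"
    return "unknown"


def license_alerts(before: Dict[str, Tuple[str, str]],
                   after: Dict[str, Tuple[str, str]]) -> List[str]:
    """Compare two snapshots and return alert strings for newly added copyleft
    dependencies and for any dependency whose declared license changed
    between versions (the re-evaluation step 7 above asks for)."""
    alerts: List[str] = []
    for name, (ver, lic) in sorted(after.items()):
        cat = classify(lic)
        if name not in before:
            if cat.endswith("copyleft"):
                alerts.append(f"{name} {ver}: new dependency is {cat} ({lic})")
            continue
        old_ver, old_lic = before[name]
        if old_lic != lic:
            alerts.append(f"{name} {old_ver}->{ver}: license changed "
                          f"{old_lic or '<none>'} ({classify(old_lic)}) -> "
                          f"{lic or '<none>'} ({cat})")
    return alerts


# Constructed sample snapshots (fictional package names, not real metadata).
BEFORE = {"apk-helper": ("1.0.0", "GPL-3.0-or-later"),
          "httpclient": ("2.31.0", "Apache-2.0")}
AFTER = {"apk-helper": ("1.1.0", "BSD-3-Clause"),
         "httpclient": ("2.32.0", "Apache-2.0"),
         "xmlcanon": ("0.3", "LGPL-3.0-or-later")}

if __name__ == "__main__":
    for line in license_alerts(BEFORE, AFTER):
        print(line)
```

A license that flips from strong copyleft to permissive between versions is exactly the kind of upstream change that deserves a closer look, since the new version may not be legitimately relicensed.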

In addition to the Copyleft alert, Socket also flags packages with no license, packages with non-permissive licenses, packages explicitly marked as unlicensed, and other potentially concerning designations. If you’re not yet using Socket, install our free GitHub app to monitor your projects and take inventory of your dependencies’ licensing status. It will help you avoid costly and painful compliance violations.
