Yesterday I stumbled upon a rather interesting tidbit of information. I opened Twitter in the middle of a conversation between between Chip Bennett and Ben Cook, and I saw this tweet:

Curiosity piqued, I dug back through the tweets until I found a link to the thread Ben was referring to. It turns out that it is a bug report on the WordPress bug tracking system, opened by user “hakre”:

The wordpress software packages to download form the website contain mostly source-code. But as it’s known, there are files and parts in these, that are binary blobs and w/o their source as specified in the terms of the GNU GPL. According to §1, §2 and §3 of the terms of the GNU GPL v2, the wordpress project must offer full source-code in order to distribute the whole package under GPL. In §3 it’s made more specific what sources are: The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. I was looking over the wordpress homepage but I could not find any information where to obtain the according sources that are missing from the packages – either in full source packages or in it’s additional form. Probably I’ve overlooked something, please help me obtaining such information. – hakre

What hakre was referring to was a specific section of the GNU General Public License v2.0, which is the license that WordPress is released under. The requirements of the license dictate that anyone is free to modify or redistribute the software package, as long as the license itself stays intact, and as long as whoever receives the software package either gets a copy of the source code, an offer in writing that they will make the source code available on request, or a copy of the offer to make said source code available if that is how it was originally offered. Basically either the actual source code must be supplied, or a clear concise guarantee that it can be supplied on demand, must be included with the distribution. For the bulk of WordPress this is no problem and would never be an issue. The core WordPress files are written in php, with some elements in Javascript or html. All 3 of those languages, unless encoded in some special way, run as is straight from the source code. Php and Javascript are “scripting” languages and html is not actually a programming language. If someone wants to see or edit the “source code” for any of those files all they need to do is open them in a text editor and just look at them.

However, what hakre was talking about was the 1 and only executable file* (see hakre’s comment below for clarification) that is currently distributed with WordPress, a file named swfupload.swf, which is located in the wp-includes/js/swfupload directory. It is a Flash file, is not considered editable by normal means, and it is compiled, not in source code form. The concern that hakre raises is quite valid, since without the source code being distributed along with this file it makes it impossible to distribute WordPress as GPL v2 software. This is a Very Big Deal, especially when you consider the rift that Matt Mullenweg created in the WordPress community over the whole issue of what GPL did and did not cover. Almost 2 years ago Matt asked a lawyer from the FSF to back up what Matt was saying, and in the closing paragraph of that post he made the following statement:

So as before, we will only promote and host things on WordPress.org that are 100% GPL or compatible. – Matt Mullenweg

The fact that WordPress can’t follow the license that they are claiming everyone else needs strict adherence to makes all of Matt’s previous pettiness just that much worse.

One of the WordPress contributers, Otto42, closed the ticket when he found it. In fact, he asked the question “What sources are missing?” in the same post, but marked the ticket as “invalid” without bothering to wait for an answer. The thread was then reopened by hakre again, after which Chip Bennett joins the conversation. In a nutshell, it’s a back and forth with Otto arguing that the source code for that file is not required, since WordPress authors did not write it, and since that particular executable is not GPL, and is instead released under the MIT License. The problem with his argument is that it is, of course, dead wrong. The GPL license does indeed allow you to distribute non-GPL licensed software within a GPL package, as long as a) the non-GPL license is less restrictive than the GPL (which the MIT license is), and b) the source code is included (which, again, WordPress is not doing here).

At one point Otto makes the following claim:

As for the GPL, we are under no obligation to provide anything at all. Understand that the people here wrote the code and share a joint ownership of it. The GPL places no obligation whatsoever on the actual copyright holders of the code. They can release it anyway they like. The GPL only applies to licensees of the code in question; the downstream people using and redistributing that code. – Otto42

That of course sums up a bigger core misunderstanding of the situation that makes me wonder if more WordPress contributers are under the same illusion… that the GPL only applies to what other people can do with WordPress, and doesn’t actually apply to the contributers, or to the WordPress Foundation, or to Matt Mullenweg. Maybe all of Matt’s talk of how the GPL embodies all of WordPress’s core values managed to bury the reality of why the GPL was being used for WordPress. The truth is, WordPress is licensed under the GPL v2 because they have no choice in the matter, they have to use it. WordPress, you see, is a derivative of yet another software package, b2/cafelog, which was licensed under the GPL v2 as of March 2nd, 2002.

Otto also is also under the misconception that the following statement in the license covers them:

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code

As a developer I am rather surprised at Otto’s lack of grasp on the IF…THEN… element to that statement. If the executable is being distributed from a remote location, then offering the source at that same location counts as distribution of the source code. An example of an executable being offered from a designated place would be Microsoft distributing software that requires their mfc32.dll to run, and giving you a link to their website where that can be downloaded. WordPress does not say “To use our Flash uploader you will need to download the executable from here“… they distribute that executable with the WordPress package itself, which means, by the terms of the GPL license they are required to follow, that they must offer the source code as well.

The final argument in the bug report relies on the fact that inside one of the Javascript files that are bundled with SWFUpload there several links referenced, and if you follow one of those links and dig around you will eventually find the source code in question. Even this, however, is not actually sufficient. As Otto points out in several places during the discussion, SWFUpload is not in and of itself GPL, and are under no obligation to offer the source code. Therefore that site could disappear altogether and the source code would no longer be available. A link that is not a direct download being mentioned in a Javascript file is not even close to WordPress offering a place for people to download the source code.

Otto is right in one respect though, the flash file in question is under the MIT License. This license is short and sweet, and in it’s entirety reads:

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

That middle line in the license, “The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.”, is non-trivial. It plainly states that a copy of this license must be included with the software. It does not say that “a copy of the notice or a link to it” is required, it clearly states that the notice itself needs to be there… and this notice just happens to be missing from the copy of the software distributed with WordPress. It also happens to be missing from from the thickbox package that is found in wp-includes/js/thickbox as well. The fact that either copy of the license was missing from wherever the WordPress developer who included it in the package got it originally is no excuse for WordPress being non-compliant, either. It is Matt Mullenweg’s responsibility, as the distributor, to ensure that all of the licenses are in line.

There is no question, ever since WordPress included the SWFUpload software without it’s source code, which as near as I can determine started in version 2.5, they have been in clear violation of the very license they have been bashing other people over the head with. Fixing it now will not change the fact that they violated it for years, either. There really is no excuse for this.

Update: I just wanted to include a section in the GPL FAQ that I missed before that is strongly relevant to this discussion, “I downloaded just the binary from the net. If I distribute copies, do I have to get the source and distribute that too?”

Yes. The general rule is, if you distribute binaries, you must distribute the complete corresponding source code too. The exception for the case where you received a written offer for source code is quite limited.

Honestly, it doesn’t get any clearer than that. Mind you, that won’t stop people from trying to argue the point further, but the FSF themselves are very succinct on that point. SWFUpload is a binary that the WordPress developers downloaded from somewhere else and included in their package, the GPL requires that the source code be included. WordPress has been in violation of the GPL for a few years now at least.