Re: [Social-mediagoblin] Fwd: Re: Templates, CSS, Images, JS, licensing


From: Christopher Allan Webber
Subject: Re: [Social-mediagoblin] Fwd: Re: Templates, CSS, Images, JS, licensing
Date: Thu, 21 Apr 2011 15:23:05 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

Brett Smith <address@hidden> writes:

> On Wed, Apr 13, 2011 at 10:27:18PM -0500, Christopher Allan Webber wrote:
>> There's nothing really complex in there yet since I've been working at a
>> mainly lower layer.
>> 
>> This is the most complex thing we have so far, and it's just a macro for
>> cleanly rendering forms lazily:
>> 
>> https://gitorious.org/mediagoblin/mediagoblin/blobs/master/mediagoblin/templates/mediagoblin/utils/wtforms.html
>> 
>> ... but in the future we'll be calling methods like they're python
>> objects.  As an example, you'd probably have something like:
>> 
>>   {% for file in media_entry.attachments() %}
>>     <a href="{{ request.mainstorage.get_url(file.filepath) }}">
>>       {{file.name }}</a>
>>   {% endfor %}
>> 
>> This is a pretty simple example but clearly there's a python call going
>> on with get_url.
>
> Hmm.  So, this is really tricky, because when the templates are this
> powerful, if you just grant them a blanket exception, you run the risk
> of making a loophole in your license.  Anybody who wants to make
> changes to Mediagoblin without sharing them may be able to do so by
> writing the functionality in a separate Python file, and then calling
> it from the templates as appropriate.  Whether or not they succeed may
> depend on relatively detailed criteria like exactly what data was
> passed from Mediagoblin to the template and on to the new code.  But
> declaring the templates to be a separate work at least gives them an
> opening to try to work with.
>
> How realistic do you think it is that some unscrupulous developer
> might try this?

It's totally possible and I never thought about it before.  Jinja2 lets
you do a lot of stuff... you could write tags which import python
modules, whatever.  So in that case, yes, totally possible... you could
even use those templates to do a hell of a lot more.

Honestly I don't think I'm *that* worried about it, but I guess it's
pretty much a huge, gaping loophole.  I didn't realize it would open up
this exception... that wasn't the intent, certainly.

So, this was very helpful.  I think Will and I are both on the side now
of using AGPLv3 for templates.  I don't think it's *too* much else to
ask.  It may be worth archiving this information... I know Will already
wrote some licensing rationale stuff in the docs... could you capture
this change, and why we considered CC0 for the templates and changed it,
Will?  That would be both helpful for us in the future, and maybe other
projects which consider similar things.

 - cwebb

-- 
http://dustycloud.org/


