Aggregated or minified GPL'd assets must document a source for the original file

Created on 16 November 2022, over 2 years ago
Updated 4 April 2024, about 1 year ago

Problem/Motivation

For assets which are licensed under the GPL and "distributed" to the end-user's web browser, Drupal is required to facilitate access to the corresponding source code in "the preferred form of the work for making changes in it", which is not currently the case if those assets are aggregated and/or minified.

This is a follow-up to #2258313-107: Add license information to aggregated assets (and also the earlier discussion in comments #93 and #94 of the same).

That issue was for adding license information to the aggregated assets, but the GPL furthermore requires that users have access to the source code when a GPL'd program has been distributed, and JavaScript assets (at minimum) are "distributed" by necessity (to the end-user's machine, where they are executed).

The fact that the user has (again, by necessity) access to the minified and/or aggregated derivative version of the code which is actually being executed is not sufficient for that requirement of the license, as the GPL defines source code as "the preferred form of the work for making changes in it"; so whenever such assets are aggregated and/or minified, it is necessary to ensure that the un-aggregated un-minified original files are also available if requested.

Thanks to the preceding issue, we have @license values for these assets and, along similar lines, Section 3.2.4 "Stylized comment" near the bottom of https://www.gnu.org/software/librejs/free-your-javascript.html recommends the use of a @source value to indicate how to access the corresponding source code, so I believe a header comment for all aggregated or minified files should display a @source value for each GPL'd asset, providing access to the original source file.

At present I'm seeing examples like the following in core/core.libraries.yml:

ckeditor5.editorClassic:
  remote: https://github.com/ckeditor/ckeditor5
  version: "35.3.1"
  license:
    name: GNU-GPL-2.0-or-later
    url: https://raw.githubusercontent.com/ckeditor/ckeditor5/v35.3.1/LICENSE.md
    gpl-compatible: true
  js:
    assets/vendor/ckeditor5/editor-classic/editor-classic.js: { minified: true }
  dependencies:
    - core/ckeditor5

It has been suggested that the remote value could be used as a @source value, however the GPL further requires that the source code be the "complete corresponding machine-readable source code" -- i.e. that users have the ability to inspect the sources for the specific code that Drupal would cause them to execute -- so I believe it's not adequate to simply link to a remote repository (unless, perhaps, that link is pinned to the specific revision that was used).

(I do agree completely that the remote value should be provided though, along with version, and that in practice that combination is probably the most helpful thing for most end-users who are wanting the source; but I believe that would be an addition to the solution, rather than the solution itself.)

By my reading of https://www.gnu.org/licenses/gpl-faq.html#MustSourceBuildToMatchExactHas... and https://www.gnu.org/licenses/gpl-faq.html#SourceAndBinaryOnDifferentSites it's Drupal's responsibility to (at least endeavour to) ensure that users are provided with an obvious way of accessing the corresponding source for the specific code they are running, and that this is the case regardless of the availability of the remote source; so I think that by preference, wherever possible, Drupal should be able to serve these source files on request.

Therefore, as well as a path for a minified file, I think these libraries.yml files should also be declaring a local path for the original source code file, and then Drupal can supply that as a @source URL (in addition to mentioning the remote value) in the comments for these assets.

Looking again at core/core.libraries.yml, it seems to me that none of the examples with minified files include a path for a non-minified variant of the file. I've tried to figure out what the equivalent for "variants" in the older https://git.drupalcode.org/project/libraries/-/blob/94c7904d86536ddcb598... is, but it seems to me that at present this isn't accounted for at all, so I believe that needs to be added (offhand I'd suggest a source: attribute for each file).

Steps to reproduce

The only step is to look for @source comments in the aggregated JS: is there any link to the original corresponding source code, in the preferred form of the work for making changes in it, for any asset which is licensed under the GPL and which has been modified by aggregation and/or minification in the version being used by Drupal?

Proposed resolution

  • *.libraries.yml files should declare a source path for each asset file licensed under the GPL, or any other license which is equivalent in the respects being discussed here (but maybe just as standard). The previous example might then look like the following (but the specifics are entirely up for discussion, and in this particular example I've messed with the path of the minified JS file in order to rename it to *.min.js instead of just *.js, as one generally expects for minified code. Comment #3 also suggests we may be able to obtain these source URLs in a different manner):
    ckeditor5.editorClassic:
      remote: https://github.com/ckeditor/ckeditor5
      version: "35.3.1"
      license:
        name: GNU-GPL-2.0-or-later
        url: https://raw.githubusercontent.com/ckeditor/ckeditor5/v35.3.1/LICENSE.md
        gpl-compatible: true
      js:
        assets/vendor/ckeditor5/editor-classic/editor-classic.min.js: {
          minified: true,
          source: assets/vendor/ckeditor5/editor-classic/editor-classic.js
        }
      dependencies:
        - core/ckeditor5
    
  • Aggregated asset files should contain comments indicating a corresponding @source URL for the source value declared in the associated *.libraries.yml file. This might look something like the following:
    /**
     * @license GNU-GPL-2.0-or-later https://www.drupal.org/licensing/faq
     * @source https://www.example.com/core/assets/vendor/ckeditor5/editor-classic/editor-classic.js
     */
    
  • Aggregated asset files should additionally contain comments indicating the remote and version values (if any) included in the associated *.libraries.yml file. E.g.:
    /**
     * @license GNU-GPL-2.0-or-later https://www.drupal.org/licensing/faq
     * @source https://www.example.com/core/assets/vendor/ckeditor5/editor-classic/editor-classic.js
     * @remote https://github.com/ckeditor/ckeditor5
     * @version 35.3.1
     */
    

Noting that at present we just have the following comment:

/* @license GNU-GPL-2.0-or-later https://www.drupal.org/licensing/faq */

These existing comments appear repeatedly through the aggregated content, prefixed to each of the sections of aggregated content, rather than all together at the top of the aggregated file. I think it's fine to continue with that approach, so I think we just want to add the new information to the existing comment output, as shown in the list items above.

Remaining tasks

  • Implement *.libraries.yml support for source
  • Ensure that all GPL'd core libraries include the corresponding source code files in any cases where currently only minified files are included
  • Declare the source value in *.libraries.yml for each of those libraries
  • Implement @source comments during aggregation when a source value is available.
  • Implement @source comments during aggregation when a remote value is available.
  • Re-use as @source the URL for the file which is being aggregated in cases where all of the following apply: (a) the library has a GPL license; (b) the library is missing a source value; and (c) the library does not have minified: true.
  • Add status report errors for any GPL'd libraries where it was not possible to add a @source.

User interface changes

N/A

API changes

N/A

Data model changes

Addition of source to the *.libraries.yml specifications.

Release notes snippet

TODO.

📌 Task
Status

Active

Version

11.0 🔥

Component
Asset library

Last updated 3 days ago

No maintainer
Created by

🇳🇿 New Zealand jweowu
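
The decision rules listed under "Remaining tasks" in the issue summary, written out as an added PHP sketch; it is not Drupal core code and not the issue author's. The `source` key is the attribute proposed in this issue, while the function names, the `GNU-GPL` prefix test, the comment escaping and the base URL are assumptions made for illustration.

```php
<?php
// Added illustration, not Drupal core code; all function names are hypothetical.
function is_gpl(array $library): bool {
  // Assumption: GPL licenses are named with a "GNU-GPL" prefix, as in the issue.
  return str_starts_with($library['license']['name'] ?? '', 'GNU-GPL');
}

function comment_safe(string $value): string {
  // Metadata must not close the comment early or spill onto another line.
  return str_replace(['*/', "\r", "\n"], ['* /', ' ', ' '], $value);
}

// Returns [header comment, status-report error or NULL] for one JS file.
function build_asset_header(string $name, array $library, string $path, string $base_url): array {
  $options = $library['js'][$path] ?? [];
  $license = $library['license'] ?? [];
  $lines = ['@license ' . trim(($license['name'] ?? 'UNKNOWN') . ' ' . ($license['url'] ?? ''))];
  $error = NULL;
  if (!empty($options['source'])) {
    // A declared source file always wins.
    $lines[] = "@source $base_url/" . $options['source'];
  }
  elseif (is_gpl($library) && empty($options['minified'])) {
    // GPL, no source declared, not minified: the served file is the source.
    $lines[] = "@source $base_url/$path";
  }
  elseif (is_gpl($library)) {
    // Minified GPL asset with no source: surface it on the status report.
    $error = "$name: no @source could be determined for $path";
  }
  foreach (['remote', 'version'] as $key) {
    if (!empty($library[$key])) {
      $lines[] = "@$key " . $library[$key];
    }
  }
  return ["/**\n * " . implode("\n * ", array_map('comment_safe', $lines)) . "\n */", $error];
}

// Constructed sample definitions mirroring the ckeditor5.editorClassic entry.
$dir = 'assets/vendor/ckeditor5/editor-classic';
$gpl = ['name' => 'GNU-GPL-2.0-or-later', 'url' => 'https://www.drupal.org/licensing/faq'];
$with_source = ['remote' => 'https://github.com/ckeditor/ckeditor5', 'version' => '35.3.1', 'license' => $gpl,
  'js' => ["$dir/editor-classic.min.js" => ['minified' => TRUE, 'source' => "$dir/editor-classic.js"]]];
$without_source = ['license' => $gpl, 'js' => ["$dir/editor-classic.js" => ['minified' => TRUE]]];

foreach (['with_source' => $with_source, 'without_source' => $without_source] as $name => $library) {
  [$header, $error] = build_asset_header($name, $library, array_key_first($library['js']), 'https://www.example.com/core');
  echo $header, "\n", $error ?? 'ok', "\n";
}
```

The first definition yields the four-line header shown in the proposed resolution; the second, which matches how the entry is declared today, yields only the `@license` line plus a status-report message.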


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States mfb San Francisco

    I circled back to working on LibreJS module for Drupal 10/11 (still slowly bringing it up to feature parity with the Drupal 7 version :)

    Including remote in the array of JS metadata (as the license metadata currently is) would allow me to clean up and simplify some LibreJS code.

    And adding a source: attribute for each JS file would be perfect for all the minified libraries that are (somewhat surprisingly :) still part of core (jquery, jquery.ui, etc.)

    So this issue would still be super useful for me! If there is anyone looking for a project this summer or what have you (and it's on my list if I find some time)
