Twenty Nineteen: missing license information for assets

[poena]

The themes readme.txt file is missing license and copyright information
for the bundled svg icons.

In twentynineteen\classes\class-twentynineteen-svg-icons.php we can find references like:

'link' => /* material-design – link */ '

But there is no other information about where the icons are from,

The theme needs to be 100% compatible with GPL, and it needs to include the license and copyright information for all assets.
If there are other assets included that are missing this information, that needs to be added as well.

[williampatton]

I was about to post a ticket for this very same issue. Since this one already exists I am posting my questions here.

What icons are used in the theme and what is their licence? Are they all material.io icons from Google used under Apache Licence 2.0?

Could we have that documented in the readme file for the theme? I see that is used to be noted there but was removed very early in the dev cycle for the theme at github.

Also note that for other themes distributed on .org repository we require that theme authors include a note or licence statement about all the applicable resources they use so that any derivatives of the themes are aware in advance of the licences they are bound by when using any given bundled resource.

[williampatton]

CC: @kjellr, @allancole could you help me out with looking into this? I see in the git history you have both worked with the commits adding icons to the theme.

We need to have a clear licence declaration for the icons used. I was initially thinking they were all from the same package but after a closer check I see that some were added at later points and that when they were added it wasn't clear to me where they were coming from or what licence they were being used under.

I'd like to try and get this sorted out soonish because I've been asked about it several times now by theme authors and theme reviewers.

[pento]

Thanks for the check in, @williampatton!

Just to give you an update, Automattic folk have a few contacts over on the Google Material team, so for the sake of efficiency, they've been talking directly about license compatibility. As OSS licenses tend to be less frequently tested in court, different lawyers will have different opinions on what different clauses mean, so it's an ongoing discussion. Nevertheless, the lawyers are the experts here, so I'll leave it them to work out the details. 🙂

Let's keep this in the 5.2 milestone, I agree that we need to get it addressed properly. It'll just take a bit of time, as these discussions can be a little slower moving.

[williampatton]

Hey @pento,

Awesome to hear lawyers are talking behind the scenes. They can make make decisions I'm uncomfortable making and I can just guide this one through to being committed when it's able to be resolved. Perfect :)

Also the update, on a Sunday as well, is much appreciated :)

[poena]

Hi

All of the icons are not necesarilly Google Material icons though.

Some of them were added to the theme from pull requests from different developers who did not include any license information or source information.

Example:
​https://github.com/WordPress/twentynineteen/pull/472

[kjellr]

Thanks, @poena — aside from Material icons, there are two other types of icons bundled in the theme:

Custom Icons

I think there's only one of these, and it was made by me. It lives here:

​https://github.com/WordPress/twentynineteen/blob/7eebe8f48b5c51e64b229052f5e357f28fb873ea/classes/class-twentynineteen-svg-icons.php#L163-L169

I believe this icon was ultimately unused though. I'll double check and if that's the case, I'll get a patch going to eliminate it if so.

Social icons

These were included following the precedent of the social media logos included in Twenty Seventeen:

​https://raw.githubusercontent.com/WordPress/twentyseventeen/master/assets/images/svg-icons.svg

I'm not sure of the origins of the Twenty Seventeen ones, but my understanding is that the initial set in Twenty Nineteen was sourced from here:

​https://github.com/Automattic/social-logos

This was before I was involved with the theme though, so perhaps @allancole can confirm.

From a quick look through the GitHub history, it looks like the last.fm icon you linked to is the only brand new social icon addition since the initial commit of those icons. (Other PRs simply updated the icon > URL mapping).

​https://github.com/WordPress/twentynineteen/commit/970dd7368d1d035452b62646bcef739b504d7d73#diff-345c080c95a164e6ab1651e1020602a7

If/when we have clarity around the appropriate license language and/or changes that need to happen. I'm happy to create the patch for us.

[williampatton]

@kjellr I think the TwentySeventeen icons are FontAwesome. That's what's decared in the readme anyways. ​https://themes.svn.wordpress.org/twentyseventeen/2.1/README.txt

[desrosj]

With 5.2 beta 1 in a little over a day's time, I am going to punt this to 5.3 as there is no patch or defined action to take (if any is required).

[pento]

Moving back to 5.2 for now, as we need to address this sooner, rather than later.

(Status update for folks following along: getting Google lawyers to respond to things is... slow.) 🙂

[williampatton]

Oh I bet it is slow waiting on a reply there lol.

I agree that it would be preferable to resolve this ASAP.

The other themes hosted in the .org directory are subject to a checking process which makes sure they declare all resources used and for all of them to be 100% GPL compatible. In this theme however there is no declaration of the icons and indeed some seem to have been added to the collection without proper checking or notice of the licence they are used under.

I am happy to write a quick patch that can add in notes of the icons I can figure out the details for - but some of them I was not able to find out origins of at all :(

Replying to pento:

Moving back to 5.2 for now, as we need to address this sooner, rather than later.

(Status update for folks following along: getting Google lawyers to respond to things is... slow.) 🙂

[desrosj]

@pento Do we have any update on this, or any actionable steps?

[pento]

Nothing to action at this point.

For an update, Google lawyers have responded, we're reviewing their position at the moment. @pesieminski (Automattic General Counsel, and my favourite lawyer in the world, sorry other lawyers) has kindly offered to spend some time digging into the nuances. 🙂

[williampatton]

I do not know why we need laywers here to make this one actionable. In my view there is a simple solution - we add a note about the licence the icons we know are used here and we remove the ones we dont know (@kjellr thinks there may only be a single image that is not material icons and is unused).

In my view the Apache licence 2.0, which material icons are distributed under, is quite clear about the requirements to include original licence statements. If this theme uses the icons under different licence terms than that they we should document that fact.

Also as a requirement to distribute the contents of this theme we MUST properly inform users of the licence terms they are bound by when they use/modify/distribute it. That includes telling them the limitations of the icons and informing them of their requirements should they choose to redistribute.

It's also just nice to credit the sources and I feel that being nice about it would be sufficient reason to add in. I don't understand why there is any pushback or delays against adding this.

If this were not a core theme I would not hesitate to suspend it from the directory untill it is resolved. It's my job to make sure all themes that are distributed in the directory here are correctly licenced and clearly inform people of those licences. TwentyNinteen is not doing that.

[pento]

We need to talk to lawyers because the default themes have traditionally had further restrictions than other themes. They can't just use any OSS licenses for their assets: everything needs to be licensed in a way that it can be released under GPLv2.

WordPress' current position is that packages, modules, assets, etc, licensed under Apache 2.0 can't be released under GPLv2. We're discussing alternative licensing options with Google, as well as exploring WordPress' position on Apache 2.0/GPLv2 compatibility.

It's a significantly bigger issue than providing licensing annotation for a handful of icons, hence why it's going to take some time to sort out.

[pento]

Moving to 5.3, as I won't be able to get a definitive answer on this before 5.2 is released.

[williampatton]

@pento with 5.3 under way already is this one a candidate for pushing to the next milestone instead?

[pento]

This is fine to leave in 5.3 for now, we can always move it later if there's still no progress.

[williampatton]

Replying to pento:

This is fine to leave in 5.3 for now, we can always move it later if there's still no progress.

Sounds good, I'll check in again closer to freeze time for 5.3 then. Thanks for tagging along in this ticket with me :)

[pento]

This is stalled at the moment. I'm moving it to Future Release, since there's currently no timeline for when these larger issues will resolved.

[poena]

Would it not be better to just replace the assets. WordPress is meant to be GPL compatible.

[poena]

@pento Any update on this?

[pento]

Thanks for the reminder, @poena. I've just had a read through the previous discussions with Google on this, it unfortunately was never fully resolved. My understanding of Google's opinion is that Apache 2.0 is GPL compatible in this case (they published ​an in-depth analysis of resolving ambiguity in OSS licenses several years ago).

The FSF documents that ​Apache 2.0 is incompatible with GPLv2, primarily due to Apache 2.0's patent termination and indemnification clauses. In the humble opinion of this developer, that probably doesn't apply to icons, since they're not exactly novel inventions worthy of patenting. As such, I think it's reasonable for us to take Google at their word.

So, with that in mind, I would be inclined to document the license of these icons, and move on. This shouldn't be interpreted as a change of policy on the inclusion of non-GPL libraries in themes (especially not code compatibility), but an exception for this particular case. @chanthaboune, is this approach good with you, or would you prefer a difference course?

• Adds GPLv2 and Apache 2.0 licenses
• Includes information in the Copyright section about the Material Design icons by Google
• Adds credits to Resources section

Trac 45795

[sabernhardt]

I would prefer replacing many icons, but I made a PR in case that might be enough for now. It assumes Twenty Nineteen's use of icons is acceptable and includes (some) more license information to help determine whether works based on the theme may not fit the licenses.

Material Design icons by Google

I compared the paths against the 3.0.1 branch of the ​Material Design repository (first checking the production directory, though some matched design). Most of these have been updated since 2016.

Discrepancies compared to Twenty Nineteen:

1. The encircled down arrow matches arrow_circle_down, not arrow_drop_down_circle.
2. The comment icon matches the Material Design icon's dimensions but does not have the inner (speech) lines.
3. The icon under keyboard_arrow_left matches the current arrow_left.
4. The icon under keyboard_arrow_right matches the current arrow_right.
5. The watch_later icon name simply needs an underscore instead of a hyphen.

Copyright years (2014-2023):

• ​first release in 2014
• ​4.0.0 released in 2020
• ​readme updated on GitHub this year

Custom icons

Trac has the following notice when uploading attachments to a ticket: "By contributing code to WordPress, you grant its use under the GNU General Public License v2 (or later)." I did not find a similar notice in CONTRIBUTING.md, but I expect any direct contributions to the theme on GitHub should fall under the same license.

1. Kjell Reigstad's custom arrow_drop_down_ellipsis icon is used in twentynineteen_add_ellipses_to_nav menu function. @kjellr ​added one version, and it was modified and moved before merging ​PR 485.
2. Toni Laakso's Last.fm icon was added in ​PR 472.

Social Logos

Most icons in the social array seem to come from ​Automattic's Social Logos. 28 of the theme's 43 social icons match the paths from the un-minified SVG collection as of 2018.

Discrepancies compared to Twenty Nineteen:

1. The repo does not include 500px, apple, bandcamp, chain, deviantart, digg, etsy, goodreads, meetup, slideshare, snapchat, soundcloud, vk, yelp, or (as expected) the custom lastfm icon.

Copyright years (2015-2023):

• ​initial commit in 2015
• ​GitHub has an update for the Mastodon icon this year

WordPress Social Link Block

Gutenberg PR 16897 specifically mentions ​Social Logos as a possible source. Twenty Twenty credits the WordPress Social Link Block for its logos because that theme ​intentionally matched the block. Updating Twenty Nineteen icons to match the block and Twenty Twenty (as much as possible) would be good.

Discrepancies compared to Twenty Nineteen:

1. The block has a ��newer version of the Facebook logo, which I found in the current Social Logos.
2. Reddit and Tumblr have a different SVG in the current Social block, but I did not find matches to those in the Social Logos repo.
3. The ​first commit with icons toward the block's PR 16897 had exactly the same paths as the icons in Twenty Nineteen, though Google Plus was not included in the PR. Apple, Digg, SlideShare and StumbleUpon icons were removed before merging.

For more information, I made a ​Google Sheet to compare the icon sets.

[poena]

@sabernhardt thank you for all your work on this issue.
I believe it is still waiting for a final decision from @chanthaboune.

[karmatosed]

Adding a keyword to note we need a second opinion on this in order to progress.