Skip to content
This repository has been archived by the owner on Jul 13, 2023. It is now read-only.

Paperclip mimemagic dependency licensing implication #2678

Open
sb8244 opened this issue Mar 24, 2021 · 11 comments
Open

Paperclip mimemagic dependency licensing implication #2678

sb8244 opened this issue Mar 24, 2021 · 11 comments

Comments

@sb8244
Copy link

sb8244 commented Mar 24, 2021

Paperclip is deprecated, but there may still be users of the gem that haven't upgraded for whatever reason.

There was a mimemagic change (rails/rails#41750 mimemagicrb/mimemagic#97) that stems from incorrectly licensing mimemagic as MIT with a GPLv2 dependency. The old versions were yanked (new 0.3.6 added) and new versions are published as GPLv2. Codebases that pull in paperclip will possibly be taking the risk of GPLv2 code (IANAL) instead of MIT code.

I am not sure there's any alternative at the moment, but wanted to create this issue in case someone else runs into it.

Deprecation notice

Paperclip is currently undergoing deprecation in favor of ActiveStorage. Maintainers of this repository will no longer be tending to new issues. We're leaving the issues page open so Paperclip users can still see & search through old issues, and continue existing discussions if they wish.
@sd
Copy link

sd commented Mar 24, 2021
edited
Loading

I have a Pull Request that removes the dependency on mimemagic.

#2677

In the meantime, you can test my branch by using this in your Gemfile:

gem 'paperclip', git: 'https://github.com/sd/paperclip', branch: 'remove-mimemagic'

And report back if it works for you.

@sd sd mentioned this issue Mar 24, 2021
Closed
@Supernats
Copy link

https://github.com/kreeti/kt-paperclip is the listed maintained fork. There have not been changes to this repository in over a year.

@wisetara
Copy link

@sd I hope you'll submit your PR to https://github.com/kreeti/kt-paperclip as @Supernats suggests. I'd rather switch to the "officially" maintained gem than point to your branch, which does not negate my appreciation for your efforts!

@sd
Copy link

sd commented Mar 24, 2021

kreeti#52

kueda added a commit to inaturalist/inaturalist that referenced this issue Mar 24, 2021
@kueda
Attempt to deal with disappearance of mimemagic gem
8c37a7e 
See thoughtbot/paperclip#2678 for details, but the gem
was removed from the rubygems.org due to a licensing problem, causing paperclip
to break. This switches our dependency to an experimental fork that removes that
dependency.
@wennerma
Copy link

I see there's a few PRs, is there an update on when these could be merged? Is a better route for some of us to fork this and make the change ourselves?

@ryantk
Copy link

ryantk commented Mar 25, 2021

Has anyone got feedback for @sd 's branch?
I see the build has failed on Travis but I don't know if this is normal for this project (one would hope not but who knows).
I would like to just use that branch and have done with it but just looking to see if anyone has had any glaring issues.

@GProst
Copy link

GProst commented Mar 25, 2021

@ryantk FWIW, tested in our project, image creation/update/deletion - looks good
Ruby 2.5.7

@sd
Copy link

sd commented Mar 25, 2021

@ryantk we have deployed to prod without issues. We do have the file command available on the server. Otherwise Paperclip blocks all uploads due to "anti-spoofing" checks that cannot confirm the file contents.

@ryantk
Copy link

ryantk commented Mar 25, 2021

Thank you for your work @sd I have done a bit of work and determined I can safely upgrade to minimagic 0.3.7 in the very short term with a view to removing it when it is removed form paperclip.

@psychezone psychezone mentioned this issue Mar 26, 2021
Closed
@pjmartorell pjmartorell mentioned this issue Mar 26, 2021
Closed
matiasgarciaisaia added a commit to instedd/paperclip that referenced this issue Apr 1, 2021
@matiasgarciaisaia
Drop mimemagic dependency
909ed09 
See thoughtbot#2678 for context
matiasgarciaisaia added a commit to instedd/cdx that referenced this issue Apr 1, 2021
@matiasgarciaisaia
Stop depending on mimemagic
cb02622 
mimemagic was yanked due to licencing issues. We've forked paperclip
to remove the mimemagic dependency to be able to keep building the
project.

See thoughtbot/paperclip#2678
@johnnyshields
Copy link
Contributor

How about we do #2685 - Transfer gem ownership to Kreeti and apply their fixes from kt-paperclip instead?

ftarulla pushed a commit to instedd/cdx that referenced this issue Apr 22, 2021
@matiasgarciaisaia @ftarulla
Stop depending on mimemagic
915fd83 
mimemagic was yanked due to licencing issues. We've forked paperclip
to remove the mimemagic dependency to be able to keep building the
project.

See thoughtbot/paperclip#2678
@joshnabbott
Copy link

@sd I'm more than a year late, but thank you

ducvan0212 added a commit to phylotastic/phylotastic-portal that referenced this issue Oct 29, 2022
@ducvan0212
Update Gemfile
dc0f911 
update Gemfile and move mimemagic in gemfile.lock to 0.3.10

rails/rails#41750
thoughtbot/paperclip#2678
https://stackoverflow.com/questions/66829141/heroku-push-rejected-error-failed-to-install-gems-via-bundler-probably-caused/66869930#66869930
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Replace mimemagic with marcel gem pjmartorell/paperclip
9 participants
@sd @joshnabbott @johnnyshields @sb8244 @ryantk @Supernats @wennerma @wisetara @GProst