tea is Gitea’s command-line client, and it is packaged by many Linux distributions, including Manjaro and Arch Linux. However, while packaging tea, Artemis Everfree happened to notice that many of the program’s dependencies had no clear open source license.
For example, scanning tea’s dependencies with golicense (a tool that scans Go programs for their dependencies and licenses) produced this result:
🚫 gitea.com/noerw/unidiff-comments <license not found or detected>
This is a diff parser written in Go. Artemis looked further into the gitea.com/noerw/unidiff-comments dependency and found that the unidiff-comments package is just a mirror of the godiff project on GitHub, repackaged as a Go module.
Worse, the original godiff repository has no license at all, and it has not been updated in six years. noerw, the author of unidiff-comments, had also realized that he had forked an unlicensed project: as early as 2020 he opened an issue in the original repository asking the author to add an open source license, but he never received a response.
However, after Artemis Everfree’s blog post on the matter caused heated discussion, some readers contacted the original author, who commented in surprise: “This is a project from 7 years ago, I really didn’t expect anyone to use my code, so I don’t care about the license. But if it helps, then I’ll add an MIT license.”
The problem with this particular dependency has been resolved for now, but it exposes a broader issue: Linux distributions check only the license of the package itself and do not scrutinize the package’s dependency tree. Note that the GNU Free System Distribution Guidelines state clearly:
- The distribution’s information and source files must be provided under an appropriate free license.
- A distribution’s repositories should not contain non-free software or instructions for installing non-free software.
- Nor should a distribution point to third-party repositories that do not commit to containing only free software.
- The distribution’s developers do their best to avoid non-free software and commit to removing non-free programs as soon as they become aware of them.
In this case, however, many Linux distributions shipped Go packages that do not meet the license terms and embed a large amount of unlicensed code, which clearly fails the requirements of these guidelines.
The problem is certainly not limited to Go packages, but the ecosystem of statically linked dependencies makes the Linux distribution infrastructure even more fragile.
Static linking means embedding a program’s dependencies directly into the program binary. It is the opposite of dynamic linking (or dynamic loading), which keeps dependent libraries in separate files that are loaded when the program starts (or while it runs).
Static linking makes a dependency an integral part of the program, so it cannot easily be swapped for another version. If one of the libraries has a vulnerability, the entire program must be relinked against the new version.
For a long time, Linux distributions (Debian, Fedora, Gentoo and others) have opposed static linking, pinned dependencies and dependency bundling, with little success, because languages such as Go and Rust rely entirely on static linking, and their ecosystems are still growing rapidly. As a result, every time a distribution packages a new Go or Rust program, it has to check the licenses of the program itself and of its exploding dependency tree one by one, which places a very heavy burden on reviewers.
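To make the per-dependency license check described above concrete, here is an added example (not code from the article, from tea, or from golicense) in Python. It parses the output of `go list -m -json all`, which is a stream of concatenated JSON objects rather than a JSON array, and reports every dependency module whose download directory contains no recognisable license file. The module paths and directories built in `demo()` are constructed sample data, and the list of license file names is an assumption based on common convention.

```python
"""Audit a Go module dependency tree for modules that ship no license file.

Added example. It consumes the output of `go list -m -json all` (a stream of
concatenated JSON objects, one per module) and looks in each module's
directory for a recognisable license file.
"""
import json
import os
import subprocess
import tempfile
from typing import Dict, List

# Assumption: file names commonly used for license texts (matched case-insensitively).
LICENSE_NAMES = ("license", "license.txt", "license.md", "copying", "copying.txt", "unlicense")


def parse_go_list_modules(stream: str) -> List[Dict]:
    """Parse the concatenated-JSON output of `go list -m -json all`.

    `go list -json` emits one JSON object per module with no separators,
    so json.loads() on the whole text fails; decode object by object instead.
    """
    decoder = json.JSONDecoder()
    modules: List[Dict] = []
    pos = 0
    length = len(stream)
    while pos < length:
        while pos < length and stream[pos].isspace():  # skip whitespace between objects
            pos += 1
        if pos >= length:
            break
        obj, end = decoder.raw_decode(stream, pos)
        modules.append(obj)
        pos = end
    return modules


def find_license_file(module_dir: str) -> str:
    """Return the path of a license file in module_dir, or '' if none is found."""
    if not module_dir or not os.path.isdir(module_dir):
        return ""
    for name in sorted(os.listdir(module_dir)):
        if name.lower() in LICENSE_NAMES:
            return os.path.join(module_dir, name)
    return ""


def audit_modules(modules: List[Dict]) -> List[str]:
    """Return the module paths of dependencies (not the main module) with no license file."""
    missing: List[str] = []
    for mod in modules:
        if mod.get("Main"):
            continue  # the project itself is reviewed separately by the packager
        # A module redirected with a `replace` directive lives at the replacement's Dir.
        target = mod.get("Replace") or mod
        if not find_license_file(target.get("Dir", "")):
            missing.append(mod["Path"])
    return missing


def audit_current_project() -> List[str]:
    """Run `go list -m -json all` in the current directory and audit the result."""
    out = subprocess.run(["go", "list", "-m", "-json", "all"], check=True,
                         capture_output=True, text=True).stdout
    return audit_modules(parse_go_list_modules(out))


def demo() -> List[str]:
    """Constructed sample: two fake module directories, one with a LICENSE file, one without."""
    root = tempfile.mkdtemp()
    licensed = os.path.join(root, "licensed@v1.0.0")
    unlicensed = os.path.join(root, "unlicensed@v0.1.0")
    os.makedirs(licensed)
    os.makedirs(unlicensed)
    with open(os.path.join(licensed, "LICENSE"), "w") as f:
        f.write("MIT License (constructed sample text)\n")
    # Constructed `go list -m -json all` output: concatenated objects, as the tool emits them.
    sample = (
        json.dumps({"Path": "example.invalid/app", "Main": True, "Dir": root}) + "\n"
        + json.dumps({"Path": "example.invalid/licensed", "Version": "v1.0.0", "Dir": licensed}) + "\n"
        + json.dumps({"Path": "example.invalid/unlicensed", "Version": "v0.1.0", "Dir": unlicensed})
    )
    return audit_modules(parse_go_list_modules(sample))


if __name__ == "__main__":
    for path in demo():
        print("no license file:", path)
```

Run `audit_current_project()` from inside a Go module to audit a real dependency tree; a module flagged here is exactly the kind of entry golicense reported for tea, and it is what a packager needs to resolve before the package can meet the distribution guidelines quoted above.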
In addition, the heated discussion of the incident in the Reddit thread exposed another problem: most developers do not clearly understand the importance of open source licenses and know only a little about the differences between them. There is still a long way to go.
Open source software used by multiple distributions has unlicensed dependencies