Add Twitter Bootstrap to whitelist

It's released under the apache 2.0 license which is compatible with the gpl.

The reason why it has to be compatible with the gpl is because these licenses are distribution licenses and while we don't host it by packaging it we are distributing the software and have to worry about the license.

So we are v2 or later. I guess the question is are we re-licensing all the software that is in the distribution package as gpl v2 or later? Or are they keeping their respective licenses? If we are re-licensing then I think we should re-license the distributions as gpl v3 or later. This would solve the incompatibilities.

@cweagans #4 - absolutely. They'd have to grant it to anyone (since downloaders of drupal.org tarballs are not necessarily "drupal.org contributors").

@redndahead - makes sense, but I don't think we are likely to start saying "this tarball is GPLv3 based on the combination of software in it")

@greggles I'm not sure why we shouldn't. The reason we ask for gplv2 in code is because we haven't relicensed core yet. I don't think there is any legal/technical/spiritual reason why someone would object to making the distribution gpl v3 or later. Technically it's already gpl v3.

I'm willing to start a new issue on this. Where would be the best place to start it?

The reason we ask for gplv2 in code is because we haven't relicensed core yet.

There are also no plans to relicense core to remove support for gplv2 - http://drupal.org/licensing/faq#q12

The concern I have is that there may be a 3rd party library that is only gplv2 and then something like this that is only gplv3 and if we add them both to the whitelist people could make a package that has incompatible licenses. So, yes, "core + twitter bootstrap" is fine. But "core + twitter bootstrap + something else" could create a problem. I don't know where the best place is for this discussion.

I have started an issue here. #1449452: Give installation profiles/distributions GPLv3+ license as option for packaged downloads

Marking as postponed until there's some movement on #1449452: Give installation profiles/distributions GPLv3+ license as option for packaged downloads.

Any news about adding Twitter Bootstrap to whitelist?
I need it for a distribution with a theme based on http://drupal.org/project/bootstrap...

I sure wish this issue would be addressed. We need Bootstrap for the Open Atrium 2 project as well.

Don't have a ton of time but am willing to help resolve this issue. Any movement since last post? Any suggestions on path of least resistance? Looks like some headway was made on #1449452: Give installation profiles/distributions GPLv3+ license as option for packaged downloads but has recently stalled.

@mpotter, what did you guys end up doing for OA2?

Per my comments in https://github.com/twbs/bootstrap/issues/2054, the idea that ALv2 is somehow incompatible with GPLv2 is very arguable. Eben stated that nearly a decade ago, contrary to all discussion with people at the Apache Software Foundation. The ASF believes they are compatible. Eben/FSF say otherwise.

There should be no problem including Bootstrap as ALv2 into Drupal. If you believe there is a problem, then I'd be curious why you hold that belief (beyond "the FSF website says so").

(see the Bootstrap issue for additional info)

pirog: For OA2 we ended up referencing Bootstrap via an external CDN in the theme's template.php:

drupal_add_js('netdna.bootstrapcdn.com/twitter-bootstrap/2.3.1/js/bootstrap.min.js', 'external');

I really dislike needing to do this (adding a hardcoded external dependency) but at least in this regard we are in no way "distributing" Bootstrap with Drupal+OA2. I don't have time to deal with licensing issues either, so hopefully others in the field (Drupal and/or Bootstrap) will resolve this someday.

Congrats @cweagans! 2+ years later, It looks like future releases of Bootstrap will be dual licensed as APL2 and MIT.

https://github.com/twbs/bootstrap/issues/2054
https://github.com/twbs/bootstrap/pull/9994#issuecomment-25754638
https://github.com/twbs/bootstrap/pull/11105

For v3.1 we will be changing the license from Apache to MIT and are in the process of collecting permissions to do so from all authors of Bootstrap code that is still in the current code base.

how is this done with http://drupal.org/project/twitter_bootstrap_ui?

could that module be used as an alternative for developers to include bootstrap on their own?

The use case is what happens when you are on a website and you loose internet access. While content might not be visible, you shouldn't loose your UI. Many elements just won't work.

#22 is unrelated.

https://github.com/twbs/bootstrap now appears to have the MIT license added as of a month ago. As this is a pretty major package for d.o. to have access to w/ the popularity of bootstrap I'm not going to push this ahead but definitely +1'ing adding it to the packaging white-list.

On https://github.com/twbs/bootstrap it still says...

With v3.1, we're moving from the Apache 2 to the MIT license for the Bootstrap code (not the docs)

Posted https://github.com/twbs/bootstrap/issues/11487 to confirm

my assessment was less it saying it's going to be MIT and more the license that's packaged

https://github.com/twbs/bootstrap/releases/tag/v3.0.2 comes with LICENSE-MIT and https://github.com/twbs/bootstrap/commit/dd5c8a53eec70ea84bc89235e2a4cd0... has the commit that made this change (a month ago).

It would have been a lot less confusing if they didn't commit the MIT license until 3.1 or excluded from the 3.0.2 download, but I'm assuming that was done to prepare for the change as part of the "By contributing your code, you agree to dual-license your contribution" clause they added with the same commit.

Unless someone with authority to speak for the project says otherwise in a response to https://github.com/twbs/bootstrap/issues/11487 or the license in the header of https://github.com/twbs/bootstrap/blob/master/dist/js/bootstrap.js changes, I think we should assume this is still Apache v.2 until the 3.1 release.

https://github.com/twbs/bootstrap/issues/11487

All new contributions to Bootstrap since the release of v3.0.1 are dual-licensed under both the Apache License, Version 2 and the MIT License. Fully changing Bootstrap's license to MIT is indeed scheduled for v3.1.

It looks like this has happened earlier than expected.

At least, I can find no reference to the Apache 2 license in the readme or the javascript:

https://github.com/twbs/bootstrap/blob/master/dist/js/bootstrap.js#L10

Indeed it has https://github.com/twbs/bootstrap/issues/2054#issuecomment-30894685

This is getting really close, but there still isn't a packaged release that can be whitelisted. We could whitelist https://github.com/twbs/bootstrap, but then developers could pull any release. I think most developers could be trusted to only pull the MIT licensed master, but we already have copies of the Apache 2.0 in contrib and don't seem to have any structure to get non-GPLv2+ or GPLv2 compatible code removed once it's been committed.

#2175005: [META] Changes are required before it will be safe to assume code from Drupal.org's git repo is really GPLv2+ or GPLv2 compatible

Until we can remove an Apache 2.0 licensed version of Bootstrap quickly or Boostrap releases a stable, packaged release we can whitelist from a URL like https://github.com/twbs/bootstrap/releases/download/v3.1..., whitelisting the git path now is only going make a bad situation worse.

Unless there is a way to prevent pulling the old Apache 2.0 files with a regular expressions, I think we're still waiting on a release and will only be able to whitelist release > that 3.1.

We can't prevent everything. I would probably wait until the stable release comes out and then whitelist the normal way. You certainly don't want to work with whitelisting 3.1 then 3.2 etc. And I don't think the extra regex work is worth it.

Probably missing something here, but isn't 'master' likely to stay MIT now?

https://raw.github.com/twbs/bootstrap/master/dist/js/bootstrap.js

Know there's a chance it could change again, but it doesn't seem that big a risk?

I would've thought it'd make sense to have the development branch(es) of a library like this available for installations, for use in development branches of distributions etc. on drupal.org

As I say, I might well be missing something here though. And not in any rush, think 3.1 could be here anytime soon.

The issue isn't the Bootstrap license changing, but developers taking advantage of a regular expression that is too flexible to grab the 3.0.3 release instead of the soon-to-be released 3.1.0 release. We'd normally just whitelist ^(git|https)://github\.com/twbs/bootstrap/.+$

That would allow you to use either of these in their .make...

libraries[bootsrap][download][type] = git
libraries[bootsrap][download][url] = "git://github.com/twbs/bootstrap.git"
libraries[bootsrap][download][revision] = af5cebf76bac01177c9307adb2d38c896ce6f04e
libraries[bootsrap][download][branch] = master

libraries[bootsrap][download][url] = https://github.com/twbs/bootstrap/archive/master.zip

Both of those would be fine, but you could also add..

libraries[bootsrap][download][type] = git
libraries[bootsrap][download][url] = "git://github.com/twbs/bootstrap.git"
libraries[bootsrap][download][revision] = 3887f540b978d593f433bfef15888bc2d103de72

libraries[bootsrap][download][url] = https://github.com/twbs/bootstrap/releases/download/v3.0.3/bootstrap-3.0...

That would get you the older Apache 2.0 version.

But @lightsurge, is correct that the regex for the raw link would work because it can be limited to only the master.

Adding ^https://raw\.github\.com/twbs/bootstrap/master/.+$ would allow a developer to package https://raw.github.com/twbs/bootstrap/master/dist/js/bootstrap.js, but not be commit tag like https://raw.github.com/twbs/bootstrap/3887f540b978d593f433bfef15888bc2d1....

The downside of the raw links is every file has to be downloaded individually and the directory structure recreated, but it's a start. I added https://drupal.org/node/2175973 so developers who want to get started packaging this can. Changing the status to "needs work". As soon as there is an actual release, we'll whitelist that as well.

I think we are fine to use the generic whitelist. If you can come up with a regex that will allow 3.1+ then that would be fine too, but certainly not whitelist 3.1 then whitelist 3.1.1 etc.

As soon as there is an actual release, we'll whitelist that as well.

http://blog.getbootstrap.com/2014/01/30/bootstrap-3-1-0-released/

Today we're stoked to ship Bootstrap v3.1. We've got a handful of new features, plenty of bug fixes and improvements, and updated build tools.

New license

We've been talking about it for what seems like forever, but thanks to all our contributors and the core team, we've finally done it. As of v3.1, Bootstrap ships under the MIT license to allow as many people to utilize Bootstrap as possible. Thanks to all our contributors for helping make it happen.

Shall whitelist now update as below?

^https://github\.com/twbs/bootstrap/.+$

I updated https://drupal.org/node/2175973 to include any 3.1.x or 3.2.x release in addition to the raw.github.com expression that was already allowed (that allowed any file in the master branch directly like https://raw.github.com/twbs/bootstrap/master/js/modal.js).

^https://github\.com/twbs/bootstrap/releases/download/v3\.1/.+$
^https://github\.com/twbs/bootstrap/releases/download/v3\.2/.+$

Because 3.1.x changes more than just the license, anyone using Bootstrap is likely going to need to update their project before including the 3.1.x release. Whitelisting future 3.2.x should allow this entry to work for several years. After 3.2, it would probably be safe to allow any Bootstrap release since there would be very little incentive to using an older, Apache 2.0 licensed release.

Of course complying w/ these strict GPLv2 policies makes Drupal less competitive with other CMSes. Joomla already includes the Apache 2.0 version of Bootstrap in their core 3.x release...

https://github.com/joomla/joomla-cms/blob/staging/media/jui/js/bootstrap.js

... yet the Joomla project is still distributed w/ a GPLv2 or later license.

WordPress has allowed any license that's GPLv2 or later (meaning licenses compatible with GPLv3) to be included in plugins...

http://make.wordpress.org/core/2012/04/30/the-plugin-directorys-licensin...

This gives WordPress developers the flexibility to include more libraries than Drupal developers as well as fonts using several font specific FLOSS licenses (SIL Open Font License, GPLv2 w/ font exception, Ubuntu Font License, etc) and Creative Commons v4 licensed images and content.

I'm glad this specific issue is finally resolved for the developers trying to play by the rules, but unless something is actually going to be done with the Apache 2 licensed versions of Bootstrap already in Drupal's git repo and being distributed from Drupal.org, this just seems like a waste of everyone's time.

Thank you for the fix (finally, after 2 years...), so now can include Bootstrap code officially and legally.

On the other hand, I can't agree more about "this just seems like a waste of everyone's time"... IMHO, applying GPLv2+ in Drupal is not the ONLY reason for encourage people for contribution. Now a day, people just hope to contribute, and don't really care about licensing anymore...

Now a day, Drupal.org GPLv2+ ONLY policy no longer a catalyst for encourage contribution, but just discouraging the adoption and integration of latest FOSS community progress...

Sorry kreynen the regex is not really works...

See drustack 7.x-26.68 build message:

>> The library 'bootstrap' cannot be downloaded from https://github.com/twbs/bootstrap/releases/download/v3.1.1/bootstrap-3.1..., the URL must be in the whitelist available at http://drupal.org/packaging-whitelist.
>> The Drupal.org validation check failed -- see http://drupal.org/node/1432190 for more information.

Please consider to update it from:

^https://github\.com/twbs/bootstrap/releases/download/v3\.1/.+$
^https://github\.com/twbs/bootstrap/releases/download/v3\.2/.+$

To:

^https://github\.com/twbs/bootstrap/releases/download/v3\.[1-9][0-9]*[\.0-9]*/.+$

I updated it to accept any version beginning with v3.[1-9], instead of checking 3.1.x or 3.2.x specifically. Tested with 3.1.1, 3.1.0, and 3.2.1, should be working.

^https://github\.com/twbs/bootstrap/releases/download/v3\.[1-9].+$

https://github.com/twbs/bootstrap/releases/tag/v3.0.1 and everything < 3.1 is still apache2.

The regex above should work fine; it only allows 3.1 and greater, at least according to http://regexpal.com/