License Conflict

Discussion for TimeTrex open source community developers.
Locked
joako
Posts: 15
Joined: Fri Sep 24, 2010 12:48 am

License Conflict

Post by joako »

During a security audit of a firm that uses TimeTrex we discovered Google Analytics code in the login screen. In the process of removing the offending code I discovered:


{* REMOVING OR CHANGING THIS LOGO IS IN STRICT VIOLATION OF THE LICENSE AGREEMENT *}
<img src="{$IMAGES_URL}powered_by.jpg" alt="Time and Attendance">

I removed the URL again due to the (minimal) security concerns of the data that the browser sends when clicking links. However I find the comment in the code to conflict with the AGPL license under which TimeTrex claims to be distributed under.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

Removing the "Powered By TimeTrex" logo is a definite violation of the AGPLv3 license that TimeTrex Standard Edition is distributed under, as it is considered "Appropriate Legal Notices" under Section 7(b). In fact this clause is one of the primary clauses that the AGPL license is designed to account for.

http://www.gnu.org/licenses/agpl-3.0.html
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
...
b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
...

Please also see the header of source code files as well, which I have included here for your convenience, the last paragraph is key:

Code: Select all

/*********************************************************************************
 * TimeTrex is a Payroll and Time Management program developed by
 * TimeTrex Payroll Services Copyright (C) 2003 - 2010 TimeTrex Payroll Services.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by
 * the Free Software Foundation with the addition of the following permission
 * added to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED
 * WORK IN WHICH THE COPYRIGHT IS OWNED BY TIMETREX, TIMETREX DISCLAIMS THE
 * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Affero General Public License along
 * with this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 * You can contact TimeTrex headquarters at Unit 22 - 2475 Dobbin Rd. Suite
 * #292 Westbank, BC V4T 2E9, Canada or at email address info@timetrex.com.
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License
 * version 3, these Appropriate Legal Notices must retain the display of the
 * "Powered by TimeTrex" logo. If the display of the logo is not reasonably
 * feasible for technical reasons, the Appropriate Legal Notices must display
 * the words "Powered by TimeTrex".
 ********************************************************************************/
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

Just to add some clarification to this thread for others, removing the "Powered by TimeTrex" logo or any copyright notices is in strict violation of the license, however you seemed to confuse that with Google Analytics.

The Google Analytics tracking is simply used to help improve the software and doesn't collect any employee or private personal data, it just lets us know what screens are used most and how users navigate through the software, no different than visiting any other website (as TimeTrex is web based after all). If you think TimeTrex is already perfect and can't be improved upon any further, or simply don't wish to provide such information, you can disable it by adding the following line to your timetrex.ini.php file:

[other]
disable_google_analytics = TRUE
nandou
Posts: 3
Joined: Mon Mar 03, 2014 12:13 pm

Re: License Conflict

Post by nandou »

About licence violations:

What about providing the source code? Where is the interface source code?

Code: Select all

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
a) ..
...
e).
Please tell us where (how) to get the flex interface source code.

Thanks
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

We no longer offer the Flex sourcecode as the Flex interface is being discontinued shortly and replaced by a pure HTML5 interface, which the full sourcecode will be available upon its release.
nandou
Posts: 3
Joined: Mon Mar 03, 2014 12:13 pm

Re: License Conflict

Post by nandou »

Well, HTML5 will be very welcome, flex is nice looking, but have a lot of problems attached.

Hope it's sooner rather than later, can you advance a prespective on the date?

Thanks for the awnser.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

Its in early beta testing with some Cloud Hosted customers now, so it will likely be a few months before its available in the Community Edition.
amiller030
Posts: 52
Joined: Sun Feb 23, 2014 2:50 pm
Contact:

Re: License Conflict

Post by amiller030 »

Is there a way that I can get in to the beta test? I am using the community cloud hosted.
Adam Miller
TimeTrex Administrator - New Ulm Robotics
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

If you are using our Cloud hosted service simply change the end of the URL from "flex" to "html5". For example:

http://ondemand2001.timetrex.com/interface/flex

Gets changed to:

http://ondemand2001.timetrex.com/interface/html5
amiller030
Posts: 52
Joined: Sun Feb 23, 2014 2:50 pm
Contact:

Re: License Conflict

Post by amiller030 »

Thank you.
Adam Miller
TimeTrex Administrator - New Ulm Robotics
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

Please let us know if you experience any problems or discover any issues whatsoever.
amiller030
Posts: 52
Joined: Sun Feb 23, 2014 2:50 pm
Contact:

Re: License Conflict

Post by amiller030 »

There are some permission issues. If you would like more details, please let me know. I logged in as an employee with very minimal permissions, and they were still able to see the edit employee button along with some other things that they shouldn't have access to.
Adam Miller
TimeTrex Administrator - New Ulm Robotics
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: License Conflict

Post by shaunw »

Please start a new topic and describe in detail the issue so we can get it resolved as soon as possible.
amiller030
Posts: 52
Joined: Sun Feb 23, 2014 2:50 pm
Contact:

Re: License Conflict

Post by amiller030 »

sounds good.
Adam Miller
TimeTrex Administrator - New Ulm Robotics
amiller030
Posts: 52
Joined: Sun Feb 23, 2014 2:50 pm
Contact:

Re: License Conflict

Post by amiller030 »

Adam Miller
TimeTrex Administrator - New Ulm Robotics
Locked