Question: `electron` IP checks going forward
Background Information
Hi @wbeaton. We (Eclipse Theia) wondered if the way we've been dealing with the project updating its Electron 3PP is still the way to go (on our end it's a non-trivial, quite involved process).
As we remember, the Foundation's IP team had two main concerns regarding Electron, which bundles a version of Chromium they build from sources, which in turn bundles a version of the FFmpeg dynamic library (also built from sources by the Electron project):
- FFmpeg is licensed under LGPL, but can be under GPL if some optional sources are included in the build (through using a CLI build option)
- FFmpeg delivered with Electron bundles alleged proprietary codecs (h264, aac)
We cover concern #2 by having infrastructure in our repo to replace the bundled FFmpeg with an alternative one made available by the Electron project, for "IP sensitive" customers, that does not contain those codecs. We validate that by having a build-time test harness load the FFmpeg library and use its API to list all available codecs, and confirm that the proprietary codecs are not among those listed.
This IP Check ticket here is covering concern #1. We figure out the exact FFmpeg commit used for the given Electron version and use a provided build artifact that identifies source files used in the build to filter down to the exact content that was used to build FFmpeg, then we zip those source files and attach that archive for the IP team's analysis.
Question
Since we've been doing this for a while and had no bad surprises, would it be reasonable to trust the Electron project to build their bundled Chromium and its bundled FFmpeg without including GPL source code? If we did, it means we could forego a ticket such as this one here, for future Electron upgrades. Probably as well the "parent ticket" we were initially asked to create about the corresponding Electron (e.g. #7508 (closed)).
We have the infrastructure to replace FFmpeg with the version that has no proprietary codecs and to validate this worked as expected, each time we build, so I see no reason not to continue doing that.
Additional Information
- Past Electron IP Check: #7508 (closed)
- Past FFmpeg IP Check: #7507 (closed)
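
One way to write the build-time check described in the post (load the FFmpeg library, list its codecs, confirm that h264 and aac are absent). This is an added example, not Theia's own harness; it assumes the library exports `av_codec_iterate` (FFmpeg 4.0 and later) and that the library path is given on the command line.

```python
import ctypes
import sys

FORBIDDEN = {"h264", "aac"}  # the codecs named in the post


class AVCodec(ctypes.Structure):
    # Leading fields of libavcodec's AVCodec only; enough to read the name.
    _fields_ = [
        ("name", ctypes.c_char_p),
        ("long_name", ctypes.c_char_p),
        ("type", ctypes.c_int),
        ("id", ctypes.c_int),
    ]


def list_codecs(lib):
    """Return the names of all encoders and decoders compiled into the library."""
    iterate = lib.av_codec_iterate
    iterate.restype = ctypes.POINTER(AVCodec)
    iterate.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    opaque = ctypes.c_void_p(None)  # iteration state, owned by FFmpeg
    names = set()
    while True:
        codec = iterate(ctypes.pointer(opaque))
        if not codec:  # NULL marks the end of the codec list
            break
        names.add(codec.contents.name.decode("ascii"))
    return names


def forbidden_codecs(lib, forbidden=FORBIDDEN):
    """Sorted list of forbidden codec names that the library still contains."""
    return sorted(list_codecs(lib) & set(forbidden))


def main(path):
    try:
        found = forbidden_codecs(ctypes.CDLL(path))
    except (OSError, AttributeError) as exc:
        # Fail closed: a library that cannot be inspected is not accepted.
        print(f"cannot inspect {path}: {exc}")
        return 2
    if found:
        print(f"{path} still contains: {', '.join(found)}")
        return 1
    print(f"{path}: none of {sorted(FORBIDDEN)} present")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

A non-zero exit status can be used to fail the build step that packages the replaced library.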