I wish they’d picked a less awful name.

I’ve tried this. Unfortunately it isn’t anywhere near as good as Git Graph, or at least it wasn’t when I tried it a few months ago. I’ll stick with Git Graph until it stops working I think.

I think that’s actually an MIT license violation?

I think that’s probably fine actually since the place they are distributing the binary from (Codeberg releases) has a copy of the licence easily available.

the MIT license has no requirements about avoiding ambiguity

Err yeah of course not. The issue with creating ambiguous or conflicting legal requirements is that they might not get applied how you’d like if it went to court. For example Amazon might fork Forgejo and keep it closed source, saying “we copied the individual source files and those are MIT licensed” and they might win. The license text doesn’t have to say anything about that for it to be true.

The problem is that there’s ambiguity if you add new code to those files because the file header says it is MIT licensed but the project licence says it is GPL3. It’s contradictory.

I believe they could have resolved the issue by deleting the file headers and including a copy of the MIT license in LICENSE with a note saying something like “Code at this commit is fully licensed under the MIT license which is reproduced here; subsequent code is licensed only under the GPL3. Both licenses must be respected.”

But they haven’t done that, and it doesn’t seem like they’ve even thought about it.

Yeah… But that’s even more confusing since they didn’t change it to “MIT AND GPL3”. So now the whole project is GPL3 but individual files are MIT?

I think they should speak to someone who understands copyright law.

Yes but it doesn’t let you remove the MIT license:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Doesn’t look like they are complying with those terms to me.

How did they get permission from all previous contributors to do this? It doesn’t have a CLA. Seems sketchy.

I mean… You’re probably going to run the code in the repo eventually anyway right? At least in the majority of cases. Tbh I don’t think it really changes the threat model significantly.

This doesn’t surprise me in the least. For the longest time the only way to update Python was to compile it from source… They just don’t care too much about making their tooling work nicely. And that’s before you even add the complexity of Nix.

I would maybe just not use Nix for this at all and try something like Rye, which is a third party attempt to fix the Python mess. It lets you specify a Python version and supports lock files so in theory everything is actually reproducible… so it’s at least part way to what you’d have with Nix.