Font licenses

[jnahmias]

Hello,
I am interested in packaging this library for inclusion in Debian GNU/Linux. To comply with the Debian Free Software Guidelines, we need to ascertain the licensing/copyright of all files. However, I do not see any information for the six captcha fonts. Would you please share some background on their provenance and some sort of statement from their creators that allows them to be distributed.
Thanks!
--Joe

[Gregwar]

Hello,

I'll be honest it's been a very long time since this library was created and I forgot to document fonts provenance. I just did some research using MD5 checksums of files to find the sources which is here:

• captcha0.ttf https://www.dafont.com/bitstream-vera-mono.font ("Public domain")
• captcha1.ttf https://www.dafont.com/tgl-0-16.font ("100% free")
• captcha2.ttf https://www.dafont.com/code.font ("100% free")
• captcha3.ttf https://www.dafont.com/tepeno-sans.font ("100% free")
• captcha4.ttf https://www.fontsquirrel.com/fonts/linux-libertine ("100% free for commercial use")
• captcha5.ttf: https://www.fontsquirrel.com/fonts/sling ("100% free for commercial use")

[pabs3]

@jnahmias asked the Debian fonts team to help out with the situation, I'm responding in that capacity.

Personally, regardless of the provenance/copyright/license situation, I would always suggest to remove all fonts from all projects and just use whatever fonts are available on the system, by using fontconfig to find their files, or using a font rendering system that does that automatically. When specific fonts are wanted, they should be separate projects in their own right that are pulled in by dependencies when need.

@Gregwar thanks for the URLs to the fonts. Often times the licenses listed on font sites are inaccurate, they acquire font files from anywhere and don't look at the metadata in the font nor at website or other license materials and properly record provenance, copyright and licensing, so personally I would never trust them on licensing.

If you load the fonts in FontForge, you can go to Element -> Font Info and click on each of the tabs (especially PS Names, TTF Names and FONTLOG) to find out some of the font metadata. Other font editors probably have similar tools. You can also use ttx from fonttools to convert fonts to XML and then grep that.

I've done that for each of the five fonts and this is a summary of what I found and the actions I recommend.

captcha0.ttf and captcha4.ttf are clearly well established libre font projects. These should be removed from the source repository and depended on instead, and use fontconfig to look up their paths at runtime, or use a font rendering system that does that automatically.

captcha1.ttf seems to pretty clearly be marked as GPL with font-exception and SIL OFL. The font metadata doesn't have a project URL, but the authors website https://www.peter-wiegel.de/ is mentioned, but it is in German so I can't read it to find the font project URL, font source or other info. Without info about how the font was created and thus what the font source might be, this could be a GPL or DFSG violation, so this is important to track down. It is definitely fine to redistribute and probably fine to add to Debian though.

captcha2.ttf is Copyright (c) 2010 by Svetoslav Simov. All rights reserved. and Code Bold is a trademark of Fontfabric. so it looks like this is proprietary and there is no permission to redistribute this font, so it should be removed from this project. The designer's website is http://fontfabric.com/ and this looks like a commercial font foundry, I don't see any indication they do any libre licensed fonts.

captcha3.ttf is (c) 2009, 2010, 2011, 2012 GrandChaos9000. Some Rights Reserved. and has a link to CC-BY-NC-SA 3.0 (Creative Commons Attribution Non-Commercial Share-Alike 3.0) in the license URL field. So non-commercial use is not allowed. Personally I think this makes it unsuitable for use in an open source project, since the Open Source Definition requires allowing commercial use (via the no discrimination items). The designer website was available at http://grandchaos9000.deviantart.com/ in 2014 but the account was marked as inactive in 2015 so there is no hope of relicensing this font and I suggest the font be removed from this project.

captcha5.ttf is Copyright (c)1994 STAR Retrieval Systems. All Rights Reserved. and there is no indication of any other license nor the designer or font project website. The only references to the company name I can find on the web using the search "STAR Retrieval Systems" -font give a website that doesn't connect. Given how old the copyright year is, it seems unlikely to be possible to contact them to get relicensing, but there are indications of their 2014 phone number and address on the web. Looking in the Internet Archive, I found a page mentioning their fonts http://www.starebc.com/ but it is no longer online, mentions payment for the fonts, makes available evaluation copies of the fonts, but none of the evaluation copies were archived, so we can't look at the evaluation licenses. I think there is no hope of relicensing this font and I suggest the font be removed from this project.

[pabs3]

PS: some links to Debian font policy/packaging:

https://wiki.debian.org/Fonts#Bugs
https://wiki.debian.org/Fonts/PackagingPolicy

[jnahmias]

I ended up dropping the font files from the repo/tarball and using the following patch:

--- a/src/Gregwar/Captcha/CaptchaBuilder.php
+++ b/src/Gregwar/Captcha/CaptchaBuilder.php
@@ -59,6 +59,20 @@ class CaptchaBuilder implements CaptchaB
     protected $builder;
 
     /**
+     * @var array
+     */
+    static protected $defaultFontList = array(
+        "/usr/share/fonts/opentype/cantarell/Cantarell-Regular.otf",
+        "/usr/share/fonts/truetype/lato/Lato-Medium.ttf",
+        "/usr/share/fonts/opentype/linux-libertine/LinLibertine_R.otf",
+        "/usr/share/fonts/truetype/quicksand/Quicksand-Regular.ttf",
+        "/usr/share/fonts/opentype/radisnoir/RadisSans-medium.otf",
+        "/usr/share/fonts/truetype/staypuft/StayPuft.ttf",
+        "/usr/share/fonts/truetype/summersby/summersby.ttf",
+        "/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf",
+    );
+
+    /**
      * @var bool
      */
     protected $distortion = true;
@@ -142,6 +156,9 @@ class CaptchaBuilder implements CaptchaB
         }
         
         $this->phrase = is_string($phrase) ? $phrase : $this->builder->build($phrase);
+
+        // validate fonts in default list
+        static::$defaultFontList = array_filter(static::$defaultFontList, "is_readable");
     }
 
     /**
@@ -415,7 +432,7 @@ class CaptchaBuilder implements CaptchaB
         }
 
         if ($font === null) {
-            $font = __DIR__ . '/Font/captcha'.$this->rand(0, 5).'.ttf';
+            $font = static::$defaultFontList[array_rand(static::$defaultFontList)];
         }
 
         if (empty($this->backgroundImages)) {