MPL 2.0, cacert.pem, certdata.txt, and UE

I’ve seen two responses (a, b) from @atypic re: MPL 2.0 and the UE EULA, but they appear to be from older versions, so I’ll ask anew.

I’m trying to make my understanding from those earlier threads consistent with the certificate data in UE itself; this is not a question about MPL 2.0-covered work licensees might add to their product or to a private fork of UE. Additionally, I’d like to make sure we’re following the part of the UE EULA about avoiding “authorized use of unmodified Engine Code or Content originally provided to you by Epic under this Agreement.”

For example, in a UE 4.15.1 install from EGL, it appears there’s certificate data in /Engine/Content/Certificates/ThirdParty/cacert.pem, with the MPL 2.0 discussed in /Engine/Content/Certificates/ThirdParty/cacert.pem.tps . Or alternatively see, for example, the certdata.txt section notice in Robo Recall (which I’m assuming from the comments in cacert.pem, but cannot be certain, is referring to this same data).

So what’s the current approach about certdata.txt/cacert.pem and distributing UE apps?

  • We can only distribute the cacert.pem from UE if it is in a separate file?
  • … But we can’t distribute it in a packaged form like a UE .pak file made for shipping apps, or in an iOS .ipa package, etc. and we need to somehow exclude that file?
  • What’s the specific Source Code Form (ex. specific revision of certdata.txt) for the cacert.pem files in UE - or is it just the URL listed in the comments therein, which appears to point to the always latest version of certdata.txt?

Thanks!

Epic avoids MPL2 for a few reasons, and we don’t recommend it for licensees. But it’s not per se a Non-Compatible License under the UE EULA. In this case, the substance of the cerdata file is pretty innocuous - a series of certificate keys. For that reason, the patent suit provisions of MPL2 are very unlikely to be a concern.

To answer your questions, there is no prohibition from Epic on your re-use of those files. You should comply with the terms of the MPL2 license if you do so. Since I’m not your lawyer, I want to be careful about providing you legal advice about how to do that.

I think, on reflection, we will be updating our Robo Recall notice to also point to where the “source” form of the “code” can be obtained via a link.

Hmm - let me ask a different way. IIUC, the certdata.txt that cacert.pem is created from is under MPL 2.0 from the mozilla project. I understand you can’t advise about whatever license a third-party may be offering to us, but with regards to Epic distributing cacert.pem (not certdata.txt) to us:
Is Epic licensing cacert.pem to us as Source Code Form under the MPL 2.0 sec 3.1, and/or is Epic licensing cacert.pem to us as Executable Form but under the UE EULA (see: MPL 2.0 sec 3.2.b), and/or is Epic licensing cacert.pem as part of the ‘Larger Work’ UE under the UE EULA (see MPL 2.0 sec 3.3)? Or has Epic not contributed anything to cacert.pem, and we only have to follow the rules of whatever third-party owns certdata.txt?

Within the engine, we’re licensing to you both in Source Code and Executable Form (because we provide both). But in either case it’s part of a Larger Work, which is Unreal Engine.