Hi, I'm a researcher doing binary analysis work and I was running some SCA experiments on Android libraries. This repo came up in my dataset and I found some things worth flagging.
No LICENSE file in the repo, but the binaries have GPL code statically linked in — which is a bit of an awkward combination.
libffmpeg.so under app/libs/ has both x264 and FFmpeg baked in, and the FFmpeg build config string is actually embedded in the binary itself:
--enable-gpl --enable-libx264 --enable-nonfree --enable-openssl
--enable-gpl means this isn't the LGPL build of FFmpeg — it's GPL. And libx264.a under Live/libs/ is just the x264 static library directly, which is also GPL-2.0.
For reference, signature matching on libffmpeg_arm64.so came back with:
| Component | License | Matched Signatures |
|---|---|---|
| FFmpeg | LGPL/GPL | 14,022 |
| x264 | GPL-2.0 | 519 |
| OpenSSL | Apache-2.0 | 7,960 |
The practical problem is that without a license file, the repo is "all rights reserved" on paper, but the binaries are carrying GPL obligations that silently pass on to anyone who forks or ships this. Most people won't catch it.
Easiest fix is probably just adding a GPL-2.0 LICENSE file and noting somewhere in the README that the binaries are GPL — and ideally making the x264/FFmpeg build sources available to stay compliant. Happy to share more from the analysis if it helps.
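The configure-string check described in the report can be reproduced with a few lines of Python. This is an added example, not part of the original post and not the reporter's tooling; the function names and the sample bytes are constructed for illustration, and the license labels follow the precedence used by FFmpeg's `configure` script.

```python
import re

# Runs of printable ASCII, 8 bytes or longer, as the `strings` tool would report.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
FLAG = re.compile(r"--(?:enable|disable)-[A-Za-z0-9_-]+")


def extract_configure_flags(blob: bytes) -> list[str]:
    """Return the flags of the embedded string that carries the most configure flags."""
    best: list[str] = []
    for run in PRINTABLE_RUN.finditer(blob):
        flags = FLAG.findall(run.group().decode("ascii"))
        if len(flags) > len(best):
            best = flags
    return best


def ffmpeg_license(flags: list[str]) -> str:
    """Map configure flags to the license label FFmpeg's configure reports."""
    enabled = set(flags)
    gpl = "--enable-gpl" in enabled
    v3 = "--enable-version3" in enabled
    if "--enable-nonfree" in enabled:
        return "nonfree and unredistributable"
    if gpl and v3:
        return "GPL version 3 or later"
    if v3:
        return "LGPL version 3 or later"
    if gpl:
        return "GPL version 2 or later"
    return "LGPL version 2.1 or later"


# Constructed sample: a fake ELF header followed by the configuration string
# quoted in the report. Real use would read the bytes of the .so file instead.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16 + b"libavcodec\x00"
    + b"--enable-gpl --enable-libx264 --enable-nonfree --enable-openssl\x00"
    + b"\x00\x01\x02"
)

if __name__ == "__main__":
    found = extract_configure_flags(SAMPLE)
    print(found)
    print(ffmpeg_license(found))
```

To check a real library, pass the file's bytes (for example `open(path, "rb").read()`) to `extract_configure_flags` in place of `SAMPLE`.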