Hmmm, curious.
The dep in question is chardet, which is being pulled in from the
"requests" direct dependency.
However the LGPL dep is not new, and has been in requests since 2017
<https://github.com/psf/requests/commit/1ea27b35649571abb796f7cffbab83938d882a8d>
-- released mid 20187
Airflow graduated in Jan 2019 -- I don't recall us discussing this
issue at graduation, nor in any of the previous incubator releases, so
I guess this got missed then, as we have depended upon "requests" for a
while. The view of the requests team is this
<https://github.com/psf/requests/issues/3389#issuecomment-396642172>
As stated above, none of the maintainers are lawyers, but our usages
have been approved by legal teams well-versed in software licensing.
I /believe/ the specific clause that is worth noting is LGPL2.1 § 5
<https://opensource.org/licenses/LGPL-2.1>:
A program that contains no derivative of any portion of the Library,
but is designed to work with the Library by being compiled or linked
with it, is called a "work that uses the Library". Such a work, in
isolation, is not a derivative work of the Library, and therefore
falls outside the scope of this License.
*@Justin* Does the ASF disagree with this statement?
And for us it's even worse. Here is everything that depends on chardet.
(Many of these deps are already optional extras in Airflow)
The tricky one here is connexion which powers our API, and that depends
upon requests -- that is not going to be an easy dep to replace, so
we'll have to ask connexion to make that dep optional. (However there
haven't been any commits to that project since Aug 2020, so I'm not all
that hopeful about getting a PR accepted).
(And none of this helps Liminal while they are pinned to Airflow
1.10.12)
Our reverse deptree of chardet.
chardet==3.0.4
  - requests==2.23.0 [requires: chardet>=3.0.2,<4]
    - apache-airflow==2.1.0.dev0 [requires: requests>=2.20.0]
      - apache-airflow-providers-ftp==1.0.0 [requires: apache-airflow>=2.0.0a0]
      - apache-airflow-providers-google==2.0.0 [requires: apache-airflow>=2.0.0]
      - apache-airflow-providers-http==1.0.0 [requires: apache-airflow>=2.0.0a0]
      - apache-airflow-providers-imap==1.0.0 [requires: apache-airflow>=2.0.0a0]
      - apache-airflow-providers-sqlite==1.0.0 [requires: apache-airflow>=2.0.0a0]
    - connexion==2.7.0 [requires: requests>=2.9.1]
      - apache-airflow==2.1.0.dev0 [requires: connexion>=2.6.0,<3]
        - apache-airflow-providers-ftp==1.0.0 [requires: apache-airflow>=2.0.0a0]
        - apache-airflow-providers-google==2.0.0 [requires: apache-airflow>=2.0.0]
        - apache-airflow-providers-http==1.0.0 [requires: apache-airflow>=2.0.0a0]
        - apache-airflow-providers-imap==1.0.0 [requires: apache-airflow>=2.0.0a0]
        - apache-airflow-providers-sqlite==1.0.0 [requires: apache-airflow>=2.0.0a0]
    - docker==4.1.0 [requires: requests>=2.14.2,!=2.18.0]
      - moto==1.3.14 [requires: docker>=2.5.1]
    - github3.py==1.3.0 [requires: requests>=2.18]
    - google-api-core==1.26.0 [requires: requests>=2.18.0,<3.0.0dev]
      ... lots of sub-modules trimmed here
    - hvac==0.10.0 [requires: requests>=2.21.0]
    - jira==2.0.0 [requires: requests>=2.10.0]
    - kubernetes==11.0.0 [requires: requests]
    - moto==1.3.14 [requires: requests>=2.5]
    - PyGithub==1.53 [requires: requests>=2.14.0]
    - pywinrm==0.4.1 [requires: requests>=2.9.1]
    - qds-sdk==1.13.2 [requires: requests>=1.0.3]
    - requests-kerberos==0.12.0 [requires: requests>=1.1.0]
    - requests-mock==1.7.0 [requires: requests>=2.3,<3]
    - requests-ntlm==1.1.0 [requires: requests>=2.0.0]
      - pywinrm==0.4.1 [requires: requests-ntlm>=0.3.0]
    - requests-oauthlib==1.1.0 [requires: requests>=2.0.0]
      - google-auth-oauthlib==0.4.1 [requires: requests-oauthlib>=0.7.0]
        - google-ads==7.0.0 [requires: google-auth-oauthlib>=0.3.0,<1.0.0]
          - apache-airflow-providers-google==2.0.0 [requires: google-ads>=4.0.0,<8.0.0]
        - pandas-gbq==0.13.1 [requires: google-auth-oauthlib]
          - apache-airflow-providers-google==2.0.0 [requires: pandas-gbq]
        - pydata-google-auth==0.3.0 [requires: google-auth-oauthlib]
          - pandas-gbq==0.13.1 [requires: pydata-google-auth]
            - apache-airflow-providers-google==2.0.0 [requires: pandas-gbq]
      - jira==2.0.0 [requires: requests-oauthlib>=0.6.1]
      - kubernetes==11.0.0 [requires: requests-oauthlib]
    - requests-toolbelt==0.9.1 [requires: requests>=2.0.1,<3.0.0]
      - jira==2.0.0 [requires: requests-toolbelt]
      - twine==3.1.1 [requires: requests-toolbelt>=0.8.0,!=0.9.0]
    - responses==0.10.9 [requires: requests>=2.0]
      - moto==1.3.14 [requires: responses>=0.9.0]
    - snooty-lextudio==1.8.7.dev0 [requires: requests~=2.24.0]
    - Sphinx==3.5.4 [requires: requests>=2.5.0]
      - sphinx-airflow-theme==0.0.4 [requires: sphinx]
      - sphinx-argparse==0.2.5 [requires: sphinx>=1.2.0]
      - sphinx-autoapi==1.0.0 [requires: sphinx>=1.6]
      - sphinx-copybutton==0.3.1 [requires: sphinx>=1.8]
      - sphinx-rtd-theme==0.4.3 [requires: sphinx]
      - sphinxcontrib-dotnetdomain==0.4 [requires: Sphinx>=0.6]
        - sphinx-autoapi==1.0.0 [requires: sphinxcontrib-dotnetdomain]
      - sphinxcontrib-golangdomain==0.2.0.dev0 [requires: Sphinx>=1.0]
        - sphinx-autoapi==1.0.0 [requires: sphinxcontrib-golangdomain]
      - sphinxcontrib-httpdomain==1.8.0 [requires: Sphinx>=1.6]
      - sphinxcontrib-redoc==1.6.0 [requires: sphinx>=1.5]
      - sphinxcontrib-spelling==5.2.1 [requires: Sphinx>=3.0.0]
    - twine==3.1.1 [requires: requests>=2.20]
    - zdesk==2.7.1 [requires: requests]
-ash
On Wed, 21 Apr, 2021 at 09:38, Justin Mclean <[email protected]> wrote:
Hi,
It's been noticed in the Incubator that this project may include a
Category X licensed dependency. [1] Do you have any advice to solve
or correct this situation?
Thanks,
Justin
1.
<https://lists.apache.org/thread.html/rf278b1e3c813b74d156f30570c897a6792e817e3eeb7eeb8522acf6d%40%3Cgeneral.incubator.apache.org%3E>