Hey Justin, Ash,

I see the point of X-rated software, but I concur with Ash on that one, especially as the LGPL licence specifically allows one to use the library without modifications and not be bound by the copy-left clauses of the GPL.

Shall we raise this point to [email protected] ?

J,

On Wed, Apr 21, 2021 at 12:40 PM Ash Berlin-Taylor <[email protected]> wrote:

> Hmmm, curious.
>
> The dep in question is chardet, which is being pulled in from the "requests" direct dependency.
>
> However the LGPL dep is not new, and has been in requests since 2017 https://github.com/psf/requests/commit/1ea27b35649571abb796f7cffbab83938d882a8d -- released mid 20187
>
> Airflow graduated in Jan 2019 -- I don't recall us discussing this issue at graduation, nor in any of the previous incubator releases, so I guess this got missed then, as we have depended upon "requests" for a while. The view of the requests team is this
>
> https://github.com/psf/requests/issues/3389#issuecomment-396642172
>
> As stated above, none of the maintainers are lawyers, but our usages have been approved by legal teams well-versed in software licensing. I *believe* the specific clause that is worth noting is LGPL2.1 § 5 <https://opensource.org/licenses/LGPL-2.1>:
>
> A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
>
> *@Justin* Does the ASF disagree with this statement?
>
> And for us it's even worse. Here is everything that depends on chardet. (Many of these deps are already optional extras in Airflow)
>
> The tricky one here is connexion which powers our API, and that depends upon requests -- that is not going to be an easy dep to replace, so we'll have to ask connexion to make that dep optional. (However there haven't been any commits to that project since Aug 2020, so I'm not all that hopeful about getting a PR accepted).
>
> (And none of this helps Liminal while they are pinned to Airflow 1.10.12)
>
> Our reverse deptree of chardet.
>
> chardet==3.0.4
>   - requests==2.23.0 [requires: chardet>=3.0.2,<4]
>     - apache-airflow==2.1.0.dev0 [requires: requests>=2.20.0]
>       - apache-airflow-providers-ftp==1.0.0 [requires: apache-airflow>=2.0.0a0]
>       - apache-airflow-providers-google==2.0.0 [requires: apache-airflow>=2.0.0]
>       - apache-airflow-providers-http==1.0.0 [requires: apache-airflow>=2.0.0a0]
>       - apache-airflow-providers-imap==1.0.0 [requires: apache-airflow>=2.0.0a0]
>       - apache-airflow-providers-sqlite==1.0.0 [requires: apache-airflow>=2.0.0a0]
>     - connexion==2.7.0 [requires: requests>=2.9.1]
>       - apache-airflow==2.1.0.dev0 [requires: connexion>=2.6.0,<3]
>         - apache-airflow-providers-ftp==1.0.0 [requires: apache-airflow>=2.0.0a0]
>         - apache-airflow-providers-google==2.0.0 [requires: apache-airflow>=2.0.0]
>         - apache-airflow-providers-http==1.0.0 [requires: apache-airflow>=2.0.0a0]
>         - apache-airflow-providers-imap==1.0.0 [requires: apache-airflow>=2.0.0a0]
>         - apache-airflow-providers-sqlite==1.0.0 [requires: apache-airflow>=2.0.0a0]
>     - docker==4.1.0 [requires: requests>=2.14.2,!=2.18.0]
>       - moto==1.3.14 [requires: docker>=2.5.1]
>     - github3.py==1.3.0 [requires: requests>=2.18]
>     - google-api-core==1.26.0 [requires: requests>=2.18.0,<3.0.0dev]
>       ... lots of sub-modules trimmed here
>     - hvac==0.10.0 [requires: requests>=2.21.0]
>     - jira==2.0.0 [requires: requests>=2.10.0]
>     - kubernetes==11.0.0 [requires: requests]
>     - moto==1.3.14 [requires: requests>=2.5]
>     - PyGithub==1.53 [requires: requests>=2.14.0]
>     - pywinrm==0.4.1 [requires: requests>=2.9.1]
>     - qds-sdk==1.13.2 [requires: requests>=1.0.3]
>     - requests-kerberos==0.12.0 [requires: requests>=1.1.0]
>     - requests-mock==1.7.0 [requires: requests>=2.3,<3]
>     - requests-ntlm==1.1.0 [requires: requests>=2.0.0]
>       - pywinrm==0.4.1 [requires: requests-ntlm>=0.3.0]
>     - requests-oauthlib==1.1.0 [requires: requests>=2.0.0]
>       - google-auth-oauthlib==0.4.1 [requires: requests-oauthlib>=0.7.0]
>         - google-ads==7.0.0 [requires: google-auth-oauthlib>=0.3.0,<1.0.0]
>           - apache-airflow-providers-google==2.0.0 [requires: google-ads>=4.0.0,<8.0.0]
>         - pandas-gbq==0.13.1 [requires: google-auth-oauthlib]
>           - apache-airflow-providers-google==2.0.0 [requires: pandas-gbq]
>         - pydata-google-auth==0.3.0 [requires: google-auth-oauthlib]
>           - pandas-gbq==0.13.1 [requires: pydata-google-auth]
>             - apache-airflow-providers-google==2.0.0 [requires: pandas-gbq]
>       - jira==2.0.0 [requires: requests-oauthlib>=0.6.1]
>       - kubernetes==11.0.0 [requires: requests-oauthlib]
>     - requests-toolbelt==0.9.1 [requires: requests>=2.0.1,<3.0.0]
>       - jira==2.0.0 [requires: requests-toolbelt]
>       - twine==3.1.1 [requires: requests-toolbelt>=0.8.0,!=0.9.0]
>     - responses==0.10.9 [requires: requests>=2.0]
>       - moto==1.3.14 [requires: responses>=0.9.0]
>     - snooty-lextudio==1.8.7.dev0 [requires: requests~=2.24.0]
>     - Sphinx==3.5.4 [requires: requests>=2.5.0]
>       - sphinx-airflow-theme==0.0.4 [requires: sphinx]
>       - sphinx-argparse==0.2.5 [requires: sphinx>=1.2.0]
>       - sphinx-autoapi==1.0.0 [requires: sphinx>=1.6]
>       - sphinx-copybutton==0.3.1 [requires: sphinx>=1.8]
>       - sphinx-rtd-theme==0.4.3 [requires: sphinx]
>       - sphinxcontrib-dotnetdomain==0.4 [requires: Sphinx>=0.6]
>         - sphinx-autoapi==1.0.0 [requires: sphinxcontrib-dotnetdomain]
>       - sphinxcontrib-golangdomain==0.2.0.dev0 [requires: Sphinx>=1.0]
>         - sphinx-autoapi==1.0.0 [requires: sphinxcontrib-golangdomain]
>       - sphinxcontrib-httpdomain==1.8.0 [requires: Sphinx>=1.6]
>       - sphinxcontrib-redoc==1.6.0 [requires: sphinx>=1.5]
>       - sphinxcontrib-spelling==5.2.1 [requires: Sphinx>=3.0.0]
>     - twine==3.1.1 [requires: requests>=2.20]
>     - zdesk==2.7.1 [requires: requests]
>
> -ash
>
> On Wed, 21 Apr, 2021 at 09:38, Justin Mclean <[email protected]> wrote:
>
> > Hi,
> >
> > It's been noticed in the Incubator that this project may include a Category X licensed dependency. [1] Do you have any advice to solve or correct this situation?
> >
> > Thanks,
> > Justin
> >
> > 1. https://lists.apache.org/thread.html/rf278b1e3c813b74d156f30570c897a6792e817e3eeb7eeb8522acf6d%40%3Cgeneral.incubator.apache.org%3E

--
+48 660 796 129
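
Added example, not part of the original thread: one way to recompute the chains by which a root package pulls in an LGPL-licensed dependency such as chardet, using only the standard library. The function names and the licence strings in `SAMPLE` are assumptions made for illustration; the edges in `SAMPLE` are taken from the reverse deptree quoted above.

```python
import re
from importlib import metadata

COPYLEFT = re.compile(r"\b[AL]?GPL", re.I)  # matches GPL, LGPL and AGPL licence strings

def canon(name):  # PEP 503 project-name normalisation
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """Build {name: (licence, {required names})} from the active environment."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue
        # Requirements guarded by an "extra == ..." marker are not installed by default.
        reqs = {canon(re.split(r"[^A-Za-z0-9._-]", r, maxsplit=1)[0])
                for r in dist.requires or [] if not re.search(r"extra\s*==", r)}
        graph[canon(name)] = (dist.metadata.get("License") or "", reqs)
    return graph

def flagged(graph):
    """Names whose declared licence string looks like a GPL-family licence."""
    return sorted(n for n, (lic, _) in graph.items() if COPYLEFT.search(lic))

def chains_to(graph, root, target):
    """Every dependency chain root -> ... -> target, with cycles skipped."""
    target, found = canon(target), []
    def walk(node, chain):
        if node in chain:  # cycle guard
            return
        chain = chain + [node]
        if node == target:
            found.append(chain)
            return
        for dep in sorted(graph.get(node, ("", set()))[1]):
            walk(dep, chain)
    walk(canon(root), [])
    return found

# Constructed sample: edges from the tree in the thread, licence strings assumed.
SAMPLE = {
    "apache-airflow": ("Apache-2.0", {"requests", "connexion"}),
    "connexion": ("Apache-2.0", {"requests"}),
    "requests": ("Apache-2.0", {"chardet"}),
    "chardet": ("LGPL", set()),
}

if __name__ == "__main__":  # pass installed_graph() instead of SAMPLE on a real environment
    for chain in chains_to(SAMPLE, "apache-airflow", "chardet"):
        print(" -> ".join(chain))
```

On the sample this reports both the direct `requests` chain and the one through `connexion`, which is why making chardet optional in Airflow alone would not remove it.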
