You might be lucky, and this third-party dependency might be pulled in, but not 
be required to use the parts of the library you are using in your project. In 
that case a simple “exclusion” could solve the problem.

However, if it’s an essential part of the functionality, I agree with Justin … 
you might need to replace that library.

Also, possibly worth reporting an issue with the library using it to possibly 
replace it with something else, because technically licenses such as GPL are 
infectious. If I depend on a GPL library, I can call it “Apache” as much as I 
like, technically it’s also GPL (I hope that’s correct)

Chris


From: Justin Mclean <jus...@classsoftware.com>
Date: Wednesday, 10 January 2024 at 01:26
To: incubator general apache <general@incubator.apache.org>
Subject: Re: [QUESTION] Handling of licensing issues for dependencies of 
dependencies
Hi,

> I was performing a more thorough check of our dependencies in preparation of 
> opening graduation discussions with the Incubator PMC and found at least one 
> package that, while not directly used in the code, is installed as a 
> dependency of multiple top-level dependencies that is LGPL licensed. The 
> dependencies that rely on this are themselves not a license issue (BSD-3 & 
> MIT licenses). How is this situation usually handled?

You will need to remove or replace that dependency.

> I also found a package that has a license that isn't listed on the 3rd party 
> licenses page: HPND [1][2] which, from what I can tell, is similar to the 
> BSD-3 or MIT licenses, though I just wanted to double-check on that...

HPND looks fine to me, as it could be treated as a BSD-like or MIT-like 
license, depending on what parts you include.

Kind Regards,
Justin
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
