Re: AW: [QUESTION] Handling of licensing issues for dependencies of dependencies

2024-01-10 Thread Riley Kuttruff
Thanks Justin, Chris!

I've been experimenting with trying to avoid the installation of the GPL 
package, and for the main dependency, it seems to not be causing any loss of 
functionality, though we will have to tweak how we install that dependency. As 
I understand it, though, it would be acceptable for this GPL package to be 
installed as an extra that's not required for the core release/functionality?

Thanks,
Riley

On 2024/01/10 07:33:41 Christofer Dutz wrote:
> You might be lucky, and this third-party dependency might be pulled in, but 
> not be required to use the parts of the library you are using in your 
> project. In that case a simple “exclusion” could solve the problem.
> 
> However, if it’s an essential part of the functionality, I agree with Justin 
> … you might need to replace that library.
> 
> Also, possibly worth reporting an issue with the library using it to possibly 
> replace it with something else, because technically licenses such as GPL are 
> infectious. If I depend on a GPL library, I can call it “Apache” as much as I 
> like, technically it’s also GPL (I hope that’s correct)
> 
> Chris
> 
> 
> From: Justin Mclean 
> Date: Wednesday, 10 January 2024 at 01:26
> To: incubator general apache 
> Subject: Re: [QUESTION] Handling of licensing issues for dependencies of 
> dependencies
> Hi,
> 
> > I was performing a more thorough check of our dependencies in preparation 
> > of opening graduation discussions with the Incubator PMC and found at least 
> > one package that, while not directly used in the code, is installed as a 
> > dependency of multiple top-level dependencies that is LGPL licensed. The 
> > dependencies that rely on this are themselves not a license issue (BSD-3 & 
> > MIT licenses). How is this situation usually handled?
> 
> You will need to remove or replace that dependency.
> 
> > I also found a package that has a license that isn't listed on the 3rd 
> > party licenses page: HPND [1][2] which, from what I can tell, is similar to 
> > the BSD-3 or MIT licenses, though I just wanted to double-check on that...
> 
> HPND looks fine to me, as it could be treated as a BSD-like or MIT-like 
> license, depending on what parts you include.
> 
> Kind Regards,
> Justin
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> 




AW: [QUESTION] Handling of licensing issues for dependencies of dependencies

2024-01-09 Thread Christofer Dutz
You might be lucky, and this third-party dependency might be pulled in, but not 
be required to use the parts of the library you are using in your project. In 
that case a simple “exclusion” could solve the problem.

However, if it’s an essential part of the functionality, I agree with Justin … 
you might need to replace that library.

Also, possibly worth reporting an issue with the library using it to possibly 
replace it with something else, because technically licenses such as GPL are 
infectious. If I depend on a GPL library, I can call it “Apache” as much as I 
like, technically it’s also GPL (I hope that’s correct)

Chris


From: Justin Mclean 
Date: Wednesday, 10 January 2024 at 01:26
To: incubator general apache 
Subject: Re: [QUESTION] Handling of licensing issues for dependencies of 
dependencies
Hi,

> I was performing a more thorough check of our dependencies in preparation of 
> opening graduation discussions with the Incubator PMC and found at least one 
> package that, while not directly used in the code, is installed as a 
> dependency of multiple top-level dependencies that is LGPL licensed. The 
> dependencies that rely on this are themselves not a license issue (BSD-3 & 
> MIT licenses). How is this situation usually handled?

You will need to remove or replace that dependency.

> I also found a package that has a license that isn't listed on the 3rd party 
> licenses page: HPND [1][2] which, from what I can tell, is similar to the 
> BSD-3 or MIT licenses, though I just wanted to double-check on that...

HPND looks fine to me, as it could be treated as a BSD-like or MIT-like 
license, depending on what parts you include.

Kind Regards,
Justin


Re: [QUESTION] Handling of licensing issues for dependencies of dependencies

2024-01-09 Thread Justin Mclean
Hi,

> I was performing a more thorough check of our dependencies in preparation of 
> opening graduation discussions with the Incubator PMC and found at least one 
> package that, while not directly used in the code, is installed as a 
> dependency of multiple top-level dependencies that is LGPL licensed. The 
> dependencies that rely on this are themselves not a license issue (BSD-3 & 
> MIT licenses). How is this situation usually handled?

You will need to remove or replace that dependency. 

> I also found a package that has a license that isn't listed on the 3rd party 
> licenses page: HPND [1][2] which, from what I can tell, is similar to the 
> BSD-3 or MIT licenses, though I just wanted to double-check on that...

HPND looks fine to me, as it could be treated as a BSD-like or MIT-like 
license, depending on what parts you include.

Kind Regards,
Justin



[QUESTION] Handling of licensing issues for dependencies of dependencies

2024-01-09 Thread Riley Kuttruff
I was performing a more thorough check of our dependencies in preparation of 
opening graduation discussions with the Incubator PMC and found at least one 
package that, while not directly used in the code, is installed as a dependency 
of multiple top-level dependencies that is LGPL licensed. The dependencies that 
rely on this are themselves not a license issue (BSD-3 & MIT licenses). How is 
this situation usually handled?

I also found a package that has a license that isn't listed on the 3rd party 
licenses page: HPND [1][2] which, from what I can tell, is similar to the BSD-3 
or MIT licenses, though I just wanted to double-check on that...

[1] https://github.com/python-pillow/Pillow/blob/main/LICENSE
[2] https://en.wikipedia.org/wiki/Historical_Permission_Notice_and_Disclaimer
