Caddy binary has LGPLv3 dependency

[tymonx]

Caddy binary is compiled with the ansiterm module that is licensed under LGPLv3 and is not compatible with the Apache 2.0 license.

It looks like a module dependency of dependency. Caddy is not directly using it.

This can be verified with the lichen that extracts module usage information from binaries and analyses their licenses.

This should be added in CI as a final license verification step.

The ansiterm dependency module should be removed.

[francislavoie]

You'll need to reach out to the authors of those upstream dependencies to see if they would handle it:

$ go mod why github.com/juju/ansiterm
# github.com/juju/ansiterm
github.com/caddyserver/caddy/v2/modules/caddypki
github.com/smallstep/certificates/authority
go.step.sm/cli-utils/ui
github.com/manifoldco/promptui
github.com/juju/ansiterm

We don't actually use the CLI/UI that ships with the smallstep libs, and I'm pretty sure it gets optimized out by the compiler anyway (haven't verified though). I don't think it's too much of a concern.

[mholt]

Looks like this is already being discussed upstream: manifoldco/promptui#181

[mholt]

I wonder if we temporarily put a replace in our go.mod file:

replace github.com/manifoldco/promptui => github.com/nguyer/promptui

that might solve the issue until it is fixed upstream.

[hairyhenderson]

@mholt it should work, that's essentially what flux did: https://github.com/fluxcd/flux2/pull/1811/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R42