[gpl-dependency]Remove GPL dependencies from golangci-lint (6 GPL-licensed linters) #15048

@github-actions

Summary

The development dependency github.com/golangci/golangci-lint/v2 introduces GPL-licensed transitive dependencies that are incompatible with our MIT license. While golangci-lint itself is open-source, it bundles several linters licensed under GPL-3.0, creating license compliance risks for the project.

Dependency Chain

github.com/golangci/golangci-lint/v2 (tools.go)
  → github.com/OpenPeeDeeP/depguard/v2 (GPL-3.0)
  → github.com/ldez/structtags (GPL-3.0)
  → github.com/firefart/nonamedreturns (GPL-3.0)
  → github.com/xen0n/gosmopolitan (GPL-1.0-or-later AND GPL-3.0)
  → github.com/denis-tingaikin/go-header (GPL-3.0)
  → github.com/leonklingele/grouper (GPL-3.0)

GPL License Details

Primary GPL Dependency: depguard

Additional GPL Dependencies

  1. github.com/ldez/structtags v0.6.1 (GPL-3.0)
  2. github.com/firefart/nonamedreturns v1.0.6 (GPL-3.0)
  3. github.com/xen0n/gosmopolitan v1.3.0 (GPL-1.0-or-later AND GPL-3.0)
  4. github.com/denis-tingaikin/go-header v0.5.0 (GPL-3.0)
  5. github.com/leonklingele/grouper v1.1.2 (GPL-3.0)

Current Usage

Where It's Used

The direct dependency github.com/golangci/golangci-lint/v2 is imported in:

  • tools.go - Build-time tool dependency tracking (blank import)

Functionality Required

We use golangci-lint for:

  • Code linting with multiple linters (misspell, gomoddirectives, unconvert, testifylint)
  • Build-time code quality checks
  • CI/CD pipeline linting (make lint, make golint)
  • Development workflow linting

GPL Linters Usage Analysis

depguard linter: ❌ NOT configured or enabled in .golangci.yml

  • Purpose: Checks package imports against allowed/denied lists
  • Status: Not used by our project

Other GPL linters: ❌ NOT explicitly configured

  • These are bundled with golangci-lint but not actively enabled in our configuration

Direct GPL Usage

Analysis shows the GPL modules:

  • ❌ Are NOT directly used by our code
  • ❌ Are NOT explicitly enabled in .golangci.yml
  • ✅ Are pulled in transitively by golangci-lint
  • ⚠️ Create license compliance risk even though not actively used

Legal & Security Implications

GPL-3.0 License Restrictions

  1. Copyleft Requirements: GPL-3.0 requires derivative works to be distributed under GPL
  2. MIT Incompatibility: GPL's copyleft provisions conflict with MIT's permissive nature
  3. Distribution Risk: Binary distributions could trigger GPL obligations
  4. Dependency Contamination: GPL dependencies in build tools may affect final artifacts

Risk Assessment

Risk Level: MEDIUM-HIGH

Rationale:

  • GPL dependencies are in development toolchain (not runtime)
  • Not directly used or enabled in our configuration
  • However, bundled in binaries created by go install or go build
  • Creates potential licensing ambiguity for downstream users
  • May block enterprise adoption if license audits flag GPL in build tools

Removal/Replacement Options

Option 1: Disable GPL Linters in golangci-lint

Approach: Continue using golangci-lint but explicitly disable GPL-licensed linters

Steps:

  1. Add depguard and other GPL linters to .golangci.yml disable list
  2. Document why these linters are disabled (GPL license incompatibility)
  3. Verify GPL dependencies are not pulled into compiled binaries
  4. Update CI/CD to run without GPL linters

Complexity: Low

Breaking Changes: No - We're not using these linters currently

Pros:

  • Minimal changes to existing workflow
  • Keeps golangci-lint ecosystem
  • Clear documentation of licensing decisions

Cons:

  • Doesn't fully remove GPL from dependency tree
  • May still appear in SBOM and license audits
  • Requires ongoing vigilance as golangci-lint evolves

Option 2: Migrate to Alternative Linting Tools [RECOMMENDED]

Approach: Replace golangci-lint with MIT/Apache-licensed alternatives

Alternative Packages:

  1. staticcheck (MIT)

  2. revive (MIT)

  3. go vet (BSD-3-Clause, part of Go toolchain)

    • Built into Go standard toolchain
    • License: BSD-3-Clause
    • Coverage: Basic correctness checks

Steps:

  1. Install alternative linters: staticcheck, revive
  2. Create configuration files for each linter
  3. Update Makefile to use new linting pipeline
  4. Update CI/CD workflows
  5. Document linting strategy in CONTRIBUTING.md
  6. Remove golangci-lint from tools.go and go.mod

Complexity: Medium

Breaking Changes: No - Internal tooling change only

Pros:

  • Complete GPL removal from dependency tree
  • Clear MIT/Apache licensing for all dependencies
  • Potentially simpler configuration
  • Each linter focused on specific checks

Cons:

  • More complex linting pipeline (multiple tools)
  • Different configuration formats to maintain
  • Some linters from golangci-lint won't have direct replacements
  • Migration effort for configuration

Option 3: Use golangci-lint Binary Distribution

Approach: Use pre-built golangci-lint binaries instead of go install

Steps:

  1. Remove golangci-lint from tools.go
  2. Update Makefile to download pre-built binaries
  3. Use GitHub releases for versioned binaries
  4. Update CI/CD to use binary installation
  5. Document binary installation in DEVGUIDE.md

Complexity: Medium

Breaking Changes: No - Transparent to developers

Pros:

  • GPL dependencies not in our go.mod
  • Clean SBOM without GPL entries
  • Faster installation (pre-built binary)
  • Same golangci-lint functionality

Cons:

  • External binary dependency management
  • Platform-specific binary downloads
  • Potential security verification overhead
  • Less integration with Go module system

Option 4: Fork golangci-lint Without GPL Linters

Approach: Create a custom fork of golangci-lint excluding GPL components

Steps:

  1. Fork github.com/golangci/golangci-lint
  2. Remove GPL-licensed linter integrations
  3. Rebuild without GPL dependencies
  4. Maintain fork with upstream updates
  5. Update tools.go to use fork

Complexity: High

Breaking Changes: Potential - Fork maintenance required

Pros:

  • Complete GPL removal
  • Keep golangci-lint integration
  • Full control over linter composition

Cons:

  • High maintenance burden (fork upkeep)
  • Requires tracking upstream changes
  • Community support fragmentation
  • Not sustainable long-term

Recommended Action

Option 2: Migrate to Alternative Linting Tools (staticcheck + revive + go vet)

Priority: High

Rationale:

  1. Complete GPL Removal: Eliminates all GPL dependencies from build toolchain
  2. License Clarity: Clean MIT/Apache/BSD licensing for audits
  3. Sustainability: No ongoing GPL monitoring needed
  4. Quality: staticcheck and revive provide comprehensive coverage
  5. Ecosystem Alignment: MIT-licensed tools align with project license

Implementation Plan:

  1. Phase 1 (Week 1): Install and configure staticcheck + revive
  2. Phase 2 (Week 1): Update Makefile and CI/CD workflows
  3. Phase 3 (Week 2): Run parallel linting (golangci-lint + new tools)
  4. Phase 4 (Week 2): Verify coverage, adjust configurations
  5. Phase 5 (Week 3): Remove golangci-lint, update documentation

Testing Requirements

After implementing the chosen solution:

  1. Run new linting pipeline: make lint
  2. Verify all enabled linters execute successfully
  3. Check for GPL dependencies in SBOM: gh api repos/github/gh-aw/dependency-graph/sbom | jq '.sbom.packages[] | select(.licenseConcluded | contains("GPL"))'
  4. Validate go.mod: go mod graph | grep GPL (should be empty)
  5. Run full test suite: make test
  6. Verify CI/CD pipelines pass
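As an added example (not from this issue): `go mod graph` prints only module paths and versions, so a GPL check on the build list has to read each module's license file. The helper names (is_gpl_license, scan_module_dir, scan_go_modules) are hypothetical; the scanner walks `go list -m all` and flags any module whose LICENSE/COPYING file carries a GNU (A/L)GPL header.

```shell
#!/bin/sh
# Added example: find GPL-licensed modules in a Go build list by inspecting
# the license files in each module's directory (hypothetical helper names).

# is_gpl_license FILE -> exit 0 when the file text looks like GPL, LGPL or AGPL.
# Matching the licence title line keeps the check independent of SPDX metadata,
# which most Go modules do not carry.
is_gpl_license() {
    grep -qiE 'GNU (AFFERO |LESSER |LIBRARY )?GENERAL PUBLIC LICENSE' "$1"
}

# scan_module_dir DIR -> prints the path of the first GPL licence file found in
# DIR and exits 0; exits 1 when DIR has no GPL licence file (or no licence at all).
scan_module_dir() {
    for f in "$1"/LICENSE* "$1"/LICENCE* "$1"/COPYING* "$1"/license*; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip them
        if is_gpl_license "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# scan_go_modules -> prints one "GPL: <module> (<licence file>)" line per GPL
# module in the build list (tools.go blank imports put linters into that list).
# Run `go mod download` first so every module has a directory in the cache.
scan_go_modules() {
    go list -m -f '{{if not .Main}}{{.Path}} {{.Dir}}{{end}}' all |
    while read -r path dir; do
        [ -n "$dir" ] || continue        # main module line is empty; undownloaded modules have no Dir
        if lic=$(scan_module_dir "$dir"); then
            printf 'GPL: %s (%s)\n' "$path" "$lic"
        fi
    done
}
```

In a Makefile or CI job, fail the step when the scan prints anything: `! scan_go_modules | grep -q .`.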

Research Links

Additional Notes

  • golangci-lint v2.8.0 is being used (check for newer versions with better licensing)
  • The GPL linters are not actively used but appear in dependency graph
  • Enterprise adoption may be blocked by GPL in build toolchain
  • Consider license scanning in CI/CD to prevent future GPL introductions
  • Document linting strategy clearly for contributors

License Compliance Priority - This issue affects our ability to maintain clear MIT licensing and may impact enterprise adoption.

AI generated by GPL Dependency Cleaner (gpclean)

  • expires on Feb 14, 2026, 12:41 AM UTC
