Define which Licences are okay to depend on

[haerdib]

We should have a list somewhere which licences are okay to depend on and which are not for the worker.
E.g.

• Apache II ✔️
• GPL 2.0 - 3.0 ❌
• GPL with linking exception ✔️
• MIT ?

[haerdib]

@Niederb probably makes sense if you do that. What do you think?

[Niederb]

I think it makes most sense to directly start using a tool to automate the process. I think we could use cargo-about (https://crates.io/crates/cargo-about) as it can check the licenses and also automatically generate a html-site with all the licenses used (which we then could attach to our releases).
Other tools:

• https://crates.io/crates/cargo-deny
• https://crates.io/crates/cargo-license

[haerdib]

I like that! But this does not include non cargo-deps such as Github Actions, correct? E.g.

worker/.github/workflows/delete-release.yml

Line 60 in 43028c6

uses: dev-drprasad/delete-tag-and-release@v0.2.0

[Niederb]

Yeah, this would not be included but I think in this case this is not so bad:

• The build scripts (and similar) are not part of a binary release. As we do not distribute we do not need to include them in the License text.
• ...but you are right for other things. For example if we have C/C++ dependencies (Intel...). Something to keep in mind.
• Depending on the repo the license file is not so important as most users will probably rely on our code directly and not in the form of a binary

[Niederb]

I did a bit of research regarding the classpath exception. It is my understanding that the classpath exception is fine for our use case in that it does not force us to license the rest of the code under GPL. In particular it does not distinguish between static and dynamic linking and does allow for both (seems to be the main difference to the LGPL). Again I'm not a lawyer...

• Text of classpath exception
  • https://www.gnu.org/software/classpath/license.html
• Relevant question
  • https://softwareengineering.stackexchange.com/questions/119436/what-does-gpl-with-classpath-exception-mean-in-practice

[haerdib]

Very cool. Thanks for the link. I think that one matters:

Here is where the Classpath Exception is invaluable. It clearly states that the code under the license is (L)GPL, but anything using that code can follow whatever license they'd like. No ifs, ands, or buts. If you change the core code (e.g. fixing bugs), you do still have to release those changes as part of the GPL. But using does NOT infect you.

[Niederb]

@haerdib Yes, I think so too.
I created now a PR in the pallets as a "demo" that we could then apply to the other repos as well. See integritee-network/pallets#98

• The build fails if there are incompatible licenses
• After the build job finished the generated license fail can be downloaded.
• If there are warnings (due to undefined licenses) the build still passes and the warnings are quite easy to overlook. I think in the long run we want a failure in case of warnings.
  • I created a feature request issue regarding a fail-on-warning option. See Return error code in case of warnings EmbarkStudios/cargo-about#203

[Niederb]

Current status:

• Pallet is done
• There is a PR for parachain
• A recent PR in substrate added more GPL-3.0 dependencies: Use array-bytes for All Array/Bytes/Hex Operations paritytech/substrate#12190
  • This is causing issues in the substrate-api-client
• There are many warnings because crates did not specify their license
• cargo-about does not mention classpath exceptions in the generated license.html
  • See Generated html report does not mention license exceptions EmbarkStudios/cargo-about#204
• The license check is slow for some reason (3 min). I'm looking into it as a "side-project" Speedup licence check pallets#102

[haerdib]

Regarding the array-bytes : Have you notified parity about this? It's still there and actually violating their Apace license.

[haerdib]

Tracking issue: paritytech/substrate#12689

[Niederb]

Yes, we had contacted parity. Anyway it seems the problem will hopefully be solved soon. Nice

[clangenb]

I will close this issue for now, I think have enough consensus about this.