BUG: GPL License Violation? #1588

Closed
philipbjorge opened this issue Dec 6, 2023 · 3 comments
Labels
pending Waiting for a response question

Comments

philipbjorge commented Dec 6, 2023

Describe the bug

We're trying to bring Neptune into our codebases and it's flagging some license violations for us.

  • Neptune (Apache 2.0)
    • bravado (BSD 3-Clause)
      • bravado-core (BSD 3-Clause)
        • jsonschema[format] (MIT)
          • rfc3987 (GPLv3)

Expected behavior

I would expect all the licenses in neptune's dependencies and transitive dependencies to be in compliance with your package's license.

I am not a lawyer, but I'm pretty sure the copyleft nature of GPL requires this package now to be GPL.

This is a downstream issue in bravado-core, but I wanted to raise awareness in case you had an easy path to exclude the bravado dependency from this package.

Yelp/bravado-core#261
Yelp/bravado-core#405

Workarounds

Untested, but I suspect we can fork bravado-core and remove the format extras in the requirements and use that.

I'm not sure if Neptune depends on any of those functionalities.

Thanks

Appreciate you looking at this issue -- I know licensing and transitive dependencies aren't the most fun :)

Contributor

Raalsky commented Dec 7, 2023

Hey @philipbjorge!

Thank you so much for raising this topic and I appreciate that you've done some research already 😉

> This is a downstream issue in bravado-core, but I wanted to raise awareness in case you had an easy path to exclude the bravado dependency from this package.

That's one of our top priorities as Bravado doesn't look to be maintained regularly for a while. Sadly there is no easy way to go without it and it will take us some time.

> I'm not sure if Neptune depends on any of those functionalities.

I've just checked that and it looks like all of our functional tests are passing without rfc* dependencies. We've been there but there are a couple of integrations that are doing deep dependency checks that were failing due to lack of jsonschema[format].

Based on all of the things above my suggestion is that you can uninstall this package on your side and there is probably no easy solution on our side to do that 😞

@SiddhantSadangi
Member

Hey @philipbjorge,
I received the below response from our legal team looking into this:

While the GPLv3 license is in fact a copyleft and requires derivative works to be licensed under the same or compatible license, its impact on Neptune is limited due to this being a license with a classpath exception. This allows commercial use and modification while ensuring the core code remains open source. It permits software to use a GPL library without absorbing the GPL's obligations, and allows commercial use.

Please let me know if this helps, or if you need further clarification 🙏

@SiddhantSadangi SiddhantSadangi added the pending Waiting for a response label Dec 8, 2023
@philipbjorge
Author

This is really helpful @SiddhantSadangi -- Thank you 👍
Will close this issue and hopefully it's helpful for someone else in the future 👍
