Add license check with cargo-about#145
Conversation
| "ISC", | ||
| "OpenSSL", | ||
| "Unicode-DFS-2016", | ||
| "GPL-3.0 WITH Classpath-exception-2.0", |
There was a problem hiding this comment.
For the future generation using these libraries, I think it would be very helpful to document somewhere why some libraries are okay and some not. E.g. in the parachain it's because everything is GPL3.0 licensed. But for example, here in the node here GPL-3.0 WITH Classpath-exception-2.0 is accepted, whereas it is not in the pallets (https://github.com/integritee-network/pallets/blob/master/about.toml). Why?
There was a problem hiding this comment.
I only added the licenses that are currently needed. The GPL-3.0 WITH Classpath-exception-2.0 is not needed for the pallets. So if a license is not listed it is does not mean that it is not allowed. I think it makes sense to list only the ones we need, otherwise the list can grow very long and I'm not sure we gain much by keeping the list "synchronized" between repos.
There was a problem hiding this comment.
@clangenb With public docs you mean the book? I think it makes sense to talk about licensing there, but I'm not quite sure how exhaustive it should be. Probably the license we defined for each of the relevant repos (parachain, pallets, worker) that we "guarantee" so that customers can rely on that?
There was a problem hiding this comment.
Yes, exactly this is what I mean. I think it suffices to only briefly mention the licence for each of the repos. Or actually, we might just want to add it to the README of the respective repo? This is probably how it is usually done.
There was a problem hiding this comment.
I think it should also be in the repo for sure. Usually it is in the LICENSE file that Github (and other tools) pick up for displaying on the right. I think we already have that in place.
A section in the book would IMHO more be for convenience/overview for customers
There was a problem hiding this comment.
I don't mean we should synchronize them, but it will confuse and lead to insecurities. Like, maybe there was a special reason why GPL-with-classpath exception is not allowed in the pallets? I'd not be able to answer that question. So having a place where it is documented what theoretically is acceptable, would probably save time in the future.
There was a problem hiding this comment.
I see what you mean and I think we could add some statement that we consider it acceptable to link against GPL-3.0 WITH Classpath-exception-2.0 in an Apache-2.0 project but I have some caveats:
- Licensing is complicated and I think it makes most sense to decide on a case-by-case basis. It is really difficult to make general statements. For example copying code under
GPL-3.0 WITH Classpath-exception-2.0and pasting it again into our repo is again not ok. At least to my understanding. - There are so many open-source licenses that it is not really possible to make an exhaustive list
- I'm not a lawyer and I'm not really comfortable to make statements about what is legal.
There was a problem hiding this comment.
I believe @clangenb should decide what do to here, as it's very future related
There was a problem hiding this comment.
To sum up, I also think it is acceptable to link against GPL-3.0 WITH Classpath-exception-2.0, but I don't think we need to do any statement about it. We could add it in the pallets IMO, but I don't have a strong opinion here.
3 participants
Uh oh!
There was an error while loading. Please reload this page.