Closed illfang closed 5 years ago
Hi @illfang, thanks for reaching out!
I see that chardet
is indeed an indirect dependency of our SDK, through the requests
package, which is probably one of the most popular python libraries.
Please forgive my lack of knowledge about LGPL, but one description of the license says:
This license mainly applies to libraries. You may copy, distribute and modify the software provided that you state modifications and license them under LGPL-2.1. Anything statically linked to the library can only be redistributed under LGPL, but applications that use the library don't have to be. You must allow reverse engineering of your application as necessary to debug and relink the library.
I do not see a problem since technically we are not distributing nor modifying the chardet
package; the users of our SDK are installing that dependency directly from Pypi. In addition, if you are writing an application, this license also doesn't seem to affect you.
This is really outside my area of expertise, so if you are sure that there is a problem, I can definitely escalate this issue to our legal department to double-check. Would you like me to do that?
@zezha-msft thank you for your fast response.
I believe, you are correct when saying that there is no problem for the SDK itself as the SDK is not distributing nor modifying chardet. The same arguments are used by the requests library maintainers to explain why their usage of chardet in the Apache licensed requests library is allowed. https://github.com/requests/requests/issues/3389#issuecomment-396642172
I'm not a lwayer but in my understanding, the problem starts for users of the Azure SDK (or requests library in general).
Imagine a company includes the SDK in their software which is then redistributed to their clients as a bundled application. This means they are also redistributing chardet in this case which would then fall under the LGPL license. (e.g. https://github.com/requests/requests/issues/3389#issuecomment-279252910 )
As said previously, I'm not a lawyer. This is just my understanding of the LGPL.
Hi @illfang, I understand your concern.
I will raise your issue with our legal team and get back to you as soon as possible.
We're still investigating. However looking at the terms at https://github.com/chardet/chardet/blob/master/LICENSE, I see that redistribution is possible as long as you keep your source open and do not make any modifications and disclose chardet's license with your application. If you make modifications, you MUST also license your application under LGPL. I think this is good for most scenarios.
Could you tell a little about your scenario ? Do you have a need where you need to make your application closed source and redistribute including the chardet dependency files in your application ?
Thank you for your investigation. In our scenario we are thinking of a closed source client application distributed in a bundle to customers which allows the interaction with the Azure Blob Storage.
Hi @illfang, here is an update:
Our legal team has asserted that the Python Storage SDK is compliant with its own MIT license and the LGPL license of chardet
, since we do not modify nor distribute the package chardet
, which is an indirect dependency.
Unfortunately we cannot provide legal advise on such usage by you. You need to consult your own attorneys. You'll need to decide if you want to use chardet
or not based on the licensing model and distribution method that you are using.
@zezha-msft I can understand your point of view on this issue. However, to be fair to the users of the storage library you should consider adding a NOTICE file pointing out, that this MIT licensed library will introduce LGPL licensed libraries as well.
@illfang thanks for your understanding! And thanks for your advice. I'll sync up with our legal team to see if it's appropriate to put a notice file in the repo. 👍
Which service(blob, file, queue) does this issue concern?
blob
Which version of the SDK was used? Please provide the output of
pip freeze
.What problem was encountered?
Installing azure-storage-blob library introduces a dependency to a LGPL library which infects any solution using the Azure Storage Library for Python. Furthermore, there is no documentation whatsoever in the Azure Storage Library, that it relies on LGPL licensed software which is an important aspect that should not be hidden.
Details:
https://github.com/Azure/azure-storage-python/blob/master/requirements.txt#L3
https://github.com/requests/requests/blob/master/setup.py#L51
To summarize this dependency chain:
Azure Storage Python
->Requests >= 2.9.2
->chardet>=3.0.2,<3.1.0
Chardet License: https://github.com/chardet/chardet/blob/master/LICENSE
Have you found a mitigation/solution?
Mocking away chardet installing azure blob without dependencies and manually add required dependencies by hand. Not a good solution.