LemmyNet / activitypub-federation-rust

High-level Rust library for the Activitypub protocol
GNU Affero General Public License v3.0

[Bug]: Incompatible licenses #57

Closed CyberTailor closed 1 year ago

CyberTailor commented 1 year ago

Requirements

Summary

http-signature-normalization-0.6.0.crate is licensed under CSL, which is incompatible with GPL licenses.

See: https://lynnesbian.space/csl/

This issue prevents packaging Lemmy.

Steps to Reproduce

None

Technical Details

None

Version

0.18.0

Lemmy Instance URL

No response

CyberTailor commented 1 year ago

If you drop all 0.6.0 dependencies, the issue will be fixed. Version 0.7.0 is licensed under AGPL.

CyberTailor commented 1 year ago

Same with http-signature-normalization-actix-0.6.2.crate

pijuszczyk commented 1 year ago

http-signature-normalization-0.6.0.crate seems to be a dependency of http-signature-normalization-actix-0.6.2.crate so upgrading the latter should suffice.

Regarding license compatibility, what I've discovered when having a look at this issue is that there was a special case for Lemmy documented on the package's page:

Http Signature Normalization Actix is currently licensed under the AGPL to the Lemmy project, found at github.com/LemmyNet/lemmy

(source: https://crates.io/crates/http-signature-normalization-actix/0.6.2)

So actually it's all compatible, though I suspect automated tools may generate problems because of that situation. To avoid further confusion regarding the license and to keep up-to-date, I created a pull request with the package upgrade: https://github.com/LemmyNet/lemmy/pull/3458

Nutomic commented 1 year ago

I moved the issue because this library is not required directly by Lemmy anymore. It's still used by the activitypub-federation library which Lemmy uses. However according to the git repo, at least the latest version is licensed under AGPL.

pijuszczyk commented 1 year ago

From the Cargo.toml, the activitypub-federation library depends on http-signature-normalization-reqwest 0.8.0 and http-signature-normalization 0.7.0, which are both at the latest available version, licensed under AGPL. So there's nothing to be done except for removing the dependency from the lemmy repo.
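
Added example, not part of the thread and not code from the Lemmy project: a Python sketch that reads a Cargo.lock and lists every dependency chain that pulls in one specific crate version, which is the check behind the observation that 0.6.0 arrives only through the actix 0.6.2 crate. The lock excerpt is constructed, and `example-app` and `example-federation-lib` are hypothetical package names.

```python
import re

# Constructed Cargo.lock excerpt; the two example-* packages are hypothetical.
LOCK = """
[[package]]
name = "example-app"
version = "0.1.0"
dependencies = ["example-federation-lib", "http-signature-normalization-actix"]
[[package]]
name = "example-federation-lib"
version = "0.1.0"
dependencies = ["http-signature-normalization 0.7.0"]
[[package]]
name = "http-signature-normalization"
version = "0.6.0"
[[package]]
name = "http-signature-normalization"
version = "0.7.0"
[[package]]
name = "http-signature-normalization-actix"
version = "0.6.2"
dependencies = ["http-signature-normalization 0.6.0"]
"""

def parse_lock(text):
    """Return {(name, version): [dependency entries]} from Cargo.lock text."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "(.+)"', block, re.M).group(1)
        ver = re.search(r'^version = "(.+)"', block, re.M).group(1)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        pkgs[(name, ver)] = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
    return pkgs

def paths_to(pkgs, target):
    """List every dependency chain (root first) ending at target (name, version)."""
    def resolve(dep):
        # Entries are "name" or "name version [source]"; the version appears
        # only when the lock file holds more than one version of that crate.
        name, _, rest = dep.partition(" ")
        ver = rest.split(" ")[0]
        return [k for k in pkgs if k[0] == name and (not ver or k[1] == ver)]
    parents = {k: [p for p, ds in pkgs.items() for d in ds if k in resolve(d)] for k in pkgs}
    def walk(node, tail):
        chain = [node] + tail
        ups = [p for p in parents[node] if p not in chain]  # guard against cycles
        return [chain] if not ups else [c for p in ups for c in walk(p, chain)]
    return walk(target, [])
```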