ThinkAlexandria / BoringAuth

Straightforward password, passphrase, TOTP, and HOTP user authentication

Bump dependencies #3

Closed kpcyrd closed 6 years ago

kpcyrd commented 6 years ago

This updates all dependencies to the latest version. The hex code stopped working with nom 4.0.0, so I've replaced it with the hex crate.

I would recommend releasing this as 0.7.0 due to the ring update.

YetAnotherMinion commented 6 years ago

Thanks for the patch. I don't have a CONTRIBUTING.md file up yet, so can I just confirm that you license this patch under the terms of the plain GPL version 2.0 (https://github.com/ThinkAlexandria/BoringAuth/blob/master/LICENSE.md)?

kpcyrd commented 6 years ago

@YetAnotherMinion yes of course :) Consider that GPL 2.0 licensed.

YetAnotherMinion commented 6 years ago

Thank you for your contribution. Version 0.7 of BoringAuth will be published on crates.io after the CI job finishes.

kpcyrd commented 6 years ago

Awesome, thank you! Out of interest, by "plain GPL version 2.0", does this explicitly exclude GPL 3.0? There is GPLv2+ that can be linked with GPLv3, while GPLv2 itself is incompatible, as far as I understand the licenses (v2 requires no "additional clauses", while v3 has extra clauses).

YetAnotherMinion commented 6 years ago

Explicitly excludes GPLv3. The intention is to allow users to link their proprietary code with this library and run it on a server without being required to release application source code. I personally don't believe that TiVo-ization is a problem; it is my belief that people deserve to be able to charge for their work.

kpcyrd commented 6 years ago

That's a fair point and I respect that, but there are a few things you may want to keep in mind :)

See also this compatibility matrix. Based on the concerns you have, both the LGPL licenses and GPLv2+ would not add restrictions to BoringAuth users, while a LGPL license would also allow your proprietary software usecase.

Sorry for nagging you about it and thanks for replying so far! BoringAuth is the best TOTP library I could find for Rust, and I'm currently working on code that is GPLv3 licensed while also depending on BoringAuth. This would violate your copyright and I would rather resolve that. :)

Thanks!

YetAnotherMinion commented 6 years ago

I would be fine dual licensing under user's choice of GPL2 or GPL3. I find the "or any later version" insane, I am not going to license my code before I have reviewed the license. If GPL4 comes out I will make a decision then.

It is in my personal interest that user contributions are licensed under at least GPL2 so that my employer can continue to use BoringAuth in our proprietary monolithic application without the requirement to distribute the complete source code to anyone interacting with it over the network.

Important information: BoringAuth is a fork of LibreAuth. LibreAuth is licensed under CeCILL which also allows licensing the software under your choice of GPL2 or any later version.

5.3.4 COMPATIBILITY WITH OTHER LICENSES

The Licensee can include a code that is subject to the provisions of one of the versions of the GNU GPL, GNU Affero GPL and/or EUPL in the Modified or unmodified Software, and distribute that entire code under the terms of the same version of the GNU GPL, GNU Affero GPL and/or EUPL.

The Licensee can include the Modified or unmodified Software in a code that is subject to the provisions of one of the versions of the GNU GPL, GNU Affero GPL and/or EUPL and distribute that entire code under the terms of the same version of the GNU GPL, GNU Affero GPL and/or EUPL.

90% of this library is unmodified from LibreAuth. The original disagreement over crypto library and password API has been substantially reduced in the last 1.5 years. LibreAuth now uses actively developed crypto libraries (but not ring), and has now adopted most of the password module improvements I made in BoringAuth.

LibreAuth has also since introduced new features including a random key generation API, unicode normalization for passwords, OATH support for sha3-224, sha3-256, sha3-384, sha3-512, Keccak224, Keccak256, Keccak384, Keccak512, sha224, sha384, sha512 trunc 224 and sha512 trunc 256.

Given the improvements it is probably time for me to contribute the marketing copy that lets BoringAuth rank higher in search back to LibreAuth, and let the community gather around LibreAuth going forward.

kpcyrd commented 6 years ago

I've had another look at LibreAuth; I somehow missed that. The TOTP code is compatible with the one I wrote for BoringAuth.

Thanks for pointing that out and all the time you put into writing these replies!