Is ureq's MIT license legal?

[sycured]

Hello,

I'm actually doing a big check (SBOM, licensing & co) on my different work, and obtain a red line about one dependency used by ureq: chunked_transfer which is Apache-2.0 only, a license that I can't use inside 3 projects.

ureq is dual-licensing Apache-2.0 and MIT, so can you confirm that your MIT isn't violating Apache-2.0?

For example, I can mention:

I want to add code from apache 2.0 to MIT license. How does one do that? request that the copyright owner of the apache 2.0 licensed works also release what they did under MIT license. OTHERWISE, you will have to maintain the apache 2.0 license source: https://law.stackexchange.com/questions/6081/can-i-bundle-mit-licensed-components-in-a-apache-2-0-licensed-project#comment157333_6758

If MIT Licensed code is combined with Apache License 2.0 code, then the derivative code might be Apache License 2.0. source: https://techlib.fr/app/1274/is-apache-2-0-compatible-with-mit

Thanks a lot for your help

[algesten]

Can we solve this with feature flags?

Keep chunked_transfer as a default dependency, but point out in the README that the project can't be MIT licensed if the dependency is enabled?

[sycured]

Yes, it'll work

Is it possible to have ureq working without this dependency?

[algesten]

Well. It won't be as good :)

Chunked transfer is used in HTTP/1.1 when the length of a body is not known. Many requests would work without it, but not all.

Another option is to talk to the upstream maintainer.

A third option is to implement this ourselves – I have done it once before https://github.com/algesten/hreq-h1/blob/master/src/chunked.rs – we could remove async from this code and use that.

[jsha]

Posted on https://github.com/frewsxcv/rust-chunked-transfer/issues/2

[pinkforest]

PR's up at chunked-transfer:

• https://github.com/frewsxcv/rust-chunked-transfer/pull/13