copier-org / copier

Library and command-line utility for rendering projects templates.
https://readthedocs.org/projects/copier/
MIT License
2.07k stars 183 forks source link

pyyaml-include is GPL3, doesn't that poison your MIT project? #1398

Open alan-copeland-keysight opened 1 year ago

alan-copeland-keysight commented 1 year ago

Describe the problem

pyyaml-include, one of your dependencies, is GPL3 - doesn't that poison your MIT project?

Template

-

To Reproduce

No response

Logs

No response

Expected behavior

-

Screenshots/screencasts/logs

No response

Operating system

Windows

Operating system distribution and version

-

Copier version

-

Python version

-

Installation method

pipx+pypi

Additional context

No response

pawamoy commented 1 year ago

I am not a lawyer, but license contamination is, I think, only caused in case of static linking (compiling stuff to a single binary, without dynamic linking). Python uses by essence "dynamic linking", so it's not as impacted by license contamination. Copier does not provide or publish pyyaml-include's code in any way: it's users that willingly install the dependency when installing Copier.

Something like this :shrug:

yajo commented 1 year ago

Thanks for this investigation. I've been reading about the subject and it seems that the license violation is real. Also for jinja2-ansible-filters (see https://github.com/orgs/copier-org/discussions/1397#discussioncomment-7603817).

The FSF published https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic which states clearly that there's no difference between dynamic and static linking.

In https://opensource.stackexchange.com/a/2148/31465 is explained that, although this particular legal case hasn't been enforced by a trial, it's obvious what the author's intention is.

I have no desire to violate any laws, and I do have the desire to respect original authors' intentions, so we have to cure the infection.

We have 2 basic paths for the cure:

  1. Use GPL3 for Copier.
  2. Remove dependencies from those 2 libraries.

I'll open a poll in the forum and we'll see what our users think.

RomainBrault commented 5 months ago

jinja2-ansible-filters is still a dependency, so isn´t the project still poisoned? @yajo

pawamoy commented 5 months ago

Seems like it is 🙈

FeodorFitsner commented 5 months ago

Where did you find jinja2-ansible-filters dependency?

RomainBrault commented 5 months ago

In the pyproject.toml line 35: https://github.com/copier-org/copier/blob/master/pyproject.toml#L35

Found it with the licensecheck tool (https://github.com/google/licensecheck) in my venv after install too.

And https://github.com/copier-org/copier/blob/2f2ac766a9d49e0a3c800b90461570bbfb4a7e43/copier/main.py#L542 copier crash if the dependency is not found

FeodorFitsner commented 5 months ago

Oh, never mind! I though I was commenting in Flet project - my bad. 🫣