guillermo-navas-palencia / optbinning

Optimal binning: monotonic binning with constraints. Support batch & stream optimal binning. Scorecard modelling and counterfactual explanations.
http://gnpalencia.org/optbinning/
Apache License 2.0
435 stars 98 forks

Incompatible GPL-licensed dependency `ecos` #242

Closed zhcxww closed 9 months ago

zhcxww commented 1 year ago

Hello,

We are a group of researchers developing tools to monitor and remediate open-source license incompatibilities in the PyPI ecosystem.

We find that your optbinning package has a GPL-3.0-or-later licensed transitive dependency ecos (introduced by ropwr through the path ropwr -> cvxpy -> ecos). This could be problematic because GPL-licensed software requires any of its derivative works to also be licensed under GPL, but optbinning is licensed under Apache 2.0.

The dependency tree of optbinning 0.17.3 returned by pipdeptree is as follows:

optbinning==0.17.3
  - matplotlib [required: Any, installed: 3.7.1]
    - contourpy [required: >=1.0.1, installed: 1.0.7]
      - numpy [required: >=1.16, installed: 1.24.3]
    - cycler [required: >=0.10, installed: 0.11.0]
    - fonttools [required: >=4.22.0, installed: 4.39.3]
    - importlib-resources [required: >=3.2.0, installed: 5.12.0]
      - zipp [required: >=3.1.0, installed: 3.15.0]
    - kiwisolver [required: >=1.0.1, installed: 1.4.4]
    - numpy [required: >=1.20, installed: 1.24.3]
    - packaging [required: >=20.0, installed: 23.1]
    - pillow [required: >=6.2.0, installed: 9.5.0]
    - pyparsing [required: >=2.3.1, installed: 3.0.9]
    - python-dateutil [required: >=2.7, installed: 2.8.2]
      - six [required: >=1.5, installed: 1.16.0]
  - numpy [required: >=1.16.1, installed: 1.24.3]
  - ortools [required: >=9.4, installed: 9.6.2534]
    - absl-py [required: >=0.13, installed: 1.4.0]
    - numpy [required: >=1.13.3, installed: 1.24.3]
    - protobuf [required: >=4.21.12, installed: 4.22.3]
    - scipy [required: >=1.10.0, installed: 1.10.1]
      - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
  - pandas [required: Any, installed: 2.0.1]
    - numpy [required: >=1.20.3, installed: 1.24.3]
    - python-dateutil [required: >=2.8.2, installed: 2.8.2]
      - six [required: >=1.5, installed: 1.16.0]
    - pytz [required: >=2020.1, installed: 2023.3]
    - tzdata [required: >=2022.1, installed: 2023.3]
  - ropwr [required: >=1.0.0, installed: 1.0.0]
    - cvxpy [required: >=1.1.14, installed: 1.3.1]
      - **ecos** [required: >=2, installed: 2.0.12]
        - numpy [required: >=1.6, installed: 1.24.3]
        - scipy [required: >=0.9, installed: 1.10.1]
          - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
      - numpy [required: >=1.15, installed: 1.24.3]
      - osqp [required: >=0.4.1, installed: 0.6.2.post9]
        - numpy [required: >=1.7, installed: 1.24.3]
        - qdldl [required: Any, installed: 0.1.7]
          - numpy [required: >=1.7, installed: 1.24.3]
          - scipy [required: >=0.13.2, installed: 1.10.1]
            - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
        - scipy [required: >=0.13.2, installed: 1.10.1]
          - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
      - scipy [required: >=1.1.0, installed: 1.10.1]
        - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
      - scs [required: >=1.1.6, installed: 3.2.3]
        - numpy [required: >=1.7, installed: 1.24.3]
        - scipy [required: >=0.13.2, installed: 1.10.1]
          - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
      - setuptools [required: >65.5.1, installed: 66.0.0]
    - numpy [required: >=1.16, installed: 1.24.3]
    - scikit-learn [required: >=0.22, installed: 1.2.2]
      - joblib [required: >=1.1.1, installed: 1.2.0]
      - numpy [required: >=1.17.3, installed: 1.24.3]
      - scipy [required: >=1.3.2, installed: 1.10.1]
        - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
      - threadpoolctl [required: >=2.0.0, installed: 3.1.0]
    - scipy [required: >=1.6.1, installed: 1.10.1]
      - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
  - scikit-learn [required: >=1.0.2, installed: 1.2.2]
    - joblib [required: >=1.1.1, installed: 1.2.0]
    - numpy [required: >=1.17.3, installed: 1.24.3]
    - scipy [required: >=1.3.2, installed: 1.10.1]
      - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
    - threadpoolctl [required: >=2.0.0, installed: 3.1.0]
  - scipy [required: >=1.6.0, installed: 1.10.1]
    - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]

To remove this license incompatibility, the following possible remediations can be considered:

Note that the above remediations are generated by an automated tool that is still under test, may be incorrect, and does not represent legal advice. We welcome any suggestions and feedback!

Thank you!
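The transitive path named in the issue (ropwr -> cvxpy -> ecos) can be recovered mechanically from pipdeptree text in the format quoted above. This is an added example, not code from optbinning or from the reporters' tool; `dependency_paths`, `flagged_paths` and the `FLAGGED` map are hypothetical names, and the ecos license value is taken from the issue as stated rather than verified.

```python
import re

# Constructed sample: abridged excerpt of the pipdeptree output quoted in the issue.
SAMPLE_TREE = """\
optbinning==0.17.3
  - numpy [required: >=1.16.1, installed: 1.24.3]
  - ropwr [required: >=1.0.0, installed: 1.0.0]
    - cvxpy [required: >=1.1.14, installed: 1.3.1]
      - **ecos** [required: >=2, installed: 2.0.12]
        - scipy [required: >=0.9, installed: 1.10.1]
          - numpy [required: >=1.19.5,<1.27.0, installed: 1.24.3]
      - osqp [required: >=0.4.1, installed: 0.6.2.post9]
    - scikit-learn [required: >=0.22, installed: 1.2.2]
  - scipy [required: >=1.6.0, installed: 1.10.1]
"""

# Assumption: license data is supplied by the caller; this entry is the issue's claim.
FLAGGED = {"ecos": "GPL-3.0-or-later"}

_ROOT = re.compile(r"^(?P<name>[A-Za-z0-9._-]+)==(?P<ver>\S+)$")
_CHILD = re.compile(r"^(?P<indent> *)- \**(?P<name>[A-Za-z0-9._-]+)\** "
                    r"\[required: (?P<req>.+?), installed: (?P<ver>[^\]]+)\]$")

def dependency_paths(tree_text):
    """Yield (path, installed_version) per node; path is a tuple of names from the root."""
    stack = []
    for raw in tree_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _ROOT.match(line)
        if m:                                # a new top-level package resets the path
            stack = [m["name"]]
        else:
            m = _CHILD.match(line)
            depth = len(m["indent"]) // 2 if m else 0   # two spaces per level here
            if depth < 1 or depth > len(stack):
                raise ValueError(f"unrecognised pipdeptree line: {raw!r}")
            del stack[depth:]                # drop siblings and deeper nodes
            stack.append(m["name"])
        yield tuple(stack), m["ver"]

def flagged_paths(tree_text, flagged):
    """Return sorted, de-duplicated path strings that end at a flagged package."""
    hits = set()
    for path, ver in dependency_paths(tree_text):
        key = re.sub(r"[-_.]+", "-", path[-1]).lower()   # PEP 503 name normalisation
        if key in flagged:
            hits.add(f"{' -> '.join(path)}=={ver} [{flagged[key]}]")
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(flagged_paths(SAMPLE_TREE, FLAGGED)))
```

The same function reports every distinct route to a flagged package, so a dependency pulled in through more than one parent shows up once per path.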

zhcxww commented 1 year ago

@guillermo-navas-palencia Hi~~ Do you have any insights or questions on whether this license compatibility issue exists?

Thank you again for your time and consideration!