hyperledger-archives / indy-sdk

indy-sdk
https://wiki.hyperledger.org/display/indy
Apache License 2.0

Please address these license issues #2579

Closed ryjones closed 1 year ago

ryjones commented 1 year ago

Please address these license issues

https://github.com/hyperledger/indy-sdk/blob/ae9f8a252bb99e8b80c6d34c6c985fd95abfadef/vcx/libvcx/build_scripts/android/openssl/make_openssl.sh#L4-L5

https://github.com/hyperledger/indy-sdk/blob/ae9f8a252bb99e8b80c6d34c6c985fd95abfadef/Specs/libzmq/4.2.3/libzmq.podspec.json#L7-L9

https://github.com/hyperledger/indy-sdk/blob/ae9f8a252bb99e8b80c6d34c6c985fd95abfadef/Specs/libzmq-pw/4.2.2/libzmq-pw.podspec.json#L7-L10

jeffcshapiro commented 1 year ago

The main concern here is the LGPLv3 license. The OpenSSL license should not be a concern.

swcurran commented 1 year ago

I can answer the questions posed. I don’t know what is required to “address these license issues”.

AFAIK — libzmq is used within the Indy SDK, and libzmq-pw seems to be a fork of libzmq created by Evernym. From the codebase I found this about libzmq-pw: “ZeroMQ fork with PairwiseCurveCP support”. I don’t see any documentation in the Evernym repo.

I don’t know if it matters, but it looks to me like libzmq is downloaded as a binary artifact in builds - e.g. a dll.

ryjones commented 1 year ago

From the linked report:

Priority: High

This metadata file indicates it is for components under LGPL-3.0, libzmq / libzmq-pw. Are these two components used by indy, and/or is their code contained anywhere in the repo?

swcurran commented 1 year ago

I saw that. It asks a question and I’ve tried to answer it, but it doesn’t say what to do given the answer I provided.

ryjones commented 1 year ago

Gotcha. @jeffcshapiro ?

jeffcshapiro commented 1 year ago

Sorry, the question should have been worded as a recommendation: If LGPL-licensed code is in your repo as source code, it can contaminate the codebase. If it is only used as a binary (DLL), then it is OK.

swcurran commented 1 year ago

@brentzundel — can you please confirm that libzmq is only used in binary form in this repo? Same applies for libzmq-pw.

Thanks

brentzundel commented 1 year ago

To my understanding, libzmq and libzmq-pw are only used as binaries.

swcurran commented 1 year ago

Thanks. @jeffcshapiro — now that we know that libzmq and -pw are binary only, what action do we need to take?

ryjones commented 1 year ago

I think @jeffcshapiro makes note of it in his tool and closes the issue

jeffcshapiro commented 1 year ago

Issue resolved, no license conflict - ZeroMQ used as binaries only

jeffcshapiro commented 1 year ago

Looks like I can't close the issue, please close.

dhh1128 commented 1 year ago

Closing as requested.