Question regarding Apache 2 license

intel / pailliercryptolib_python

Intel Paillier Cryptosystem Library is an open-source library which provides accelerated performance of a partial homomorphic encryption (HE), named Paillier cryptosystem, by utilizing Intel® IPP-Crypto technologies on Intel CPUs supporting the AVX512IFMA instructions. The library is written in modern standard C++ and provides the essential API for the Paillier cryptosystem scheme. Intel Paillier Cryptosystem Library - Python is a Python extension package intended for Python based privacy preserving machine learning solutions which utilizes the partial HE scheme for increased data and model protection.

Apache License 2.0

55 stars 12 forks source link

Question regarding Apache 2 license #49

Closed YuanTingHsieh closed 4 months ago

YuanTingHsieh commented 5 months ago

I am a developer of NVFlare.

We were looking for HE libraries that uses Apache 2 license.

While in the process of installation, we discovered that the files located at https://github.com/intel/pailliercryptolib_python/blob/development/src/ipcl_python/ipcl_python.py#L15 and https://github.com/intel/pailliercryptolib_python/blob/development/requirements.txt#L7 are utilizing the gmpy2 library, which is licensed under GPL-3.0 (https://github.com/aleaxit/gmpy/tree/master).

We are concerned that integrating a library under GPL-3.0 might conflict with the Apache 2 license.

Therefore, we kindly request if it would be possible to provide an alternative version that does not incorporate any GPL-licensed libraries. This could entail either removing gmpy2 entirely or substituting it with an alternative library to perform the inversion.

Thank you for your attention.

fangxiaoran commented 5 months ago

@YuanTingHsieh Thanks for asking! We'll investigate it and get back to you asap.

justalittlenoob commented 5 months ago

Hi @YuanTingHsieh thank you very much for your advice.

gmpy2 is LGPL-3.0+ instead of GPL-3.0 https://pypi.org/project/gmpy2/
In IPCL-Python, gmpy2 is used as a dynamic library. If I remember correctly, LGPL-3.0+ has a linking exception, which means that if we use gmpy2 as a dynamic library, there is no problem using it in the Apache 2 project.

Of course, your suggestion is very helpful, and we will consider it.

YuanTingHsieh commented 4 months ago

@fangxiaoran @justalittlenoob thanks for the response!

Note that if users do not install gmpy2 then they won't be able to use this python binding directly.

No problem!

justalittlenoob commented 4 months ago

Note that if users do not install gmpy2 then they won't be able to use this python binding directly.

Absolutely correct. We will fully consider your suggestion.

chesterxgchen commented 4 months ago

if the gmpy2 is required to make the library work, I think Yuan-Ting's comment means that this is not optional dynamic linked library, this is almost like a statically linked library as it is always required. In such as case, the LGPL v3 exception is still apply or not ?

On top of that. even exception is allowed, any commercial software or closed software with your library, that intend to be distributed to their customers, will require the source code per LGPL v3 license. So the question is: If the Intel's library is using LGPL v3, can it still claims to be Apache 2 license ? or it should be LGPL v3 license ?

chesterxgchen commented 4 months ago

Answer my own question, seems Apache 2 with LGPL v3 is allowed ( after discussion with several other people). We are ok now. thank you