Open joeroback opened 4 months ago
Hi.
Thanks for filing this. We should introduce a cargo-deny
CI check for things like this.
The simplest thing is to disable the ini
backend I guess. This can be done by disabling the feature. If you need that backend, I do not see a way as of today... but this is clearly something we should resolve sooner than later.
The "simplest" solution would be for the author to relicense, actually.
the latest 0.14 pulls in
tiny-keccak
, which has the CC0 license, which is extremely difficult to use in commercial setting due to its patent clause. i have asked the author why or to consider MIT/Apache, but wondering if there are other ways to work around this, since i am sure config is not really interested in SHA-3 FIPS hashing