mehcode / config-rs

⚙️ Layered configuration system for Rust applications (with strong support for 12-factor applications).
Apache License 2.0

0.14 pulls in CC0 license #523

Open joeroback opened 4 months ago

joeroback commented 4 months ago

The latest 0.14 pulls in tiny-keccak, which has the CC0 license, which is extremely difficult to use in a commercial setting due to its patent clause. I have asked the author why or to consider MIT/Apache, but wondering if there are other ways to work around this, since I am sure config is not really interested in SHA-3 FIPS hashing.

tiny-keccak v2.0.2
└── const-random-macro v0.1.16 (proc-macro)
    └── const-random v0.1.17
        └── dlv-list v0.5.2
            └── ordered-multimap v0.6.0
                └── rust-ini v0.19.0
                    └── config v0.14.0

matthiasbeyer commented 4 months ago

Hi. Thanks for filing this. We should introduce a cargo-deny CI check for things like this.

The simplest thing is to disable the ini backend I guess. This can be done by disabling the feature. If you need that backend, I do not see a way as of today... but this is clearly something we should resolve sooner than later.

The "simplest" solution would be for the author to relicense, actually.
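Added example, not part of the thread and not config-rs or cargo-deny code: a sketch of the kind of license gate a CI check performs, walking a dependency graph shaped like `cargo metadata --format-version 1` output and reporting the path from the root crate to each package whose license expression cannot be satisfied by an allow-list. The allow-list, the function names, and every license string except tiny-keccak's CC0 are assumptions made for the example.

```python
from collections import deque

ALLOWED = {"MIT", "Apache-2.0"}  # assumed policy for this example

def license_ok(expr, allowed=ALLOWED):
    """True if the SPDX expression can be satisfied using only allowed licenses.
    Handles OR / AND and the legacy '/' separator; parentheses are not parsed."""
    if not expr:
        return False  # no declared license: treat as a violation
    alternatives = expr.replace("/", " OR ").split(" OR ")
    return any(all(term.strip() in allowed for term in alt.split(" AND "))
               for alt in alternatives)

def violations(metadata, allowed=ALLOWED):
    """Return {package id: dependency path from the root} for rejected packages."""
    pkgs = {p["id"]: p for p in metadata["packages"]}
    edges = {n["id"]: n["dependencies"] for n in metadata["resolve"]["nodes"]}
    root = metadata["resolve"]["root"]  # assumes a single root package
    parent, queue, found = {root: None}, deque([root]), {}
    while queue:  # breadth-first, so each reported path is a shortest one
        pid = queue.popleft()
        if not license_ok(pkgs[pid].get("license"), allowed):
            path, cur = [], pid
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            found[pid] = path[::-1]  # root first, offender last
        for dep in edges.get(pid, []):
            if dep not in parent:
                parent[dep] = pid
                queue.append(dep)
    return found

# Constructed sample: names and versions come from the tree in the issue;
# licenses other than tiny-keccak's are placeholders, not checked against the crates.
CHAIN = [
    ("config", "0.14.0", "MIT OR Apache-2.0"), ("rust-ini", "0.19.0", "MIT"),
    ("ordered-multimap", "0.6.0", "MIT"), ("dlv-list", "0.5.2", "MIT OR Apache-2.0"),
    ("const-random", "0.1.17", "MIT OR Apache-2.0"),
    ("const-random-macro", "0.1.16", "MIT OR Apache-2.0"),
    ("tiny-keccak", "2.0.2", "CC0-1.0"),
]

def sample_metadata():
    ids = [f"{name} {ver}" for name, ver, _ in CHAIN]
    packages = [{"id": i, "name": c[0], "version": c[1], "license": c[2]}
                for i, c in zip(ids, CHAIN)]
    nodes = [{"id": i, "dependencies": ids[k + 1:k + 2]} for k, i in enumerate(ids)]
    return {"packages": packages, "resolve": {"root": ids[0], "nodes": nodes}}
```

On the constructed sample, `violations(sample_metadata())` reports only `tiny-keccak 2.0.2`, with the same seven-crate path the issue shows. Real `cargo metadata` JSON loaded with `json.load` has the same `packages` and `resolve` fields used here.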

joeroback commented 4 months ago

https://github.com/debris/tiny-keccak/issues/54