mgrachev / update-informer

Update informer for CLI/GUI applications written in Rust 🦀
MIT License

update-informer is tainted with MPL-2 via option-ext #138

Open neoeinstein opened 6 months ago

neoeinstein commented 6 months ago

Hello, I wanted to raise a note that this crate currently has a transitive dependency on option-ext. That library is MPL-2, a copyleft license. The option-ext dependency is brought in via the dependency on directories. The maintainer of the underlying dirs-sys crate has indicated that they added a dependency on option-ext for the express purpose of tainting the use of dirs-sys with MPL-2, which thus taints any use of update-informer. I'd recommend using an alternate dependency such as etcetera, which does not suffer from this tainting issue.

I'll note that the default ureq dependency also pulls in webpki-roots, which is also MPL-2, but that is an optional dependency that can be side-stepped by using native-tls (though I would overall prefer to use rustls-tls, but with native-roots), so it's not a particular concern for me.

As an alternative, the caching functionality could be optional behind a feature, so that the MPL-2 dependency isn't required if we don't need the caching check.

mgrachev commented 6 months ago

@neoeinstein Hi! Thanks for the information. Indeed, we need to move from directories to etcetera.