search

nissl-lab / npoi

a .NET library that can read/write Office formats without Microsoft Office installed. No COM+, no interop.
Apache License 2.0
5.73k stars 1.43k forks source link

Incompatible license in file #1415

Closed rahulmohang closed 2 weeks ago

rahulmohang commented 1 month ago

NPOI Version

master

Issue Description

The file, https://github.com/nissl-lab/npoi/blob/master/main/Util/Collections/StringTokenizer.cs, is licensed under either the MPL v1.1 or the LGPL v2.0 or later. The license of the file is incompatible with the license of the rest of the source code.

As per the Apache Foundation, the MPL v1.1 license may not be included, in source code form, in a project licensed under the Apache v2.0 license. Please check https://www.apache.org/legal/resolved.html#category-b. The LGPL v2.0 or any later versions may not be included in a project licensed under the Apache v2.0 license. Please check https://www.apache.org/legal/resolved.html#category-x.

Can you please check this?

tonyqus commented 1 month ago

But this file has been there for a long time. Why do you care this? Are you a lawyer?

And this project is not really a Apche foundation project. NPOI never joins Apache Foundation. It's just licensed under Apache 2.0 license.

rahulmohang commented 1 month ago

We, at the Eclipse Foundation, are using this component in one of our projects. I was checking the license compatibility in that context. We have checked the compatibility based on the compatibility matrix from the OSADL community. The matrix too lists the licenses as not compatible. I confirmed it by checking the Apache Foundation's webpage regarding third party licenses. Anyway, I am not a lawyer. So, the issue has been raised based on information that I got from the websites.

I understand that the compatibility information could have been created by not considering all the scenarios. As per my understanding of the licenses, in this case, if an user choose LGPL v2.0 license out of MPL v1.1 and LGPL v2.0, the files licensed under LGPL v2.0 may be compiled in to the same executable that is licensed under the Apache v2.0 license, and this creates a copyleft effect or an incompatibility. However, the incompatibility between Apache v2.0 and MPL 1.1 will be a problem only when source code from one of the licenses is copied to files licensed under the other license. My assumption is that OSADL community and the Apache Foundation have listed the licenses as incompatible, only out of abundant caution, to cover such copying of code as well. In the case of npoi, I understand that code from both licenses are not copied in to the same file.