rsanchez-wsu / RaiderPlanner

The best study planner since the Gantt Diagram
GNU General Public License v3.0

Dependency license compatibility audit #10

Closed rsanchez-wsu closed 7 years ago

rsanchez-wsu commented 7 years ago

It is necessary to ensure that the licenses of all project dependencies are compatible with the license of the project itself (i.e., GPLv3). The work required by this issue is to inventory the project dependencies, identify the license of each (including the source of authority for that license applying to the dependency), and then assess its compatibility with the project's GPLv3 license.

randymusser commented 7 years ago

I'll start working on this issue.

rsanchez-wsu commented 7 years ago

@randymusser I think that the best way to capture this information would be to place it in a wiki page. A tabular format is what immediately springs to mind as a way to organize the information, but feel free to propose something else as you begin your research. Also, make sure that you evaluate the versions of the dependencies that we currently have in the project (as opposed to whatever happens to be the latest on the project website), as projects do change licenses from time to time.

You can find some information on what licenses are GPL compatible from the FSF: https://www.gnu.org/licenses/license-list.html

rsanchez-wsu commented 7 years ago

Here is the wiki page: https://github.com/rsanchez-wsu/RaiderPlanner/wiki/Dependency-license-compatibility-audit

@randymusser You should have linked the wiki page here so that we don't lose track.

As far as the libraries with incompatible licenses go, those are not used in the manner of creating a derived work, but that of an aggregate work, which is different. We should talk about this so that we can dig a little deeper and confirm that. JUnit is very popular and is very commonly used in Java projects under the GPL, so there is much precedent for not considering the use of JUnit something that makes the using project a derivative work of JUnit.

rsanchez-wsu commented 7 years ago

@randymusser I did a bit of additional digging on this.

First, the testfx-* components, which are under the EUPL, include an "any later version" clause: https://github.com/TestFX/TestFX/blob/master/LICENSE.txt

According to the Wikipedia article on the EUPL (https://en.wikipedia.org/wiki/European_Union_Public_Licence), version 1.2 of the EUPL (https://joinup.ec.europa.eu/sites/default/files/ckeditor_files/files/EUPL%20v1_2%20EN(1).txt) declares the GPL version 3 to be a compatible license. That means we should be OK by adopting the testfx-* libraries under the terms of the EUPL version 1.2.

As far as JUnit goes, I think we just need to add an exception to the test classes: https://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs

The original team will need to add the recommended exception to the Java source files under the Test directory. Here is the text I recommend:

Additional permission under GNU GPL version 3 section 7

If you modify this Program, or any covered work, by linking or combining it with JUnit, JUnit's dependencies, or a modified version of JUnit or its dependencies, containing parts covered by the terms of Eclipse Public License version 1.0 (or any later version), the licensors of this Program grant you additional permission to convey the resulting work.

Please connect with @Alienturnedhuman and see if he would coordinate with the original team to get their approval for this change. Once we receive approval, I can add the exception text, since I added the original license headers.

rsanchez-wsu commented 7 years ago

@Alienturnedhuman, would you be willing to coordinate with your original team to allow us to add the above-referenced JUnit exception to the Java source files under the Test directory?

Alienturnedhuman commented 7 years ago

I have added a License.md to that folder with the text above - does that remedy the situation?

rsanchez-wsu commented 7 years ago

@Alienturnedhuman Yes, that is splendid. Thanks for taking care of it. I merged it in a few weeks ago and now I think that this issue can be considered resolved.