rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

GPLv3 incompatible with OSVDB license #163

Closed antoncohen closed 7 years ago

antoncohen commented 8 years ago

The Open Sourced Vulnerability Database (OSVDB) License has commercial restrictions and an advertising clause. That means the OSVDB license restricts "freedoms" the GPL provides.

These licenses are not compatible.

Further, the argument made in #9 that bundler-audit is not linked software is not true. The README has an example of require 'bundler/audit/task', which is the equivalent of "linking" in Ruby. That would make any software that requires any portion of bundler-audit derivative work of bundler-audit.

As an example of this, codeclimate-bundler-audit links bundler-audit, which would require that codeclimate-bundler-audit be released under the GPLv3 (or a license with the same or more "freedoms" (freedoms in GPL terms)). In turn, any released code that links codeclimate-bundler-audit would need to be licensed under the GPLv3.

reedloden commented 7 years ago

Why is OSVDB coming up here? bundler-audit doesn't use OSVDB anything at all. You might make the argument that https://github.com/rubysec/ruby-advisory-db is using OSVDB IP, but not this particular tool.

postmodern commented 7 years ago

OSVDB shut down their service, and neither bundler-audit nor ruby-advisory-db ever used their API.