You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2021/09/10 18:41:55 UTC
[allura:tickets] #8386 review licenses of python dependencies
- **labels**: asf --> asf, licensing
---
** [tickets:#8386] review licenses of python dependencies**
**Status:** closed
**Milestone:** v1.13.0
**Labels:** asf licensing
**Created:** Fri Mar 26, 2021 03:45 PM UTC by Dave Brondsema
**Last Updated:** Mon May 17, 2021 03:07 PM UTC
**Owner:** Dave Brondsema
I came across https://pypi.org/project/liccheck/ and thought we should see what it reports for Allura. With a .ini file like
```
[Licenses]
authorized_licenses:
bsd
new bsd
bsd license
new bsd license
simplified bsd
apache
apache 2.0
apache software license
Apache Software
mit
mit license
python software foundation license
```
output is:
```
$ liccheck -r requirements.txt -s lic.ini
gathering licenses...
94 packages and dependencies.
check authorized packages...
81 packages.
check unknown packages...
13 packages.
certifi (2019.6.16): ['MPL-2.0', 'Mozilla Public License 2.0 (MPL 2.0)']
dependencies:
certifi << requests << pysolr
certifi << requests << requests-oauthlib
chardet (3.0.4): ['GNU Library or Lesser General Public License (LGPL)', 'LGPL']
dependencies:
chardet << requests << pysolr
chardet << requests << requests-oauthlib
colander (1.7.0): ['BSD-derived (http://www.repoze.org/LICENSE.txt)']
dependency:
colander
feedparser (5.2.1): UNKNOWN
dependency:
feedparser
ipaddress (1.0.22): ['Python Software Foundation']
dependency:
ipaddress
nose (1.3.7): ['GNU LGPL', 'GNU Library or Lesser General Public License (LGPL)']
dependency:
nose
pexpect (4.7.0): ['ISC', 'ISC License (ISCL)']
dependency:
pexpect << ipython
Pillow (6.2.2): ['Historical Permission Notice and Disclaimer (HPND)', 'HPND']
dependency:
Pillow
ptyprocess (0.6.0): ['ISC License (ISCL)']
dependency:
ptyprocess << pexpect << ipython
repoze.lru (0.7): ['BSD-derived (http://www.repoze.org/LICENSE.txt)']
dependency:
repoze.lru << TurboGears2
simplegeneric (0.8.1): ['ZPL 2.1', 'Zope Public']
dependency:
simplegeneric << ipython
translationstring (1.3): ['BSD-like (http://repoze.org/license.html)']
dependency:
translationstring << colander
waitress (1.4.3): ['ZPL 2.1', 'Zope Public']
dependency:
waitress << WebTest
```
- MPL is ok according to https://apache.org/legal/resolved.html#category-b but should be labelled (in NOTICE or LICENSE)
- `chardet` LGPL is not good.
- we use it directly and requests lib uses it and doesn't intend to change https://github.com/psf/requests/issues/3389
- chardet won't change their license: https://github.com/chardet/chardet/issues/36
- alternatives: https://github.com/Ousret/charset_normalizer or https://github.com/PyYoshi/cChardet (MPL multi licensed? https://github.com/PyYoshi/cChardet/issues/54)
- another ASF project has discussed a bit at https://github.com/apache/airflow/issues/10667
- latest: https://github.com/psf/requests/pull/5797
- `nose` LGPL is not good
- it is mostly a test runner, but we do import 'nose' modules within our tests
- should switch to `pytest` anyway since nose isn't maintained
- BSD-derived, BSD-like, ZPL, ISC, HPND are a like BSD/MIT and should be fine
- `feedparser` is BSD 2-clause https://github.com/kurtmckee/feedparser/blob/develop/LICENSE
---
Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.