#8386 review licenses of python dependencies
closed
General
nobody
2021-09-10
2021-03-26
No
I came across https://pypi.org/project/liccheck/ and thought we should see what it reports for Allura. With a .ini file like
[Licenses] authorized_licenses: bsd new bsd bsd license new bsd license simplified bsd apache apache 2.0 apache software license Apache Software mit mit license python software foundation license
output is:
$ liccheck -r requirements.txt -s lic.ini gathering licenses... 94 packages and dependencies. check authorized packages... 81 packages. check unknown packages... 13 packages. certifi (2019.6.16): ['MPL-2.0', 'Mozilla Public License 2.0 (MPL 2.0)'] dependencies: certifi << requests << pysolr certifi << requests << requests-oauthlib chardet (3.0.4): ['GNU Library or Lesser General Public License (LGPL)', 'LGPL'] dependencies: chardet << requests << pysolr chardet << requests << requests-oauthlib colander (1.7.0): ['BSD-derived (http://www.repoze.org/LICENSE.txt)'] dependency: colander feedparser (5.2.1): UNKNOWN dependency: feedparser ipaddress (1.0.22): ['Python Software Foundation'] dependency: ipaddress nose (1.3.7): ['GNU LGPL', 'GNU Library or Lesser General Public License (LGPL)'] dependency: nose pexpect (4.7.0): ['ISC', 'ISC License (ISCL)'] dependency: pexpect << ipython Pillow (6.2.2): ['Historical Permission Notice and Disclaimer (HPND)', 'HPND'] dependency: Pillow ptyprocess (0.6.0): ['ISC License (ISCL)'] dependency: ptyprocess << pexpect << ipython repoze.lru (0.7): ['BSD-derived (http://www.repoze.org/LICENSE.txt)'] dependency: repoze.lru << TurboGears2 simplegeneric (0.8.1): ['ZPL 2.1', 'Zope Public'] dependency: simplegeneric << ipython translationstring (1.3): ['BSD-like (http://repoze.org/license.html)'] dependency: translationstring << colander waitress (1.4.3): ['ZPL 2.1', 'Zope Public'] dependency: waitress << WebTest
- MPL is ok according to https://apache.org/legal/resolved.html#category-b but should be labelled (in NOTICE or LICENSE)
chardetLGPL is not good.- we use it directly and requests lib uses it and doesn't intend to change https://github.com/psf/requests/issues/3389
- chardet won't change their license: https://github.com/chardet/chardet/issues/36
- alternatives: https://github.com/Ousret/charset_normalizer or https://github.com/PyYoshi/cChardet (MPL multi licensed? https://github.com/PyYoshi/cChardet/issues/54)
- another ASF project has discussed a bit at https://github.com/apache/airflow/issues/10667
- latest: https://github.com/psf/requests/pull/5797
noseLGPL is not good- it is mostly a test runner, but we do import 'nose' modules within our tests
- should switch to
pytestanyway since nose isn't maintained
- BSD-derived, BSD-like, ZPL, ISC, HPND are a like BSD/MIT and should be fine
feedparseris BSD 2-clause https://github.com/kurtmckee/feedparser/blob/develop/LICENSE
allura,forgehg,forgepastebin:db/8386
chardetuninstalled you should still be able to run Allura, paster commands, tests, etc.noseuninstalled you should still be able to run Allura (but not run tests of course - later we can switch to pytest [#8387])Related
Tickets:
#8387Diff:
ASF-specific discussion about
requestsandchardethappening at https://issues.apache.org/jira/browse/LEGAL-572