[LEGAL] get rid of (optional/transitive) dependencies licensed under GPL #743

Open
jkowalleck opened this issue Nov 20, 2024 · 2 comments
Labels
enhancement New feature or request help wanted Extra attention is needed legal related to legal/regulatory foo

Comments

@jkowalleck
Member

jkowalleck commented Nov 20, 2024

there may be use-cases where people want to re-distribute this library with all its dependencies.

some (optional/transitive) dependencies might be licensed under GPL, which prevents an assembled re-distribution.
see


yes, it is not under the control of this very library, how others assemble or redistribute this library, but some community members argue otherwise - or are concerned anyway.
Therefore, this issue exists.

if anybody wants to work on a replacement for the currently optional dependencies, here is the list of requirements:

  • all current features must be supported, still.
    the dependencies in question are optional already, replacing them with optional dependencies that don't do the required job is a no-go.
  • provide (unit) tests for your change.
    some might already exist, better add additional ones

here is a list of all dependencies' libraries

$ python -m venv lib
$ lib/bin/pip install cyclonedx-python-lib[validation]
$ grep -E '^License: |^License-Expression: |^Classifier: License' lib/lib/python*/site-packages/*.dist-info/METADATA
lib/lib/python3.11/site-packages/arrow-1.3.0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/attrs-24.2.0.dist-info/METADATA:License-Expression: MIT
lib/lib/python3.11/site-packages/attrs-24.2.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/boolean.py-4.0.dist-info/METADATA:License: BSD-2-Clause
lib/lib/python3.11/site-packages/cyclonedx_python_lib-8.5.0.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/cyclonedx_python_lib-8.5.0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/defusedxml-0.7.1.dist-info/METADATA:License: PSFL
lib/lib/python3.11/site-packages/defusedxml-0.7.1.dist-info/METADATA:Classifier: License :: OSI Approved :: Python Software Foundation License
lib/lib/python3.11/site-packages/fqdn-1.5.1.dist-info/METADATA:License: MPL 2.0
lib/lib/python3.11/site-packages/fqdn-1.5.1.dist-info/METADATA:Classifier: License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)
lib/lib/python3.11/site-packages/idna-3.10.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/isoduration-20.11.0.dist-info/METADATA:License: UNKNOWN
lib/lib/python3.11/site-packages/isoduration-20.11.0.dist-info/METADATA:Classifier: License :: OSI Approved :: ISC License (ISCL)
lib/lib/python3.11/site-packages/jsonpointer-3.0.0.dist-info/METADATA:License: Modified BSD License
lib/lib/python3.11/site-packages/jsonpointer-3.0.0.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/jsonschema-4.23.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/jsonschema-4.23.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/jsonschema_specifications-2024.10.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/license_expression-30.4.0.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/lxml-5.3.0.dist-info/METADATA:License: BSD-3-Clause
lib/lib/python3.11/site-packages/lxml-5.3.0.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/packageurl_python-0.16.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/packageurl_python-0.16.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/packageurl_python-0.16.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/pip-23.0.1.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/pip-23.0.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/py_serializable-1.1.2.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/py_serializable-1.1.2.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA:License: Dual License
lib/lib/python3.11/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License
lib/lib/python3.11/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/referencing-0.35.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/rfc3339_validator-0.1.4.dist-info/METADATA:License: MIT license
lib/lib/python3.11/site-packages/rfc3339_validator-0.1.4.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/rfc3987-1.3.8.dist-info/METADATA:License: GNU GPLv3+
lib/lib/python3.11/site-packages/rfc3987-1.3.8.dist-info/METADATA:Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
lib/lib/python3.11/site-packages/rpds_py-0.21.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/setuptools-66.1.1.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/six-1.16.0.dist-info/METADATA:License: MIT
lib/lib/python3.11/site-packages/six-1.16.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/sortedcontainers-2.4.0.dist-info/METADATA:License: Apache 2.0
lib/lib/python3.11/site-packages/sortedcontainers-2.4.0.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/types_python_dateutil-2.9.0.20241003.dist-info/METADATA:License: Apache-2.0
lib/lib/python3.11/site-packages/types_python_dateutil-2.9.0.20241003.dist-info/METADATA:Classifier: License :: OSI Approved :: Apache Software License
lib/lib/python3.11/site-packages/uri_template-1.3.0.dist-info/METADATA:License: MIT License
lib/lib/python3.11/site-packages/uri_template-1.3.0.dist-info/METADATA:Classifier: License :: OSI Approved :: MIT License
lib/lib/python3.11/site-packages/webcolors-24.11.1.dist-info/METADATA:License: BSD-3-Clause
lib/lib/python3.11/site-packages/webcolors-24.11.1.dist-info/METADATA:Classifier: License :: OSI Approved :: BSD License

affected dependencies:

@jkowalleck jkowalleck added the help wanted Extra attention is needed label Nov 20, 2024
@jkowalleck jkowalleck changed the title [LEGAL] get rid of (optional/transitive) dependencies under GPL [LEGAL] get rid of (optional/transitive) dependencies licensed under GPL Nov 20, 2024
@jkowalleck jkowalleck added the legal related to legal/regulatory foo label Nov 20, 2024
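The grep in the issue lists every `License`, `License-Expression` and `Classifier: License ::` line across the venv, but a reader still has to resolve those lines per package by eye. The script below is an added example, not code from the issue or from the cyclonedx-python-lib project: it parses the same METADATA fields with the standard library, picks the most reliable declaration per distribution (PEP 639 `License-Expression` first, then the free-text `License` field unless it is `UNKNOWN`, then the classifiers) and flags strong-copyleft (GPL/AGPL) packages, which is the case that blocks an assembled re-distribution. The METADATA samples are constructed to mirror the issue's output (`rfc3987`, `isoduration`, `attrs`), plus a hypothetical LGPL package named `weaklib` to show that weak copyleft is not reported; the copyleft patterns are this example's own heuristic, not an authoritative license mapping. `audit_environment()` runs the same check against whatever is installed in the running interpreter, for instance the `lib` venv from the issue.

```python
"""Flag strong-copyleft dependencies from Python METADATA files (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from email.parser import HeaderParser
from importlib import metadata
from textwrap import dedent
from typing import Iterable, Optional

# Heuristic spellings of strong copyleft seen in License fields and classifiers
# ("GNU GPLv3+", "GPL-3.0-or-later", "GNU General Public License v3 ...").
COPYLEFT_PATTERNS = (
    re.compile(r"\bA?GPL", re.IGNORECASE),
    re.compile(r"General Public License", re.IGNORECASE),
)
# Lesser GPL is weak copyleft; it is stripped before matching so it is not flagged.
LGPL_PATTERN = re.compile(r"\bLGPL|Lesser General Public", re.IGNORECASE)


@dataclass
class LicenseInfo:
    name: str
    version: str
    expression: Optional[str] = None      # License-Expression (PEP 639), most reliable
    license_field: Optional[str] = None   # free-text License field, often noisy
    classifiers: list[str] = field(default_factory=list)

    def declared(self) -> str:
        """Best available license declaration, in order of reliability."""
        if self.expression:
            return self.expression
        if self.license_field and self.license_field.strip().upper() != "UNKNOWN":
            return self.license_field.strip()
        if self.classifiers:
            # "License :: OSI Approved :: MIT License" -> "MIT License"
            return "; ".join(c.split("::")[-1].strip() for c in self.classifiers)
        return "UNKNOWN"

    def is_strong_copyleft(self) -> bool:
        text = LGPL_PATTERN.sub("", self.declared())
        return any(p.search(text) for p in COPYLEFT_PATTERNS)


def parse_metadata(text: str) -> LicenseInfo:
    """Parse one METADATA file (RFC 822-style headers, optional body) into LicenseInfo."""
    headers = HeaderParser().parsestr(text)
    classifiers = [c for c in headers.get_all("Classifier", []) if c.startswith("License ::")]
    return LicenseInfo(
        name=headers.get("Name", "?"),
        version=headers.get("Version", "?"),
        expression=headers.get("License-Expression"),
        license_field=headers.get("License"),
        classifiers=classifiers,
    )


def audit(infos: Iterable[LicenseInfo]) -> list[LicenseInfo]:
    """Return the distributions flagged as strong copyleft, sorted by name."""
    return sorted((i for i in infos if i.is_strong_copyleft()), key=lambda i: i.name.lower())


def audit_environment() -> list[LicenseInfo]:
    """Audit every distribution installed in the running interpreter."""
    infos = []
    for dist in metadata.distributions():
        text = dist.read_text("METADATA")
        if text:
            infos.append(parse_metadata(text))
    return audit(infos)


# Constructed METADATA samples (not copied from real files), modelled on the issue's grep output.
SAMPLES = [dedent(s).lstrip() for s in (
    """
    Metadata-Version: 2.1
    Name: rfc3987
    Version: 1.3.8
    License: GNU GPLv3+
    Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)

    long description body, ignored
    """,
    """
    Metadata-Version: 2.1
    Name: isoduration
    Version: 20.11.0
    License: UNKNOWN
    Classifier: License :: OSI Approved :: ISC License (ISCL)
    """,
    """
    Metadata-Version: 2.4
    Name: attrs
    Version: 24.2.0
    License-Expression: MIT
    Classifier: License :: OSI Approved :: MIT License
    """,
    """
    Metadata-Version: 2.1
    Name: weaklib
    Version: 0.0.1
    License: LGPL-2.1-or-later
    Classifier: License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)
    """,
)]

if __name__ == "__main__":
    for info in audit(parse_metadata(s) for s in SAMPLES):
        print(f"{info.name} {info.version}: {info.declared()}")
```

Replacing `audit(...)` in the `__main__` block with `audit_environment()` turns the script into a redistribution gate: an empty result means no strong-copyleft declaration was found among the installed dist-info metadata, while anything reported as `UNKNOWN` by `declared()` still needs a manual look, since missing metadata is not the same as a permissive license.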
@pombredanne

@jkowalleck Thanks. Do you know if there are existing tests specifically for the features that would be uniquely provided by the rfc3987 library?

@jkowalleck
Member Author

jkowalleck commented Nov 21, 2024

CycloneDX JSON schema uses iri-reference for URLs and alike. see https://github.com/CycloneDX/specification/blob/db041a4c5ee2ae74b3a39372b8ab16aa61f420a1/schema/bom-1.6.schema.json#L351-L356

According to https://python-jsonschema.readthedocs.io/en/latest/validate/#validating-formats, the validation of these requires the rfc3987 library.

@jkowalleck jkowalleck added the enhancement New feature or request label Jan 7, 2025