Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove or relicense copyleft dependencies #1625

Open
TheButlah opened this issue Dec 2, 2024 · 1 comment
Open

Remove or relicense copyleft dependencies #1625

TheButlah opened this issue Dec 2, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@TheButlah
Copy link

TheButlah commented Dec 2, 2024
edited
Loading

Describe the bug

the following crates that zenoh depends on are EPL-2.0, and not dual licensed like zenoh is. That means that consumers of zenoh will be forced to comply with the EPL-2.0 license which is copyleft. This is undesirable - many projects combine FOSS code and third party vendor SDKs, which are not FOSS and closed source. This would make it impossible to use zenoh with such third party SDKs, even when first-party code is itself FOSS.

Would zenoh consider either removing these dependencies or asking the authors to relicense under a permissive license?

Dependencies that are EPL-2.0 only:
@TheButlah TheButlah added the bug Something isn't working label Dec 2, 2024
@TheButlah TheButlah changed the title Remove or relicense keyed-set Remove or relicense copyleft dependencies Dec 2, 2024
@TheButlah
Copy link
Author

TheButlah commented Dec 9, 2024
edited
Loading

For some transparency, the licensing did require a conversation with my company's legal team, whereas normally these things are entirely frictionless. However, here is what we determined:

  • We can still talk about how we use zenoh due to zenoh's apache license, we just can't talk about zenoh's EPL-2.0 only transitive dependencies due to the indemnity clause in section 4 of the EPL-2.0. This is fine, for us the important part is that we could for example write a technical blogpost about zenoh.
  • As we understand it, the copyleft provisions in these transitive dependencies would only apply if we modify the software, and EPL-2.0 explicitly says that linking to, binding by name, subclassing, these are not modification. So our first party code and third party vendor sdks don't trigger the copyleft parts of these transitive dependencies.
  • The EPL-2.0 doesn't have much case law and is an uncommon license, so ultimately the legal team could not speak with certainty on any of this - to do that we would have needed external legal counsel to do research which is expensive. Ultimately we decided that we are pretty sure about what the license means when it comes to copyleft, and most of our first party code is FOSS anyway, so the risk is very low. I do think a more risk-adverse company with lots of closed source software might have more reluctance from their legal team though.
  • After the deliberation, we have decided to allowlist EPL-2.0 in our license checks going forward and we can use and talk about zenoh.

I will leave this issue open because I still think it would help zenoh's adoption to remove or relicense these transitive dependencies, but feel free to close it if its not something the zenoh team is willing to do. Thank you for your patience with this issue, and thank you for zenoh! Its a very impressive piece of software.

@TheButlah TheButlah mentioned this issue Dec 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TheButlah