License conflict (GPL 3.0 vs. MIT)
Brief Description: At least one dependency (imported module) has a licensing conflict with the project license.
Operating System (OS and version): All OSes and versions so far.
OpenBazaar version: All versions.
Hardware: All hardware (N/A)
Reproducible (Always):
This is less a bug in the conventional sense than it is a misunderstanding of license requirements.
Steps to reproduce:
- Inclusion of gnupg 2.0.2 Python wrapper as a required dependency.
Observed Behavior:
The gnupg 2.0.2 package authored by Isis Lovecruft is distributed under the GPL 3.0 or any later version. It does not include any exemptions to the terms of the GPL for use as a library, and as a consequence any software relying on it must be distributed under the same terms as it.
Expected Behavior:
Projects are expected to release all code under the GPL or choose an alternative library module as a dependency.
Additional info (links, images, etc go here):
Alternative, currently maintained options include the python-gnupg module, which is released under a BSD license; or PyME 0.9, which is released under the same licenses as GPG itself (dual licensed under the GPL 2.0+ and the LGPL 2.1+, with the latter enabling inclusion in an MIT licensed project). Note that the version of PyME on PyPI works with Python 2.6 and 2.7 only, but a port to Python 3.3 (and above) is included with GPGME source.
DISCLAIMER: I ported the PyME package from Python 2 to 3 last year.
That said, the easiest to convert to will almost certainly be python-gnupg, but it does behave differently and rewriting some code is inevitable. Either that or changing the license for the project to the GPL 3.0 (which might conflict with other modules; I haven't checked).
Details on the GPL and derived works can be found here and here. Additionally this GPL FAQ question specifically addresses the scenario in this project (although the example uses Java rather than Python).
That's a good point. I might just drop gpg. It's not used for anything important atm.
Just a quick FYI: as of GPGME 1.7.0, which was released last month, the included PyME code (usually referred to as pyme3) now works with both Python 2 and 3 (I ported it to 3 and then Justus made it much more Pythonic and back-ported it to run with Python 2 as well). In its current form it is significantly less painful to use than it used to be and won't break (or possibly break in the future) the way wrappers for the GPG executable have the potential to do. Plus the pydoc/help thingy actually produces useful examples with it now. So if you wanted to restore the GPG bits at any point, it'd be your best bet.