
License issue GPL dependency rfc3987

Open kdekker-kdr4 opened this issue 1 year ago • 5 comments

cyclonedx-python (cyclonedx-bom==4.1.2) depends via cyclonedx-python-lib==6.4.3 on the package jsonschema, but with the special option format (jsonschema[format]). This introduces the GPL dependency of package rfc3987, which I think is not the intention.

How to reproduce:

  1. Install Python 3.10.11
  2. In cmd call: pip install cyclonedx-bom

Proof:


Potential solution:

  • Depend on jsonschema[format-nongpl]

Temporary user solution:

  • Downgrade cyclonedx-bom to a version without the dependency such as 3.11.7.

kdekker-kdr4 avatar Mar 14 '24 09:03 kdekker-kdr4
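An added example (not code from the issue or from cyclonedx-python-lib) that shows how to check which packages an extra such as `jsonschema[format]` versus `jsonschema[format-nongpl]` would pull in, and flag copyleft licenses among them. The `Requires-Dist` lines and the license table are constructed samples in the shape of real package metadata; the exact contents are an assumption.

```python
"""Resolve optional dependencies per extra and flag copyleft licenses.

Constructed example: the Requires-Dist lines mimic the shape of
PEP 508 metadata for the two jsonschema extras discussed in the issue.
"""
import re

# Constructed sample of "Requires-Dist" metadata lines (assumption).
REQUIRES_DIST = [
    'attrs>=22.2.0',
    'rfc3987; extra == "format"',
    'jsonpointer>1.13; extra == "format"',
    'rfc3986-validator>0.1.0; extra == "format-nongpl"',
    'jsonpointer>1.13; extra == "format-nongpl"',
]

# Constructed license table standing in for what METADATA reports.
LICENSES = {
    "attrs": "MIT",
    "rfc3987": "GPL-3.0-or-later",
    "jsonpointer": "BSD-3-Clause",
    "rfc3986-validator": "MIT",
}

COPYLEFT_PREFIXES = ("GPL", "AGPL", "LGPL")

# name, optional version spec (ignored), optional ";" marker.
_REQ_RE = re.compile(r'^\s*([A-Za-z0-9][A-Za-z0-9._-]*)[^;]*?(?:;\s*(.*))?$')
_EXTRA_RE = re.compile(r'extra\s*==\s*["\']([^"\']+)["\']')


def deps_for_extra(requires_dist, extra=None):
    """Sorted package names installed for pkg[extra] (or pkg if extra is None).

    Lines without a marker are unconditional; lines whose marker names an
    extra count only when that extra is requested. Only the "extra ==" part
    of a marker is evaluated (simplification of full PEP 508 markers).
    """
    names = set()
    for line in requires_dist:
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, marker = m.group(1).lower(), m.group(2)
        if marker is None:
            names.add(name)
            continue
        wanted = _EXTRA_RE.search(marker)
        if wanted and extra is not None and wanted.group(1) == extra:
            names.add(name)
    return sorted(names)


def copyleft_deps(requires_dist, extra, licenses=LICENSES):
    """Dependencies pulled in by `extra` whose license looks copyleft."""
    return [n for n in deps_for_extra(requires_dist, extra)
            if licenses.get(n, "UNKNOWN").startswith(COPYLEFT_PREFIXES)]
```

Swapping in the real `Requires-Dist` lines from `importlib.metadata.requires("jsonschema")` and licenses from each package's metadata turns this into a quick audit of what a given extra actually installs.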

This introduces the GPL dependency of package rfc3987, which I think is not the intention.

some background: we are not shipping any assembly, nor bundle. Therefore, we never mix any licenses. Neither do users of this package generate any bundle/assembly when installing it. All they do is put certain packages somewhere on their machine, so that python can find and run them. This means that at no point does a mix of licenses exist. This means no license issues exist.

Is that not true, @kdekker-private ?

Anyway, I will check whether a non-gpl package can do the job.

jkowalleck avatar Mar 14 '24 09:03 jkowalleck

rfc3987 is used to validate iri-reference in JSON, which is widely used in CycloneDX. Therefore, schema validation would not be complete without it.

jkowalleck avatar Mar 14 '24 10:03 jkowalleck

@kdekker-private could you elaborate how the current situation affects you? What does it prevent you from doing/achieving?

jkowalleck avatar Mar 14 '24 10:03 jkowalleck

At the current stage it does not prevent us anymore from doing/achieving anything. We accidentally added your package to our distribution, but removed it and are happy to use it outside of that.

However, I think it would be good for transparency to at least notify the user in the readme that a GPL licensed package is used under the hood. The MIT license of your package might mask this a bit. Ideal would be to remove the dependency on the GPL package, if it is possible. Thanks for the quick response.

kdekker-kdr4 avatar Mar 15 '24 15:03 kdekker-kdr4

re: https://github.com/CycloneDX/cyclonedx-python-lib/issues/568#issuecomment-1999856765

sounds reasonable. 👍 Would you open a pull request that improves the documentation in a way that suits your needs? Thank you in advance

jkowalleck avatar Mar 15 '24 18:03 jkowalleck