LGPL Compliance for Wheels

[MarkKoz]

opencv-python redistributes LGPL-licensed libraries with its wheels. I'm in a similar situation for one of my own projects, and I've been looking at opencv-python to get an idea of how to comply with the licences. One thing that struck me is the lack of distributed source code.

LGPLv2.1 §4:

You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

(L)GPLv3 §6(d) (there are other options in §6 but §6(d) seems to be the easiest):

Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

How is opencv-python complying with these sections of the licences? The wheels do not include the source code for the libraries under these licences, nor instructions for obtaining the source for the libraries under LGPLv3. If PyPI is the "designated place" from which object code is offered, then there's currently no offering of all the libraries' sources from PyPI.

Also, for LGPLv3, I think you need to include the GPLv3 licence text along with the LGPLv3 licence.

[skvark]

IANAL, but you are correct that we are missing proper download links for the source tarballs. For Qt and FFmpeg they can be found from the Dockerfiles (e.g. https://github.com/opencv/opencv-python/tree/master/docker/manylinux2014), but they should be probably listed in the README. Imho PyPI is not really suitable for redistributing the third party sources.

[asmorkalov]

I think we need to add the information with links to description of the package and m.b. update readme every time, when release is published.

[MarkKoz]

LGPLv2.1 is unfortunately a bit vague. I'm not sure if it allows linking to the source on an external server. I'm not qualified to offer legal advice so I don't know how to interpret it. The safest option would be to include the source in the wheels, but that would have unfortunate consequences on the file size.

And yeah, I think download links would constantly need to be updated to point to the exact sources (i.e. matching commit/tag/version). Furthermore, I believe the licenses require build instructions and scripts to be included too (IIRC v3 goes into more detail).