Dependency on subtle with BSD 3-clause license #235
Comments
How is it different from the MIT and Apache requirements?
Both licenses require attribution for all dependencies used in your project to be included with binaries.
That said, we could potentially switch to the
I'm not 100% sure of the reasoning (I wasn't involved in the decision). If I heard correctly, it is the BSD license that is explicit in saying a compiled binary of a software project that incorporates a BSD-licensed library must include attribution—e.g. in accompanying docs or in the program itself on an "about" or "licenses" screen. Whereas the MIT and Apache licenses are not explicit about requiring this—although that would depend on interpretation of whether the compiled binary of a software program falls within the definition of "derivative work".
I guess that might depend on whether legal folks consider a binary "derived work" to mean just a modified version of the library, and/or a distributed pre-compiled object file of a licensed library, or whether the compiled binary of a software project that uses that library also falls under the definition of "derived work". E.g. the Apache license has a clause that says:
I am quite certain that you should include attribution of MIT/Apache libraries even when you distribute only binaries. For example, see this SE question. And binaries are certainly considered "derivative work", this is why you have to provide source code on request with GPL-based binaries.
The BSD license has a clause that is explicit about binary redistributions:
The Apache 2.0 license explicitly defines Derivative Works and says:
For the MIT license, its terms are very brief, without definitions of terms. It refers to "the Software", talks about "obtaining a copy" of the software, and has this one condition:
The language sounds like it's referring to the source code as distributed, and not binary compilations. But it's unclear. For my own open source projects, I picked the MIT license assuming that the copyright notice clause applied only to the source code and not binary compilations, so I was surprised when someone asked. If someone wants a license that unambiguously requires the copyright notice to be included on binary distributions, they should really pick the BSD license.
And it explicitly states that you are obliged to attribute BSD-licensed dependencies of your binary. Or do you have a different understanding of the clause?
This clause is about Apache-licensed shared libraries. To simplify: if an application uses such a library and does not include it with its distribution (e.g. the library gets installed separately using the OS package manager), then the application does not have to attribute the library authors. But distribution of the library itself is obliged to include the attribution. In the case of Rust crates, dependencies get statically linked into binaries, meaning you are obliged to attribute the library authors by following clause 4(a).
I am working on a project that has a policy to avoid BSD 2- and 3-clause licenses due to the complexity of satisfying the attribution clause:
The rsa crate directly has great license options, but it has a dependency on subtle which is licensed under the BSD 3-clause license. See dalek-cryptography/subtle#92. But it seems this project is stalled—see subtle-ng. Is there any possibility of doing a substitution of this dependency with some other crate with different licensing? (subtle-ng also is BSD 3-clause licensed currently.)
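A practical way to enforce the kind of policy described in this issue is to walk the resolved dependency graph and report every reachable crate whose license expression is unacceptable, together with the path that pulls it in (here `app -> rsa -> subtle`). The script below is an added example by the page editor, not code from the rsa, subtle or RustCrypto projects. It reads `cargo metadata --format-version 1` JSON when run inside a Cargo workspace and otherwise falls back to `SAMPLE_METADATA`, a hand-constructed structure whose package ids, versions (`0.0.0`) and graph are illustrative and do not describe a real lockfile; the `DISALLOWED` set and the treatment of a missing `license` field as "needs review" are the editor's policy choices, not anything the thread specifies.

```python
"""Flag crates in a Cargo dependency graph whose license is disallowed.

Added example by the page editor; not code from the rsa, subtle or
RustCrypto projects. Uses `cargo metadata --format-version 1` output when
cargo is available in the current directory, otherwise the constructed
SAMPLE_METADATA below (ids, versions and graph are illustrative only).
"""
import json
import re
import subprocess
from collections import deque
from typing import Dict, List, Optional, Set

# Editor's assumed policy: the licenses this issue's project wants to avoid.
DISALLOWED: Set[str] = {"BSD-2-Clause", "BSD-3-Clause"}

# Constructed sample mimicking the shape of `cargo metadata` output: one root
# crate, one direct dependency (rsa) and two transitive ones. Ids are treated
# as opaque strings, exactly as the real format only requires.
SAMPLE_METADATA: Dict = {
    "packages": [
        {"id": "app@0.1.0", "name": "app", "version": "0.1.0", "license": "MIT"},
        {"id": "rsa@0.0.0", "name": "rsa", "version": "0.0.0", "license": "MIT OR Apache-2.0"},
        {"id": "subtle@0.0.0", "name": "subtle", "version": "0.0.0", "license": "BSD-3-Clause"},
        {"id": "digest@0.0.0", "name": "digest", "version": "0.0.0", "license": "MIT OR Apache-2.0"},
    ],
    "resolve": {
        "root": "app@0.1.0",
        "nodes": [
            {"id": "app@0.1.0", "deps": [{"name": "rsa", "pkg": "rsa@0.0.0"}]},
            {"id": "rsa@0.0.0", "deps": [{"name": "subtle", "pkg": "subtle@0.0.0"},
                                         {"name": "digest", "pkg": "digest@0.0.0"}]},
            {"id": "subtle@0.0.0", "deps": []},
            {"id": "digest@0.0.0", "deps": []},
        ],
    },
}


def license_terms(expr: str) -> List[str]:
    """Split an SPDX expression into bare identifiers. Crates use 'A OR B',
    the older 'A/B' form (also meaning OR) and occasionally 'A AND B'."""
    cleaned = re.sub(r"[()]", " ", expr)
    return [t.strip() for t in re.split(r"\s+(?:OR|AND)\s+|/", cleaned) if t.strip()]


def is_disallowed(expr: Optional[str], disallowed: Set[str] = DISALLOWED) -> bool:
    """OR: a problem only if no alternative is acceptable. AND: a problem if
    any term is disallowed. A missing license field (crate ships only a
    license-file) is flagged so a human reviews it."""
    if not expr:
        return True
    terms = license_terms(expr)
    if re.search(r"\bAND\b", expr):
        return any(t in disallowed for t in terms)
    return all(t in disallowed for t in terms)


def find_disallowed(metadata: Dict, disallowed: Set[str] = DISALLOWED) -> List[Dict]:
    """BFS the resolved graph from the workspace root(s) and return each
    reachable crate with a disallowed license plus the path that pulls it in."""
    packages = {p["id"]: p for p in metadata["packages"]}
    nodes = {n["id"]: n for n in metadata["resolve"]["nodes"]}
    # `resolve.root` is null for multi-member workspaces; fall back to members.
    roots = [metadata["resolve"]["root"]] if metadata["resolve"].get("root") else metadata["workspace_members"]
    parent: Dict[str, Optional[str]] = {r: None for r in roots}
    queue = deque(roots)
    hits: List[Dict] = []
    while queue:
        pkg_id = queue.popleft()
        pkg = packages[pkg_id]
        if is_disallowed(pkg.get("license"), disallowed):
            path, cur = [], pkg_id
            while cur is not None:
                path.append(packages[cur]["name"])
                cur = parent[cur]
            hits.append({"name": pkg["name"], "version": pkg["version"],
                         "license": pkg.get("license") or "<none>",
                         "path": " -> ".join(reversed(path))})
        for dep in nodes[pkg_id]["deps"]:
            if dep["pkg"] not in parent:
                parent[dep["pkg"]] = pkg_id
                queue.append(dep["pkg"])
    return sorted(hits, key=lambda h: h["name"])


def load_metadata() -> Dict:
    """Real graph when cargo is runnable here; otherwise the constructed sample."""
    try:
        out = subprocess.run(["cargo", "metadata", "--format-version", "1", "--locked"],
                             check=True, capture_output=True, text=True)
        return json.loads(out.stdout)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_METADATA


def main() -> List[Dict]:
    hits = find_disallowed(load_metadata())
    for h in hits:
        print(f"{h['name']} {h['version']} ({h['license']}): {h['path']}")
    return hits


if __name__ == "__main__":
    main()
```

Two caveats a practitioner should keep in mind: `cargo metadata` without `--filter-platform` resolves dependencies for every target, so a crate used only on one platform still shows up, and a crate whose expression is `BSD-3-Clause OR MIT` is deliberately not flagged, because the MIT alternative can be chosen. In CI you would exit non-zero when `main()` returns a non-empty list.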