
Dependency on subtle with BSD 3-clause license #235

Open
cmcqueen opened this issue Dec 2, 2022 · 6 comments

Comments

@cmcqueen commented Dec 2, 2022

I am working on a project that has a policy to avoid BSD 2- and 3-clause licenses due to the complexity of satisfying the attribution clause:

> Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The rsa crate directly has great license options, but, it has a dependency on subtle which is licensed under BSD 3-clause license. See dalek-cryptography/subtle#92. But it seems this project is stalled—see subtle-ng.

Is there any possibility of doing a substitution of this dependency with some other crate with different licensing? (subtle-ng also is BSD 3-clause licensed currently.)

@newpavlov (Member)

How is it different from the MIT and Apache requirements?

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

> You must give any other recipients of the Work or Derivative Works a copy of this License

Both licenses require attribution for all dependencies used in your project to be included with binaries.

@tarcieri (Member) commented Dec 4, 2022

subtle is something we use in several places, and it is also used by some dependencies we don't control (e.g. ff and group). A wholesale migration would be difficult.

That said, we could potentially switch to the cmov crate, which provides a safer abstraction than subtle does.

@cmcqueen (Author) commented Dec 5, 2022

> How is it different from the MIT and Apache requirements?

I'm not 100% sure of the reasoning (I wasn't involved in the decision). If I heard correctly, it is the BSD license that is explicit in saying a compiled binary of a software project that incorporates a BSD-licensed library must include attribution, e.g. in accompanying docs or in the program itself on an "about" or "licenses" screen. Whereas the MIT and Apache licenses are not explicit about requiring this, although that would depend on interpretation of whether the compiled binary of a software program falls within the definition of "derivative work".

> Both licenses require attribution for all dependencies used in your project to be included with binaries.

I guess that might depend on whether legal folks consider a binary "derived work" to mean just a modified version of the library, and/or a distributed pre-compiled object file of a licensed library, or whether the compiled binary of a software project that uses that library also falls under the definition of "derived work". E.g. the Apache license has a clause that says:

> Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

@newpavlov (Member)

I am quite certain that you should include attribution of MIT/Apache libraries even when you distribute only binaries. For example, see this SE question. And binaries are certainly considered "derivative work", this is why you have to provide source code on request with GPL-based binaries.

@cmcqueen (Author) commented Dec 13, 2022

> I am quite certain that you should include attribution of MIT/Apache libraries even when you distribute only binaries. For example, see this SE question. And binaries are certainly considered "derivative work", this is why you have to provide source code on request with GPL-based binaries.

The BSD license has a clause that is explicit about binary redistributions:

> 1. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

The Apache 2.0 license explicitly defines Derivative Works and says:

> Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

For the MIT license, its terms are very brief, without definitions of terms. It refers to "the Software", talks about "obtaining a copy" of the software, and has this one condition:

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

The language sounds like it's referring to the source code as distributed, and not binary compilations. But it's unclear. For my own open source projects, I picked the MIT license assuming that the copyright notice clause applied only to the source code and not binary compilations, so I was surprised when someone asked. If someone wants a license that unambiguously requires the copyright notice to be included on binary distributions, they should really pick the BSD license.

@newpavlov (Member)

> The BSD license has a clause that is explicit about binary redistributions:
>
> Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

And it explicitly states that you are obliged to attribute BSD-licensed dependencies of your binary. Or do you have a different understanding of the clause?

> The Apache 2.0 license explicitly defines Derivative Works and says:
>
> Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

This clause is about Apache-licensed shared libraries. To simplify: if an application uses such a library and does not include it with its distribution (e.g. the library gets installed separately using the OS package manager), then the application does not have to attribute the library authors. But distribution of the library itself is obliged to include the attribution.

In the case of Rust crates, dependencies get statically linked into binaries, meaning you are obliged to attribute the library authors by following clause 4(a).

3 participants