0.14 pulls in CC0 license

[joeroback]

the latest 0.14 pulls in tiny-keccak, which has the CC0 license, which is extremely difficult to use in commercial setting due to its patent clause. i have asked the author why or to consider MIT/Apache, but wondering if there are other ways to work around this, since i am sure config is not really interested in SHA-3 FIPS hashing

tiny-keccak v2.0.2
└── const-random-macro v0.1.16 (proc-macro)
    └── const-random v0.1.17
        └── dlv-list v0.5.2
            └── ordered-multimap v0.6.0
                └── rust-ini v0.19.0
                    └── config v0.14.0

[matthiasbeyer]

Hi.
Thanks for filing this. We should introduce a cargo-deny CI check for things like this.

The simplest thing is to disable the ini backend I guess. This can be done by disabling the feature. If you need that backend, I do not see a way as of today... but this is clearly something we should resolve sooner than later.

The "simplest" solution would be for the author to relicense, actually.

[joeroback]

debris/tiny-keccak#54