Nokogiri LGPL-2.1? #1488

Closed
sarahtjones opened this issue Jun 13, 2016 · 17 comments

@sarahtjones

In closing issue #1417, you have added the pkg-config gem which is LGPL-2.1.

Certainly this should be an optional gem for those who cannot have the LGPL license in their projects.

@amilligan

This is something of a big deal for anyone who cares about software licensing. Which should be everyone.

Anyone on Team Nokogiri care to comment, please?

@md5

md5 commented Jun 20, 2016

I just discovered this today and find it problematic as well.

@flavorjones
Member

Sorry for not responding more quickly. Apologies for putting people in a position where this is affecting your license constraints.

The unfortunate fact here is that, because pkg-config is used at gem installation time, unless it's declared as a dependency, there's no way to guarantee that it's already been installed. That is, if it's made optional, then it may get installed after Nokogiri, and in that case wouldn't actually be used.

I think the only alternatives are:

  • remove the gem entirely,
  • or convince the upstream maintainer to change the license.

Neither is great. I beg a bit more of your time to determine whether we can remove the gem without breaking some platforms' installation.

larskanis added a commit to larskanis/nokogiri that referenced this issue Jun 25, 2016
Using the pkg-config gem as a runtime dependency of nokogiri results in a
license conflict. pkg-config is LGPL but nokogiri is MIT.

Making the pkg-config gem optional solves this issue.

Fixes sparklemotion#1488 and sparklemotion#1496.

@amilligan

Could we please have a progress update for this issue, and ideally an ETA? Version 1.6.7 suffers from CVE-2015-8806, and this version suffers from the LGPL license issue. Neither Scylla nor Charybdis appeals to any of the stakeholders I've discussed this with.

@larskanis
Member

@flavorjones I opened PR #1498 as a third alternative - what do you think about it?

@will-dealogic

@flavorjones Would you be able to provide an update on this issue? We're starting a new project where nokogiri would be perfect, except for the restrictive license.

@amilligan

@flavorjones Bump.

@amilligan

@flavorjones Bump.

@flavorjones
Member

I need to understand #1498 better. But if that doesn't work, honestly, ripping it out is probably fine; it was only introduced to handle an edge case on FreeBSD anyway.

@amilligan

@flavorjones How's this coming, Mike?

@flavorjones flavorjones added this to the 1.6.9 milestone Oct 2, 2016
@amilligan

@flavorjones Any updates, Mike?

@flavorjones
Member

We'll make the package optional and cut 1.6.9 soon. Thanks for your patience -- it's hard to find time to work on OSS these days.

flavorjones pushed a commit that referenced this issue Oct 3, 2016
Using the pkg-config gem as a runtime dependency of nokogiri results in a
license conflict. pkg-config is LGPL but nokogiri is MIT.

Making the pkg-config gem optional solves this issue.

Fixes #1488 and #1496.

@flavorjones
Member

Cutting 1.6.8.1 now ... (version corrected from above comment)

@kou
Contributor

kou commented Nov 30, 2016

FYI: There are many people who don't know about LGPL. If Nokogiri uses LGPL software as a library, we don't need to change Nokogiri's license. It means that Nokogiri using the MIT license while libraries used by Nokogiri use LGPL is no problem. For example, libxslt can use libgcrypt, which uses LGPL, but libxslt with libgcrypt can use the MIT license, not LGPL.

If Nokogiri embeds an LGPL-licensed library into Nokogiri itself, Nokogiri must use LGPL, GPL or AGPL. But Nokogiri just uses LGPL-licensed software as a library. So there is no problem with Nokogiri using LGPL-licensed software as a library.

@flavorjones
Member

@kou this issue is closed, pkg-config is no longer a hard dependency.

@unleashed

This is wrong. It makes users explicitly depend on pkg-config even when the two gems are license compatible. :(

@flavorjones
Member

@unleashed It's already been fixed in the most recent version of nokogiri. As noted above. Several times.
