[Haskell-cafe] Hackage suggestion: Gather the list of the licenses of all dependencies of a package

Michael Snoyman michael at snoyman.com
Sat Dec 15 17:54:26 CET 2012


On Sat, Dec 15, 2012 at 4:25 PM, Malcolm Wallace <malcolm.wallace at me.com> wrote:

>
> On 13 Dec 2012, at 10:41, Petr P wrote:
>
> > In particular, we can have a BSD package that depends on a LGPL package,
> and this is fine for FOSS developers. But for a commercial developer, this
> can be a serious issue that is not apparent until one examines *every*
> transitive dependency.
>
> This might be a good time to remind everyone that every single program
> compiled by a standard GHC is linked against an LGPL library (the Gnu
> multi-precision integer library) - unless you take care first to build your
> own copy of the compiler against the integer-simple package instead of
> integer-gmp.  As far as I know, there are no ready-packaged binary
> installers for GHC that avoid this LGPL'd dependency.
>
> http://hackage.haskell.org/trac/ghc/wiki/ReplacingGMPNotes
>
> Just saying.
>
>
The difference between a library being (L)GPLed and this GMP issue is that,
in the latter case, we have an escape route. I know of at least two
companies which are actively considering switching entirely to
simple-integer because of this issue. If a widely used package (e.g.,
cpphs) is not available under a permissive license, there's no such escape
route available to users. (And note that I'm not actually *happy* about the
GMP situation, but at least we have a possible solution.)

I would strongly recommend reconsidering the licensing decision of cpphs.
Even if the LICENSE-commercial is sufficient for non-source releases of
software to be protected[1], it introduces a very high overhead for
companies to need to analyze a brand new license. Many companies have
already decided BSD3, MIT, and a number of other licenses are acceptable.
It could be very difficult to explain to a company, "Yes, we use this
software which says it's LGPL, but it has this special extra license which,
if I'm reading it correctly, means you can't be sued, but since the author
of the package wrote it himself, I can't really guarantee what its meaning
would be in a court of law."

Looking at the list of reverse dependencies[2], I see some pretty heavy
hitters. Via haskell-src-exts[3] we end up with 75 more reverse
dependencies. I'd also like to point out that cpphs is the only
non-permissively-licensed dependency for a large number of packages.

I can give you more detailed information about my commercial experience
privately. But I can tell you that, in the current situation, I have
created projects for clients for which Fay[4] would not be an option due to
the cpphs licensing issue.

Michael

[1] I'm not sure of that, since IANAL.
[2] http://packdeps.haskellers.com/reverse/cpphs
[3] http://packdeps.haskellers.com/reverse/haskell-src-exts
[4] http://packdeps.haskellers.com/licenses/fay