Clarification GPL-3-only license requirement of nullivex/lib-array2xml dependency.

[hyperized]

I'm using Fossa to monitor licenses on my OSS projects and as a long-time user of Psalm I ran into the dependency on nullivex/lib-array2xml, licensed under GPL-3-only.

If I understand correctly, the use of this package requires this project (and thus every project relying on this package) to be licensed under GPL-3 (or compatible)

Psalm is currently licensed under MIT, which does not appear to be a compatible with GPL-3. I'm no expert on the topic, but it seems at least the answers are diverse when asked for different sources. Even if it's compatible, the ambiguity around the subject could use clarification.

My questions are:

• Can you verify if the current licensing setup is compatible?
• If not, can you replace the nullivex/lib-array2xml dependency with a suitable replacement?

Thanks in advance 👋🏻

[orklah]

Hey!

Thanks for the feedback. The licensing of lib-array2xml is very hard to decipher.

• composer.json says it's distributed under Apache-2: https://github.com/nullivex/lib-array2xml/blob/master/composer.json#L5
• They have a GPL 3 license on root folder: https://github.com/nullivex/lib-array2xml/blob/master/COPYING
• They also have a LGPL 3 license on root folder: https://github.com/nullivex/lib-array2xml/blob/master/COPYING%20LESSER
• They have a 2 and half years old PR for changing the license in composer.json to apache 2 to LPGL 3 that has no comment and was never merged: https://github.com/nullivex/lib-array2xml/pull/16/files

It seems we're compatible with Apache 2 license.
LGPL 3 is more blurry but a TL;DR I found says

This license is mainly applied to libraries. You may copy, distribute and modify the software provided that modifications are described and licensed for free under LGPL. Derivatives works (including modifications or anything statically linked to the library) can only be redistributed under LGPL, but applications that use the library don't have to be.

I believe requiring a library through composer would not be qualified as "static link to the library" but rather "[a] use of the library", so I, as a non lawyer, would say we're compatible with that one

GPL3 however is clearly not compatible.

I have no idea what to do with all that, and as a maintainer, I'm not sure I could even change the License of Psalm legally if needed.

I'd suggest trying to clarify the license on their part, but the library itself seems abandoned (no commit since 4 years), critical PR not merged...

[weirdan]

File headers state that the source is licensed under LGPL:

https://github.com/nullivex/lib-array2xml/blob/master/LSS/XML2Array.php#L7-L10
https://github.com/nullivex/lib-array2xml/blob/master/LSS/Array2XML.php#L7-L10

LGPL text is included here: https://github.com/nullivex/lib-array2xml/blob/master/COPYING%20LESSER

Does this resolve your concerns?

[orklah]

File headers state that the source is licensed under LGPL

Oh nice, I didn't think to go look there. We can also find mentions of apache 2 in their headers: https://github.com/nullivex/lib-array2xml/blob/master/LSS/Array2XML.php#L34

Licenses are so fun! /s

[weirdan]

I did consider replacing the library with a MIT-licensed spatie/array-to-xml for maintenance reasons, unrelated to licensing. Their PHP version support is not ideal though, as there's no single version that can support PHP 7.4 through PHP 8.2.

[weirdan]

I believe requiring a library through composer would not be qualified as "static link to the library" but rather "[a] use of the library", so I, as a non lawyer, would say we're compatible with that one

We also build PHARs, where all dependencies are bundled. It could be construed as static linking.

[weirdan]

Their PHP version support is not ideal though, as there's no single version that can support PHP 7.4 through PHP 8.2.

Actually it's ok https://github.com/spatie/array-to-xml/blob/db39308c5236b69b89cadc3f44f191704814eae2/composer.json#L20

[weirdan]

But spatie/array-to-xml#187 will need to be backported

[danog]

At least according to the release changelog for v3 it doesn't look like the API changed between v2 and v3, so I assume using ^2|^3 should work fine

[weirdan]

so I assume using ^2|^3 should work fine

That won't work for PHARs. We build it on 7.4 (so it would include array-to-xml:v2) and expect it to work on all supported PHP versions.

[hyperized]

May I add that PHP7.4 should no longer be a concern as of 8 days ago?

[danog]

I wanted to say that too, I proposed dropping 7.4 support for v5 in #8573 but especially now with sealed by default arrays in v5, the proposed arguments of not wanting to maintain v4 any longer were convincing enough at least for me.

However, now that v5 is released, maybe it's worth dropping PHP 7 and possibly 8.0 support at least in the phar in a minor?

[danog]

Technically one could also go with the trick of building 7.4 and 8+ phars separately and including them indirectly via a fake psalm.phar

[danog]

But that's not even required, just building the phars for 7.4 and 8, and tagging them separately say with 5.x.y.0 and 5.x.y.1 tags should be enough for users not requiring the dev-master tag of psalm/phar

[danog]

Still I would very much prefer to just drop 7.4 and 8.0 support altogether (since 8.0 is already deprecated even if not EOL, and it doesn't have that many breaking changes compared to 7.4 vs 8.0) :)

[weirdan]

Does Phive support separate builds for different PHP versions?

[orklah]

Still I would very much prefer to just drop 7.4 and 8.0 support altogether

https://packagist.org/packages/vimeo/psalm/php-stats#5
Among the people that migrated to V5 already (our most active user you could say), 45% are using either PHP 7.4 or 8.0. I'm not ready to bother half of our userbase...

[hyperized]

Much appreciated!