Clarification GPL-3-only license requirement of nullivex/lib-array2xml dependency. #8852
Hey! Thanks for the feedback. The licensing of lib-array2xml is very hard to decipher.
It seems we're compatible with Apache 2 license.
I believe requiring a library through composer would not be qualified as "static link to the library" but rather "[a] use of the library", so I, as a non-lawyer, would say we're compatible with that one. GPL3, however, is clearly not compatible. I have no idea what to do with all that, and as a maintainer, I'm not sure I could even change the License of Psalm legally if needed. I'd suggest trying to clarify the license on their part, but the library itself seems abandoned (no commits in 4 years), critical PR not merged...
File headers state that the source is licensed under LGPL: https://github.com/nullivex/lib-array2xml/blob/master/LSS/XML2Array.php#L7-L10 LGPL text is included here: https://github.com/nullivex/lib-array2xml/blob/master/COPYING%20LESSER Does this resolve your concerns?
Oh nice, I didn't think to go look there. We can also find mentions of Apache 2 in their headers: https://github.com/nullivex/lib-array2xml/blob/master/LSS/Array2XML.php#L34 Licenses are so fun! /s
I did consider replacing the library with a MIT-licensed
We also build PHARs, where all dependencies are bundled. It could be construed as static linking.
Actually it's ok https://github.com/spatie/array-to-xml/blob/db39308c5236b69b89cadc3f44f191704814eae2/composer.json#L20
But spatie/array-to-xml#187 will need to be backported
At least according to the release changelog for v3 it doesn't look like the API changed between v2 and v3, so I assume using
That won't work for PHARs. We build it on 7.4 (so it would include array-to-xml:v2) and expect it to work on all supported PHP versions.
May I add that PHP7.4 should no longer be a concern as of 8 days ago?
I wanted to say that too, I proposed dropping 7.4 support for v5 in #8573 but especially now with sealed by default arrays in v5, the proposed arguments of not wanting to maintain v4 any longer were convincing enough at least for me. However, now that v5 is released, maybe it's worth dropping PHP 7 and possibly 8.0 support at least in the phar in a minor?
Technically one could also go with the trick of building 7.4 and 8+ phars separately and including them indirectly via a fake psalm.phar
But that's not even required, just building the phars for 7.4 and 8, and tagging them separately say with 5.x.y.0 and 5.x.y.1 tags should be enough for users not requiring the dev-master tag of psalm/phar
Still I would very much prefer to just drop 7.4 and 8.0 support altogether (since 8.0 is already deprecated even if not EOL, and it doesn't have that many breaking changes compared to 7.4 vs 8.0) :)
Does Phive support separate builds for different PHP versions?
https://packagist.org/packages/vimeo/psalm/php-stats#5
Much appreciated!
I'm using Fossa to monitor licenses on my OSS projects and as a long-time user of Psalm I ran into the dependency on nullivex/lib-array2xml, licensed under GPL-3-only.
If I understand correctly, the use of this package requires this project (and thus every project relying on this package) to be licensed under GPL-3 (or compatible).
Psalm is currently licensed under MIT, which does not appear to be compatible with GPL-3. I'm no expert on the topic, but it seems at least the answers are diverse when asked for different sources. Even if it's compatible, the ambiguity around the subject could use clarification.
My questions are:
nullivex/lib-array2xml
dependency with a suitable replacement?
Thanks in advance 👋🏻