An idea was triggered for me in the discussion of cargo audit and verifying your dependencies (also, in terms of Mongodb's recent license kerfluffle): increasing concern about linking software that utilizes viral licenses.
I was wondering if there was some way to increase the safety of utilizing rust and crates, which may lead to increasing adoption and contribution by some larger entities that may have become gun-shy about relying on open source. The vast majority of crates I've seen are released under things that won't give corporate lawyers pause (i.e. mit, apache, and related such licenses).
While obviously, for convenience, I'd prefer to see the community just embrace non-license-virality as the expected default, and expect/require people to declare in crates when they are breaking that pact, for the sake of peace, my thought is that you could declare your crate's non-virality, and peer-pressure (i.e. making it a very simple change to the cargo.toml which anybody could pull-request the author about) might take care of the rest.
For those things that are derived, or knowingly link to virally licensed crates or libraries, my thought process would be something like tying a feature to its virality, so the same crate could be used without virality, or with it for the many people who don't care.
I think you can only provide a suitable guarantee about your own crate (i.e. my crate does not statically link gnu libc). I suppose one could provide assertions about particular versions of your dependencies, but I don't think those are necessary: if the cargo version checker had the notion of allowed virality, then it could do it at runtime.
That all said, I'm not entirely sure how to go about representing this in cargo.toml, I have some thoughts:
Identifying a viral feature and declaring the rest okay would be nice:
[features] default=["notviral1", "notviral2", "viral3", "viral4"] viral=[{name: "viral3', virality:"staticlink", {name: "viral4", virality: "gpl"}] nonviral=["notviral1", "notviral2"]
My self-declared safe package could maybe can just have
[features] default=["notviral1", "notviral2"] nonviral=*
The last is the one-line change that would be needed to declare my package doesn't break known virality issues
The user of that crate may like to say:
[dependencies.othercrate] version="1.1.1" allow-viral-features = false
or
[dependencies.othercrate] virality_allowed=[{virality: "gpl"}, {virality: "lgpl"]
So, basically, don't allow declare static links of it or any crate it depends on, but I'm okay with lgpl and gpl usage.
There could be a couple of different different levels of the type of virality people might concern themselves about: static linkage to a library is a critical one I am aware of that is unaddressed. GPL/GPLv3 type virality is second of concern. I don't know if dynamic linkage is ever a problem, and there may be others I am unaware of - wasn't there something with APIs, maybe? Was there something special about deriving source from a GPL'd header - so, if you read a C++ .h file and generate and link a rust file from that, that would be considered 'derived' and have a virality problem? Etc.