Licenses of vendored tools in the rust repo


#1

Hey everyone,

Now that the Makefiles have been removed, we can start using packages from crates.io in the Rust distribution itself. Hooray! :confetti_ball:

There are some details, however. I’ve sent in the first PR to do this; it replaces rustbook with mdBook. However, there’s a small issue: not everything is MIT/Apache2 licensed.

Specifically, there are two issues:

  • The stuff that’s MIT licensed is not also Apache-2 licensed.
  • This introduces MPL’d code.

Historically, first-party code in the repo has been MIT/Apache-2 and third-party code is under some permissive license (including LLVM, hoedown, miniz, compiler-rt). In addition, there are a number of other exceptions; for example, Cargo uses libgit2, which is GPL’d (with a linking exception). We don’t want to dilute the dual licensing to the extent we can avoid it, and we definitely need to be careful about what we do with copyleft code (e.g. all runtime components must remain permissively-licensed). There is some small amount of wiggle room here though, in that mdbook is not a tool that we redistribute, and not code that gets linked into anything. These details have been enough to assuage the fears of some people I’ve talked to, but we also felt it’s better to ask everyone how they feel about this.

So: does the inclusion of an MPL’d tool bother you? Should we require that all code, no matter what, be MIT/Apache-2 licensed in order to be eligible to be used in the Rust distribution?

Thanks :heart:


#2

@steveklabnik I mentioned to you already on IRC that I am ok with mdbook being part of the rust source distribution, at least for now, even though I prefer not to add copyleft code to Rust. The main reason I think it is tolerable is because it is only part of the build process - nobody writing Rust code has to think about MPL implications.

I would prefer to relicense mdBook if the author is amenable. I understand these are opinionful issues though.

The missing Apache-2 license I think is pretty unobjectionable. It’s been the state of things in Rust ever since we added Apache that we mix in generous amounts of permissive, non-Apache code. As long as core Rust tech has the extra Apache protections I’m not much concerned about smaller bits on the periphery being just MIT.

Thanks for dealing with this.


#3

This would involve @Azerupi for mdbook, and @dragostis for pest. I don’t believe that dragostis has an account, as you can see by the lack of the link.

EDIT: I opened an issue on pest so we could make sure that this is known to all parties involved :smile: https://github.com/dragostis/pest/issues/96


#4

I wonder if there is anything we need to be concerned about by just distributing copyleft source with the permissive rust source. I wonder if there is some organization that would object to that. Maybe a BSD.

Probably doesn’t affect my opinion since we are already all in on libgit2.