update-informer is tainted with MPL-2 via option-ext #138

Open
neoeinstein opened this issue Apr 24, 2024 · 1 comment
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@neoeinstein

Hello, I wanted to raise a note that this crate currently has a transitive dependency on option-ext. That library is MPL-2, a copyleft license. The option-ext dependency is brought in via the dependency on directories. The maintainer of the underlying dirs-sys crate has indicated that they added a dependency on option-ext for the express purpose of tainting the use of dirs-sys with MPL-2, which thus taints any use of update-informer. I'd recommend using an alternate dependency such as etcetera, which does not suffer from this tainting issue.

I'll note that the default ureq dependency also pulls in webpki-roots, which is also MPL-2, but that is an optional dependency that can be side-stepped by using native-tls (though I would overall prefer to use rustls-tls, but with native-roots), so it's not a particular concern for me.

As an alternative, the caching functionality could be optional behind a feature, so that the MPL-2 dependency isn't required if we don't need the caching check.
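A way to make this kind of transitive license taint visible in CI, as an added example (not code from update-informer or from the issue author): the script below reads the JSON shape produced by `cargo metadata --format-version 1` and reports, for every resolved crate whose SPDX license expression is denied, the shortest path from the root crate to it, so the edge that pulls in the copyleft dependency is named rather than just the offender. The metadata is a constructed sample mirroring the chain described above (update-informer -> directories -> dirs-sys -> option-ext, plus ureq -> webpki-roots); it treats license expressions flatly (OR alternatives rescue a crate, AND does not, nested parentheses are not modelled) and flags a crate with no declared license as not approved.

```python
import json
import re
from collections import deque

# Constructed sample in the shape of `cargo metadata --format-version 1` (real ids are longer)
_CRATES = {  # name: (declared license, direct dependencies)
    "update-informer": ("MIT", ["directories", "ureq"]),
    "directories": ("MIT OR Apache-2.0", ["dirs-sys"]),
    "dirs-sys": ("MIT OR Apache-2.0", ["option-ext"]),
    "option-ext": ("MPL-2.0", []),
    "ureq": ("MIT OR Apache-2.0", ["webpki-roots"]),
    "webpki-roots": ("MPL-2.0", []),
}
SAMPLE_METADATA = json.dumps({
    "packages": [{"id": n, "name": n, "license": lic} for n, (lic, _) in _CRATES.items()],
    "resolve": {"root": "update-informer",
                "nodes": [{"id": n, "dependencies": d} for n, (_, d) in _CRATES.items()]},
})

def is_denied(expr, denied):
    """SPDX check: denied only if every OR alternative ('/' in old Cargo syntax)
    contains a denied identifier; a denied term joined with AND still counts."""
    if not expr:
        return True  # no declared license: not approved until someone reviews it
    return all(any(tok.strip("()") in denied for tok in re.split(r"\s+AND\s+", alt))
               for alt in re.split(r"\s+OR\s+|/", expr))

def find_denied_paths(metadata_json, denied):
    """Return {crate name: shortest path from the root} for every resolved crate
    whose license expression is denied, so the edge that pulls it in is visible."""
    meta = json.loads(metadata_json)
    pkgs = {p["id"]: p for p in meta["packages"]}
    graph = {n["id"]: n["dependencies"] for n in meta["resolve"]["nodes"]}
    root = meta["resolve"]["root"]
    parent, queue = {root: None}, deque([root])
    while queue:  # BFS from the root gives the shortest route to each crate
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep not in parent:
                parent[dep] = cur
                queue.append(dep)
    hits = {}
    for pkg_id in parent:  # only crates actually present in the resolved graph
        if is_denied(pkgs[pkg_id].get("license"), denied):
            path, node = [], pkg_id
            while node is not None:
                path.append(pkgs[node]["name"])
                node = parent[node]
            hits[pkgs[pkg_id]["name"]] = path[::-1]
    return hits
```

Against a real workspace, feed it `cargo metadata --format-version 1` output and fail the build when the returned dict is non-empty; the reported path is what tells you whether a feature flag (as suggested above for caching) or a dependency swap would remove the offending edge.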

@mgrachev
Owner

@neoeinstein Hi! Thanks for the information. Indeed, we need to move from directories to etcetera.

mgrachev added the "help wanted" and "good first issue" labels on Apr 24, 2024