Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
pip should make the license on packages more transparent #3441
Edit: see #3441 (comment). The intention of this isn't to point out any particularly license.
Another thing that poses incompatibility is BSD/MIT licensed projects that incorporate GPL code as a dependency. Examples:
It may be possible to draw a graph of dependencies to see if a library may be pulling incompatibly licensed code.
Is this in pip's or pypa's territory?
I don't think we want to get into the area of license management, even in the form of a warning. It's up to the developer to check the license conditions on any code he/she uses.
It should be possible to write a 3rd party tool (using the PyPI APIs) to do this sort of check, if it matters to you.
Its great we bring the issue up. If I could do it a second time, I wouldn't single out any particular license.
License preference may be a matter of personal opinion, the compatibility between them and the downstream ramifications are not.
I understand why its a hairy situation. Let's look a bit beyond any one license.
I think caveat emptor has its place when downloading packages. pip may not be in the business getting too involved in the particulars of licenses since its not realistic. No other CLI package systems I know of goes out of their way to audit license compatibility or prompt for licenses.
Consider the following:
A user downloads and installs package via pip and imports it in their software, no where do they ever see the license of the package they're downloading, installing and incorporating into their work.
A user not seeing the licenses of a package they incorporate wouldn't make the ramifications go away.
The more I think about it, I highly disagree with how this is hand waved as if licenses were picking a sport team. I'm bummed, I feel you guys don't care for the people who end up being led astray and unwittingly end up with a derived work
It's a question of due diligence on the developer to begin with
If you feel strongly about helping them to solve these, then please start with creating a tool that can warn them
Pip is a volunteer project, as such it has limited resources, using coercion tactics advocate things you think it should do is one of the more toxic approaches and certainly won't work
Create something that helps people be less sloppy about licences instead
This could be something like the readme checker or a simple website listing perpetrator packages and their victim's/actual licences