CONTRIBUTING: Make it clear not to copy/reference GPL code

[tertsdiepraam]

I think there should be a section in CONTRIBUTING.md stating that contributors are not allowed to use GPL code (in particular, the GNU coreutils source code) as a reference. That section should probably also give a quick explanation of why this is the case. Stating this policy explicitly is probably also safer for the project in general. It might also be helpful to add licenses which we definitely can reference and licenses which we cannot. Something like:

You are only allowed to reference code which is compatible with the MIT License, examples include:
- MIT
- BSD
- CC0
- Unlicense

You are **not** allowed to reference code with following licenses:
- GPL
- LGPL
- No license specified
- And many more

[sylvestre]

makes sense!

[dhodder]

Apache License, Version 2.0 is popular, so you might want to clarify whether it's accepted or not here too. (See also #2086.) It's compatible with the MIT license (i.e. the licenses don't contradict one another so code can be linked). However it has a patent termination clause and a "modified files to carry prominent notices" clause, neither of which the MIT license has.

If BSD licenses are allowed, you may wish to clarify which, e.g. "BSD (2-clause or 3-clause)".

Thanks. :)

[dhodder]

According to cargo-license, uutils currently includes:

• 108 MIT-licensed packages
• A further 127 packages dual- or tri-licensed under the MIT license and one or two other licences
• 4 packages under the BSD 2-clause license (when including the fuchsia-cprng license)
• 2 packages under the BSD 3-clause license
• 2 packages under the CC0-1.0 license

$ cargo license
Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT (2): wasi, wasi
Apache-2.0 OR MIT (116): arrayvec, autocfg, bit-set, bit-vec, bitflags, block-buffer, bstr, byte-tools, cc, cfg-if, cfg-if, chrono, compare, crossbeam-channel, crossbeam-deque, crossbeam-epoch, crossbeam-utils, ctor, custom_derive, diff, digest, dns-lookup, either, env_logger, fake-simd, filetime, fnv, getopts, getrandom, getrandom, glob, glob, half, heck, hermit-abi, hex, ioctl-sys, itertools, itertools, lazy_static, libc, lock_api, log, lscolors, maybe-uninit, md5, miow, nodrop, ntapi, num-bigint, num-integer, num-traits, num_cpus, numtoa, once_cell, ouroboros, ouroboros_macro, parking_lot, parking_lot_core, paste, paste-impl, pkg-config, ppv-lite86, pretty_assertions, proc-macro-error, proc-macro-error-attr, proc-macro-hack, proc-macro2, quick-error, quick-error, quote, rand, rand, rand, rand_chacha, rand_chacha, rand_core, rand_core, rand_core, rand_core, rand_hc, rand_hc, rand_pcg, rayon, rayon-core, regex, regex-syntax, remove_dir_all, scopeguard, sha2, sha3, signal-hook, signal-hook-registry, smallvec, smallvec, socket2, stable_deref_trait, syn, tempfile, term_size, thiserror, thiserror-impl, time, typenum, unicode-segmentation, unicode-width, unicode-xid, unindent, unix_socket, vec_map, version_check, wild, winapi, winapi-i686-pc-windows-gnu, winapi-x86_64-pc-windows-gnu, xattr
BSD-2-Clause (3): Inflector, arrayref, cloudabi
BSD-3-Clause (2): instant, sha1
CC0-1.0 (2): constant_time_eq, dunce
MIT (108): ansi_term, ansi_term, atty, binary-heap-plus, blake2b_simd, clap, conv, coreutils, crossterm, crossterm_winapi, data-encoding, fs_extra, generic-array, kernel32-sys, locale, memoffset, mio, nix, nix, number_prefix, onig, onig_sys, output_vt100, platform-info, redox_syscall, redox_syscall, redox_termios, retain_mut, rlimit, rust-ini, strsim, strum, strum_macros, term_grid, termion, termsize, textwrap, users, uu_base32, uu_base64, uu_basename, uu_cat, uu_cksum, uu_comm, uu_cp, uu_csplit, uu_cut, uu_date, uu_df, uu_dircolors, uu_dirname, uu_du, uu_echo, uu_env, uu_expand, uu_expr, uu_factor, uu_false, uu_fmt, uu_fold, uu_hashsum, uu_head, uu_join, uu_link, uu_ln, uu_ls, uu_mkdir, uu_mktemp, uu_more, uu_mv, uu_nl, uu_numfmt, uu_od, uu_paste, uu_pr, uu_printenv, uu_printf, uu_ptx, uu_pwd, uu_readlink, uu_realpath, uu_relpath, uu_rm, uu_rmdir, uu_seq, uu_shred, uu_shuf, uu_sleep, uu_sort, uu_split, uu_sum, uu_tac, uu_tail, uu_tee, uu_test, uu_tr, uu_true, uu_truncate, uu_tsort, uu_unexpand, uu_uniq, uu_wc, uu_yes, uucore, uucore_procs, void, winapi, winapi-build
MIT OR Unlicense (9): aho-corasick, byteorder, globset, memchr, quickcheck, regex-automata, same-file, walkdir, winapi-util
N/A (1): fuchsia-cprng

[dhodder]

Based on discussions like #1470, I'd like to propose the following text for inclusion at the bottom of CONTRIBUTING.md:

Licensing

uutils is distributed under the terms of the MIT License; see the LICENSE file for details. This is a permissive license, which allows the software to be used with few restrictions.

Copyrights in the uutils project are retained by their contributors, and no copyright assignment is required to contribute.

If you wish to add or change dependencies as part of a contribution to the project, a tool like cargo-license can be used to show their license details. The following types of license are acceptable:

• MIT License
• Dual- or tri-license with an MIT License option ("Apache-2.0 or MIT" is a popular combination)
• "MIT equivalent" license (2-clause BSD, 3-clause BSD, ISC)
• License less restrictive than the MIT License (CC0 1.0 Universal)

Licenses we will not use:

• An ambiguous license, or no license
• Strongly reciprocal licenses (GNU GPL, GNU LGPL)

If you wish to add a reference but it doesn't meet these requirements, please raise an issue to describe the dependency.

Additionally, at the bottom of the Best practises section, we could add the following paragraph:

Obviously, uutils is based on new code, and cannot contain code from existing GNU or Unix-like utilities.

[tertsdiepraam]

@dhodder I like that! It's a very comprehensive explanation. I would rephrase that last part a bit (removing "Obviously" and change it to something like "uutils is original code") and still add that we should also not link to or reference GNU. Would you mind opening a PR for this?

[dhodder]

Thanks for the feedback, @tertsdiepraam !

I've updated the wording to:

uutils is original code. It cannot contain code from existing GNU or Unix-like utilities, nor should it link to or reference GNU libraries.

Please let me know if you'd like me to update it. :)

[dhodder]

A related question, that we may want to consider, is whether we should add a third license category between "acceptable" and "licenses we will not use":

Licenses accepted in referenced dependencies, on a case-by-case basis, when there is no MIT-licensed alternative:

• Apache License, version 2.0