3

I would like make use of the certifi library in my project, but I am not allowed to use any copy-left libraries, and certifi is MPL. Really the certifi library just provides a pem file of a bunch of root CA certificates and dumps it to disk for other programs to use.

So instead I started looking at using a pem file directly that wasn't subject to the same copy-left restrictions. It seems like just about everything comes back to the list curated by Mozilla or by cURL (which really is just wrapping the Mozilla one I believe). Both of these to no surprise are covered by MPL.

However - at this point the pem file is now a data file, and not a library. Can I create a closed source commercial project at this point that uses one of these files as a data file?

The closest I've found on the topic is this: Can I use cacert.pem file (MPL 2.0) as part of my proprietary program But the only answer on that question discusses pulling the certificate into a final bundled distribution file. If I instead write my code in such a way that it pulls the pem file from some location, e.g.:

  • Directly from the Mozilla or cURL links above
  • An S3 bucket hosted by me and publicly available
  • A configurable location specified in a config file

and then stores that file on disk for other applications to use... Does my application or any other application using that pem file need to be MPL as well? Or have I effectively broken the copy left chain?

DrTeeth
  • 133
  • 3

1 Answers1

2

If your application just wants to read a file called cacert.pem that can be interpreted as having the format of a pem file, then the contents of the file are just data to the program and under copyright law the two are considered independent works whose copyright licenses don't affect each other.

This means that the cacert.pem file provided by Mozilla under the MPL license can be used by a completely closed-source application without any issue.

As the MPL is actually a fairly weak copyleft license (files under the MPL must remain under that license, but there are no requirements at all for other files), you could even include the cacert.pem file in your distribution without it affecting your application.

Other options are to let the end-user make sure the file is present on their system or to download it from a reputable source.

Bart van Ingen Schenau
  • 29,549
  • 3
  • 46
  • 83
  • That's great, thanks. It's a little rough reading exactly what a "data file" is, but so long as we go out and grab it at run time (as opposed to compiling it in at build time), it feels like we're OK - someone could use their own pem file instead of the one we recommend. – DrTeeth Sep 17 '20 at 19:54