2

In github I have a software repository which uses libraries at install time. These libraries are not included in the repository itself, but they are downloaded and installed when I install my tool (e.g. defined in setup.py for python projects).

Does the license I choose for my github software repository depend on any license of the dependencies?

And where can I find a webpage that explains exactly that? When I search for "how to choose a license for OS projects", the licenses of dependencies are not mentioned anywhere. That might imply that my above question is answered by a clear "YES".

But is there an authoritative source somewhere?

Related question with unclear answer: Do the licenses of dependencies matter if the dependencies are not actually shipped by my software?


Example: I have a github repository with one single file which is python code to create some graphics. This code is using two libraries the user has to install himself.

```python
import external_library_to_compute_something
import external_library_to_plot_something

# Read data from a file here, ask user input

# Do some calculations

# Maybe do some linear regression. Use a function of the first tool
a, b = external_library_to_compute_something.lin_reg(data)

# do some more calculations

# Now create the plot; use a function of the second tool
myplot = external_library_to_plot_something.simple_plot(plot_data)
myplot.show()
```

Do I have to consider the licenses of the two tools

external_library_to_compute_something
external_library_to_plot_something

YES or NO?

Alex
  • 1
    There might be a case when you use GPL-licensed libraries. Could you please clarify, if the libraries are dependencies or plug-ins to your software? Or is it even independent software (such as Ghostscript) which is used by a frontend (such as many PDF handling apps)? – Martin_in_AUT Sep 14 '22 at 06:49
  • I am not sure what you mean by "dependencies or plug-ins". For example, one tool is downloading and installing a third-party library named "scipy". "scipy" is not part of my repository. It is downloaded and installed when I install my tool. – Alex Sep 14 '22 at 07:47
  • The required clarification relates to this item in the GPL FAQ https://www.gnu.org/licenses/gpl-faq.html#GPLPlugins . After that we can also discuss the opinion of FSF v. what is actually stated in the license language. – Martin_in_AUT Sep 14 '22 at 08:28
  • Thanks @Martin_in_AUT. But in the case I described, is this one program or different programs? That is still not clear to me. Also, what is FSF? – Alex Sep 14 '22 at 11:02
  • Alex, your description does not allow me to determine if in your case it is a single combined program or not. You will have to make your own assessment. FSF is the Free Software Foundation, a nonprofit with a worldwide mission to promote computer user freedom. They maintain gnu.org and the FAQ linked above. – Martin_in_AUT Sep 15 '22 at 06:35
  • So then, HOW can I determine if a github project is a single combined program or not? – Alex Sep 15 '22 at 09:19
  • 2
    @Alex Definitively? Pay a lawyer. – MadHatter Sep 15 '22 at 16:51
  • So every github developer pays a lawyer to find the correct license? I was not aware of this... – Alex Sep 16 '22 at 05:01
  • 1
    @Alex You might want to reconsider your style and tone of communication. We are answering questions here for free in our spare time. You are not in the position to demand things or yell at us by capitalizing your sentences (like in "YES or NO?") – Martin_in_AUT Sep 16 '22 at 07:53
  • 1
    @Alex Please see this FAQ item for more background on the comment about the "single combined program" question. https://www.gnu.org/licenses/gpl-faq.html#GPLPlugins – Brandin Sep 16 '22 at 08:37
  • 1
    To make the analysis easier, it's easier to treat dependencies as if you are including them in your code. In Python environments, often they are downloaded automatically by a package manager, and presumably there is a configuration file or a script file in your code which tells the package manager how to do that. So, if you distribute your Python package, maybe you're technically not distributing the third party code, but you are distributing explicit instructions to automatically download the 3rd-party code. So to be safe, you need to consider the license of the 3rd-party code. – Brandin Sep 16 '22 at 08:46
  • 1
    @Alex scipy and numpy are both permissively licensed, so for those particular examples, this question is a bit moot. The answer is "yes" in the sense of "yes, you need to consider the license", but "no" in the sense of "no, you don't need to worry about it" because those two permissive licenses don't restrict you in any real sense -- for example, you could even "freeze" your entire Python program (including those 2 libraries) and distribute that to someone else, and that's allowed by those licenses. Of course, the answer will be different if the libraries are (L)GPL. – Brandin Sep 16 '22 at 08:58
  • Thanks that was a clear answer I was able to understand. – Alex Sep 16 '22 at 10:55

2 Answers

4

Yes, you have to consider the licenses of your dependencies.

After you modified your question and included the code example it is clear. You are using the "import" function of Python. This is an equivalent of Linking in other programming languages. Therefore your code perfectly matches the definition in GPLv3 "A “covered work” means either the unmodified Program or a work based on the Program."

If one of the imported modules is under GPL license, then you will have to put your own code under the same license. FSF is clear about that.

If the imported libraries have other licenses, then there might be a different impact, or no impact, on your selection of a license for your own code.

IANAL, and there has always been the discussion if the fact that you are not distributing the GPL-ed code yourself, but ask the users of the app to download it themselves, will actually constitute the act of "propagate a work". If you want to be on the safe side you can just assume it does; if not, you can contact a lawyer experienced in all the jurisdictions where you are distributing your code.

Martin_in_AUT
  • In this particular example, the "ask the users of the app to download it themselves" is quite an overstatement. According to the question itself, the code itself includes an actual script file (setup.py) with specific instructions to download the other code. For (L)GPL, distributing such a script might meet the definition of "propagate" but I'd have to read the section again carefully. – Brandin Sep 16 '22 at 09:20
  • Hmm, I'm no lawyer but that seems like a weak argument. Akin to saying that giving someone the URL to a data file is the same as downloading the data file yourself and giving them a copy. – David Z Sep 25 '22 at 06:49
1

Yes. No. It depends.

You need to abide by the license of all libraries you use, including their respective dependencies.

If you look at permissively-licensed libraries (MIT, BSD, Apache, ...) or the LGPL (whose copyleft license is limited to the library) this does not limit your choice of license of the main programme as long as you abide by the attribution requirements and possibly the requirement to allow replacement by an ABI-compatible library in case of the LGPL.

If you are linking to GPL-licensed libraries it can be argued that your programme itself is a derivative of these libraries and that you have to choose a GPL license yourself. Even if your legal advice disagrees on this point, and you choose for your source code a different license, you WILL have to distribute your compiled binaries which include the GPL libraries under a GPL license. Essentially this means you can distribute your source code under whatever license you choose AND HAVE TO distribute it also under GPL, at least for those versions you ship compiled binaries.

An authoritative source? That is in the end only a court ruling which depends on the jurisdiction you seek advice for. However the FAQ, for instance, of the OSI is a good source, also the GPL FAQ.

planetmaker
  • Thanks for your answer here. I also did not think about binary packages in that sense. But can you please explain the sentence "...as long as you abide by the attribution requirements and possibly the requirement to allow replacement by a ABI-compatible library in case of the LGPL"? I read it several times but I do not understand that sentence... – Alex Sep 14 '22 at 12:50
  • @Alex that's answered here quite well: https://softwareengineering.stackexchange.com/questions/86142/what-exactly-do-i-need-to-do-if-i-use-a-lgpl-licensed-library – planetmaker Sep 14 '22 at 12:57
  • No I do not see that. In the answer it reads: "...That should allow users to supply their own version of the library instead of the one you've shipped with your software...". In my example, I do not ship any library with my open-source project. (I do not have the source code of numpy, for example, as part of my repository. It is separate. The user downloads and installs it separately). So that answer does not seem to be related to my question. – Alex Sep 14 '22 at 13:04
  • @Alex To make your question more answerable you would be better off to give more details. For example, numpy is permissively licensed, so it does not really matter whether or not you include it in your source code distribution. You could include it for convenience, if you wanted, or you could include a script which automatically downloads it when the user installs it. Either way, numpy will get installed. But regardless, this doesn't matter for the numpy example specifically, because numpy is neither LGPL nor GPL. – Brandin Sep 16 '22 at 08:50
  • 1
    Referring to LGPL as "permissive" is a bit misleading. BSD, MIT, Apache are definitely permissive. GPL is copyleft. LGPL is copyleft but with specific permissions (and requirements, which you allude to) for using it in closed source situations. – Brandin Sep 16 '22 at 09:17
  • @Brandin right, that was probably a bit too simplified. I made an edit to make this distinction more clear – planetmaker Sep 16 '22 at 11:42
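
The answers above say to consider the license of every library used, "including their respective dependencies". The following is an added example, not part of the original posts, that walks a Python project's requirements transitively and sorts each package into the license families named in the answers. The keyword matching is a heuristic and the package names in `SAMPLE` are hypothetical, constructed so the walk runs offline; with the default lookup it reads the metadata of packages installed in the current environment (Python 3.8+).

```python
import re
from importlib import metadata

def classify(license_text):
    """Bucket a license string into the families the answers above distinguish."""
    text = (license_text or "").upper()
    if "LGPL" in text or "LESSER GENERAL PUBLIC" in text:
        return "weak-copyleft"   # copyleft limited to the library
    if "GPL" in text or "GENERAL PUBLIC LICENSE" in text:
        return "copyleft"        # may constrain the license of the importing program
    if re.search(r"\b(MIT|BSD|APACHE)\b", text):
        return "permissive"      # attribution requirements only
    return "unknown"             # heuristic failed: read the license text by hand

def installed_info(name):
    """Return (license text, requirement strings) from installed package metadata."""
    md = metadata.metadata(name)
    fields = [md.get("License-Expression") or "", md.get("License") or ""]
    fields += [c for c in md.get_all("Classifier") or [] if c.startswith("License ::")]
    return " ".join(fields), metadata.requires(name) or []

def audit(requirements, lookup=installed_info):
    """Walk requirements transitively and classify each package's license."""
    report, queue = {}, list(requirements)
    while queue:
        req = queue.pop().strip()
        match = re.match(r"[A-Za-z0-9._-]+", req)
        if match is None or re.search(r"extra\s*==", req):
            continue             # skip malformed entries and optional extras
        name = match.group(0).lower().replace("_", "-")
        if name in report:
            continue
        try:
            license_text, requires = lookup(name)
        except metadata.PackageNotFoundError:
            report[name] = "not-installed"
            continue
        report[name] = classify(license_text)
        queue.extend(requires)   # follow the dependencies of the dependency
    return report

# Constructed sample metadata (hypothetical package names), not real packages.
SAMPLE = {
    "plotlib-example": ("BSD-3-Clause", ["numlib-example>=1.0", "docs-helper; extra == 'docs'"]),
    "numlib-example": ("MIT License", []),
    "regress-example": ("License :: OSI Approved :: Apache Software License", ["solver-example"]),
    "solver-example": ("GPL-3.0-or-later", []),
}

def sample_lookup(name):
    if name not in SAMPLE:
        raise metadata.PackageNotFoundError(name)
    return SAMPLE[name]
```

Calling `audit(["regress-example", "plotlib-example"], sample_lookup)` shows the case the answers warn about: a permissively licensed direct dependency that pulls in a GPL package one level down.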