Concerns about Hera dependency's licensing terms

[gspr]

It is my understanding that GUDHI 3.8.0 requires Hera 2.0 (please correct me if this is not the case). I have some concerns about Hera 2.0's licensing terms, and these concerns therefore transitively apply to GUDHI 3.8.0 as well. Hera is released under a BSD-type license, yet from version 2.0 on, it bundles its own (modified) copy of PHAT. Since PHAT is under the GPL, this seems like a clear license violation in the sense of deriving a work from (and redistributing) GPL'ed code under a more permissive license (in the absence of special permissions from PHAT's copyright holders, of course). I have tried to raise the issue on Hera's issue tracker, but have not heard back for months.

That Hera has this problem is perhaps not the end of the world, but I do believe it does transitively pose a problem for GUDHI that needs to be rectified. (Sidenote: The dependence on Hera 2.0 is also what's currently blocking GUDHI 3.8.0 from going into Debian, because from my understanding Hera 2.0 is un-distributable in its current form).

[mglisse]

Thanks for letting us know, I had not noticed. As far as I understand, PHAT is only used in the "matching" part of hera, but in Gudhi we only use the "wasserstein" and "bottleneck" parts, so we shouldn't be affected (you can try removing PHAT to check that Gudhi still compiles). I don't think (?) we ever install our copy of hera, just use it to compile stuff at build time.
If we ended up depending on PHAT for some parts of Gudhi, the situation would be similar to what we currently have with other dependencies like CGAL (https://gudhi.inria.fr/licensing/), it would just need some documentation tweaks.
I don't think PHAT (and the rest of the extern/ subdirectory) should be considered part of Hera but (forked?) external dependencies, which I guess is why the stated license ignores them. There was also some discussion of packaging in anigmetov/hera#11. So Hera's code is BSD, but if you compile something using "matching" which brings in PHAT, the resulting binary is covered by GPL.

[mglisse]

It is my understanding that GUDHI 3.8.0 requires Hera 2.0 (please correct me if this is not the case).

Gudhi is only tested with the exact commit referenced in the submodule setup. It should be close to version 2.0, but it may differ by a few commits (see also #881). If it doesn't work with 2.0, let us know so we can prioritize #881.

[gspr]

On August 30, 2023 9:46:17 PM GMT+02:00, Marc Glisse ***@***.***> wrote: Thanks for letting us know, I had not noticed. As far as I understand, PHAT is only used in the "matching" part of hera, but in Gudhi we only use the "wasserstein" and "bottleneck" parts, so we shouldn't be affected (you can try removing PHAT to check that Gudhi still compiles).

Thanks for clarifying.

If we ended up depending on PHAT for some parts of Gudhi, the situation would be similar to what we currently have with other dependencies like CGAL (https://gudhi.inria.fr/licensing/), it would just need some documentation tweaks.

Indeed. That situation wouldn't worry me, since GUDHI is good and clear about labeling what functionality triggers the GPL.

I don't think PHAT (and the rest of the extern/ subdirectory) should be considered part of Hera but (forked?) external dependencies, which I guess is why the stated license ignores them.

IANAL, but it seems like a stretch to call something an external dependency if it is modified for use in (or maybe "with") the "depending" software.

There was also some discussion of packaging in anigmetov/hera#11. So Hera's code is BSD, but if you compile something using "matching" which brings in PHAT, the resulting binary is covered by GPL.

Indeed. The root of my problem is that Hera needs to he upfront about this. I don't think one can go about saying "this software is licensed under license X" and then leave it up to the user (or, in the case of open source stuff like this - a redistributor of a derived product!) to realize that if a specific piece of functionality is used, then it's all under license Y. GUDHI handles this nicely by clearly labelling which parts of the code cause the GPL to come into effect. Hera just throws out BSD blurb and leaves it at that.

[mglisse]

The root of my problem is that Hera needs to he upfront about this.

100% agreed here.

[mglisse]

I am going to close this issue because there doesn't seem to be anything to do on the gudhi side, except being careful if we ever decide to use the "matching" part of Hera in the future.