LGPLv3 dependency
abhay-krishna opened this issue ยท 6 comments
We indirectly consume the bmclib library when we build the Tinkerbell PBNJ binary but one of the transitive dependencies (gebn/bmc) is licensed under LGPLv3.
Output of go mod graph on PBNJ project:
github.com/tinkerbell/pbnj github.com/bmc-toolbox/bmclib@v0.4.14-0.20211027184927-2f9a20e0a479
github.com/bmc-toolbox/bmclib@v0.4.14-0.20211027184927-2f9a20e0a479 github.com/gebn/bmc@v0.0.0-20200904230046-a5643220ab2a
This causes compliance and legal issues and makes it incompatible for our use-case. I believe LGPLv3 also requires that libraries be dynamically linked to applications if the original license of the application is to be preserved (that is, if you statically link against a LGPL library, you must license the entire application code with LGPLv3). Could you consider removing the dependency on the LGPLv3 library, or suggest other options to maintain compatibility with licenses such as Apache-2.0 and MIT License?
I don't have any issues removing github.com/gebn/bmc. How about you @joelrebel?
@jacobweinstock fine with me, this means the goipmi provider would need to be purged https://github.com/bmc-toolbox/bmclib/blob/master/providers/goipmi/goipmi.go
Thank you for the consideration and quick response @jacobweinstock @joelrebel! This would be really helpful ๐ Would you like me to contribute with a PR removing the goipmi provider?
Hey @abhay-krishna. yeah, feel free. thanks!
Opened PR #257 to remove the provider. Please take a look, thanks once again!
Closing this issue since above PR got merged. We shall be consuming the merge commit to build PBNJ. Appreciate the support and reviews ๐