License of dependencies

[emmanuelbernard]

Any restriction on dependencies of Cf projects
https://github.com/commonhaus/foundation-draft/blob/main/governance/ip-policy.md

Can it uses a GPL dependency ? How about proprietary, fauxpersource ?

[ebullient]

That's a good question re: required dependencies.

GPL is an OSI-approved license, as long as use of GPL dependency (and implication to consumers) is well-documented, that wouldn't be an issue from my perspective.

Proprietary / fauxpersource would be an issue, as that could hurt the ability of the project to be viable over the long term.

[Sanne]

I believe I understand what you mean by fauxpersource but googled it to confirm.. FYI zero responses so I'm slightly in doubt :)

[emmanuelbernard]

fauxpensource is a term I coined to describe BSL style licenses that are not open source for n years and then fall into the open source licence. The reason is that for me it kill the open and open source ecosystem to use these licenses.

[ebullient]

Guidance in the bylaws + eligibility for project would be OSI-approved licenses.

I do have follow up "technical detail" questions (how to actually do/verify the thing). e.g. license scanning tool to detect this. I can't easily find "the right" one. (IBM had one, I think RH probably has one... out in the great wide world, I can find only one, and it's maintenance/health is dubious... no idea)

[maxandersen]

Eclipse and cncf foundation have some too.

[ebullient]

yep. I just need to get my hands on the ones that are maintained and work. ;) Have pointers?

[kenfinnigan]

One of the popular tools CNCF projects use is: https://github.com/fossas/fossa-cli

[kenfinnigan]

https://github.com/commonhaus/foundation-draft/blob/main/policies/ip-policy.md#license-selection-and-usage covers the licenses that are supported, and how to seek approval for others.

If that doesn't answer the question sufficiently, please open a PR with proposed changes