dvc: check licenses of dependencies

Created on 12 Sep 2018 · 10 Comments · Source: iterative/dvc

All 10 comments

Output from pip-licenses after:

```sh
python -m venv .venv \
    && source .venv/bin/activate \
    && pip install -r requirements \
    && pip install pip-licenses \
    && pip-licenses --format-markdown
```

| Name | Version | License |
|--------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------|
| GitPython | 2.1.11 | BSD License |
| PyInstaller | 3.3.1 | GPL license with a special exception which allows to use PyInstaller to build and distribute non-free programs (including commercial ones) |
| PyNaCl | 1.3.0 | Apache License 2.0 |
| PyYAML | 3.13 | MIT |
| altgraph | 0.16.1 | MIT |
| asn1crypto | 0.24.0 | MIT |
| azure-common | 1.1.16 | MIT License |
| azure-nspkg | 3.0.2 | MIT License |
| azure-storage-blob | 1.3.0 | MIT License |
| azure-storage-common | 1.3.0 | MIT License |
| azure-storage-nspkg | 3.0.0 | MIT License |
| bcrypt | 3.1.4 | Apache License, Version 2.0 |
| boto3 | 1.7.4 | Apache License 2.0 |
| botocore | 1.10.84 | Apache License 2.0 |
| cachetools | 2.1.0 | MIT |
| certifi | 2018.8.24 | MPL-2.0 |
| cffi | 1.11.5 | MIT |
| chardet | 3.0.4 | LGPL |
| colorama | 0.3.9 | BSD |
| configobj | 5.0.6 | UNKNOWN |
| configparser | 3.5.0 | MIT |
| cryptography | 2.3.1 | BSD or Apache License, Version 2.0 |
| decorator | 4.3.0 | new BSD License |
| docutils | 0.14 | public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt) |
| future | 0.16.0 | MIT |
| gitdb2 | 2.0.4 | BSD License |
| google-api-core | 1.4.1 | Apache 2.0 |
| google-auth | 1.5.1 | Apache 2.0 |
| google-cloud-core | 0.28.1 | Apache 2.0 |
| google-cloud-storage | 1.12.0 | Apache 2.0 |
| google-resumable-media | 0.3.1 | Apache 2.0 |
| googleapis-common-protos | 1.5.3 | Apache-2.0 |
| grandalf | 0.6 | GPLv2 \| EPLv1 |
| idna | 2.7 | BSD-like |
| jmespath | 0.9.3 | MIT |
| jsonpath-rw | 1.4.0 | Apache 2.0 |
| macholib | 1.11 | MIT |
| nanotime | 0.5.2 | MIT License |
| networkx | 2.2 | BSD |
| ntfsutils | 0.1.4 | BSD |
| paramiko | 2.4.2 | LGPL |
| pefile | 2018.8.8 | UNKNOWN |
| ply | 3.11 | BSD |
| protobuf | 3.6.1 | 3-Clause BSD License |
| pyasn1 | 0.4.4 | BSD |
| pyasn1-modules | 0.2.2 | BSD |
| pycparser | 2.19 | BSD |
| pydot | 1.2.4 | MIT |
| pyparsing | 2.2.2 | MIT License |
| python-dateutil | 2.7.3 | Dual License |
| pytz | 2018.5 | MIT |
| requests | 2.19.1 | Apache 2.0 |
| rsa | 4.0 | ASL 2 |
| s3transfer | 0.1.13 | Apache License 2.0 |
| schema | 0.6.8 | MIT |
| six | 1.11.0 | MIT |
| smmap2 | 2.0.4 | BSD |
| urllib3 | 1.23 | MIT |
| zc.lockfile | 1.3.0 | ZPL 2.1 |

Hi @mroutis ! Thanks for providing this table! Will need to check if everything is compatible with our Apache licence later.

pefile is MIT.

Most licenses are compatible. The only two at question are LGPL and docutils's GPL part.

LGPL is permissive to link with. Python import is considered dynamic linking. Looks like it's permissive enough to redistribute it even with PyInstaller, especially considering that DVC is open-source itself. Discussions (and in some cases permissions to distribute):

@efiop what do we use docutils for?

@shcheklein We don't use docutils. It is a dependency for some other dependency.

It comes from boto; it's actually used only for boto development - https://github.com/boto/botocore/issues/900 I think we should be safe here, since we don't use it and don't even install it by default (correct me if I'm wrong, @efiop )

closing the issue, thanks @efiop and @mroutis

Grandalf came up in a license scan through our dvc dependency; GPL2.0 is copyleft and could cause issues.

@TJEvans , indeed, it looks like GPL2.0 is incompatible with Apache License.

Despite our best efforts, the FSF has never considered the Apache License to be compatible with GPL version 2, citing the patent termination and indemnification provisions as restrictions not present in the older GPL license. The Apache Software Foundation believes that you should always try to obey the constraints expressed by the copyright holder when redistributing their work.

https://www.apache.org/licenses/GPL-compatibility.html

Although, I don't understand how it is incompatible :sweat_smile:

What should we do with this one @iterative/engineering ?

@TJEvans grandalf is dual-licensed GPL or EPL. EPL is permissive I believe. Please, check this link: https://github.com/bdcht/grandalf/blob/master/LICENSE .

@TJEvans btw, what tools were you using to check licenses? I wonder if we should try to make a PR to them to detect this edge case? Just to avoid any questions and concerns from people trying to use DVC.

The scan was executed by WhiteSource. They are usually pretty good about identifying dual licenses. Unfortunately, earlier this year they closed-sourced their tools. Legacy Scanner
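The pip-licenses table at the top of the thread and the dual-license edge case raised for grandalf (a raw `|` inside the license cell, which both breaks the markdown table and is what a scanner has to recognise as "GPL or EPL") can be checked mechanically before a human looks at the result. The script below is an added example, not dvc's code and not part of pip-licenses or WhiteSource: it parses `pip-licenses --format-markdown` output, splits dual-license cells, and sorts packages into `ok`, `review` and `unknown`. The sample table is constructed from a handful of rows above, and the license-family patterns and the verdict rule (a package is `ok` when at least one offered alternative carries no strong copyleft) are this example's own assumptions, not a legal determination.

```python
"""Classify pip-licenses markdown output into review buckets.

Added example (not dvc's own code). The family patterns and the ok/review/
unknown rule are assumptions made for illustration, not legal advice.
"""
import re

# Constructed sample in the shape pip-licenses emits. The grandalf row carries
# a raw '|' inside the license cell, the edge case discussed in the thread.
SAMPLE = """\
| Name | Version | License |
|------|---------|---------|
| GitPython | 2.1.11 | BSD License |
| chardet | 3.0.4 | LGPL |
| configobj | 5.0.6 | UNKNOWN |
| cryptography | 2.3.1 | BSD or Apache License, Version 2.0 |
| grandalf | 0.6 | GPLv2 | EPLv1 |
| docutils | 0.14 | public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt) |
"""

# License families (assumed patterns). LGPL is listed before GPL, and the GPL
# pattern uses a word boundary so "LGPL" is not mistaken for "GPL".
FAMILIES = [
    ("LGPL", re.compile(r"\bLGPL", re.I)),
    ("GPL", re.compile(r"\bGPL|GNU General Public", re.I)),
    ("EPL", re.compile(r"\bEPL|Eclipse Public", re.I)),
    ("MPL", re.compile(r"\bMPL|Mozilla Public", re.I)),
    ("Apache", re.compile(r"\bApache|\bASL\b", re.I)),
    ("BSD", re.compile(r"\bBSD", re.I)),
    ("MIT", re.compile(r"\bMIT\b", re.I)),
    ("ZPL", re.compile(r"\bZPL", re.I)),
    ("PublicDomain", re.compile(r"public domain", re.I)),
]
STRONG_COPYLEFT = {"GPL"}  # anything offered only under these goes to review


def parse_markdown_table(text):
    """Return (name, version, license_cell) tuples from pip-licenses markdown.

    Only the first two cells are trusted as name/version; the rest of the
    line is rejoined, so a '|' inside the license cell survives instead of
    silently producing a fourth column.
    """
    rows = []
    for line in text.splitlines():
        if not line.startswith("|") or set(line) <= set("|- "):
            continue  # skip prose and the header separator line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0].lower() == "name":
            continue  # header row
        name, version, license_cell = cells[0], cells[1], " | ".join(cells[2:])
        rows.append((name, version, license_cell))
    return rows


def split_alternatives(license_cell):
    """Split a license cell into the alternatives the author offers.

    '|', ' or ' and '/' are treated as dual licensing. Parenthesised remarks
    such as "(see COPYING.txt)" are dropped first. Commas are deliberately
    not split on: "Apache License, Version 2.0" is one license, and docutils'
    comma list describes parts under different licenses, not a choice.
    """
    cleaned = re.sub(r"\([^)]*\)", "", license_cell)
    parts = re.split(r"\s*\|\s*|\s+or\s+|\s*/\s*", cleaned, flags=re.I)
    return [p.strip() for p in parts if p.strip()]


def classify(license_cell):
    """Return 'ok', 'review' or 'unknown' for one license cell."""
    matched_any = False
    for alt in split_alternatives(license_cell):
        families = {name for name, rx in FAMILIES if rx.search(alt)}
        if families:
            matched_any = True
        # One alternative without strong copyleft is enough (grandalf's EPL).
        if families and not (families & STRONG_COPYLEFT):
            return "ok"
    # "UNKNOWN" and "Dual License" match nothing and need a manual lookup.
    return "review" if matched_any else "unknown"


def audit(text):
    """Map package name -> (license_cell, verdict) for a whole table."""
    return {name: (lic, classify(lic)) for name, _ver, lic in parse_markdown_table(text)}


def needs_review(text):
    """Sorted names of packages that are not plainly 'ok'."""
    return sorted(n for n, (_lic, verdict) in audit(text).items() if verdict != "ok")


if __name__ == "__main__":
    for name, (lic, verdict) in audit(SAMPLE).items():
        print(f"{verdict:8} {name:12} {lic}")
```

Run against real output by replacing `SAMPLE` with the captured `pip-licenses --format-markdown` text. On the sample, grandalf comes out `ok` because its EPL alternative is accepted, docutils goes to `review` because its single entry includes a GPL part, and configobj is `unknown`, which matches the three cases the thread had to resolve by hand.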
