first of all a disclaimer: I am not a lawyer, everything that follows is not legal advice.
XWiki uses the LGPL 2.1 (or any later version) license. What this means in practice is that while modifications to XWiki itself must be published under a license compatible with the conditions in LGPL 2.1 or a later version, there is no such obligation for a greater work like a distribution of XWiki that includes, e.g., non-open source extensions.
Including dependencies in XWiki that are licensed under a copyleft license like GPL (without classpath exception) or AGPL removes this possibility, see, e.g., The Free-Libre / Open Source Software (FLOSS) License Slide. If a module of XWiki has a GPL-licensed dependency, this dependency basically “infects” XWiki with the GPL and thus the conditions of the GPL need to be followed for the whole software that includes this module. For AGPL, this (most likely) includes making source code of the whole XWiki software including all extensions available to everybody who has access to the XWiki installation.
As such obligations seem quite surprising given that XWiki is licensed under LGPL 2.1+, I propose that we ensure that XWiki itself and all recommended extensions don’t have any dependencies that have a copyleft license, so I propose to make this part of the criteria for being a recommended extension. I also propose that we use automated tooling to check this.
There is the LicenseScan Maven Plugin that would allow to deny licenses. To start with, we could ban AGPL and GPL without class path exception. A better approach would actually be to use something like Dependency License Checker that requires to explicitly list all allowed licenses. We could compile a list of all currently used licenses and also ask, e.g., the sponsoring companies to validate this license list. However, this is plugin seems unreleased and the last change was 6 years ago. If there is any other way to enforce this rule I’m open to suggestions.
Impact: The realtime editor in xwiki-platform uses chainpad which is licensed under AGPL. We would either need to move realtime (back) to xwiki-contrib or remove the use of chainpad. I’m not aware of any other dependencies that would fail this check but if we agree on this proposal, we should do a more detailed analysis.