Ban the use of dependencies with a copyleft license

Hi everybody,

First of all, a disclaimer: I am not a lawyer, and nothing that follows is legal advice.

XWiki uses the LGPL 2.1 (or any later version) license. What this means in practice is that while modifications to XWiki itself must be published under a license compatible with the conditions in LGPL 2.1 or a later version, there is no such obligation for a greater work like a distribution of XWiki that includes, e.g., non-open source extensions.

Including dependencies in XWiki that are licensed under a copyleft license like GPL (without classpath exception) or AGPL removes this possibility, see, e.g., The Free-Libre / Open Source Software (FLOSS) License Slide. If a module of XWiki has a GPL-licensed dependency, this dependency basically “infects” XWiki with the GPL and thus the conditions of the GPL need to be followed for the whole software that includes this module. For AGPL, this (most likely) includes making source code of the whole XWiki software including all extensions available to everybody who has access to the XWiki installation.

As such obligations seem quite surprising given that XWiki is licensed under LGPL 2.1+, I propose that we ensure that XWiki itself and all recommended extensions don’t have any dependencies that have a copyleft license, so I propose to make this part of the criteria for being a recommended extension. I also propose that we use automated tooling to check this.

There is the LicenseScan Maven Plugin that would allow denying licenses. To start with, we could ban AGPL and GPL without classpath exception. A better approach would actually be to use something like Dependency License Checker, which requires explicitly listing all allowed licenses. We could compile a list of all currently used licenses and also ask, e.g., the sponsoring companies to validate this license list. However, this plugin seems unreleased and the last change was 6 years ago. If there is any other way to enforce this rule, I’m open to suggestions.

Impact: The realtime editor in xwiki-platform uses chainpad which is licensed under AGPL. We would either need to move realtime (back) to xwiki-contrib or remove the use of chainpad. I’m not aware of any other dependencies that would fail this check but if we agree on this proposal, we should do a more detailed analysis.
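Added example, not part of the original post and not the configuration of either plugin named above: a minimal Python sketch of the two policies the post compares, a denylist (ban GPL without classpath exception and AGPL) and an allowlist (only explicitly listed licenses pass). The artifact names, the sample license expressions and the contents of both policy sets are constructed assumptions, and the expression parser handles `AND`, `OR` and `WITH` but no parentheses.

```python
import re

# Assumed policy sets for illustration only, not a validated XWiki license list.
DENIED = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
          "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
EXCEPTIONS = {"Classpath-exception-2.0"}  # lifts the ban on a denied license
ALLOWED = {"LGPL-2.1-or-later", "Apache-2.0", "MIT",
           "GPL-2.0-only WITH Classpath-exception-2.0"}

# Constructed sample input: hypothetical artifacts with SPDX-style expressions.
DEPS = {
    "example-utils": "Apache-2.0",
    "example-realtime": "AGPL-3.0-only",
    "example-jdk-api": "GPL-2.0-only WITH Classpath-exception-2.0",
    "example-dual": "GPL-3.0-only OR MIT",
    "example-unreviewed": "LicenseRef-unreviewed",
}

def alternatives(expr):
    """Split 'A AND B OR C' into [[A, B], [C]] (no parentheses support)."""
    return [[t.strip() for t in re.split(r"\s+AND\s+", alt)]
            for alt in re.split(r"\s+OR\s+", expr.strip())]

def deny_ok(term):
    """Denylist: reject only known-bad licenses lacking a listed exception."""
    lic, _, exc = term.partition(" WITH ")
    return not (lic in DENIED and exc not in EXCEPTIONS)

def allow_ok(term):
    """Allowlist: accept only terms that were explicitly reviewed."""
    return term in ALLOWED

def passes(expr, term_ok):
    """A dependency passes if one OR-alternative has only acceptable terms."""
    return any(all(term_ok(t) for t in alt) for alt in alternatives(expr))

def audit(deps):
    """Return {artifact: (passes_denylist, passes_allowlist)}."""
    return {name: (passes(expr, deny_ok), passes(expr, allow_ok))
            for name, expr in deps.items()}

if __name__ == "__main__":
    for name, (deny, allow) in audit(DEPS).items():
        print(f"{name:20} denylist={'ok' if deny else 'FAIL':5}"
              f" allowlist={'ok' if allow else 'FAIL'}")
```

The `example-unreviewed` entry is the case that separates the two approaches: a license nobody has looked at passes the denylist silently but fails the allowlist until it is reviewed and added.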

Definitely +1 for XWiki Standard since that’s actually already the case, but indeed cannot find it written explicitly on dev.xwiki.org and without tooling to ensure it. And looks like we were not as careful as for more external dependencies in the case of chainpad (I did not even check the license on my side, assuming it was the same as usual XWiki productions, when the merge was proposed).

For recommended contrib extensions, I don’t really see the urge. Installing a GPL extension at runtime should not be a problem in terms of license from what I understand, so I’m not sure why it should be forbidden.

Well, saying that XWiki is LGPL is enough since that means that incompatible licenses mustn’t be used (or XWiki wouldn’t be LGPL anymore).

+1 to use tools at build time to verify that we use only compatible licenses.

Thanks

+1 with the same remark as Thomas: I’m not sure that it needs to apply to recommended extensions (from outside xwiki organization, e.g. from xwiki-contrib).

Thanks,
Marius

Indeed, contrib extensions are suggested to use LGPL 2.1 but it’s not mandatory and they can use other licenses (and this is not documented ATM but it’s been discussed in the past).

I don’t know if we want to make LGPL a must for recommended extensions.

+1 for an automatic check on XS