Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rust-embed is tainted with MPL-2 via option-ext #231

Open
neoeinstein opened this issue Jan 8, 2024 · 1 comment
Open

rust-embed is tainted with MPL-2 via option-ext #231

neoeinstein opened this issue Jan 8, 2024 · 1 comment

Comments

@neoeinstein
Copy link

Hello, I wanted to raise a note that this crate currently has a transitive dependency on option-ext. That library is MPL-2, a copyleft license. The option-ext dependency is brought in via shellexpand's dependency on dirs. The maintainer of dirs has explicitly stated that they added a dependency on option-ext for the express purpose of tainting the use of dirs with MPL-2, which thus taints any use of rust-embed. I have filed a ticket with shellexpand to recommend using an alternate dependency such as etcetera, which does not suffer from this tainting issue.
@neoeinstein neoeinstein mentioned this issue Jan 8, 2024
Closed
@neoeinstein neoeinstein changed the title rust-embed is poisoned with MPL-2 via option-ext rust-embed is tainted with MPL-2 via option-ext Jan 8, 2024
@pyrossh
Copy link
Owner

pyrossh commented Jan 10, 2024

Thanks. Hopefully shellexpand releases a new version soon.
We might need to use alternatives with limitations if needed such as,
https://crates.io/crates/tilde-expand

the-kenny added a commit to the-kenny/pgrx that referenced this issue Jan 24, 2024
@the-kenny
Replace dependency on 'dirs' with 'home'
4d02fd2 
The 'dirs' crate recently started depending on the 'options-ext' crate
which uses copyleft license (MPL). This (unnecessary) dependency causes
licensing issues for various users by possibly poisoning the dependency
tree of their projects[1].

This change replaces the 'dirs' crate with 'home'. The 'home' crate is
maintained by the cargo team and offers the same functionality.

As a bonus, this change also results in a slightly smaller dependency
tree.

[1]:
- artichoke/artichoke#2564
- pyrossh/rust-embed#231
- juhaku/utoipa#834
- harryfei/which-rs#78
the-kenny added a commit to the-kenny/pgrx that referenced this issue Jan 24, 2024
@the-kenny
Replace dependency on dirs with home
a2f5f4f 
The `dirs` crate recently started depending on the `options-ext` crate
which uses copyleft license (MPL). This (unnecessary) dependency causes
licensing issues for various users by possibly poisoning the dependency
tree of their projects[1].

This change replaces the `dirs` crate with `home`. The `home` crate is
maintained by the cargo team and offers the same functionality.

As a bonus, this change also results in a slightly smaller dependency
tree.

[1]:
- artichoke/artichoke#2564
- pyrossh/rust-embed#231
- juhaku/utoipa#834
- harryfei/which-rs#78
@the-kenny the-kenny mentioned this issue Jan 24, 2024
Merged
the-kenny added a commit to the-kenny/pgrx that referenced this issue Apr 20, 2024
@the-kenny
Replace dependency on dirs with home
014554d 
The `dirs` crate recently started depending on the `options-ext` crate
which uses copyleft license (MPL). This (unnecessary) dependency causes
licensing issues for various users by possibly poisoning the dependency
tree of their projects[1].

This change replaces the `dirs` crate with `home`. The `home` crate is
maintained by the cargo team and offers the same functionality.

As a bonus, this change also results in a slightly smaller dependency
tree.

[1]:
- artichoke/artichoke#2564
- pyrossh/rust-embed#231
- juhaku/utoipa#834
- harryfei/which-rs#78
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@neoeinstein @pyrossh