MIT versus LGPL in practice: Dotkernel case

source link: https://www.dotkernel.com/licensing/mit-versus-lgpl-in-practice-dotkernel-case/
Posted by bidi on April 15, 2024

After a recent analysis, we discovered that one of the upstream packages we use is licensed under LGPL v3. Even though we at DotKernel use the MIT license for our open source projects, the more restrictive license must be applied to the whole application. We implemented a workaround detailed below.

Detailing the problem

The package in question is matomo/device-detector, which requires developers to share their derivative code publicly. This goes against our contractual obligations to the client to keep their custom code business and enterprise friendly. The resulting conflict may cause legal issues in the future.

The solution

Some companies explicitly steer clear of scenarios of this nature, and DotKernel has decided to do the same. Our solution for DotKernel applications and libraries is to stop using third-party packages licensed under LGPL v3. In this particular case, we used the matomo/device-detector package in our dotkernel/dot-user-agent-sniffer package to identify the user agent and use the results in internal reports.

All of DotKernel’s packages are licensed under MIT, which has no restrictions regarding the source code, other than keeping the license and copyright notice in a file within each package. Other non-restrictive licenses include Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0 and OSL-3.0. Some of them are used by the dependencies in DotKernel’s packages instead of MIT, but are still deemed acceptable.

The resolution

The dotkernel/dot-user-agent-sniffer package must follow the LGPL v3 license, beginning with version 3.4.0. Our admin application will not use the features from matomo/device-detector, but will contain instructions on how to add the package, if other developers intend to use it.

Important note

Warning: Any application using dotkernel/dot-user-agent-sniffer with a version lower than 3.4.0 is still a legal liability. We at DotKernel will not abandon the issue as is, but are looking into a solution to bring back the device detector functionality in the future under a less restrictive license. For now we will not include dotkernel/dot-user-agent-sniffer in any of our applications by default.

Rob Allen has created an automation to check the licenses of installed packages. You can follow his article here.

