[Hackage] #481: License compatibility check

Hackage trac at galois.com
Sat Jan 31 12:23:52 EST 2009

#481: License compatibility check
  Reporter:  guest          |        Owner:         
      Type:  enhancement    |       Status:  new    
  Priority:  normal         |    Milestone:  _|_    
 Component:  Cabal library  |      Version:         
  Severity:  normal         |   Resolution:         
  Keywords:                 |   Difficulty:  unknown
Ghcversion:                 |     Platform:         
Changes (by duncan):

  * version: =>
  * milestone:  => _|_


 This is not as simple or easy as it looks. Firstly, there is nothing wrong
 with a BSD package depending on a GPL package. The BSD package really can
 have that license. Of course anyone using the combination of packages is
 bound by the GPL but that does not mean the BSD package is wrong in any

 It would be useful to notify users of a package of the set of licenses
 that a package must follow if it depends on a package and all its deps
 transitively. That could be done on hackage. However actually notifying
 accurately is not easy because deciding what the dependencies of a package
 are is hard (NP-hard). The dependencies are also potentially very
 flexible, so in some configurations we might want to complain and in
 others not. For example a package that depends on either readline or
 editline bindings. Or more tricky, suppose you depend on a package and a
 later version of that package gains a dependency on readline. You could
 still construct a configuration that avoids readline so do we warn or not?

 It's also necessarily incomplete because it does not take into account
 dependencies on foreign libraries.

 As for proprietary packages, they're not allowed on hackage anyway. People
 producing proprietary software already need to do a more thorough check
 than this simple one would be. So how useful is it?

 At least doing the check at build time makes it a bit easier because it
 removes all the questions about potential configurations, we're picking a
 specific configuration and linking everything together. However we're not
 distributing anything at that point. We do not want to warn about every
 single utility that people write in-house (which will naturally be
 `AllRightsReserved`), we would only want to warn at distribution time but
 we have no way of identifying distribution time for proprietary apps.
 People running `sdist` may just be distributing internally within a

Ticket URL: <http://hackage.haskell.org/trac/hackage/ticket/481#comment:1>
Hackage <http://haskell.org/cabal/>
Hackage: Cabal and related projects

More information about the cabal-devel mailing list