-
I am relatively new to Python, so apologies if I have misunderstood anything here. The following captures my understanding of this problem. This project has a dependency on the Would it be possible to add a similar notice to this project? It would be preferable to those who would like to use Azure for authentication etc. that this template is updated such that all transitive dependencies use permissive licenses. I appreciate that is not a small piece of work. This is, however, a problem many will have to solve if they want to use Azure for authentication in a closed-source application they want to distribute.
Replies: 3 comments
-
Thanks for bringing this topic to our attention. IANAL; an online search yields some opinions (such as this one and that one) suggesting that "your library (app?) can be available under whatever terms you like, as long as the LGPL library is still available under the same terms determined by its original author". In the Python ecosystem, there are tons of apps and libraries that depend on
-
My interpretation of the LGPL license is that if an application were to use Supposing the build of the application results in a Docker container, my interpretation is that you would need to, for example, expose a variable which defines the path to go and look for This would raise a series of security concerns around introducing a vector for a bad actor to exploit, allowing them to inject malicious code at runtime. To me, this conclusion means the answer to "figure out whether your app can use a transitive LGPL dependency" is no. This is why we apply this level of scrutiny to all of our direct and transitive dependencies. I expect there are a huge number of other companies who have the simultaneous need of license adherence and protection from bad actors who would similarly be excluded from using this template application in its current form. Given this template is here to facilitate faster and easier adoption of the Azure Identity API, I believe that removing this dependency on I'd also add that doing this 'homework' for each direct and transitive dependency is quite time-consuming. If the way forward the maintainers of this library choose to go is to retain the
-
Thanks for your time on providing those details.