Licensing for stdlib dependencies #11488

Open
straight-shoota opened this issue Nov 24, 2021 · 4 comments

@straight-shoota
Member

straight-shoota commented Nov 24, 2021

Crystal's standard library has some dependencies on C libraries, and so do programs which use the standard library. Some dependencies apply to all programs (used by core lib from the prelude), some only if you require specific parts of stdlib (like YAML -> libyaml, or Big* -> libgmp).

When these dependencies are used, their licenses apply to the compiled programs as well. This has implications for users building and distributing programs with these libraries.

This has been originally brought up in #11480 (comment) with the observation that libraries licensed with LGPL are problematic for static linking (http://www.gnu.org/licenses/gpl-faq.html#LGPLStaticVsDynamic).

Here is a list of libraries and their licenses:

  • GNU libiconv (used on win32): LGPL
  • MPIR (used on win32): LGPL
  • libgmp (used on unix-like systems): LGPL
  • libpcre: BSD
  • libgc: X11-compatible
  • libxml2: MIT
  • libevent: BSD
  • zlib: zlib-license (GPL-compatible, no copyleft)
  • libssl/libcrypto: OpenSSL License, SSLeay License, Apache 2 (since 3.0)
  • libyaml: MIT
  • libc: LGPL, MIT, or other depending on system
  • libllvm: Apache 2 (with exceptions; LLVM >= 9), UIUC (LLVM < 9)
  • compiler-rt: MIT/UIUC

We should discuss whether we see any necessary action about this.

Making the licensing situation clear in documentation could be a first step (see #11480 (comment)). This might not be our responsibility in general (we just provide bindings for the libraries, not the libraries themselves), but it would be a service to users. However, we're also shipping some libraries in our distribution packages (custom build of libgc in most packages, more in the bundled package).

Additionally, we could consider actions to improve the overall licensing issue. For example, we could try to move to more freely licensed libraries to make distribution of Crystal software easier. That's probably not going to be easy, though.

@HertzDevil
Contributor

HertzDevil commented Nov 25, 2021

LLVM uses Apache 2 with LLVM exceptions since 9.0, UIUC before that. compiler-rt is dual-licensed under MIT and UIUC.

Apart from the public documentation, I think the share/licenses subfolder in our distribution packages should also include all license files of those libraries (or only those that we do distribute, e.g. the GC).

@yxhuvud
Contributor

yxhuvud commented Nov 25, 2021

It may be worth having a separate warning about it on any page that instructs about how to do static compilation too.

@BrucePerens

I do a lot of Open Source license compliance consulting for law firms and their customers, and corporations directly. Licensing issues are a deterrent to commercial use of the language. The problem also exists in shards, not all of which carefully document their library dependencies and the licenses on those libraries because the authors haven't been trained to do so.

The dynamic library dependencies should be carefully documented in the top directory LICENSE, because right now it's just the Apache license, and that's not the whole story. There should be a recommendation that programs with anything other than an Open Source license not be static linked, for reasons of compliance with LGPL.

Redistribution of a compiled Crystal program would currently require distribution of a number of license files with the binary, certainly all of the LGPL ones and no doubt others. The entire set should be in a directory pointed to by LICENSE, including licenses that do not have an explicit requirement to distribute their own text with a binary. Compliance folks generally distribute every license, and they should be able to just copy that directory and be done.

@HertzDevil
Contributor

Apparently NOTICE.md also contains license information, including Readline which we no longer use.
