On Sat, Dec 15, 2012 at 4:25 PM, Malcolm Wallace <malcolm.wallace@me.com> wrote:

On 13 Dec 2012, at 10:41, Petr P wrote:

> In particular, we can have a BSD package that depends on a LGPL package, and this is fine for FOSS developers. But for a commercial developer, this can be a serious issue that is not apparent until one examines *every* transitive dependency.

This might be a good time to remind everyone that every single program compiled by a standard GHC is linked against an LGPL library (the Gnu multi-precision integer library) - unless you take care first to build your own copy of the compiler against the integer-simple package instead of integer-gmp.  As far as I know, there are no ready-packaged binary installers for GHC that avoid this LGPL'd dependency.

http://hackage.haskell.org/trac/ghc/wiki/ReplacingGMPNotes

Just saying.


The difference between a library being (L)GPLed and this GMP issue is that, in the latter case, we have an escape route. I know of at least two companies which are actively considering switching entirely to simple-integer because of this issue. If a widely used package (e.g., cpphs) is not available under a permissive license, there's no such escape route available to users. (And note that I'm not actually *happy* about the GMP situation, but at least we have a possible solution.)

I would strongly recommend reconsidering the licensing decision of cpphs. Even if the LICENSE-commercial is sufficient for non-source releases of software to be protected[1], it introduces a very high overhead for companies to need to analyze a brand new license. Many companies have already decided BSD3, MIT, and a number of other licenses are acceptable. It could be very difficult to explain to a company, "Yes, we use this software which says it's LGPL, but it has this special extra license which, if I'm reading it correctly, means you can't be sued, but since the author of the package wrote it himself, I can't really guarantee what its meaning would be in a court of law."

Looking at the list of reverse dependencies[2], I see some pretty heavy hitters. Via haskell-src-exts[3] we end up with 75 more reverse dependencies. I'd also like to point out that cpphs is the only non-permissively-licensed dependency for a large number of packages.

I can give you more detailed information about my commercial experience privately. But I can tell you that, in the current situation, I have created projects for clients for which Fay[4] would not be an option due to the cpphs licensing issue.

Michael

[1] I'm not sure of that, since IANAL.
[2] http://packdeps.haskellers.com/reverse/cpphs
[3] http://packdeps.haskellers.com/reverse/haskell-src-exts
[4] http://packdeps.haskellers.com/licenses/fay