For commercial uses of Rust, is there a way to tell Cargo:
- only use BSD/MIT crates
- never use GPL crates
It is easy to check individual crates, but it's not clear what dependencies the crates I use pull in.
You could use https://github.com/onur/cargo-license; you'd have to wrap it in a small script to check the output, though.
Here's a small script:
https://gist.github.com/azriel91/3bc29b4c131e5734652b51ac2f045865
Goes by white list, and reports all crates that don't have a matching white listed license.
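An allow-list check over the whole resolved dependency graph, as an added example that is not part of this thread or the linked gist: it reads JSON shaped like `cargo metadata --format-version 1` output and evaluates each package's `license` expression, including `OR`/`AND` combinations and the older `/` form. The allow-list, function names and sample packages are assumptions constructed for illustration.

```python
import json
import re

ALLOWED = {"MIT", "BSD-2-Clause", "BSD-3-Clause"}  # assumed allow-list, adjust to policy

def license_ok(expr, allowed=ALLOWED):
    """True if the SPDX-style expression can be satisfied with allowed licenses only."""
    if not expr:
        return False  # no declared license: flag for manual review
    # Older manifests write "MIT/Apache-2.0"; the slash means OR.
    toks = re.findall(r"[()]|[^\s()]+", expr.replace("/", " OR "))[::-1]  # reversed stack

    def peek():
        return toks[-1].upper() if toks else None

    def atom():
        tok = toks.pop()
        if tok != "(":
            return tok in allowed
        ok = chain("OR")
        if toks.pop() != ")":
            raise ValueError("unbalanced parentheses")
        return ok

    def chain(op):  # OR binds loosest; each OR operand is an AND chain of atoms
        operand = atom if op == "AND" else (lambda: chain("AND"))
        ok = operand()
        while peek() == op:
            toks.pop()
            nxt = operand()  # always consume the operand before combining
            ok = (ok and nxt) if op == "AND" else (ok or nxt)
        return ok

    try:
        return chain("OR") and not toks  # leftover tokens (e.g. a WITH clause) fail
    except (IndexError, ValueError):
        return False  # malformed expression: treat as not allowed

def violations(metadata_json, allowed=ALLOWED):
    """List (name, license) for every resolved package outside the allow-list."""
    pkgs = json.loads(metadata_json)["packages"]
    return sorted((p["name"], p.get("license") or "<none>")
                  for p in pkgs if not license_ok(p.get("license"), allowed))

SAMPLE = json.dumps({"packages": [  # constructed, shaped like `cargo metadata` output
    {"name": n, "version": "1.0.0", "license": l} for n, l in [
        ("dual", "MIT OR Apache-2.0"), ("legacy", "MIT/Apache-2.0"),
        ("tables", "(MIT OR Apache-2.0) AND Unicode-DFS-2016"),
        ("copyleft", "GPL-3.0-or-later"), ("unlabelled", None)]]})
```

Pass the output of `cargo metadata --format-version 1` to `violations` to cover transitive dependencies; packages that declare only a license file, or use a `WITH` exception, are reported for manual review.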
@azriel91, @steveklabnik: Excellent suggestions. Thanks!
Gentoo has an ACCEPT_LICENSE allow-list (/etc/portage/make.conf - Gentoo Wiki); it'd be neat for cargo to have something similar.
For curiosity's sake, would love to know the reason behind this move.
I have a similar policy (although I think I'm currently using an LGPL based crate in one project that I need to replace). I do so because I don't want to have to deal with the additional restrictions GPL adds. I have yet to actually distribute pre-compiled binaries for any project, but if I do then I don't want that to force me to do anything. For libraries I then consider it from the point of view of someone using it in an application, and don't want my choice of dependencies to cause the same issue for them.