License legalese

Hi,
So recent talk about licenses made me check my side project and I found something that is a bit disturbing to a non-lawyer.
My project is Apache-2.0 / MIT and uses actix-web (also Apache-2.0 / MIT). However, some way down the line there is a dependency on actix-rt (Apache-2.0 / MIT) and then copyless. Seems like copyless is under MPL-2.0 (crates.io). According to this article this is not legal. So my questions are:

  1. Is this thinking correct?
  2. Can I just ensure license compatibility within my own Cargo.toml (i.e. my software's license is compatible with my deps' licenses) and ignore my dep's dep's dep's license?
1 Like

It might help to read this FAQ on the MPL: https://www.mozilla.org/en-US/MPL/2.0/FAQ/

I don't see anything "not legal" about your setup, but it sounds to me like you'd need to provide something to users you distribute to that indicates how to get the source code for any MPL-covered code in your application.

Definitely not. The licenses of all source code compiled into your binary are active.

I personally always review the licenses of all of my dependencies to ensure that no copyleft (including MPL) sneaks in. Tools like cargo lichking can help with that.

1 Like
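To make the "check every transitive dependency" point concrete, here is an added example (not from this thread, and not the cargo-lichking tool itself) that walks the `resolve` graph of `cargo metadata --format-version 1` JSON and flags crates whose declared license leaves no copyleft-free choice. The embedded metadata is a constructed stand-in for the thread's actix-web -> actix-rt -> copyless chain; the ids and versions in it are made up.

```python
import json
from collections import deque

# License families whose terms follow the code into a distributed binary (MPL included, per the thread).
COPYLEFT_PREFIXES = ("MPL-", "GPL-", "LGPL-", "AGPL-")

def copyleft_only(expr):
    """True when no alternative in a crate's SPDX-style license expression avoids a copyleft license."""
    if not expr:
        return True  # undeclared license: needs manual review, so flag it
    alternatives = expr.replace("/", " OR ").split(" OR ")  # old-style "MIT/Apache-2.0" also means OR
    return all(any(part.strip().startswith(COPYLEFT_PREFIXES) for part in alt.split(" AND "))
               for alt in alternatives)

def transitive_deps(metadata, root_id=None):
    """Ids of every package reachable from the root in the `resolve` graph (root itself excluded)."""
    resolve = metadata["resolve"]
    edges = {node["id"]: node["dependencies"] for node in resolve["nodes"]}
    seen, queue = set(), deque([root_id or resolve["root"]])
    while queue:
        for dep in edges.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def flag_copyleft(metadata, root_id=None):
    """Map crate name -> declared license for transitive deps that are copyleft-only or undeclared."""
    packages = {p["id"]: p for p in metadata["packages"]}
    return {packages[i]["name"]: packages[i].get("license") or "UNDECLARED"
            for i in transitive_deps(metadata, root_id) if copyleft_only(packages[i].get("license"))}

# Constructed stand-in for `cargo metadata` output; ids and versions are made up for the example.
REG = "registry+https://github.com/rust-lang/crates.io-index"
ROOT = "myapp 0.1.0 (path+file:///work/myapp)"
SAMPLE_METADATA = {
    "packages": [
        {"id": ROOT, "name": "myapp", "license": "Apache-2.0 OR MIT"},
        {"id": f"actix-web 0.1.0 ({REG})", "name": "actix-web", "license": "MIT OR Apache-2.0"},
        {"id": f"actix-rt 0.1.0 ({REG})", "name": "actix-rt", "license": "MIT OR Apache-2.0"},
        {"id": f"copyless 0.1.0 ({REG})", "name": "copyless", "license": "MPL-2.0"},
    ],
    "resolve": {"root": ROOT, "nodes": [
        {"id": ROOT, "dependencies": [f"actix-web 0.1.0 ({REG})"]},
        {"id": f"actix-web 0.1.0 ({REG})", "dependencies": [f"actix-rt 0.1.0 ({REG})"]},
        {"id": f"actix-rt 0.1.0 ({REG})", "dependencies": [f"copyless 0.1.0 ({REG})"]},
        {"id": f"copyless 0.1.0 ({REG})", "dependencies": []},
    ]},
}

if __name__ == "__main__":
    import sys  # optional: pass the path of a saved `cargo metadata` JSON file instead of the sample
    meta = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_METADATA
    for name, lic in sorted(flag_copyleft(meta).items()):
        print(f"{name}: {lic}")
```

Run against a real project with `cargo metadata --format-version 1 > meta.json` followed by `python check.py meta.json`; the root crate's own license is not checked, only what it pulls in.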

In general, it's "good practice" for libraries to inform users directly of any license requirements of their transitive dependencies. In practice, compatible-but-with-extra-requirements libraries get used without note, and sometimes mistakes even happen where an OSS-licensed library depends on a non-OSS-licensed library. (Sometimes this is actually desired, especially around -sys wrappers.)

Ultimately, when you publish something, it's on you to check the licenses of all code transitively included. We can build tools and automation to make this easier, but it's still on you to make sure your legal footing is sound.

(Just publishing your own code and requiring users to compile it sidesteps the issue as you only distribute your own code and metadata pointing at the other libraries, but it's not good practice to mislead users of your code further. Improve the ecosystem, don't make it worse.)

1 Like