
Possible legal problems with vendor/patched libraries


tl;dr

Pipenv probably violates a couple of free software licenses by not shipping their text. It is also probably “infected” by GPL.

Details

Hello, we (@mcyprian, me and the Fedora Python SIG @fedora-python) are trying to finally package pipenv for Fedora, so users can just do sudo dnf install pipenv. The Fedora package review request is in Red Hat Bugzilla 1564500.

While we are trying to unbundle (unvendor?) most of the 3rd party libraries shipped with pipenv, we are in a bit of a hurry so we decided to leave the libraries that are

  • not yet packaged for Fedora,
  • or patched

bundled for now. The first category is a TODO for future, the second will probably remain bundled forever.

As part of the review of the Fedora package, the reviewer is obligated to check whether the package is licensed with approved free software/content license and whether the licensing information for the package is correct.

Missing licenses

This is where I found out that all the vendored 3rd party libraries are shipped without their LICENSE/COPYING/etc. files and the NOTICES file is shipped instead.

The contents of the vendor and patched directories are subject to different licenses than the rest of this project. Their respective licenses can be looked up at pypi.python.org.

This is unacceptable for Fedora* and IMHO should not be acceptable for @pypa either. Most of the libraries are licensed with licenses that require the license text to be shipped. See MIT:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Or BSD:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

This is similar for most of the permissive licenses. You should not strip the license file, in fact you need to ship it with the code unconditionally. You may put the license text and copyrights inside another file, such as NOTICES, but a link to pypi is IMHO not enough.

* This is currently only my opinion. It has not yet been reviewed by the Fedora legal team.

Copyleft

I also found out that strict_rfc3339 is shipped under the terms of the GNU General Public License version 3 or later. Needless to say that GPL is a copyleft license. By bundling this part of code inside pipenv, pipenv is “infected” with this license and shall be GPLv3 as well (which I think is undesired).

IANAL, however I’m quite confident that pipenv now violates a couple of free software licenses including the GPL. This currently blocks us from inclusion into Fedora. Since pipenv is the recommended tool I think this shall be brought to @pypa.

Conclusion

What I believe shall be done:

  • The license texts shall be reintroduced, either individually or in one file.
  • Pipenv shall lose any copyleft licensed dependencies if it wishes to remain licensed under MIT.

I offer my help with collecting the licenses back, if that’s agreed upon by pipenv maintainers. I can also try to replace strict_rfc3339 with rfc3339, however I haven’t looked into it yet. There might also be other copylefted files (without a header that makes it obvious).
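As an added example (this is not code from the issue, from pipenv, or from the Fedora packaging work), the two checks the post describes can be automated: walk a vendored-dependency tree, flag every package that ships without a LICENSE/COPYING file, and flag every package whose files carry a copyleft header. The sample tree it builds is constructed data; the package names good_lib, stripped_lib and strict_mod are hypothetical, and the license phrases it matches are the standard MIT/BSD/GPL wording, not pipenv's actual vendored contents.

```python
"""Audit a vendor/ or patched/ tree for missing license files and copyleft headers."""
import os
import re
import tempfile

# File names that carry the license text permissive licenses require to be redistributed.
LICENSE_FILENAMES = re.compile(r"^(LICEN[CS]E|COPYING)(\..*)?$", re.IGNORECASE)

# Phrases that identify copyleft licenses in source headers or license files.
COPYLEFT_PATTERNS = re.compile(
    r"GNU (Affero |Lesser |Library )?General Public License|\bGPL(v[23])?\b|\bAGPL\b|\bLGPL\b"
)


def audit_vendor_tree(root):
    """Return {'missing_license': [...], 'copyleft': [...]} for the packages under `root`.

    A package is either a directory directly under root or a bare .py module directly
    under root. A bare module cannot carry a separate license file, so it is always
    reported as missing one (pipenv's NOTICES-only approach would not satisfy this check).
    """
    missing = []
    copyleft = []
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isdir(path):
            files = []
            for dirpath, _, names in os.walk(path):
                files.extend(os.path.join(dirpath, n) for n in names)
            has_license = any(LICENSE_FILENAMES.match(os.path.basename(f)) for f in files)
        elif entry.endswith(".py"):
            files = [path]
            has_license = False
        else:
            continue  # NOTICES, __init__.py markers, etc. at the tree root are not packages
        if not has_license:
            missing.append(entry)
        for f in files:
            with open(f, encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)  # license headers sit at the top of a file
            if COPYLEFT_PATTERNS.search(head):
                copyleft.append(entry)
                break
    return {"missing_license": missing, "copyleft": copyleft}


def build_sample_tree():
    """Create a throw-away vendor tree. Constructed sample data with hypothetical names."""
    root = tempfile.mkdtemp(prefix="vendor_")

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    # Compliant: an MIT library that ships its LICENSE file.
    write("good_lib/__init__.py", "# Copyright (c) Example Authors\n# MIT License\n")
    write("good_lib/LICENSE", "MIT License\n\nPermission is hereby granted, free of charge...\n")
    # Non-compliant: a BSD library whose license file was stripped when vendoring.
    write("stripped_lib/__init__.py", "# Copyright (c) Example Authors\n# BSD-3-Clause\n")
    # Copyleft: a single module carrying the standard GPLv3-or-later header.
    write(
        "strict_mod.py",
        "# This program is free software: you can redistribute it and/or modify\n"
        "# it under the terms of the GNU General Public License as published by\n"
        "# the Free Software Foundation, either version 3 of the License, or\n"
        "# (at your option) any later version.\n",
    )
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    report = audit_vendor_tree(tree)
    for pkg in report["missing_license"]:
        print(f"MISSING LICENSE FILE: {pkg}")
    for pkg in report["copyleft"]:
        print(f"COPYLEFT HEADER:      {pkg}")
```

Run against a real checkout as audit_vendor_tree("pipenv/vendor") and audit_vendor_tree("pipenv/patched"); anything in missing_license needs its license text restored, and anything in copyleft needs a replacement dependency if the project is to stay MIT. The header scan is a heuristic: a file with no header at all is not proven permissive, which is exactly the "other copylefted files (without a header that makes it obvious)" caveat from the post.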

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 44 (44 by maintainers)

Top GitHub Comments

3 reactions
hroncok commented, Apr 13, 2018

(I’d rather write code, but well, I want pipenv in Fedora.)

1 reaction
techalchemy commented, May 2, 2018

Yes we have 11.10.2 planned so we have a few things left

