Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Possible legal problems with vendor/patched libraries

See original GitHub issue


Pipenv probably violates couple of free software licenses by not shipping their text. It is also probably “infected” by GPL.


Hello, we (@mcyprian, me and the Fedora Python SIG @fedora-python) are trying to finally package pipenv for Fedora, so user can just do sudo dnf install pipenv. The Fedora package review request is in Red Hat Bugzilla 1564500.

While we are trying to unbundle (unvendor?) most of the 3rd party libraries shipped with pipenv, we are in a bit of hurry so we decided to leave the libraries that are

  • not yet packaged for Fedora,
  • or patched

bundled for now. The first category is a TODO for future, the second will probably remain bundled forever.

As part of the review of the Fedora package, the reviewer is obligated to check whether the package is licensed with approved free software/content license and whether the licensing information for the package is correct.

Missing licenses

This is where I found out that all the vendored 3rd party libraries are shipped without their LICENSE/COPYING/etc. files and the NOTICES file is shipped instead.

The contents of the vendor and patched directories are subject to different licenses than the rest of this project. Their respective licenses can be looked up at

This is unacceptable for Fedora* and IMHO should not be acceptable for @pypa either. Most of the libraries are licensed with licenses that require the license text to be shipped. See MIT:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.


Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

This is similar for most of the permissive licenses. You should not strip the license file, in fact you need to ship it with the code unconditionally. You may put the license text and copyrights inside another file, such as NOTICES, but a link to pypi is IMHO not enough.

* This is currently only my opinion. It has not yet been reviewed by the Fedora legal team.


I also found out that strict_rfc3339 is shipped under the terms of the GNU General Public License version 3 or later. Needless to say that GPL is a copyleft license. By bundling this part of code inside pipenv, pipenv is “infected” with this license and shall be GPLv3 as well (which I think is undesired).

IANAL, however I’m quite confident that pipenv now violates couple of free software licenses including the GPL. This currently blocks us from inclusion into Fedora. Since pipenv is the recommended tool I think this shall be brought to @pypa.


What I believe shall be done:

  • The license texts shall be reintroduced, either individually or in one file.
  • Pipenv shall loose any copyleft licensed dependencies if it wishes to remain licensed under MIT.

I offer my help with collecting the licenses back, if that’s agreed upon by pipenv maintainers. I can also try to replace strict_rfc3339 with rfc3339, however I haven’t looked into it yet. There might also be other copylefted files (without a header that makes it obvious).

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:5
  • Comments:44 (44 by maintainers)

github_iconTop GitHub Comments

hroncokcommented, Apr 13, 2018

(I’d rather write code, but well, I want pipenv in Fedora.)

techalchemycommented, May 2, 2018

Yes we have 11.10.2 planned so we have a few things left

Read more comments on GitHub >

github_iconTop Results From Across the Web

Library Bill of Rights | Advocacy, Legislation & Issues
A person's right to use a library should not be denied or abridged because of origin, age, background, or views. VI. Libraries which...
Read more >
Law on the Frontlines: Legal Reference for Public Libraries
Law and legal reference constitute a specialized area of knowledge and resources. The best way to be comfortable with a specialized area is...
Read more >
Law Library Journal - AALL
Since 1908, Law Library Journal (LLJ) has been the official journal of the American Association of Law Libraries. Scholarly articles on law, legal...
Read more >
Law Libraries FAQs - Connecticut Judicial Branch -
Answers to questions regarding services and resources offered by the ... Our Law Libraries' website offers links to many legal resources available on...
Read more >
Find More Information - Divorce - Texas State Law Library
FAQs and Research Guides — Find information on common legal questions. Frequently Asked Legal Questions. Available to everyone. The Library ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found