
webpki-roots is copy-left #478

Closed
emilk opened this issue Feb 4, 2022 · 8 comments

Comments

@emilk
Contributor

emilk commented Feb 4, 2022

Thanks for a great library!

https://github.com/rustls/webpki-roots has a copy-left license (MPL-2.0) making it unsuitable for any closed-source use.

webpki-roots is enabled by the tls feature in `ureq` (a default feature).

I suggest we make rustls-native-certs the default, and webpki-roots opt-in so that ureq does not create copy-left problems for its users unless they actively opt-in to using webpki-roots.

I can make a PR for this change.


PS: this was discovered using cargo-deny

@jsha
Collaborator

jsha commented Feb 4, 2022

Thanks for spotting this!

I'm a little reluctant to change the default, in part because rustls/rustls-native-certs#25 means that the platform verifier trusts some untrusted roots, which creates risk of accepting an inappropriate certificate.

Also, this would definitely merit a major version bump, because it could break connecting to some sites that would otherwise work. Still, overall the native-certs approach is the one we'd like to take long-term, assuming rustls adds the necessary extension points.

What do you think of waiting on this change until rustls has the necessary extension points to use the platform verifier and platform roots, then doing it as a major version bump?

@algesten
Owner

algesten commented Feb 5, 2022

I agree, @emilk we agree in principle to switch to rustls-native-certs, however now is not the time.

Would a way forward, for now, be to make a PR that documents the copyleft concerns?

@emilk
Contributor Author

emilk commented Feb 5, 2022

I understand this is a big change not to be taken lightly, and I trust your judgement on this.

I really enjoy the minimal dependencies of ureq (and not having to pull in an async executor), so I hope this can be resolved in the near future!

Until then I'll be putting this in my Cargo.toml:

[patch.crates-io]
ureq = { git = "https://github.com/emilk/ureq/", branch = "opt-in-webpki-roots" }

Thanks for your attention and responses, and for a great crate!

@emilk
Contributor Author

emilk commented Feb 5, 2022

How about adding a new feature to ureq in the meantime:

tls_native_certs = ["webpki", "native-certs", "rustls"]

This would allow users to use tls without any copy-left code being pulled in, by using

ureq = { version = "2.4", default-features = false, features = ["gzip", "tls_native_certs"] }

No major version bump required!
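The two configuration choices discussed above, written out as an added example (this is editor-supplied illustration, not code from the ureq project or from any participant in this thread). The `tls_native_certs` feature name is taken from the proposal in this thread and is assumed to be the name that ships; the `deny.toml` keys are the `[licenses]` keys cargo-deny accepted in its 2022 releases (the `copyleft` key has since been deprecated, so check the documentation for the version you run). The crate version and the permissive-license list are placeholders chosen for the example:

```toml
# ---- Cargo.toml (application side) ---------------------------------------
[dependencies]
# Default build: the `tls` feature compiles in webpki-roots (MPL-2.0) as the
# trust store, so the root set is whatever that crate version bundled.
# ureq = "2.4"

# Opt-in alternative proposed in this thread: platform root store via
# rustls-native-certs, no webpki-roots in the dependency graph.
# (Feature name assumed from the proposal above.)
ureq = { version = "2.4", default-features = false, features = ["gzip", "tls_native_certs"] }

# ---- deny.toml (cargo-deny) -----------------------------------------------
[licenses]
unlicensed = "deny"
# Still fail the build on copyleft licenses that are not explicitly listed
# below, so a future GPL/LGPL dependency is caught.
copyleft = "deny"
# MPL-2.0 is explicitly allowed: its copyleft is file-level and does not
# extend to the larger work, which is the nuance cargo-deny cannot express
# on its own. Explicitly allowed licenses take precedence over `copyleft`.
allow = ["MIT", "Apache-2.0", "ISC", "BSD-3-Clause", "MPL-2.0"]
```

Run `cargo deny check licenses` after the change; with `MPL-2.0` in `allow`, webpki-roots no longer trips the copyleft check, while any other copyleft crate still does. Note that the Cargo.toml switch is a trust-store decision as much as a licensing one: the native-certs path trusts whatever the operating system store contains, including locally installed or enterprise roots, which is the risk jsha raises above (rustls/rustls-native-certs#25), whereas the bundled webpki-roots set is fixed at the crate version you compiled against and only changes when you update that dependency.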

@dralley

dralley commented Feb 7, 2022

https://github.com/rustls/webpki-roots has a copy-left license (MPL-2.0) making it unsuitable for any closed-source use.

This is not true. MPLv2 is a "weak copyleft" license and it can be used in closed-source codebases without issue. It will not "infect" any larger work which includes MPLv2 licensed code, which is different from GPL / LGPL style copyleft licenses.

See "Q1" and "Q11" from the FAQ here

Q1: What is the Mozilla Public License?

The MPL is a simple copyleft license. The MPL's "file-level" copyleft is designed to encourage contributors to share modifications they make to your code, while still allowing them to combine your code with code under other licenses (open or proprietary) with minimal restrictions.

Q11: How 'viral' is the MPL? If I use MPL-licensed code in my proprietary application, will I have to give all the source code away?

No. The license requires that Modifications (as defined in Section 1.10 of the license) must be licensed under the MPL and made available to anyone to whom you distribute the Source Code. However, new files containing no MPL-licensed code are not Modifications, and therefore do not need to be distributed under the terms of the MPL, even if you create a Larger Work (as defined in Section 1.7) by using, compiling, or distributing the non-MPL files together with MPL-licensed files. This allows, for example, programs using MPL-licensed code to be statically linked to and distributed as part of a larger proprietary piece of software, which would not generally be possible under the terms of stronger copyleft licenses.

So: is MPLv2 copyleft? Yes. Is that actually a problem? No, because of how permissive the MPLv2's copyleft triggers are - it is not comparable to (L)GPL-style copyleft. Unfortunately (but understandably) it's difficult to capture that nuance in the output of a tool like cargo-deny.

(I don't object to making native-certs the default, that probably makes sense. I just don't want it to happen for the wrong reason)

emilk added a commit to emilk/ureq that referenced this issue Feb 7, 2022
This adds the following feature:

`tls_native_certs = ["native-certs", "rustls"]`

This is an alternative to the `tls` feature, that uses `native-certs` instead of `webpki-roots`.

Closes algesten#478
@emilk
Contributor Author

emilk commented Feb 7, 2022

Thanks for that clarification @dralley - that really makes this a non-issue as far as I can tell.

@emilk
Contributor Author

emilk commented Feb 7, 2022

Closed, because MPL-2.0 is not really copy-left, not viral copy-left (see #478 (comment))

@emilk emilk closed this as completed Feb 7, 2022
@dralley

dralley commented Feb 7, 2022

It definitely is copyleft, but copyleft is unfairly associated with a couple of restrictions that are specific to the GNU licenses and don't apply to all copyleft licenses.
