Surfaced while preparing the Dart binding for pub.dev publication.
The workspace declares three different licenses, with a likely-incorrect
Apache-2.0 grant on payjoin-ffi:
| Crate | Cargo.toml license | LICENSE files committed |
|---|---|---|
| payjoin | MITNFA | none |
| payjoin-cli | MITNFA | none |
| payjoin-mailroom | MITNFA | none |
| payjoin-test-utils | MIT | none |
| payjoin-ffi | MIT OR Apache-2.0 | LICENSE.md, LICENSE-APACHE, LICENSE-MIT |
| payjoin-ffi/dart/native | MIT OR Apache-2.0 | (inherits parent) |

Issues
- payjoin-ffi cannot relicense upstream as Apache-2.0. It depends on
  payjoin, which is MITNFA. The compiled libpayjoin_ffi statically
  embeds payjoin source. Apache-2.0 introduces grants and obligations
  (notably the patent grant and stricter notice requirements) that downstream
  consumers cannot rely on, because the embedded MITNFA portions don't carry
  those grants. The "OR Apache-2.0" promise is misleading.
- payjoin-test-utils is plain MIT rather than MITNFA, dropping the
  no-false-attribs clause that the rest of the workspace carries. Probably an oversight.
- The MITNFA crates ship no LICENSE text. Only the SPDX identifier is
  declared in Cargo.toml. crates.io accepts this, but consumers outside
  crates.io (e.g. distros, SBOM scanners) get no canonical text.

Suggested resolution path
- Relicense payjoin-ffi to MITNFA and remove LICENSE-APACHE. This is fine because the "OR Apache-2.0" part is being overridden by the compiled payjoin's more restrictive MITNFA already.
- Relicense payjoin-test-utils to MITNFA.
- Add canonical MITNFA text to a LICENSE file in the top-level repo (and/or individual crates?).
Disclaimer: IANAL and Claude surfaced and wrote this. It all seems reasonable to me though.