License Issue - Polaris has dependency on chardet which is LGPL which makes it difficult to use inside enterprise.

[chandransuraj]

Describe the bug

Getting Polaris inside regulated enterprise is difficult as Polaris has dependency on chardet (encoding detector for Python). Chardet is released under LGPLv2.1 (https://github.com/chardet/chardet/blob/main/LICENSE)
The CLM and other scans inside enterprise block this.

To Reproduce

No response

Actual Behavior

Sub dependencies should not be more restrictive that the main license (which APL2 in this case)

Expected Behavior

All underlying dependencies should also be compliant with Apache License

Additional context

No response

System information

No response

[jbonofre]

Thanks for pointing this. I already know the issue. It's not a blocker for source distribution but problematic for binary distribution (meaning the way it's shipped). I will check to remove this.

[MonkeyCanCode]

So chardet is from tox:

tox 4.23.2 tox is a generic virtualenv management and test command line tool
├── cachetools >=5.5
├── chardet >=5.2
├── colorama >=0.4.6
├── filelock >=3.16.1
├── packaging >=24.1
├── platformdirs >=4.3.6
├── pluggy >=1.5
├── pyproject-api >=1.8
│   ├── packaging >=24.1
│   └── tomli >=2.0.1
├── tomli >=2.0.1
├── typing-extensions >=4.12.2
└── virtualenv >=20.26.6
    ├── distlib >=0.3.7,<1
    ├── filelock >=3.12.2,<4
    └── platformdirs >=3.9.1,<5

Even the latest version still uses it...assuming we can't get tox to use alternative lib such as charset-normalizer, we will need to move away from tox. What do you think @jbonofre

Also, I am not sure if we really used tox to begin with. Maybe I am missing something here? From our github action, we are only using docker to do the test and I don't see we use tox for multi envs testing etc.

[MonkeyCanCode]

Here is a sample PR for this: #867

[jbonofre]

@MonkeyCanCode that's a good proposal. I think we can't remove tox and use alternatives. Let's start by removing tox, I think it's there for "historical" reason (I don't think it's still used).

[snazy]

I'm not sure whether chardet in particular is really a problem. Sure, it's LGPL, but tox is used for tests - it wouldn't be distributed. If I understand the Category X here correctly, the use even of GPL licensed components is okay, as long as it is not distributed in source or binary form.

[jbonofre]

To give more details:

• generally speaking Cat X dependency should be avoided in ASF projects
• however, it's acceptable if the dependency is optional and not distributed
• in these case, it's not distributed and it's a test dependency, it's not a blocker. If possible, it would be better to remove it but not a blocker/issue.

[MonkeyCanCode]

BTW, tox had being removed as part of #867 (we are not currently using it...there are alternative we can do without tox as well for testing different version of python as we are getting close to release CLI module). As #804 is also merged, we are ready to revisit those test cases and how we want to prep CLI for the upcoming release. And yes @jbonofre, as long as we are not distribute it, it will be fine through a test depdency.

As this is removed at the moment, @chandransuraj should we close this issue?

[chandransuraj]

Let me take it through our internal clm scan one more time.

[MonkeyCanCode]

Let me take it through our internal clm scan one more time.

@chandransuraj are we good to close this one?