Critical Alert: The Cascading "License Virus" Effect of GPL/AGPL Crates Poses a Silent Threat to the Rust Ecosystem #12152
Closed
DwainOwens started this conversation in General
Replies: 1 comment
you can use e.g. https://github.com/EmbarkStudios/cargo-deny/ to avoid pulling in GPL dependencies
0 replies
-
Current Behavior
Disclaimer: This issue is not intended to diminish the importance or the foundational role of the GPL and AGPL licenses in the open-source community. These licenses are valuable and serve a critical purpose. This issue is about ensuring developers are acutely and immediately aware of the significant legal implications of using such crates in their projects, especially within the context of Rust's powerful and seamless dependency management.
1. The Problem: A Silent Threat in the Dependency Tree
The beauty of Cargo and crates.io is how effortlessly developers can pull in dependencies. A simple `cargo add` can introduce a powerful new functionality. However, this simplicity masks a significant danger: the "viral" or cascading nature of GPL and AGPL licenses. A developer working on a proprietary, closed-source project can unknowingly import a crate that, deep within its own dependency tree, relies on a GPL-licensed crate. For example:
Proprietary App -> Crate A -> Crate B -> Crate C (GPL)
When the final binary is compiled and distributed, the GPL's terms from `Crate C` can be argued to extend to the entire linked work. This would legally obligate the developers of the "Proprietary App" to make their entire source code available under the GPL. This is an extremely perilous situation for any individual or company developing proprietary software in Rust. The ease of adding dependencies creates a minefield where a single, deeply nested GPL crate can inadvertently force a project to become open-source against the author's will or business model. This poses a substantial and existential threat to the growth of Rust in commercial and enterprise environments.
2. The LGPL can also become a problem:
As Reddit user valarauca14 said:
As Reddit user DataPath said:
The Urgency: Why This is Critical for the Rust Ecosystem
For Rust to continue its incredible growth and be a top-tier choice for all types of software development (including commercial, proprietary applications), developers must have absolute clarity and confidence in their dependency choices. The current system on crates.io, while displaying the license, does not adequately warn developers about the profound and cascading legal implications of using a GPL or AGPL-licensed crate. This is not just a matter of metadata; it's a matter of ecosystem safety and stability.
This is not about scaring people away from the GPL. It is about providing informed consent. It is about protecting the Rust ecosystem from unintentional and potentially catastrophic legal issues that could stifle its adoption in the broader software industry. We must act to ensure developers are not caught by surprise.
Expected Behavior
We need to make the implications of using these licenses impossible to ignore. I suggest one or both of the following solutions be implemented on the crates.io website and within the Cargo toolchain:
A Prominent, Unmistakable Warning on Crates.io:
For any crate licensed under GPL or AGPL (or any other strongly copyleft license), a highly visible warning box should be displayed at the top of the crate's page. This should not be subtle. I envision:
A Warning in the Cargo Toolchain:
An even more direct approach would be to issue a warning directly in the terminal when a developer adds a GPL/AGPL-licensed crate as a dependency:
Steps To Reproduce
No response
Environment
Anything else?
No response
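As an added example (not part of the original post, of Cargo, or of cargo-deny), the script below performs the transitive check the post asks for: it reads the JSON that `cargo metadata --format-version 1` emits, walks the `resolve` graph from the root package through normal (linked) dependencies only, and prints the dependency path to every crate whose declared SPDX license is strong copyleft (GPL/AGPL) or weak copyleft (LGPL). Dual-licensed crates such as `MIT OR GPL-3.0` are not flagged, since the consumer may choose the permissive alternative. The embedded `SAMPLE_METADATA` is constructed to mirror the post's Proprietary App -> Crate A -> Crate B -> Crate C (GPL) chain; its crate names, versions, package ids, the script name `check_copyleft.py` and the `--sample` flag are all made up for illustration.

```python
"""Flag copyleft crates anywhere in a Cargo dependency graph.

Walks the `resolve` graph of `cargo metadata --format-version 1` from the root
package and reports the path to every GPL/AGPL ("strong") or LGPL ("weak")
crate. Dev- and build-dependencies are skipped: they are not linked into the
shipped binary. Example code, not part of Cargo or cargo-deny.
"""
import json
import re
import subprocess
import sys

STRONG = re.compile(r"\bA?GPL-\d")  # GPL-2.0, GPL-3.0-only, AGPL-3.0-or-later, GPL-2.0+
WEAK = re.compile(r"\bLGPL-\d")     # the \b above keeps "LGPL-..." out of STRONG
RANK = {None: 0, "weak": 1, "strong": 2}


def copyleft_kind(expression):
    """Classify an SPDX licence expression as "strong", "weak" or None.

    OR-alternatives (including the legacy "MIT/Apache-2.0" slash form) are
    judged separately and the least restrictive wins. Within one alternative
    any copyleft term taints it. Parenthesised expressions are treated as a
    single term, erring towards flagging. Crates that set only `license-file`
    have no expression and come back as None; review those by hand.
    """
    if not expression:
        return None
    if "(" in expression:
        alternatives = [expression]
    else:
        alternatives = re.split(r"\s+OR\s+|\s*/\s*", expression)
    kinds = []
    for term in alternatives:
        if STRONG.search(term):
            kinds.append("strong")
        elif WEAK.search(term):
            kinds.append("weak")
        else:
            kinds.append(None)
    return min(kinds, key=RANK.__getitem__)


def copyleft_paths(metadata):
    """Return sorted (kind, "root -> ... -> crate") pairs for every copyleft
    crate reachable from the root through normal dependencies."""
    packages = {p["id"]: p for p in metadata["packages"]}
    nodes = {n["id"]: n for n in metadata["resolve"]["nodes"]}
    root = metadata["resolve"].get("root") or metadata["workspace_members"][0]
    findings, seen = [], set()
    stack = [(root, [packages[root]["name"]])]
    while stack:
        pkg_id, path = stack.pop()
        if pkg_id in seen:
            continue
        seen.add(pkg_id)
        kind = copyleft_kind(packages[pkg_id].get("license"))
        if kind and pkg_id != root:  # the root's own licence is the author's choice
            findings.append((kind, " -> ".join(path)))
        for dep in nodes[pkg_id]["deps"]:
            dep_kinds = dep.get("dep_kinds") or [{"kind": None}]
            if all(k["kind"] in ("dev", "build") for k in dep_kinds):
                continue  # not linked into the distributed artefact
            stack.append((dep["pkg"], path + [packages[dep["pkg"]]["name"]]))
    return sorted(findings)


# Constructed sample in the shape of `cargo metadata` output (names, versions
# and ids are made up), mirroring the post's chain app -> crate_a -> crate_b -> crate_c (GPL).
def _dep(pkg, kind=None):
    return {"name": pkg.split()[0], "pkg": pkg, "dep_kinds": [{"kind": kind}]}

SAMPLE_METADATA = {
    "packages": [
        {"id": "app 0.1.0", "name": "app", "license": None},
        {"id": "crate_a 1.0.0", "name": "crate_a", "license": "MIT OR Apache-2.0"},
        {"id": "crate_b 2.0.0", "name": "crate_b", "license": "MIT/Apache-2.0"},
        {"id": "crate_c 0.3.0", "name": "crate_c", "license": "GPL-3.0-only"},
        {"id": "crate_l 0.9.0", "name": "crate_l", "license": "LGPL-2.1-or-later"},
        {"id": "crate_t 4.0.0", "name": "crate_t", "license": "GPL-2.0"},
    ],
    "workspace_members": ["app 0.1.0"],
    "resolve": {
        "root": "app 0.1.0",
        "nodes": [
            {"id": "app 0.1.0", "deps": [_dep("crate_a 1.0.0"), _dep("crate_l 0.9.0"),
                                        _dep("crate_t 4.0.0", kind="dev")]},  # dev-dep: ignored
            {"id": "crate_a 1.0.0", "deps": [_dep("crate_b 2.0.0")]},
            {"id": "crate_b 2.0.0", "deps": [_dep("crate_c 0.3.0")]},
            {"id": "crate_c 0.3.0", "deps": []},
            {"id": "crate_l 0.9.0", "deps": []},
            {"id": "crate_t 4.0.0", "deps": []},
        ],
    },
}


def main(argv):
    """`python check_copyleft.py` checks the crate in the current directory;
    `python check_copyleft.py --sample` checks the embedded sample instead."""
    if "--sample" in argv:
        metadata = SAMPLE_METADATA
    else:
        out = subprocess.run(["cargo", "metadata", "--format-version", "1"],
                             check=True, capture_output=True, text=True).stdout
        metadata = json.loads(out)
    findings = copyleft_paths(metadata)
    for kind, path in findings:
        print(f"[{kind}] {path}")
    return 1 if any(kind == "strong" for kind, _ in findings) else 0  # gate CI on strong copyleft


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Against the sample this prints `[strong] app -> crate_a -> crate_b -> crate_c` and `[weak] app -> crate_l`, and exits 1; the dev-only `crate_t` (GPL-2.0) is not reported because it never ends up in the shipped binary. For real projects the tool named in the reply, cargo-deny, does this job with an allow-list in `deny.toml` (`cargo deny check licenses`), and additionally handles crates that ship only a `license-file`, which the `license` field alone cannot classify.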