Feluda – A CLI tool to detect restrictive licenses in dependencies (crates.io)
42 points by anistark 15 days ago | 17 comments



Hey folks,

I built Feluda, a Rust-based CLI tool that scans your project's dependencies and flags restrictive licenses before they become a problem.

It currently supports Rust, Node.js, and Go projects. It checks for GPL, AGPL, SSPL, and other restrictive licenses that may limit how you use your project commercially.

Try it out:

```
cargo install feluda
feluda
```

I’d love feedback! Are there specific license edge cases you'd like covered? Features you'd want in a CI/CD setup? Happy to discuss and iterate!
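As an added illustration (not Feluda's own code) of the kind of check the post describes, here is a small Rust policy evaluator for SPDX licence expressions as they appear in Cargo, npm and Go module metadata: OR means the consumer may pick any alternative (best verdict wins), AND means every licence applies (worst verdict wins), and a WITH exception is stripped before matching. The deny list, the treatment of MPL-2.0 as acceptable, the non-SPDX `Commons-Clause` token, and the sample dependency names and licences are all assumptions for illustration.

```rust
// Added example, not Feluda's own code: evaluate SPDX licence expressions
// against a restrictive-licence policy. The deny list and sample data below
// are assumptions for illustration.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Verdict {
    Permissive,
    Unknown,
    Restrictive,
}

/// Identifiers this policy treats as restrictive (copyleft or non-commercial).
/// Prefix matching catches "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0", etc.
/// "Commons-Clause" is not an SPDX identifier; it is a placeholder token here.
const RESTRICTIVE_PREFIXES: &[&str] = &["GPL-", "AGPL-", "SSPL-", "CC-BY-NC", "Commons-Clause"];

/// Identifiers accepted outright. MPL-2.0 is weak copyleft; treating it as
/// acceptable is a policy choice (assumption), not a statement about the licence.
const PERMISSIVE: &[&str] = &[
    "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0", "Unlicense", "0BSD",
];

/// Constructed sample dependencies: (name, SPDX expression). Not real crates.
pub const SAMPLE_DEPS: &[(&str, &str)] = &[
    ("dep-a", "MIT OR Apache-2.0"),
    ("dep-b", "GPL-3.0-or-later"),
    ("dep-c", "(MIT OR Apache-2.0) AND SSPL-1.0"),
    ("dep-d", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("dep-e", "WTFPL"),
];

/// Ordering used to pick the best (OR) or worst (AND) verdict.
fn rank(v: Verdict) -> u8 {
    match v {
        Verdict::Permissive => 0,
        Verdict::Unknown => 1,
        Verdict::Restrictive => 2,
    }
}

/// Judge one identifier. A "WITH" exception does not soften the base licence
/// under this policy, so it is stripped before matching.
fn classify_id(id: &str) -> Verdict {
    let base = id.split(" WITH ").next().unwrap_or(id).trim();
    if RESTRICTIVE_PREFIXES.iter().any(|p| base.starts_with(p)) {
        Verdict::Restrictive
    } else if PERMISSIVE.contains(&base) {
        Verdict::Permissive
    } else {
        Verdict::Unknown
    }
}

/// Split `expr` on `op` only outside parentheses. Operators are matched
/// case-sensitively (" OR ", " AND "), as SPDX writes them.
fn split_top_level<'a>(expr: &'a str, op: &str) -> Vec<&'a str> {
    let bytes = expr.as_bytes();
    let mut parts = Vec::new();
    let (mut depth, mut start, mut i) = (0i32, 0usize, 0usize);
    while i < bytes.len() {
        match bytes[i] {
            b'(' => depth += 1,
            b')' => depth -= 1,
            _ if depth == 0 && bytes[i..].starts_with(op.as_bytes()) => {
                parts.push(expr[start..i].trim());
                i += op.len();
                start = i;
                continue;
            }
            _ => {}
        }
        i += 1;
    }
    parts.push(expr[start..].trim());
    parts
}

/// Evaluate a full expression. SPDX precedence is WITH > AND > OR, so OR is
/// split first. OR: the consumer may choose any alternative, so the best
/// verdict wins. AND: every licence applies, so the worst verdict wins.
pub fn classify_expr(expr: &str) -> Verdict {
    let expr = expr.trim();
    let alts = split_top_level(expr, " OR ");
    if alts.len() > 1 {
        return alts.iter().map(|a| classify_expr(a)).min_by_key(|v| rank(*v)).unwrap();
    }
    let parts = split_top_level(expr, " AND ");
    if parts.len() > 1 {
        return parts.iter().map(|p| classify_expr(p)).max_by_key(|v| rank(*v)).unwrap();
    }
    if expr.starts_with('(') && expr.ends_with(')') {
        return classify_expr(&expr[1..expr.len() - 1]);
    }
    classify_id(expr)
}

/// Names of the dependencies whose effective licence is restrictive.
pub fn restrictive_deps<'a>(deps: &[(&'a str, &str)]) -> Vec<&'a str> {
    deps.iter()
        .filter(|(_, lic)| classify_expr(lic) == Verdict::Restrictive)
        .map(|(name, _)| *name)
        .collect()
}

fn main() {
    for (name, lic) in SAMPLE_DEPS {
        println!("{:<8} {:<45} {:?}", name, lic, classify_expr(lic));
    }
    println!("restrictive: {:?}", restrictive_deps(SAMPLE_DEPS));
}
```

Unknown identifiers are kept separate from restrictive ones on purpose: a scanner that silently treats anything it does not recognise as fine will miss the source-available licences mentioned later in the thread, while one that treats them as restrictive produces noise; surfacing them for review is the safer default.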


The GPL and AGPL are not restrictive: they ensure that you do not restrict your users.

Freedom looks like tyranny, to a tyrant.


"Restrictive" in the context of licenses has a specific meaning: it's the opposite of "permissive" e.g. MIT and Apache. You can't ensure your licensees don't restrict their users without placing restrictions on what they can do with their work. The users aren't the ones agreeing to the license, after all; it's the people using GPL code to whom it's restrictive.


GPL and AGPL libraries are impossible to use in vast chunks of the free software ecosystem.

I think you're looking for MPL 2.0, which is copyleft while also permitting use by the entire free software ecosystem.


It’s completely possible to combine GPL and AGPL software with, e.g., BSD- or MIT-licensed software. The resulting software is GPL- or AGPL-licensed, and the users are not restricted from doing anything.

I honestly thought that this was a license scanner for actually restrictive — i.e. non-free-software — licenses until I visited the repo. It would be good to know if I accidentally use some piece of software with some source-available license.


Combine if they are independent pieces of software, yes. Whether linking (hard or soft/plugin) counts is a matter of legal uncertainty. The FSF has consistently said that a single function call into a GPL library constitutes a derivative work, but other legal experts disagree [1].

Certainly, if I maintain a repo which calls a function in a GPL library, it would be misleading for me to say that my repo is MIT-licensed. I could potentially say that my specific code bits are MIT-licensed but that (per the FSF's interpretation) if you import my library, your resulting artifacts are GPL.

That is quite hard to communicate, and it also rests on a particular interpretation of the license that is the most common one but isn't universally accepted. It also becomes tricky with distributed copyright ownership without a CLA, the way most open source projects are run. I think that this rises to the level of "impossible to use".

But I guess one specific point here is that if you download my MIT-licensed-but-links-to-GPL repo, and rip out all of the bits that link to GPL libraries, you can use my code under MIT.

Compare this to MPL 2 which has none of these issues, and very little legal uncertainty in general. There is still some uncertainty regarding what constitutes a copyrightable work, though.

[1] https://tech.popdata.org/the-gpl-license-and-linking-still-u...


As a critic of such licenses (https://medium.com/@henvic/opensource-and-go-what-license-f6...), I love it!


GPL/AGPL don't limit commercial use.


Shout out to my dawg Satyajit Ray


Would you be open to a PR adding support for installing from npm? Not sure if you guys are willing/comfortable to publish there as well, but I did notice you already have Node support for scanning.


Any reason the repo license is MIT but the crate is CC-BY-NC-ND-4.0? The latter is ironic, given this project's scope :)


The MIT with Commons Clause license is pretty restrictive, does this crate flag itself?


Additional context: the name (probably) comes from https://en.wikipedia.org/wiki/Feluda


I think you have some bugs. I ran it on my project which has 60 direct dependencies in my "go.mod" file, and feluda's output says `Total dependencies scanned: 2`

EDIT: there was a package.json in the same folder, that's what caused the "bug"
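The failure mode in this comment, a directory holding both a package.json and a go.mod where only one manifest gets scanned, is easy to reproduce and to fix in a few lines. The following Rust is an added example, not Feluda's code: `detect_first` shows the first-match behaviour that yields a count of 2 for a Go project, `detect_all` reports every manifest present, and `go_mod_direct_deps` counts direct requirements from a go.mod, skipping `// indirect` entries. The sample go.mod and directory listing are constructed for the example.

```rust
// Added example, not Feluda's code: detect every manifest in a directory
// instead of stopping at the first one, and count direct Go dependencies.
// The sample go.mod and listing below are constructed for illustration.

use std::fs;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Ecosystem {
    Node,
    Go,
    Rust,
}

/// Manifest file name -> ecosystem. The order only matters for the
/// first-match variant, which is what makes the reported bug appear.
const MANIFESTS: &[(&str, Ecosystem)] = &[
    ("package.json", Ecosystem::Node),
    ("go.mod", Ecosystem::Go),
    ("Cargo.toml", Ecosystem::Rust),
];

/// Reproduces the behaviour reported in the thread: the first manifest in
/// the table that exists wins, so a go.mod next to a package.json is never read.
pub fn detect_first(names: &[&str]) -> Option<Ecosystem> {
    MANIFESTS
        .iter()
        .find(|(file, _)| names.contains(file))
        .map(|(_, eco)| *eco)
}

/// Fixed variant: every manifest present is reported, so a mixed directory
/// gets all of its ecosystems scanned.
pub fn detect_all(names: &[&str]) -> Vec<Ecosystem> {
    MANIFESTS
        .iter()
        .filter(|(file, _)| names.contains(file))
        .map(|(_, eco)| *eco)
        .collect()
}

/// Direct (non-indirect) module paths from a go.mod, handling both the
/// single-line `require x v1.0.0` form and the `require ( ... )` block.
pub fn go_mod_direct_deps(text: &str) -> Vec<String> {
    let mut deps = Vec::new();
    let mut in_block = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with("require (") {
            in_block = true;
            continue;
        }
        if in_block && line == ")" {
            in_block = false;
            continue;
        }
        let entry = match (in_block, line.strip_prefix("require ")) {
            (true, _) => line,
            (false, Some(rest)) => rest,
            (false, None) => continue,
        };
        // Skip blank lines, comments, and transitive requirements.
        if entry.is_empty() || entry.starts_with("//") || entry.contains("// indirect") {
            continue;
        }
        if let Some(path) = entry.split_whitespace().next() {
            deps.push(path.to_string());
        }
    }
    deps
}

/// Constructed go.mod: three direct requirements and one indirect one.
pub const SAMPLE_GO_MOD: &str = "module example.com/app\n\ngo 1.22\n\n\
require github.com/single/dep v1.0.0\n\n\
require (\n\
\tgithub.com/foo/bar v1.2.3\n\
\tgithub.com/baz/qux v0.4.0 // indirect\n\
\tgolang.org/x/text v0.14.0\n\
)\n";

fn main() {
    // Real directory listing of the current working directory.
    let names: Vec<String> = fs::read_dir(".")
        .map(|rd| {
            rd.filter_map(|e| e.ok())
                .map(|e| e.file_name().to_string_lossy().into_owned())
                .collect()
        })
        .unwrap_or_default();
    let refs: Vec<&str> = names.iter().map(String::as_str).collect();
    println!("first match only: {:?}", detect_first(&refs));
    println!("all manifests:    {:?}", detect_all(&refs));
    println!("direct Go deps in sample go.mod: {}", go_mod_direct_deps(SAMPLE_GO_MOD).len());
}
```

With a listing of `package.json` and `go.mod`, `detect_first` returns only Node while `detect_all` returns both; a scanner built on the second function reports the Go dependency count a user expects even when a stray package.json sits in the same folder.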


Amazing project! Any reason why the path is -p and not just the first argument, like most CLI tools?


Amazing work. Does something similar exist for Python? Would love to have something similar integrated for Python dependencies from pypi as well.


Seems like Python support is up next for this project: https://github.com/anistark/feluda/pull/18

