License compliance #4907

Closed
hakostra opened this issue Sep 8, 2020 · 5 comments


hakostra commented Sep 8, 2020

The Pillow wheels pushed to PyPI contain a lot of embedded libraries in the *.so format, like libfreetype, libjpeg, liblcms2, liblzma, libopenjp2 to mention some.

Most or all of these have licensing terms that require you to carry on at least some kind of copyright notice and/or the licensing terms itself. I cannot find this anywhere in the wheels from PyPI.

As far as I see you are non-compliant with more or less every licence of every dependency you ship.

@aclark4life
Member

Thanks @hakostra, we'll investigate. @tieguy any thoughts?

Also @hakostra can you please provide an example of a wheel "done right" so we can compare? Most likely you are correct, and we can address the issue by doing whatever-it-is-people-do-to-address-this-kind-of-issue (e.g. include "some kind of copyright notice and/or the licensing terms itself" in the wheel I guess?)

Also to fully address, we'll need to list "every licence of every dependency you ship" here. Off the top of my head, we depend on at least:

  • zlib
  • jpeg
  • png

I'll go look up their licenses and report back, along with whatever deps I missed.

@aclark4life aclark4life self-assigned this Sep 17, 2020
@aclark4life aclark4life added this to the 8.0.0 milestone Sep 17, 2020
@hakostra
Author

I can of course not guarantee that NumPy does everything right, but the NumPy wheel does include these 3rd party library dependencies:

  • libgfortran
  • libopenblasp
  • libquadmath
  • libz

The LICENSE.txt found in the NumPy wheel is attached. Notice the section below on bundled software after the NumPy license. I assume this is one way to do it.

As far as I know, libquadmath is also from the GCC runtime libraries, and covered by the same license as libgfortran. libz does not require a notice at all I think (https://zlib.net/zlib_license.html), so my assumption is that the NumPy license file is OK.

As a reference, Pillow-7.2.0-cp38-manylinux1_x86_64.whl bundles the following libraries:

  • libfreetype
  • libjpeg
  • liblcms
  • liblzma
  • libopenjp2
  • libpng16
  • libtiff
  • libwebp
  • libwebpdemux
  • libXau
  • libxcb
  • libXdmcp
  • libz

So it is a quite comprehensive list.


tieguy commented Oct 1, 2020

Hey! Sorry it took a while to get to this, I’d never actually looked at the wheel documentation before so needed to do a bit of research, and was also moving house last week :)

There’s no perfect way to do this. One way is simply concatenating the upstream licenses into LICENSE.txt, like numpy does. Another common way is to put the main license in LICENSE.txt and the others in LICENSE-3RD-PARTY.txt, which has the benefit of usually being a bit easier to understand for humans (a bit of a wash for tools - some are confused by a second file named LICENSE, and none do a great job of analyzing concatenated license files like these).

If you want to play with a cutting-edge solution, there is https://reuse.software/tutorial/ - Alex, I’d actually be very curious to hear your thoughts/feedback on Reuse and how it works for python generally and wheel specifically.
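A way to audit a wheel for the gap this issue describes, as an added example that is not code from Pillow, NumPy or any participant in this thread: it lists the shared objects bundled in a wheel's `.libs` directory and reports those that no licence file in the wheel mentions by name. The auditwheel-style file naming, the `example_pkg` wheel and the `aliases` parameter are assumptions, and a name match is only a heuristic, not a check that the required notice text is present.

```python
import io
import re
import zipfile

# Assumed auditwheel-style name: "libjpeg-0a1b2c3d.so.9.4.0" inside a "*.libs/" directory.
_SO_RE = re.compile(r"^(lib[A-Za-z0-9_]+?)(?:-[0-9a-f]{8})?\.so(?:\.[0-9.]+)?$")
_LICENSE_RE = re.compile(r"^(LICEN[CS]E|COPYING|NOTICE)", re.IGNORECASE)


def bundled_libraries(zf):
    """Sorted base names (e.g. 'libjpeg') of shared objects under a '.libs' directory."""
    names = set()
    for path in zf.namelist():
        parts = path.split("/")
        if len(parts) >= 2 and parts[-2].endswith(".libs"):
            match = _SO_RE.match(parts[-1])
            if match:
                names.add(match.group(1))
    return sorted(names)


def missing_notices(wheel_bytes, aliases=None):
    """Bundled libraries that no licence file in the wheel mentions by name (heuristic)."""
    aliases = aliases or {}  # hypothetical mapping, e.g. {"libz": "zlib"}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        text = "\n".join(
            zf.read(p).decode("utf-8", "replace")
            for p in zf.namelist()
            if _LICENSE_RE.match(p.rsplit("/", 1)[-1])
        ).lower()
        missing = []
        for lib in bundled_libraries(zf):
            stem = lib[3:].rstrip("0123456789").lower()  # libpng16 -> png
            terms = {lib.lower(), "lib" + stem, aliases.get(lib, lib).lower()}
            if len(stem) >= 3:  # a stem like "z" is too short to search for
                terms.add(stem)
            if not any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms):
                missing.append(lib)
    return missing


def build_sample_wheel(license_text):
    """Constructed in-memory wheel; package and file names are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example_pkg/__init__.py", "")
        for so in ("libjpeg-0a1b2c3d.so.9.4.0", "libpng16-0a1b2c3d.so.16.37.0",
                   "libz-0a1b2c3d.so.1.2.11"):
            zf.writestr("example_pkg.libs/" + so, b"\x7fELF")
        zf.writestr("example_pkg-0.0.0.dist-info/LICENSE", license_text)
    return buf.getvalue()
```

To audit a real wheel, pass the file's bytes to `missing_notices` and review each reported library's licence by hand.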

@radarhere
Member

I've created python-pillow/pillow-wheels#178 as an implementation of the first option, concatenating the upstream licenses.

@radarhere
Member

That PR has now been merged.
