[Merged by Bors] - enable cargo deny #2101
Conversation
deny.toml (Outdated)
[licenses]
unlicensed = "allow"
copyleft = "allow"
Are we sure we want to allow copyleft licenses?
IIUC
- this prevents using bevy in closed source projects
- if we use a crate which has a copyleft license, bevy must also adopt that copyleft license (e.g. GPL)
I might have misread the legalese with copyleft, so please correct me if I'm wrong 😄
The config used is not "do we want to or not", it's what's needed for the check to pass, so it's the current status.
wgpu is licensed under MPL-2.0, which is considered copyleft. I could allow this license and deny copyleft.
From https://www.mozilla.org/en-US/MPL/2.0/FAQ/#distribute-my-binaries: we don't have to use the same license, but people distributing a Bevy game will need to include a link to the wgpu license and source.
Yeah, we don't want GPL or LGPL, so allowing only MPL seems right.
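A deny.toml in the shape the thread settles on, added here as an illustration and not the file this PR merged: copyleft is denied as a category, MPL-2.0 is listed explicitly so wgpu still passes, and the advisory, bans and sources checks named in the PR description fail rather than warn. Key names are the cargo-deny configuration keys of the same era as the reviewed snippet (`copyleft`, `unlicensed`); the allowed-license list is an assumption, not Bevy's.

```toml
# Added example in the spirit of the discussion above; not the deny.toml
# merged in this PR. Keys follow cargo-deny's config of the same era as
# the reviewed snippet. The license list is an assumption.

[licenses]
# The reviewed snippet allowed both of these; here both are hard failures.
unlicensed = "deny"
copyleft = "deny"
# Only licenses on this list pass. MPL-2.0 is allowed explicitly so wgpu
# passes even though cargo-deny classifies MPL-2.0 as copyleft; the
# explicit allow list takes precedence over the copyleft setting.
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "MPL-2.0",
]
# No fallback to the OSI/FSF lists; every accepted license is spelled out.
allow-osi-fsf-free = "neither"
default = "deny"
# Minimum confidence for cargo-deny's license-text detection.
confidence-threshold = 0.8

[advisories]
# Any RustSec advisory against a dependency fails the check. No "warn"
# level, matching the PR's "either allow or deny" stance.
vulnerability = "deny"
unmaintained = "deny"
yanked = "deny"
notice = "deny"
ignore = []  # advisory IDs go here only with a written justification

[bans]
# Two versions of one crate in the graph is an error, not a warning.
multiple-versions = "deny"
wildcards = "deny"
highlight = "all"
skip = []

[sources]
# Dependencies may only come from crates.io; unknown registries or git
# sources fail the check.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

Run `cargo deny check licenses` (or `advisories`, `bans`, `sources`) to exercise one section at a time, which is what the per-check jobs in the PR description do.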
Yeah, MPL isn't problematic in the same way as GPL because it isn't "viral". It can be used in a wider context without the need to release that context under the same license. It does require that the license be included with binaries, which isn't great, but it's also worth pointing out that this is also (generally considered to be) true for MIT. There isn't a practical way to avoid open source software that has this requirement because almost all popular licenses have this requirement.
In most cases, people shouldn't need to care. Teenagers publishing their Godot games on itch.io aren't getting sued for damages by FreeType or ENet. To my knowledge, even professionals aren't. However, professionals have more to lose and generally choose to err on the side of caution and comply by either embedding licenses in their game credits or including them in installations. Like Godot, we should provide a license compliance guide for people who want to be 100% safe. Ideally we have an auto-generated uber-license file that people can drop somewhere / embed / link to.
We could also consider getting "cute" here by doing something like include_bytes!("uber_license_file") by default (with a way to opt out for people who want slimmer binaries and have other compliance plans), but that's not really in the spirit of these licenses and might not even hold up in court.
It would be nice to also get a verbal assurance that @kvark won't litigate teenagers publishing their Bevy games on itch.io without the wgpu license file. Of course ideally they add a provision that binaries don't need to include the license. We should consider doing the same for Bevy as I have no interest in forcing that on anyone. But again, there's no practical way of avoiding this problem entirely for something as big as an engine. Eventually we will hit something foundational that we can't reasonably build in house (ex: something like openssl).
I have better things to do in life than chasing them teenagers :) Please count it as my verbal assurance.
bors r+
https://github.com/EmbarkStudios/cargo-deny
cargo-deny is a tool that can issue errors for dependency issues, among others:
- security issues in a crate
- duplicated dependencies with different versions
- unauthorised license
Added cargo-deny with an opinionated configuration:
- No middle ground with warnings, either allow or deny
- Not added to Bors, we probably don't want to block a PR on something that may happen from outside
- Different GitHub workflow than CI to run only when Cargo.toml files are changed, or on a schedule
- Each check in its own job to help readability
- Initial config makes Bevy pass all checks
Pushing a first commit with commented config to show errors
Pull request successfully merged into main. Build succeeded.