Dependency package license issue #1401

Closed
shivacharanms opened this issue Dec 5, 2019 · 7 comments
Labels
good first issue A user wrote a good first issue with clear instructions 🤘 status:resolved 💡type:idea

@shivacharanms

Currently, iris is under the BSD 3-Clause license but one of the packages "github.com/flosch/pongo2" is pulling another dependency package "https://github.com/juju/errors" which is under LGPL3 license which is causing a ripple effect to force iris into LGPL3 license.
Can we avoid using "https://github.com/juju/errors" package to maintain the open-sourcing license?

@kataras kataras closed this as completed Dec 5, 2019
@kataras
Owner

kataras commented Dec 5, 2019

Hello @shivacharanms,

First of all, we don't use juju/errors in our code base directly.

The _examples, which is not part of the LICENSE, contains some examples which are meant to be used with third-party packages; those third-party changes may require this dependency, neither Iris nor its modules.

About pongo2, the NOTICE file declares that kataras/iris/view depends on pongo2 for the django view engine. If we need to add more things there, tell us.

However, let's discuss the LICENSE. I was thinking of using MIT, but if you have further knowledge about the subject, please recommend a license suitable for Iris. If you think LGPL3 is the best one, let's choose that and replace the LICENSE in the upcoming version that I have been coding these last weeks.

Sincerely,
Gerasimos Maropoulos. Author of Iris

@kataras kataras reopened this Dec 5, 2019
@kataras kataras added good first issue A user wrote a good first issue with clear instructions 🕵🏽‍♀️ status:need-investigation 💡type:idea labels Dec 5, 2019
@shivacharanms
Author

Hi @kataras,
I understand that "https://github.com/juju/errors" is not being used directly in iris, but I see that the "github.com/flosch/pongo2" package is being imported under "https://github.com/kataras/iris/blob/master/view/django.go#L16", which has a dependency on juju.
I suggest that, instead of changing the LICENSE for iris, the pongo2 package can be replaced with any other alternative.

@kataras
Owner

kataras commented Dec 7, 2019

If that's the only dep that requires a different LICENSE, you are right. We can just make modifications to the pongo2 package to remove this liability, and set a replace go module directive from iris-contrib/pongo2 to flosch/pongo2, for example, so users will not have to change their import paths if they are using pongo2 extensions directly (which is possible with the Iris Django engine).

@shivacharanms
Author

Hi @kataras, so you will be replacing flosch/pongo2 with iris-contrib/pongo2? If yes, can I expect this change in the next release that you were talking about, and when is this release date?

@kataras
Owner

kataras commented Dec 11, 2019

Hi @shivacharanms, I don't want to change anything; you posted about it, and if we must proceed that way then let's do it. However, if go mod replace does its job, you don't have to change anything in your source code, as the import path for flosch/pongo2 should remain the same. A new release is expected a week before 25 Dec.

@kataras kataras added this to the v12.1.0 milestone Dec 12, 2019
@kataras
Owner

kataras commented Dec 13, 2019

@kataras
Owner

kataras commented Aug 5, 2020

After some months, this is finally fixed in the upstream repository, as described at: flosch/pongo2#236. So we can go back to using the pongo2 package directly instead of the iris-contrib fork.
