Bundling + licensing question regarding Apache-2.0 & LGPL

[tristan957]

This may not be the right forum, but my project is Apache-2.0 and we use two LGPL dependencies. I am having a hard time understanding if I will be in breach of the LGPL if I were to use this to distribute my project through PyPI.

[pombredanne]

In general Apache-licensed code dynamically linking with LGPL-licensed is OK in the sense that the LGPL would not extend to the Apache-licensed code.

But the thing is that when you redistribute the wheel you want to be able to meet license requirements for the LGPL deps: e.g., attribution/license text and source code redistribution. This is usually easy and straightforward, but I am not sure this is made easy by cibuildwheel... I started this related discussion as I want to automate the parts that can be automated . See #1006

[pombredanne]

I am having a hard time understanding if I will be in breach of the LGPL if I were to use this to distribute my project through PyPI.

Just to clarify, my take --being somewhat well trained in open source licensing -- is that to have a compliant inclusion of these LGPL libraries you would need to:

• include some attribution notice stated that this wheel include this and that packages (name, urls, etc) and possibly some minimal build instructions or pointer to how this was built and could be rebuilt
• make the exact and complete corresponding source code available (not in the wheel but at the minimum linked from the wheel)
• include the LGPL text (and possibly the GPL text for an LGPL3)

This assume that the LGPL code is reused as-is and unmodified which is likely since it was vendored by cibuildwheel, right?

This may not be exactly the bare minimum required by the LGPL, but this would be what I would like to see if I were a user of your wheel.

With these I could:

• find and tinker with the source code if I like to
• rebuild as needed
• be properly informed of my LGPL rights
• see nice credits to the authors of this fine code