pyzstd wheels on PyPI are missing license information for zstd

[markdryan]

As far as I can tell the pyzstd wheels available on PyPI (at least the manylinux ones anyway) statically link to, and hence distribute, zstd. The wheels do not however include copies of zstd's copyright notices and licenses, which they should really do. Zstd seems to be dual licensed so I guess both licenses should really be included in the pyzstd wheels.

For example, if we look in ztd's BSD license file we see the following text.

Copyright (c) Meta Platforms, Inc. and affiliates. All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

The pyzstd wheels are redistributing zstd in binary form but do not seem to be honouring the terms of its licenses.

[Rogdham]

Thank you for the notice. It seems that the license is not included in the sdist either, so this should be changed as well.

As far as I can tell, only one of the two licenses of zstd should be included, as they mentioned “BSD OR GPLv2”.

[markdryan]

As far as I can tell, only one of the two licenses of zstd should be included, as they mentioned “BSD OR GPLv2”.

I've done a bit of googling and I can't really find a good reference to indicate what the best thing to do in this situation would be. The Google AI overview recommends including both licenses, but then there's a disclaimer at the bottom of its advice saying that the AI might be wrong. I guess if both licenses were to be included, users of pyzstd could easily decide for themselves which license they'd prefer to use for the embedded ztsd code. Also, the comments at the top of the zstd source files in the pyzstd sdist mention both licenses so that might be another reason to favour the inclusion of both licenses.

[Rogdham]

I have looked into implementing this. I have no clue what is the proper way to include the license of zstd lib. The sdist is trivial, but where in the wheel file should I put it?

I looked into other packages such as python-zstandard, pynacl, ijson, etc. (none of those do anything), and the only one I found is python-flint, which is basically appending the license of their bundled dependency at the end of their own LICENSE file. This is not trivial to setup, and I am not even sure it is the right way to proceed.

All in all, I also believe I spent too much time on the topic already. I think that anyone willing to proceed with legal actions on the matter would have more impact on the topic by improving the tooling and documentation for maintainers so that doing the right thing would be trivial.

With that being said, I'm happy to take your feedback on how and where to include the zstd lib license in wheels.

[markdryan]

There is some guidance in the Python packaging documentation on how to handle these sort of issues. If you follow this approach you should just need to add a project section to your pyproject.toml that points to all three licenses.

Alternatively, you could just add (or copy at build time) the zstd licenses into the pyzstd directory where they'll be picked up, renaming them to avoid a clash, e.g., to LICENSE.zstd and COPYING.zstd. However, I think the first approach is probably a little cleaner, assuming it works.

[markdryan]

There is some guidance in the Python packaging documentation on how to handle these sort of issues. If you follow this approach you should just need to add a project section to your pyproject.toml that points to all three licenses.

Just an update. I did try this approach this morning but it does not work as the version of setuptools used by pyzstd is too old.

Alternatively, you could just add (or copy at build time) the zstd licenses into the pyzstd directory where they'll be picked up, renaming them to avoid a clash, e.g., to LICENSE.zstd and COPYING.zstd.

This does work however. I end up with

COPYING.zstd
LICENSE
LICENSE.zstd
METADATA
RECORD
WHEEL
top_level.txt

in pyzstd-0.17.0.dist-info.

[Rogdham]

Alternatively, you could just add (or copy at build time) the zstd licenses into the pyzstd directory where they'll be picked up

I ended up doing this in #43. This feels like a hack but if it works, it works!

What do you think?