# License Guidance

We are going through projects to establish a baseline for potential license issues. During this period, the expectation of project teams is not immediate remediation, but rather inspection through the pipeline steps Leo is coordinating for FOSSA and Snyk.

Once we have a handle on the true license outputs, we will flip any issues raised from red to green through one of a few possible actions:

* Marking the issue raised by the license checking services as "acceptable" through its configuration or per-case ignores.
* Limiting the exported scope of the dependency. For instance, tooling we use for the build does not need to leak into the runtime dependencies of consumers.
* Asking the project team to remove the dependency in question.
* Noting that this dependency is acceptable for consumption (for instance in an SDK project), and that we'll have additional obligations if we come to bundle this software for redistribution. This is the case for builds like iOS and Android packages, and we will have to provide mechanisms to give attribution. This is likely to be the case where consuming MPL or EPL is acceptable for our SDKs, and when our mobile projects (or any downstream consumers) consume the SDKs, they carry the responsibility of these extra attribution steps.

## Project Review

### Aggregate

* MPL-2.0
* MPL-1.1
* EPL-1.0
* LGPL-2.1

### `web5-kt`

#### FOSSA Report

* MPL-1.1 Kotlin Compiler Embeddable (1.9.21) - Transitive
* MPL-1.1 Kotlin Compiler Embeddable (1.9.22) - Direct
* EPL-1.0 SnakeYAML (2.0) - Transitive
* LGPL-2.1-only Trove4J (1.0.20200330) - Transitive

#### Snyk SARIF Report

* LGPL-2.1 org.jetbrains.intellij.deps:trove4j
* MPL-2.0 com.goterl:lazysodium-java

### `tbdex-kt`

#### FOSSA Report

* MPL-2.0 java-json-canonicalization (1.1) - Direct
* MPL-1.1 Kotlin Compiler Embeddable (1.9.0) - Direct
* MPL-2.0 lazysodium-java (5.1.4) - Transitive
* MPL-2.0 resource-loader (2.0.2) - Transitive
* EPL-1.0 SnakeYAML (2.2) - Transitive
* LGPL-2.1 Trove4J (1.0.20200330) - Transitive
* [Transitive tree](https://app.fossa.com/projects/custom%2B588%2Fgithub.com%2FTBD54566975%2Ftbdex-kt/refs/branch/main/3fba18526062c8c1517ded8e51602a5208e14168/issues/licensing?page=1&count=20&sort=issue_count_desc&grouping=revision&status=active&filter%5Btype%5D%5B0%5D=policy_flag&revisionScanId=53225480)

#### Snyk SARIF Report

* LGPL-2.1 org.jetbrains.intellij.deps:trove4j
* MPL-2.0 com.goterl:lazysodium-java
* EPL-1.0 junit:junit