I’m trying to use Nix inside a company that is averse to GPL3 (as many companies are). Nix itself is LGPL 2.1, but its standard build environment depends on multiple GPLv3 packages (including bash and coreutils). It’s strictly build-time tooling so there’s a chance of getting it approved, but I imagine this is a point of concern for many larger companies in considering whether to adopt Nix.
Is there any reasonable way to replace the standard environment such that Nix can run with config = { blacklistedLicenses = [ lib.licenses.gpl3Plus ]; }? I define “reasonable” as in “I don’t have to rebuild the entire world myself”. I imagine a sufficiently large company that decides to adopt Nix can also invest in the infrastructure necessary to build and maintain their own complete stdenv fork, but I do not expect to get that level of support, especially as I’m pushing Nix on a single team rather than as part of the company’s broader developer infrastructure.
Are there other (non-Nix) Linux environments that make this possible? I’d imagine that if you use Debian or Ubuntu, there’s lots of GPL3 in there as well.
In my case I’m running this on macOS, which itself avoids GPLv3 like the plague.
That said, I know there’s plenty of Linux use at this company, so it’s likely that the GPLv3 versions of these various utilities are already in use somewhere, but I’m not sure if Legal makes a distinction between “stuff included on a base Linux image” versus “stuff pulled in by a random build tool”, even if it’s the same stuff.
Having said that, assuming I can get Legal to approve the use of Nix, is there any way to tell Nix “under no circumstances are you to ever download the source to a gplv3 package”? Because companies with a GPLv3 aversion are likely to recoil in horror at the idea of GPLv3 source even if they’re willing to give exceptions for prebuilt binaries.
Is there any reasonable way to replace the standard environment such that Nix can run with config = { blacklistedLicenses = [ lib.licenses.gpl3Plus ]; }? I define “reasonable” as in “I don’t have to rebuild the entire world myself”
I would be very surprised…
Bash is in stdenv, you want to change the bash version, so you change stdenv and get everything rebuilt (I am actually not sure whether explicitly-bash parts of stdenv are even compatible with bash old enough to be GPLv2, maybe not…)
Hmm, I guess it might depend on how generalized/POSIX-compliant the scripts and such are. For example, I know both Bash and Zsh are POSIX-compliant, but the latter has an MIT-like license.
Overall, I think it’d be cool if we could supplant/tag builds by their build-chain and tags, as that could definitely improve adoptability for companies, but I’m not sure the amount of effort needed would be justified…
Right now I think the “please let me prevent downloading gplv3 source” is more important than blacklisting gplv3 projects. I’d love to be able to do the latter without rebuilding the world, but the former is really the “this must never happen” scenario.
I suppose it could be an interesting experiment to see how far one gets, replacing bash and coreutils by zsh and uutils. Probably won’t make bootstrapping easier.
You could probably switch bash for oil which is meant for bash compatibility while also offering nicer syntax. It in theory is a drop-in replacement(though I haven’t tested this) the coreutils to uutils or the bsd versions would probably still need to be done. I don’t know the status of uutils, but the BSD utils have been stable for a very long time.