GV001: LicenseCompatibility

Overview

Property | Value
---------|---------------------
ID       | GV001
Name     | LicenseCompatibility
Group    | governance
Severity | WARNING

Description

Verifies that your project’s license is compatible with the licenses of all declared dependencies. Incompatible licenses can create legal issues when distributing your software.

License incompatibilities can lead to:

  • Legal liability for license violations
  • Inability to distribute your software commercially
  • Forced relicensing of your project
  • Exclusion from certain ecosystems or app stores

What it checks

The check reads your project’s license from [project].license in pyproject.toml, then uses importlib.metadata to retrieve the licenses of all installed dependencies. It applies a compatibility matrix based on license families:

License Families

Family          | Licenses                                  | Description
----------------|-------------------------------------------|---------------------------------------------
Permissive      | MIT, BSD, Apache-2.0, ISC, Unlicense      | Can be used in almost any project
Weak Copyleft   | LGPL, MPL, EPL                            | Must share modifications to the library itself
Strong Copyleft | GPL, AGPL                                 | Requires derived works to use the same license
Proprietary     | Commercial, All Rights Reserved           | Restrictive, may conflict with open-source

Compatibility Rules

  1. Permissive projects (MIT, BSD, Apache-2.0):
    • Can use permissive and weak copyleft dependencies
    • Cannot use strong copyleft (GPL) dependencies without relicensing
    • Cannot use proprietary dependencies in open-source distribution
  2. Weak copyleft projects (LGPL, MPL):
    • Can use permissive and other weak copyleft dependencies
    • Cannot use strong copyleft dependencies
    • Cannot use proprietary dependencies
  3. Strong copyleft projects (GPL, AGPL):
    • Can use permissive, weak copyleft, and strong copyleft dependencies
    • Cannot use proprietary dependencies
  4. Proprietary projects:
    • Can use permissive and weak copyleft dependencies (check terms)
    • Cannot use strong copyleft (GPL) dependencies

Result states

  • PASSED: All dependencies have compatible licenses
  • FAILED (WARNING): Incompatible licenses found
  • FAILED (NOTE): Unknown licenses requiring manual review
  • NOT_APPLICABLE: No license defined in pyproject.toml

How to fix

Review the flagged dependencies

Check each flagged dependency to understand the actual license requirements:

# View a package's license
pip show <package-name>

# Or check the package's repository/PyPI page

Option 1: Use alternative packages

Find alternative packages with compatible licenses:

# Instead of GPL-licensed dependency
# dependencies = ["gpl-package>=1.0"]

# Use a permissive alternative
dependencies = ["permissive-alternative>=1.0"]

Option 2: Change your project license

If GPL dependencies are essential, consider using a GPL-compatible license:

[project]
license = "GPL-3.0-only"  # Now GPL dependencies are allowed

Option 3: Request dual-licensing

Some projects offer dual licensing. Contact the maintainers to request a commercial or permissive license option.

Option 4: Exclude from distribution

If the dependency is only used for development:

[project]
dependencies = []  # Core dependencies only

[project.optional-dependencies]
dev = ["gpl-dev-tool>=1.0"]  # Development only

Add to ignore list

For false positives or intentionally allowed exceptions:

[tool.pycmdcheck.checks.GV001]
ignore_packages = ["package-with-known-compatible-license"]

Examples

Compatible setup (MIT project with permissive deps)

[project]
name = "my-package"
license = "MIT"
dependencies = [
    "requests>=2.28.0",    # Apache-2.0 - compatible
    "click>=8.0",          # BSD-3-Clause - compatible
    "pydantic>=2.0",       # MIT - compatible
]

Incompatible setup (MIT project with GPL dep)

[project]
name = "my-package"
license = "MIT"
dependencies = [
    "requests>=2.28.0",    # Apache-2.0 - compatible
    "gpl-library>=1.0",    # GPL-3.0 - INCOMPATIBLE!
]

This would fail with:

GV001 FAILED: Found 1 license compatibility issue(s)
  - gpl-library (GPL-3.0): GPL-family license may require your project to be GPL-licensed

Configuration

Ignore specific packages

[tool.pycmdcheck.checks.GV001]
ignore_packages = [
    "internal-package",
    "known-compatible-package",
]

Skip this check

[tool.pycmdcheck]
skip = ["GV001"]

CLI

pycmdcheck --skip GV001

Limitations

  1. Requires installed packages: The check only works for dependencies that are currently installed in the environment
  2. License detection: Some packages have unclear or missing license metadata
  3. Complex licensing: Dual-licensed packages or custom licenses may need manual review
  4. Transitive dependencies: Only direct dependencies are checked (not their dependencies)

Further reading