We noticed in our vendor_bundled/composer.lock that some packages slipped in which are GPL or Apache licensed only (not compatible with LGPL). We have different cases:
- The packages we are not sure with
- The packages we should be able to have the right to use (even with a derogation)
- The packages that are not used or deprecated.
- https://github.com/h5p/h5p-editor-php-library (Although it claims MIT the https://github.com/h5p/h5p-editor-php-library/blob/master/composer.json says GPL only)
- https://github.com/BafS/Testify.php (license mentioned in https://github.com/BafS/Testify.php/blob/master/composer.json)
- https://github.com/farbelous/bootstrap-colorpicker (Apache 2.0)
- https://github.com/apereo/phpCAS (Apache 2.0)
https://github.com/zetacomponents/Webdav (Apache 2.0)Removed from Tiki
https://github.com/zetacomponents/Base (Apache 2.0)Removed from Tiki
- https://github.com/ahand/mobileesp (Apache 2.0)
The incompatibility of Apache-2 and GPL-2 is well documented. If your software is a combined/derivate work with/of Apache-2 software, you cannot license that software under the GPL-2 and therefore cannot license it under the LGPL-2.1 either.
- https://github.com/conversejs/converse.js (MPL 2.0) (not quite sure about this one but the diagram does not indicate it is compatible with LGPL 2.1)
- https://github.com/kaltura/KalturaGeneratedAPIClientsPHP53 (AGPL 3.0)
- https://github.com/PHPCompatibility/PHPCompatibility (LGPL 3.0+ - not sure it can be included in LGPL 2.1)