Found during analysis of our recent “node/npm production dependencies” CQ. See: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=18717#c12
Quick analysis: It looks like there are ~3 GPL-licensed files that are downloaded by the dugite postinstall script (/scripts/download-git.js).
E.g. on Linux, this downloads: https://github.com/desktop/dugite-native/releases/download/v2.20.1/dugite-native-v2.20.1-f9ba893-ubuntu.tar.gz
This is the git that dugite bundles. Included GPL-licensed files:
If I understand the situation correctly, dugite is a production dependency for the project that’s needed for our git extension. Whatever it automatically downloads is considered to be “distributed” by the project, since our users have no choice in the matter. We can’t distribute GPL content, even if we do not “link” to it (i.e. it does not matter if these files are not called/executed from our code).
I think we need to either:
- use something other than dugite
- find a way such that dugite does not ever install its bundled git and instead relies on the system’s git
[original thread by Marc Dumais]