[synkronus-cli] Make MIT license compliant #545

@r0ssing

Description

FOLLOWUP-custom-qrcode-writer.md

Detailed checklist, acceptance criteria, and file-level scope are in the attached FOLLOWUP-custom-qrcode-writer.md.

Component

  • formulus (React Native mobile app)
  • formulus-formplayer (React web app)
  • synkronus (Go backend server)
  • synkronus-cli (Command-line utility)
  • Documentation
  • Other (please specify)

Feature Description

Replace the yeqown/go-qrcode/writer/standard PNG path (which pulls fogleman/gg → golang/freetype, reported as GPL-2.0-or-later) with a small custom implementation of qrcode.Writer that renders the QR matrix and optional center logo using only the Go standard library (image, image/draw, image/png, etc.).

After verifying the module graph and SBOM are clean, re-license synkronus-cli from GPL-2.0-or-later back to MIT and update synkronus-cli/LICENSE, synkronus-cli/README.md, and root THIRD_PARTY_NOTICES.md.

Problem Statement

Today, synk qr builds PNGs via writer/standard, which links a GPL-classified dependency chain. To keep distribution and licensing posture simple (and aligned with the rest of the MIT monorepo), we temporarily marked synkronus-cli as GPL-2.0-or-later. That is a stopgap.

We want prebuilt CLI binaries (and the project’s default license story) to return to permissive terms without giving up PNG QR output or the FRMLS payload format Formulus expects.

Proposed Solution

  1. Keep github.com/yeqown/go-qrcode/v2 for encoding/matrix generation or swap in another permissive QR library—either is acceptable if the final binary does not pull gg / freetype / writer/standard.
  2. Implement qrcode.Writer (Write, Close) that writes a PNG file, draws modules from the matrix, and composites qr_logo.png (centered), matching current behavior closely enough for scanning.
  3. Consider embed for qr_logo.png so go install / released binaries don’t depend on CWD for the logo.
  4. Run go mod tidy, regenerate synkronus-cli.cdx.json (node scripts/sbom/generate-sboms.mjs), and confirm no GPL identifiers for this dependency chain.
  5. Switch synkronus-cli to MIT (license file + docs) once the above is verified.

Alternatives Considered

  • Stay on GPL for the CLI indefinitely — accurate for the current stack, but conflicts with wanting MIT-first monorepo messaging and simpler redistribution expectations.
  • Swap to another QR library entirely (e.g. classic PNG encoders) — valid; slightly more refactor than a custom Writer but same outcome.
  • Non-PNG output (e.g. terminal-only QR) — not a full substitute for “save PNG for Formulus” workflows.
  • Different QR writer from yeqown — e.g. writer/file is text/Unicode, not PNG; not a drop-in replacement.

Additional Context

  • Entry point: synkronus-cli/internal/cmd/qr.go (standard.New, standard.WithLogoImageFilePNG("qr_logo.png")).
  • SBOM: release / local sbom-dist/synkronus-cli.cdx.json (see repo script scripts/sbom/generate-sboms.mjs).
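
Step 4 of the proposed solution (confirm no GPL identifiers in the regenerated SBOM) can be automated as a release gate. The following is an added example, not code from the synkronus repository: the function name, the substring match on "GPL" (which deliberately also flags LGPL and AGPL) and the inline sample SBOM are assumptions, and the sample is constructed rather than taken from the project's real synkronus-cli.cdx.json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sbom is the subset of the CycloneDX JSON schema needed for license checks.
type sbom struct {
	Components []struct {
		Name     string `json:"name"`
		Licenses []struct {
			Expression string `json:"expression"`
			License    struct {
				ID   string `json:"id"`
				Name string `json:"name"`
			} `json:"license"`
		} `json:"licenses"`
	} `json:"components"`
}

// gplComponents (hypothetical helper) returns "name: license" for every
// top-level component whose license id, name or SPDX expression contains "GPL".
func gplComponents(doc []byte) ([]string, error) {
	var s sbom
	if err := json.Unmarshal(doc, &s); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range s.Components {
		for _, l := range c.Licenses {
			for _, v := range []string{l.License.ID, l.License.Name, l.Expression} {
				if strings.Contains(strings.ToUpper(v), "GPL") {
					hits = append(hits, c.Name+": "+v)
				}
			}
		}
	}
	return hits, nil
}

// Constructed sample, not the project's real SBOM.
const sampleSBOM = `{"bomFormat":"CycloneDX","components":[
 {"name":"github.com/yeqown/go-qrcode/v2","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"github.com/golang/freetype","licenses":[{"license":{"id":"GPL-2.0-or-later"}}]}]}`

func main() {
	hits, err := gplComponents([]byte(sampleSBOM))
	fmt.Println(hits, err)
}
```

A non-empty result should fail the build. Components with an empty licenses array pass this check, so review those separately before re-licensing.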

Labels: enhancement (New feature or request), vNextMinor ("vNextMinor" would currently mean for example v1.1.0)