After some legal consulting with a copyright lawyer, Pulp is good to distribute an Apache2 dependency as long as we also are providing a source rpm. Here are the questions and answers I received:
Is there any issue is building and distributing an Apache licensed
package along with our GPLv2 licensed code?
No.
If we are able to, do we need to do anything special to identify the
license of that dependency as being different from our codebase's
license?
You don't need to do anything beyond what is necessary to comply with
the Apache License 2.0 as to python-debpkgr. That includes:
1. Including the Apache License 2.0 text with the python-debpkgr code
(it is currently contained at:
https://github.com/sassoftware/python-debpkgr/blob/master/LICENSE) So,
if you are distributing a source RPM containing the python-debpkgr
source code, don't remove the LICENSE file, and if there's a
python-debpkgr binary RPM, that also should have the LICENSE file.
2. Don't remove any existing copyright/license notices from individual
source files
3. If you modify any python-debpkgr files, you are supposed to "cause
any modified files to carry prominent notices stating that You changed
the files" (that could be a comment that says 'Modified by the Pulp
project', for example).
Add python-debpkgr as a dependency for pulp_deb
Add python-debpkgr as a dependency for pulp_deb
closes #2803