Replace dependency github.com/muhlemmer/gu if it remains unlicensed #665

Closed
1 of 2 tasks
jrschumacher opened this issue Oct 11, 2024 · 3 comments
Labels
auth enhancement New feature or request

Comments

@jrschumacher

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

In an upstream project, I found that https://github.com/muhlemmer/gu is unlicensed and used by this project (Apache).

Describe your ideal solution

If the maintainer of gu does not intend to license (muhlemmer/gu#4) then replace it with internal utilities.

The project uses functions a total of 22 times.

AssertInterfaces

// https://github.com/muhlemmer/gu/blob/5ec4b4d1900db390c038b02f92f1eca0c3f2bebd/slice.go#L22-L34
func AssertInterfaces[T any](is []interface{}) ([]T, error) {
	out := make([]T, len(is))

	for i := 0; i < len(is); i++ {
		var ok bool

		if out[i], ok = is[i].(T); !ok {
			return nil, fmt.Errorf("cannot assert %T of value %v to %T at index %d", is[i], is[i], out[i], i)
		}
	}

	return out, nil
}

MapCopy

// https://github.com/muhlemmer/gu/blob/5ec4b4d1900db390c038b02f92f1eca0c3f2bebd/map.go#L33-L45
func MapCopy[K comparable, V any](src map[K]V) map[K]V {
	if src == nil {
		return nil
	}

	dst := make(map[K]V, len(src))

	for k, v := range src {
		dst[k] = v
	}

	return dst
}

MapMerge

// https://github.com/muhlemmer/gu/blob/5ec4b4d1900db390c038b02f92f1eca0c3f2bebd/map.go#L74-L78
func MapMerge[K comparable, V any](src map[K]V, dst map[K]V) {
	for k, v := range src {
		dst[k] = v
	}
}

Ptr

// https://github.com/muhlemmer/gu/blob/5ec4b4d1900db390c038b02f92f1eca0c3f2bebd/pointer.go#L6-L8
func Ptr[T any](value T) (pointer *T) {
	return &value
}

PtrCopy

// https://github.com/muhlemmer/gu/blob/5ec4b4d1900db390c038b02f92f1eca0c3f2bebd/pointer.go#L27-L32
func PtrCopy[T any](pointer *T) *T {
	if pointer == nil {
		return nil
	}
	return Ptr(Value(pointer))
}

func Value[T any](pointer *T) (value T) {
	if pointer != nil {
		value = *pointer
	}

	return value
}

Version

main

Additional Context

Since this is pretty small I'd advise copying the functionality as utils to avoid the node left-pad issue or a supply chain attack.

The final and maybe most important software supply chain risk mitigation in the Go ecosystem is the least technical one: Go has a culture of rejecting large dependency trees, and of preferring a bit of copying to adding a new dependency. It goes all the way back to one of the Go proverbs: “a little copying is better than a little dependency”.
https://go.dev/blog/supply-chain#a-little-copying-is-better-than-a-little-dependency

@jrschumacher jrschumacher added the enhancement New feature or request label Oct 11, 2024
@jrschumacher jrschumacher changed the title from "Replacer https://github.com/muhlemmer/gu if it remains unlicensed" to "Replace https://github.com/muhlemmer/gu if it remains unlicensed" Oct 11, 2024
@jrschumacher jrschumacher changed the title from "Replace https://github.com/muhlemmer/gu if it remains unlicensed" to "Replace dependency github.com/muhlemmer/gu if it remains unlicensed" Oct 11, 2024
@fforootd
Member

fforootd commented Oct 15, 2024

Lucky us that @muhlemmer is working for zitadel 😁

I am sure we can resolve that with not too much friction.

Thanks for pointing this out

@muhlemmer
Collaborator

I replied here: muhlemmer/gu#4 (comment)

TL;DR gu is unlicense / public domain and shouldn't create a licensing issue.

@jrschumacher
Author

Our license checking system didn't pick up on "Unlicense" as a valid license and upon manual inspection I didn't notice the difference between something being unlicensed and being licensed as "Unlicense" (or public domain). My apologies for the confusion.

I would still encourage pulling it in since that is a valid action of this license and it aligns with the Go proverb, but I'm going to close this issue since the main concern is resolved.

@jrschumacher jrschumacher closed this as not planned Oct 15, 2024
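
The confusion resolved in the last comment (a license checker treating a dependency licensed under the SPDX `Unlicense` identifier as if it had no license at all) can be avoided by giving a dependency license gate separate verdicts for the two cases. The Go program below is an added example, not part of this thread or of any project's tooling; `Check`, `Verdict`, the marker phrases, the allowlist and the sample text are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict keeps "no license at all" distinct from "licensed, but not on the allowlist".
type Verdict string

const (
	NoLicense Verdict = "no-license" // no license text found: nothing grants reuse rights
	Denied    Verdict = "denied"     // recognised license that the allowlist does not contain
	Allowed   Verdict = "allowed"    // recognised license that the allowlist contains
	Unknown   Verdict = "unknown"    // text present but unrecognised: send to manual review
)

// markers maps a distinctive phrase of a license text to its SPDX identifier (illustrative set).
var markers = []struct{ phrase, spdx string }{
	{"this is free and unencumbered software released into the public domain", "Unlicense"},
	{"apache license version 2.0", "Apache-2.0"},
}

// unlicenseHead is a constructed sample: the opening sentence of the Unlicense text.
const unlicenseHead = "This is free and unencumbered software\nreleased into the public domain."

// Check classifies one dependency's license text against an allowlist of SPDX identifiers.
func Check(text string, allow map[string]bool) (Verdict, string) {
	norm := strings.ToLower(strings.Join(strings.Fields(text), " "))
	if norm == "" {
		return NoLicense, ""
	}
	for _, m := range markers {
		if !strings.Contains(norm, m.phrase) {
			continue
		}
		if allow[m.spdx] {
			return Allowed, m.spdx
		}
		return Denied, m.spdx
	}
	return Unknown, ""
}

func main() {
	allow := map[string]bool{"Apache-2.0": true}
	fmt.Println(Check("", allow))
	fmt.Println(Check(unlicenseHead, allow))
}
```

With this split, a `denied` result for `Unlicense` points at an allowlist decision, while `no-license` and `unknown` point at the dependency itself.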