guix-devel

Re: NPM importer


From: Mike Gerwitz
Subject: Re: NPM importer
Date: Tue, 20 Nov 2018 20:41:15 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

On Tue, Nov 20, 2018 at 22:12:18 +0100, swedebugia wrote:
> I wonder how many are free software? 90%? 50%?
>
> I hope we can automate this some way.

The JavaScript community has poor licensing practices, and the culture
is somewhat hostile to the ideals of the free software movement (they
focus on permissive licensing to empower non-free software developers
using those libraries).

The package.json has a license field, but package.json is often
auto-generated and I think is MIT Expat by default.  It is metadata---I
can't imagine it carries any legal weight by itself.  Consequently, we'd
have to fall back on COPYING or LICENSE files (of various sorts) in the
projects.  Even then, a project may contain things under various licenses.

Further, since there tend to be many really small packages, if _any_ one
of those is missing proper license information, then anything that
depends on it will be non-free.  Since npm doesn't ensure that its
packages are actually free, the odds of there being some sort of
licensing issue---just by sheer number---are probably higher than we
would like them to be.  I'm not suggesting malice; it may be
accidental, or maybe someone knows nothing about licensing and simply
never attached a license to begin with (making it non-free by default).[0]

There's also the risk of any of these projects using incompatible
licenses.

Both GitLab and GitHub detect licenses on projects.  I forget the name
of the software they use to do that (and it may not be the same for both
of them), and it's probably not perfect, but something like that may
help with automation.


[0]: https://blog.github.com/2015-03-09-open-source-license-usage-on-github-com/
     (as of 2015)

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
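
The transitive problem described in the message above, as an added example that is not part of the original message or of Guix's importer: a package counts as having license evidence only when a COPYING/LICENSE-style file is present, and any dependency without one holds back everything that depends on it. The package data is constructed and the field names (`licenseField`, `licenseFiles`, `deps`) are hypothetical.

```javascript
// Constructed sample data; the field names are hypothetical.
//   licenseField: the "license" value from package.json (null if absent)
//   licenseFiles: COPYING/LICENSE-style files found in the source tree
//   deps:         direct dependencies
const samplePackages = {
  "app":         { licenseField: "GPL-3.0-or-later", licenseFiles: ["COPYING"], deps: ["left-helper", "tiny-fmt"] },
  "left-helper": { licenseField: "MIT", licenseFiles: ["LICENSE"], deps: ["is-thing"] },
  "tiny-fmt":    { licenseField: "MIT", licenseFiles: [], deps: [] },             // metadata only
  "is-thing":    { licenseField: null, licenseFiles: [], deps: ["left-helper"] }, // no license, cyclic dep
  "solo":        { licenseField: "ISC", licenseFiles: ["LICENSE.md"], deps: [] },
};

// How much license evidence a single package carries on its own.
function ownStatus(pkg) {
  if (pkg.licenseFiles.length > 0) return "file";
  return pkg.licenseField ? "metadata-only" : "none";
}

// Every package in the transitive closure of `name` (itself included) that
// lacks a license file. `seen` guards against dependency cycles.
function blockers(name, pkgs, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const pkg = pkgs[name];
  if (!pkg) return [name]; // dependency missing from the graph: cannot be checked
  const own = ownStatus(pkg) === "file" ? [] : [name];
  return own.concat(...pkg.deps.map((dep) => blockers(dep, pkgs, seen)));
}

// Per-package report: own status plus the packages that hold it back.
function audit(pkgs) {
  const report = {};
  for (const name of Object.keys(pkgs)) {
    report[name] = { own: ownStatus(pkgs[name]), blockedBy: blockers(name, pkgs).sort() };
  }
  return report;
}

for (const [name, r] of Object.entries(audit(samplePackages))) {
  console.log(`${name}: own=${r.own} blockedBy=[${r.blockedBy.join(", ")}]`);
}
```

Here `app` ships its own COPYING file yet is still held back by `is-thing` and `tiny-fmt`, while `solo` is the only package with an empty `blockedBy` list.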


