Correct and if nobody asks they are fine in doing so. But they must comply if possible. If the code is gone then I am not sure they can be forced to give it.
> Correct and if nobody asks they are fine in doing so. But they must comply if possible. If the code is gone then I am not sure they can be forced to give it.
There must be some kind of remedy available in that event.
Money
This is one reason I hate npm. Who really checks that sprawling byzantine dependency tree to make sure that there isn't some micropackage that has a GPL license that could get included and taint the whole thing?
I just have the horrors when I look at the package.json file after the front-end folks have been allowed to run free...
There's tools [0] to help check the licenses of all your dependencies. I think larger companies build up a whitelist of libraries as they're reviewed and approved.
[0] https://github.com/davglass/license-checker
Yep. When I was at IBM, part of releasing something was a review of every dependency and its license. The stuff I worked on wasn't allowed to include any GPL code. (Or WTFPL, for that matter, but I think that had more to do with curse words than actual license issues.)
Shouldn't you be more concerned about the quality of the code? If no one has bothered to check the license, I'm sure nobody has studied it for a backdoor.
There are many reasons. That is another huge one.
Most of the time, nobody even is aware that including some new widget code ends up downloading half the internet, making our code size increase, our build times extend, and opening up a huge volume of attack. No one has any idea what dragons might lurk in that mess, or sometimes even that there might be dragons at all.
Shouldn't this be something that npm could support checking as a first class feature?
one can hope that front-end and back-end are truly separated
They would have to release the whole thing to come into compliance with the license, but they are not obligated to do so.