From: Mike Gerwitz
Subject: Re: NPM importer
Date: Tue, 20 Nov 2018 20:41:15 -0500
Message-ID: <87zhu3b41w.fsf@gnu.org>
References: <70F182DB-C157-4763-A4C6-89985545661C@lepiller.eu> <0e5afb2d-c182-6be4-ba2d-6a6f7dd45ac9@riseup.net> <1150DF84-4952-4401-A8D0-3E05A4D0EB74@lepiller.eu> <23f36a0d-a5ef-5457-1d8e-61fbebda91c4@riseup.net>
In-Reply-To: <23f36a0d-a5ef-5457-1d8e-61fbebda91c4@riseup.net> (swedebugia@riseup.net's message of "Tue, 20 Nov 2018 22:12:18 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: swedebugia
Cc: guix-devel@gnu.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Tue, Nov 20, 2018 at 22:12:18 +0100, swedebugia wrote:
> I wonder how many are free software? 90%? 50%?
>
> I hope we can automate this some way.

The JavaScript community has poor licensing practices, and the culture is somewhat hostile to the ideals of the free software movement (they focus on permissive licensing to empower non-free software developers using those libraries).

The package.json has a license field, but package.json is often auto-generated and I think is MIT Expat by default. It is metadata---I can't imagine it carries any legal weight by itself. Consequently, we'd have to fall back on COPYING or LICENSE files (of various sorts) in the projects.
Even then, a project may contain things under various licenses.

Further, since there tend to be many really small packages, if _any_ one of those is missing proper license information, then anything that depends on it will be non-free. Since npm doesn't ensure that its packages are actually free, the odds of there being some sort of licensing issue---just by sheer number---are probably higher than we would like them to be. I'm not suggesting malice; it may be accidental, or maybe someone knows nothing about licensing and simply never attached a license to begin with (making it non-free by default).[0]

There's also the risk of any of these projects using incompatible licenses.

Both GitLab and GitHub detect licenses on projects. I forget the name of the software they use to do that (and it may not be the same for both of them), and it's probably not perfect, but something like that may help with automation.

[0]: https://blog.github.com/2015-03-09-open-source-license-usage-on-github-com/ (as of 2015)

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJb9Le7AAoJEIyRe39dxRuijsQP/19DjT/G4/806rbtECrZAOeB
DhsWG6fm4rFkv9VbdVgKFASF2qIYSmq8p3yiVHwaNNoV0HcUurK/Gz44880S9EPO
EnHoN7naBYEzv1JRkGFdiHh6eEeUsGPdt4RB1/bunjY4K3EOfeSVQWWeXlDjI4GK
KKsLqNto00ESiwkDW2FOvElnUwfkFa1i+mtc48PbNtoy0VPie9kid51NDQLw4fZG
4VTU+kExeBHriq1AsNREWOQB2Ctg09ydkrzTvzlg4kucnFp8S3ohvbLoSoPil0YH
09hihN/sSwtws2BkMjgB2cO/y46MZeRsvazDD6ZZNyz3PqVZYsPa+5F0eFp7MlpV
a56lsND20IEtmITUZsaIx+W4F71iLJPIVWMN0NZA/rMgEntWSgexSx3w9RFZNYWH
m3UAyACIV9M9WDlTN/OJ/Q98clJ8G3AcZ3M5hKMyvtupctMWxZmDhY3dEGGeavvv
AKIXJ0Qau0mi9HFvT4eusfyih01kCFGddMcUCkY7QY6yuDxg1hHglM75t6YHvfwP
4lZlCywwC6UMazpv0QO6KMOhq7pwEVsXvn9agZR9gd5d18H+6EMv0AogNrh2a48u
HFtRNSMx4woFxXUGd2P50/Zy8hJFyijMbLyksLkxfr7HcTfJ+hUGb1e94xuEdZzr
xR/YjftLIOSzNUV9y20y
=F0Yh
-----END PGP SIGNATURE-----