From: swedebugia <swedebugia@riseup.net>
To: Brett Gilio <brettg@posteo.net>, Mike Gerwitz <mtg@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: NPM importer
Date: Thu, 22 Nov 2018 00:22:54 +0100	[thread overview]
Message-ID: <a8199901-536e-03fd-f3e0-ccda7f539fe9@riseup.net> (raw)
In-Reply-To: <87va4qxf8e.fsf@posteo.net>

On 2018-11-21 23:01, Brett Gilio wrote:
> 
> Mike Gerwitz writes:
> 
>> The JavaScript community has poor licensing practices, and the culture
>> is somewhat hostile to the ideals of the free software movement (they
>> focus on permissive licensing to empower non-free software developers
>> using those libraries).
> 
> To say the least. It will take a good deal of implementing a license
> checker on the importer, as well as human verification to ensure that we
> are maintaining a high ethical standard.

We might want to use the same approach as licensee:

"The solution

Licensee automates the process of reading LICENSE files and compares 
their contents to known licenses using several strategies (which we 
call "Matchers"). It attempts to determine a project's license in the 
following order:

1. If the license file has an explicit copyright notice, and nothing more 
   (e.g., Copyright (c) 2015 Ben Balter), we'll assume the author intends 
   to retain all rights, and thus the project isn't licensed.
2. If the license is an exact match to a known license. If we strip away 
   whitespace and copyright notice, we might get lucky, and direct string 
   comparison in Ruby is cheap.
3. If we still can't match the license, we use a fancy math thing called 
   the Sørensen–Dice coefficient, which is really good at calculating the 
   similarity between two strings. By calculating the percent changed from 
   the known license to the license file, you can tell, e.g., that a given 
   license is 95% similar to the MIT license, that 5% likely representing 
   legally insignificant changes to the license text."

https://github.com/benbalter/licensee

We could perhaps also semi-automate the generation of emails to authors 
of the offending npm packages with unclear packages.
Say only 1% of 470.000 has unclear license, that equals 4700 emails to 
authors. :)

In a hypothetical scenario with import of 20 npm packages a day it will 
take us 477.000/20 = 23850 days = 65 years to import them all.

In a hypothetical scenario with import of 500 npm packages a day it will 
take us 477.000/500 = 954 days = 2,6 years to import them all.

This is based on the assumption that all are free software, but that is 
probably not the case.

BTW
ssb-patchwork had over 400 dependants in 10+ levels and the dotfile is 
attached. The rendered png is crazy looking. Reminds me of the holy 
spaghetti monster.

A graph of all npm packages and top packages is also available: 
https://exploring-data.com/info/npm-packages-dependencies/
-- 
Cheers
Swedebugia

[-- Attachment #2: ssb-patchwork.dot.bz2 --]
[-- Type: application/x-bzip, Size: 6041 bytes --]
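The three-step matching order quoted from licensee above, as an added Ruby example that is neither licensee's own code nor part of the Guix importer. The known-license texts are constructed, abbreviated stand-ins for the real license bodies, and the 0.9 similarity threshold is an assumption.

```ruby
# Constructed, abbreviated stand-ins for known license texts (not the legal texts).
KNOWN_LICENSES = {
  "mit" => "Permission is hereby granted, free of charge, to any person obtaining " \
           "a copy of this software and associated documentation files, to deal in " \
           "the software without restriction. The software is provided as is, " \
           "without warranty of any kind.",
  "isc" => "Permission to use, copy, modify, and/or distribute this software for any " \
           "purpose with or without fee is hereby granted, provided that the above " \
           "copyright notice and this permission notice appear in all copies. " \
           "The software is provided as is and the author disclaims all warranties."
}.freeze

# A notice line such as "Copyright (c) 2015 Ben Balter". A year is required so
# that the words "copyright notice" inside a license body are left untouched.
COPYRIGHT_RE = /copyright\s*(\(c\)|©)?\s*\d{4}.*?(\n|\z)/i

# Strip copyright notices, then case and whitespace differences.
def normalize(text)
  text.gsub(COPYRIGHT_RE, " ").downcase.split.join(" ")
end

# Character-bigram multiset: Hash of bigram => count.
def bigrams(str)
  str.each_char.each_cons(2).map(&:join).each_with_object(Hash.new(0)) { |bg, h| h[bg] += 1 }
end

# Sørensen–Dice coefficient: 2 * |A ∩ B| / (|A| + |B|) over bigram multisets.
def dice(a, b)
  ba, bb = bigrams(a), bigrams(b)
  return 0.0 if ba.empty? || bb.empty?
  overlap = ba.sum { |bg, n| [n, bb.fetch(bg, 0)].min }
  2.0 * overlap / (ba.values.sum + bb.values.sum)
end

# Returns [verdict, score] in licensee's order: "unlicensed" for a notice with
# nothing more; a license id with 1.0 on exact match; the closest id with its
# Dice score when it clears the threshold; nil otherwise (send it to a human).
def detect_license(text, threshold: 0.9)
  norm = normalize(text)
  return ["unlicensed", 1.0] if norm.empty?
  KNOWN_LICENSES.each { |id, body| return [id, 1.0] if norm == normalize(body) }
  id, score = KNOWN_LICENSES.map { |k, body| [k, dice(norm, normalize(body))] }.max_by(&:last)
  score >= threshold ? [id, score] : [nil, score]
end
```

A file that scores just under the threshold is exactly the case the thread discusses: it is neither clearly licensed nor clearly unlicensed, so it belongs on the list for manual review or an email to the author.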
