From: Mike Gerwitz
Subject: Re: npm (mitigation)
Date: Mon, 17 Jul 2017 22:12:41 -0400
To: Catonano
Cc: guix-devel

On Mon, Jul 17, 2017 at 11:45:29 +0200, Catonano wrote:
> in my idea I would have built a database with conditions for being non
> free for every npm package.
>
> So we could have queried the database for questions like: is there any non
> free or non buildable package in the dependency tree of, say, the current
> Jquery?

Being able to query the graph for non-free dependencies is good, yes.

My concern is developing a (reasonably) fool-proof system for detecting
those packages that doesn't require manual verification, which would be
extremely costly, outside of a reasonable randomly-chosen set. I'm not
saying it's impossible; it's just difficult with such wildly varying
standards and carelessness with regards to licensing that is prominent
in the JS community.

But we have to start somewhere, so anything you can come up with would
be good. :)

> You might remember my post of a few months back about an attempt of mine to
> crawl the npm registry and store data found there.

I do---I'm sorry if there are details that I missed or should know; I
haven't been able to follow this too closely. I can be a bit of a
parrot sometimes with certain issues. :x

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com