From: Jelle Licht
Subject: Re: npm (mitigation)
Date: Sat, 15 Jul 2017 05:57:56 +0200
In-Reply-To: <871spi5q5g.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mike Gerwitz
Cc: guix-devel

2017-07-15 5:34 GMT+02:00 Mike Gerwitz:
> On Fri, Jul 14, 2017 at 13:57:30 +0200, Jelle Licht wrote:
> > Regardless, the biggest issue that remains is still that npm-land is mired
> > in cyclical dependencies and a fun-but-not-actually unique dependency
> > resolving scheme.
>
> I still think the largest issue is trying to determine if a given
> package and its entire [cyclic cluster] subgraph is Free. That's a lot
> of manual verification to be had (to verify any automated
> checks). npm's package.json does include a `license' field, but that is
> metadata with no legal significance, and afaik _defaults_ to "MIT"
> (implying Expat), even if there's actually no license information in the
> repository.

And that is exactly why this probably won't end up in Guix proper, at least for the
foreseeable future. And also the reason that the entire npm situation is so sad.

The default MIT/Expat only applies to people who generate their package metadata
via npm init by just pressing enter; IANAL, but directly referring to a valid and
common SPDX identifier is not that different from including some file under the name
of LICENSE/COPYING.

It is true that lots of npm projects do not include copyright and/or license headers in
each source file, but this is also true for lots of other free software.

- Jelle
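The kind of automated pre-check the thread says still needs manual verification, as an added example that is not code from this thread, from npm or from Guix: walk a dependency subgraph (cycles included) and flag every package whose `license` metadata is missing, is not on an accepted SPDX list, or is an SPDX id with no LICENSE/COPYING file behind it. The registry, the `hasLicenseFile` flag and the SPDX allow-list are constructed assumptions; a real run would read each package.json under node_modules.

```javascript
// Added example, not from the thread: audit licence metadata across a
// dependency subgraph, terminating on the cyclic clusters npm produces.

// Hypothetical allow-list of SPDX identifiers this auditor accepts.
const ACCEPTED_SPDX = new Set(["MIT", "ISC", "BSD-3-Clause", "Apache-2.0", "GPL-3.0-or-later"]);

// Constructed sample registry: name -> { license, hasLicenseFile, dependencies }.
// `hasLicenseFile` stands in for "a LICENSE/COPYING file exists in the repo".
const REGISTRY = {
  app: { license: "GPL-3.0-or-later", hasLicenseFile: true,  dependencies: ["a", "b"] },
  a:   { license: "MIT",              hasLicenseFile: false, dependencies: ["b"] }, // `npm init` default look
  b:   { license: "MIT",              hasLicenseFile: true,  dependencies: ["a", "c"] }, // cycle a <-> b
  c:   { license: undefined,          hasLicenseFile: false, dependencies: ["d"] },
  d:   { license: "Proprietary",      hasLicenseFile: true,  dependencies: [] },
};

// Every package reachable from `root`; each node is visited once, so
// cyclic clusters do not loop forever.
function reachable(root, registry) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of registry[name].dependencies) stack.push(dep);
  }
  return seen;
}

// Verdict for one package's licence metadata.
function classify(pkg) {
  if (!pkg.license) return "missing";                          // no `license` field at all
  if (!ACCEPTED_SPDX.has(pkg.license)) return "unrecognised";  // not an accepted SPDX id
  if (!pkg.hasLicenseFile) return "metadata-only";             // SPDX id, but nothing in the repo backs it
  return "ok";
}

// Map every package in the subgraph to its verdict; anything other than
// "ok" is a candidate for the manual verification the thread describes.
function audit(root, registry = REGISTRY) {
  const report = {};
  for (const name of reachable(root, registry)) report[name] = classify(registry[name]);
  return report;
}

console.log(audit("app"));
```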