guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: npm (mitigation)


From: Jelle Licht
Subject: Re: npm (mitigation)
Date: Sat, 15 Jul 2017 05:57:56 +0200



2017-07-15 5:34 GMT+02:00 Mike Gerwitz <address@hidden>:
On Fri, Jul 14, 2017 at 13:57:30 +0200, Jelle Licht wrote:
> Regardless, the biggest issue that remains is still that npm-land is mired
> in cyclical dependencies and a fun-but-not-actually unique dependency
> resolving scheme.

I still think the largest issue is trying to determine if a given
package and its entire [cyclic cluster] subgraph is Free.  That's a lot
of manual verification to be had (to verify any automated
checks).  npm's package.json does include a `license' field, but that is
metadata with no legal significance, and afaik _defaults_ to "MIT"
(implying Expat), even if there's actually no license information in the
repository.

And that is exactly why this probably won't end up in Guix proper, at least for the
foreseeable future. And also the reason that the entire npm situation is so sad.

The default MIT/Expat only applies to people who generate their package metadata
via npm init by just pressing enter; IANAL, but directly referring to a valid and
common SPDX identifier is not that different from including some file under the name
of LICENSE/COPYING.

It is true that lots of npm projects do not include copyright and/or license headers in
 each source file, but this is also true for lots of other free software.

-
Jelle

reply via email to

[Prev in Thread] Current Thread [Next in Thread]