tachyons-sass violates the licence of its one upstream project #34
Comments
|
Afaik it is sufficient to use this short license header. We do not want the full license text in all (minified) files. Also the MIT license text is always the same. |
|
Also see https://stackpath.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css This is common and ok. Otherwise you would have to open an issue for all frontend frameworks and other projects. |
|
Daniel Ruf dixit:
Afaik it is sufficient to use this short license header.
No. Read the MIT licence itself:
>[…] subject to the following conditions:
>
>The above copyright notice and this permission notice shall be
>included in all copies or substantial portions of the Software.
The licence requires being incorporated. Unless you have a waiver
from the normalize.css author. (In which case that waiver would
probably be in the normalize.css repo and apply to everyone.)
This is common and ok.
This is common and very much not ok.
We do not want the full license text in all (minified) files.
Then either get a waiver from the normalize.css author (and
include that full waiver in your normal source code, so that
_your_ downstreams know), or don’t use anything under… almost
all Open Source licences — they all require that the licence
be reproduced alongside. As things currently are, you violate
the licence from @necolas by distributing your project, and,
what’s worse, your downstreams do the same. I had to manually
add it in the one project I’m using swagger-ui-dist in, in
order to stay legally compliant.
Also the MIT license text is always the same.
Funny you mention that: the MIT licence is notoriously bad
in that there are so many different versions around there
that the original MIT licence (the one people normally use)
has the licence identifyer “Expat”, and “MIT” is being used
to identify the group of all of them.
So, no.
|
|
I think @jonathantneal and the whole dev community (including me) do not see it like this. |
|
https://www.iusmentis.com/computerprograms/opensourcesoftware/license-notices-web-applications/ A reference to the license is still ok. Like I wrote. https://unpkg.com/react@16.8.2/umd/react.production.min.js As we do not ship the source but compiled files it is ok to reference to the license location. The generated MIT license on GitHub and on other platforms is always identical except the owner name and year differ. Modifying a license text makes it a whole different license. What you propose is not practical and would not make any change when we use minifiers which strip comments. |
|
https://code.jquery.com/jquery-3.3.1.min.js Good luck opening an issue in every JS / CSS project and so on. |
|
Daniel Ruf dixit:
I think @jonathantneal and the whole dev communjfy do not see it like this.
Can you read?
What exactly in “this permission notice shall be included in all copies”
do you not understand?
|
So you deliver all this data to the client? Great for the performance. This is still not the sourcecode, the repo is and has the license file. |
|
I can read and what you propose is very unlikely to happen (in almost all projects). Same for font files, they have metadata which includes a reference to the full license, not the full license. Otherwise we would have huge assets. |
Notices like license headers are common which refer to the location of the full license text. http://kendo.cdn.telerik.com/2019.1.115/js/kendo.all.min.js I still see no issue here. |
|
Please just include whatever our projects do in whatever the ways our projects do them. In normalize.css, the reference is pretty short: /*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */Thanks! I certify this or whatever as a co-creator of normalize.css and as one who helped published some of the more recent releases. Seriously, I’d have licensed it CC0 if I knew what a pain in the neck licensing can be. What’s done is done. I won’t have more to add to this thread, and I have nothing but love and respect for you all. If Nic has anything more to add, please follow his lead. Pardon me if I peace out ✌️ |
|
Daniel Ruf dixit:
So you deliver all this data to the client? Great for the performance.
It does not need to be in the same file. But, when you aggregate,
you must make sure that the aggregate ships it. When you aggregate
naïvely (i.e. just concatenating minified files, then shipping that)
you violate the licence.
The body of the licence must be included with all copies. Fine, put
it into a LICENCE.txt file or something.
The copyright notices must be included. These should fit into the
minified files, together with a pointer to the external file with
the licence bodies.
But, both must be distributed, and when aggregated into a downstream,
aggregated into their files (again, not necessarily in the same file).
What I do, in that project, is to (manually) aggregate all the notices
and licences of all dependencies we ship and put them into a large
LICENCE.txt file (plus separate text files for the big licences, like
Apache or LGPL or Creative Commons). Then I point to that file every‐
where *and* make sure it is always included. (That’s crucial.)
Jonathan Neal dixit:
projects do them. In normalize.css, the reference is pretty short:
```css
/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
This does not reproduce the author’s copyright either. And, in
tachyons-sass, the licence is lost, too.
|
During swagger-api/swagger-ui#5042 I found out that tachyons embeds code from https://github.com/necolas/normalize.css/ without reproducing its copyright statement and full licence terms, as required by the MIT licence.
The source code simply has https://github.com/tachyons-css/tachyons-sass/blob/master/tachyons.scss#L28 so https://github.com/tachyons-css/tachyons-sass/blob/master/license better be changed to reproduce https://github.com/necolas/normalize.css/blob/master/LICENSE.md in full.
However (see the swagger-ui-dist issue above) this is also a problem for your downstreams. The generated CSS file distributed from your NPM module contains necolas/normalize.css code without its full licence terms and statements. A method of aggregation would be best, or perhaps embed it into the generated CSS (even though that would kinda defeat minification).
The text was updated successfully, but these errors were encountered: