Seek legal advice on LICENSE and copyright blocks in code #3979
Comments
Before we ask for legal resources we should run some open source compliance testing, that should point out all the biggest discrepancies.
Also, the LF's compliance people are likely to first point us at Fossology since it's hosted at the LF and they've contributed to it :)
Also need to update src/res/node.rc when we figure out copyright information for v0.12 and v0.10.
Not entirely sure if this belongs here or a separate issue. The current LICENSE file doesn't list libuv as an "externally maintained" library: libuv's LICENSE file calls out externally maintained libraries that it uses which I would expect to also see listed in Node's LICENSE:
Thanks @richardlau, that's within scope of this discussion, I'll make sure it's on the list. I'd also like to include the questions raised in #3959 regarding npm's licensing and how we should respond to those concerns—if we should respond at all. I'm not keen to see more arguing on GitHub of these issues without proper legal input from those representing Foundation interests. I'll try and put together a full proposal in this thread for the CTC to sign off on at the next meeting if it agrees to go ahead.
I could not possibly agree more. Lots of amateur lawyering going on here, which really doesn't serve anyone's interest.
@isaacs As your (team's) attorney has pointed out attorney to attorney communication is probably required to resolve this... and that's a professional result experienced from my litigation in the past. My attorneys and situations in the past and present give some precedence on this and I would hope that npm would be willing to mitigate this with a good faith effort. node is responsible for distributing this as a package so they should take action lest someone does a TDN and/or CERT on npm for FOSS violations... we all do not want that. Regardless of whether or not it's considered "upstream" it's a separate package that can be removed... even if it's considered "integral" to getting things started. npm should be an optional install as the compromise imho... as I pointed out on the other issue it may have to go away manually because all of my Organizations and Corporate entities may officially rescind any implied compliance with altered FOSS licensing especially on licensing that isn't OSI approved. I think it would be a fantastic move to write a short routine to ask end-users what packaging handler they want to use. In short please be courteous and civil. Perhaps you should look into Robert's Rules of Order and Conduct for giving good faith efforts. :) I would prefer some compromise that helps the eco-system of node rather than a hindrance. A mentor and colleague of mine simplified the differences between node and io.js quite simply when they remerged... they "kissed and made up"... perhaps this is what needs to be done here.
I look forward to this. :)
Oh my .. tried getting fossology going but it's a beast. Linux only, 23 .debs in its Ubuntu binary download, I gave up when those debs started installing postgresql and other major dependencies. That's no handy little utility and the documentation doesn't really make it clear what value I'd be getting for such high cost.
OK, this has been tough to put into clear words and difficult to fully grok the nature of the concerns raised in #3959 and pick apart what we are being asked to care about and what is not Foundation business. The writeup which I'm proposing we submit to the Foundation Board contains a short summary and extended details for context and clarification: https://gist.github.com/rvagg/e60c533e4caaace44a12 I'm happy to bikeshed around the contents but I'd really like to get this done for the board meeting next week. I expect that most value will come from discussion during the CTC meeting tomorrow, particularly with those who have been involved in the #3959 discussion. The summary is: Request for legal advice from the Node.js Foundation CTC to the Board
The first two are just things I'd really like to get proper legal input on because we've had so much pseudo-legal discussion on the matters and have not accepted proper outside input (e.g. I attempted to provide input from our legal counsel at NodeSource when we removed the copyright blocks but that was ignored at the time). So we need solid answers so we can stop arguing as if we're authorities on these matters. The last one is obviously much more nuanced and IMO is mainly focused on ensuring that community concerns are taken into account and dealt with appropriately. It's unfortunate #3959 has even lowered to the level of threats of legal action against the Foundation and I'd like to see that we take appropriate action to ensure that we've done right by the community and answer the concerns and accusations being made where they are ours to answer.
https://www.dropbox.com/s/9y8tn88aalevoqe/TSC-Legal-Request.pdf?dl=0 is what we've put together to submit to the Foundation board which meets next week. From there it may be passed on to the Foundation Legal Committee but it's in the Board's hands. We're looking for help on 3 items, the last one of which is some oversight on the npm licensing issues. The CTC may have opinions on the state and resolution of the matters but without the proper qualifications we're going to leave it to the board to ensure that any required action is taken, if there is any action to be taken at all. We believe that we've passed enough contextual information on the matters as is required for legal professionals to be able to follow it through appropriately.
Additional questions in the same area:
I'll try and make sure we get satisfactory answers to these as part of the same process.
npm/npm#12187 got closed, with a statement that it's a Node.js bug for some reason. What can we do about the npm license in older versions? 0.10/0.12/4.x still have that clause that caused #3959, see #3959 (comment).
https://github.com/nodejs/node/blob/v4.x/LICENSE#L920-L924:
This is still present in our 4.x branch.
removed from agenda due to lack of movement, I still have to poke the legal committee for action on this
Moved to nodejs/TSC#174
ref https://github.com/nodejs/node/pull/3965/files#r45569502
also #3926
I propose that the CTC formally ask the Foundation to spend some Legal resources on the question of how we ought to shape our LICENSE file and what should be done with the copyright blocks in code—is it OK for us to have removed them? Do we need anything extra in place? Can we remove the remaining ones that still exist (for individuals and a couple of companies)? etc.
Update 2016-02-01: Provide feedback to #5021 when we have it