Seek legal advice on LICENSE and copyright blocks in code #3979

Closed
rvagg opened this issue Nov 23, 2015 · 15 comments
Labels
meta Issues and PRs related to the general management of the project.

Comments

@rvagg
Member

rvagg commented Nov 23, 2015

ref https://github.com/nodejs/node/pull/3965/files#r45569502

also #3926

I propose that the CTC formally ask the Foundation to spend some Legal resources on the question of how we ought to shape our LICENSE file and what should be done with the copyright blocks in code—is it OK for us to have removed them? Do we need anything extra in place? Can we remove the remaining ones that still exist (for individuals and a couple of companies)? etc.


Update 2016-02-01: Provide feedback to #5021 when we have it

@mscdex mscdex added the meta Issues and PRs related to the general management of the project. label Nov 23, 2015
@mikeal
Contributor

mikeal commented Nov 24, 2015

Before we ask for legal resources we should run some open source compliance testing, that should point out all the biggest discrepancies.

http://www.fossology.org/projects/fossology

@mikeal
Contributor

mikeal commented Nov 24, 2015

Also, the LF's compliance people are likely to first point us at Fossology since it's hosted at the LF and they've contributed to it :)

@rvagg
Member Author

rvagg commented Nov 24, 2015

Also need to update src/res/node.rc when we figure out copyright information for v0.12 and v0.10.

@richardlau
Member

Not entirely sure if this belongs here or a separate issue.

The current LICENSE file doesn't list libuv as an "externally maintained" library:
https://github.com/nodejs/node/blob/master/LICENSE

libuv's LICENSE file calls out externally maintained libraries that it uses which I would expect to also see listed in Node's LICENSE:
https://github.com/nodejs/node/blob/master/deps/uv/LICENSE

@rvagg
Member Author

rvagg commented Nov 30, 2015

Thanks @richardlau, that's within scope of this discussion, I'll make sure it's on the list.

I'd also like to include the questions raised in #3959 regarding npm's licensing and how we should respond to those concerns—if we should respond at all. I'm not keen to see more arguing on GitHub of these issues without proper legal input from those representing Foundation interests.

I'll try and put together a full proposal in this thread for the CTC to sign off on at the next meeting if it agrees to go ahead.

@isaacs
Contributor

isaacs commented Nov 30, 2015

> I'd also like to include the questions raised in #3959 regarding npm's licensing and how we should respond to those concerns—if we should respond at all. I'm not keen to see more arguing on GitHub of these issues without proper legal input from those representing Foundation interests.

I could not possibly agree more. Lots of amateur lawyering going on here, which really doesn't serve anyone's interest.

@Martii

Martii commented Nov 30, 2015

@isaacs
Neither does "amateur" licensing/relicensing and being snarky about replies in other issues. Everyone is being agreeable and is abiding by multiple codes of conduct ... it would be helpful if this was done by all the maintainers as well. Don't assume that all developers don't know what they are talking about... it only makes those statements from you look bad and ruins your project's credibility... which serves no one. Your team dug this issue's grave, got caught, and it's up to them how to plan to resolve it and node should take their corresponding appropriate action. I believe that @scriptjs has been more than appropriate in discussing that issue and I am currently building a level of respect for his initiative... time will tell for yours.

As your (team's) attorney has pointed out, attorney-to-attorney communication is probably required to resolve this... and that's a professional result experienced from my litigation in the past. My attorneys and situations in the past and present give some precedence on this and I would hope that npm would be willing to mitigate this with a good faith effort. node is responsible for distributing this as a package so they should take action lest someone does a TDN and/or CERT on npm for FOSS violations... we all do not want that. Regardless of whether or not it's considered "upstream" it's a separate package that can be removed... even if it's considered "integral" to getting things started.

npm should be an optional install as the compromise imho... as I pointed out on the other issue it may have to go away manually because all of my Organizations and Corporate entities may officially rescind any implied compliance with altered FOSS licensing especially on licensing that isn't OSI approved. I think it would be a fantastic move to write a short routine to ask end-users what packaging handler they want to use.

In short, please be courteous and civil. Perhaps you should look into Robert's Rules of Order and Conduct for giving good faith efforts. :) I would prefer some compromise that helps the eco-system of node rather than a hindrance. A mentor and colleague of mine simplified the differences between node and io.js quite simply when they remerged... they "kissed and made up"... perhaps this is what needs to be done here.

> I'll try and put together a full proposal in this thread for the CTC to sign off on at the next meeting if it agrees to go ahead.

I look forward to this. :)

@rvagg
Member Author

rvagg commented Dec 2, 2015

Oh my .. tried getting fossology going but it's a beast. Linux only, 23 .debs in its Ubuntu binary download, I gave up when those debs started installing postgresql and other major dependencies. That's no handy little utility and the documentation doesn't really make it clear what value I'd be getting for such high cost.

@rvagg
Member Author

rvagg commented Dec 2, 2015

OK, this has been tough to put into clear words and difficult to fully grok the nature of the concerns raised in #3959 and pick apart what we are being asked to care about and what is not Foundation business.

The writeup which I'm proposing we submit to the Foundation Board contains a short summary and extended details for context and clarification: https://gist.github.com/rvagg/e60c533e4caaace44a12 I'm happy to bikeshed around the contents but I'd really like to get this done for the board meeting next week. I expect that most value will come from discussion during the CTC meeting tomorrow, particularly with those who have been involved in the #3959 discussion.

The summary is:


Request for legal advice from the Node.js Foundation CTC to the Board

  1. Advice on appropriate LICENSE file format
  2. Advice on copyright and license blocks at the head of source files
  3. Advice on npm licensing given that the npm client is bundled with Node.js source and binary downloads:

    a. Are there any legal concerns arising from the npm client's new license (https://github.com/npm/npm/blob/master/LICENSE) that will eventually be included in all Node.js release lines.

    b. Are there any legal concerns arising from the license as it exists in all current Node.js releases and has existed in the same approximate form since Node.js v0.10.31—specifically: the modification of the Artistic License to include additional terms, the additional terms themselves, and the extension of terms to arbitrarily updatable terms on the npm website.

    c. Are there any actions or statements the Foundation needs to make resulting from any concerns that may exist.

The first two are just things I'd really like to get proper legal input on because we've had so much pseudo-legal discussion on the matters and have not accepted proper outside input (e.g. I attempted to provide input from our legal counsel at NodeSource when we removed the copyright blocks but that was ignored at the time). So we need solid answers so we can stop arguing as if we're authorities on these matters.

The last one is obviously much more nuanced and IMO is mainly focused on ensuring that community concerns are taken into account and dealt with appropriately. It's unfortunate #3959 has even lowered to the level of threats of legal action against the Foundation and I'd like to see that we take appropriate action to ensure that we've done right by the community and answer the concerns and accusations being made where they are ours to answer.

@rvagg
Member Author

rvagg commented Dec 5, 2015

https://www.dropbox.com/s/9y8tn88aalevoqe/TSC-Legal-Request.pdf?dl=0 is what we've put together to submit to the Foundation board which meets next week. From there it may be passed on to the Foundation Legal Committee but it's in the Board's hands. We're looking for help on 3 items, the last one of which is some oversight on the npm licensing issues. The CTC may have opinions on the state and resolution of the matters but without the proper qualifications we're going to leave it to the board to ensure that any required action is taken, if there is any action to be taken at all. We believe that we've passed enough contextual information on the matters as is required for legal professionals to be able to follow it through appropriately.

@rvagg
Member Author

rvagg commented Feb 14, 2016

Additional questions in the same area:

I'll try and make sure we get satisfactory answers to these as part of the same process.

@ChALkeR
Member

ChALkeR commented Apr 6, 2016

npm/npm#12187 got closed, with a statement that it's a Node.js bug for some reason.

What can we do about the npm license in older versions? 0.10/0.12/4.x still have that clause that caused #3959, see #3959 (comment).

@ChALkeR
Member

ChALkeR commented Apr 13, 2016

https://github.com/nodejs/node/blob/v4.x/LICENSE#L920-L924:

Additional policies relating to, and restrictions on use of, npm products and
services are available on the npm website. All such policies and restrictions,
as updated from time to time, are hereby incorporated into this license
agreement. By using npm, you acknowledge your agreement to all such policies
and restrictions.

This is still present in our 4.x branch.

@rvagg
Member Author

rvagg commented Aug 24, 2016

removed from agenda due to lack of movement, I still have to poke the legal committee for action on this

@targos
Member

targos commented Jan 9, 2017

Moved to nodejs/TSC#174

@targos targos closed this as completed Jan 9, 2017