biojs / biojs3

Draft of BioJS 3: Web components
BSD 3-Clause "New" or "Revised" License

Can we enforce a single license for all components? #5

Open wilzbach opened 9 years ago

wilzbach commented 9 years ago

Feedback from the industry session at the 1st BioJS conference showed that licensing is a key problem for companies. Ideally, only a single, very permissive license (like BSD or MIT) should be chosen and be a requirement for all submitted components, as for them it is very important to restrict access to the modified source code. See also permissive free software licence (aka non-copyleft license) on Wikipedia.

Open questions:

1) Are there many authors who wouldn't be able to submit their code because of their company's/university's policy? (e.g. they are only allowed to share their code with GPL)
2) Is it still possible to include dependencies which aren't licensed under the chosen license (many modules are MIT)?
3) Can we enforce authors not to include dependencies with incompatible licenses (e.g. GPL)?
4) Should we use MIT, BSD or Apache 2 as project license?

wilzbach commented 9 years ago

2) AFAIK (I am not a lawyer) if we choose BSD as project license, we can use dependencies with at least the following licenses: Apache 2, MIT

benediktrauscher commented 9 years ago

Prohibiting dependencies that are not licensed appropriately sounds very restrictive and may stop people from contributing, don't you think?

wilzbach commented 9 years ago

> Prohibiting dependencies that are not licensed appropriately sounds very restrictive and may stop people from contributing, don't you think?

Yes I do agree, but where is the value of the contribution if our userbase can't use the contribution due to license restrictions?

BTW the most depended-upon packages on npm all have permissive licenses (MIT, BSD, ISC, Apache 2) - so I think this is more an edge case question.

We could also say that everything under the BioJS organization must be license X (or compatible with it) and on the registry we show a traffic light depending on the licenses of the component's dependencies (green: usable for companies, orange: usable for open research, red: no information found etc.).

mhelvens commented 9 years ago

Like in #3, I must repeat: It's not productive to enforce anything. You're going to exclude ¾th of potential contributors. Rather, make recommendations and allow the registry to be filtered by licence. Even nicer: allow the registry to be filtered by license type and/or compatibility.