digitalbazaar / forge

A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps
https://digitalbazaar.com/
Other

Consistent Header Licensing #382

Open Lomilar opened 8 years ago

Lomilar commented 8 years ago

Hi,

We have an open source project that is using the Forge library for cryptography, and one of our contributors pointed out that the preamble copyright and license declarations in the code files for Forge libraries are rather inconsistent and do not always refer to the license.

I have narrowed our use to the forge.min.js, jsbn.js and prime.worker.js, however:

- prime.worker.js simply refers to an authorship and copyright notice.
- jsbn.js is a separate license (cited in the preamble) -- This one is OK.
- forge.min.js (being a minified file) does not include a preamble or any information about the license.

There are several other files with inconsistent preambles as well.

We greatly enjoy the use of the Forge library and would like to assure our contributors and users that the use of our project does not carry any unnecessary legal burden due to possible misunderstandings.

Thanks!

davidlehn commented 8 years ago

Yes, not all the files have consistent headers. This project grew over time and that hasn't been cleaned up. What info would you like to see in the files? Files that are just from forge won't be hard to fix up. Files that have various authors or the code came from elsewhere are a little harder to deal with. It would be good to have this all be clearer, I'm just not sure how best to do so.

As far as forge.min.js, it gets tricky since that's all the files together. There is a requirejs option to add the first comment block to the output. As it is now that makes a huge mess since many files have large docs that get included. That can be fixed by breaking up the first comment block. But then you get every file's header all at the front of the min.js code. They say this also breaks source maps. The suggested option of using @license annotations didn't work for me.

Lomilar commented 8 years ago

Many people have all sorts of opinions about what should be in the code file preamble, but for BSD I'm going to suggest from the following site:

https://opensource.org/licenses/BSD-3-Clause

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

The best reason I have heard is that "Code often gets separated from its project, so including the preamble in every file is good for your users, as it prevents them from having to track down the license for every file when license audit time comes around."

The jQuery min has a one-liner at the top which refers to the license on the web, and that seems okay. I have no issues switching to the forge.bundle.js, since minifying other people's licenses is a strange situation to be in. (Maybe link to your NOTICE file and cite all the other licenses there? It's a lot of work.)