finos / FDC3

An open standard for the financial desktop.
https://fdc3.finos.org

Don't bundle CSL license file into FDC3 NPM module #1209

Open kriswest opened 6 months ago

kriswest commented 6 months ago

The CSL license file is being bundled into the FDC3 NPM module. The CSL governs the Standard and its documentation, but any software or source code (i.e. what the NPM module contains) is distributed under Apache 2.0 instead.

While the package.json's license field indicates Apache-2.0, CI tools that inspect the module (such as JFrog Xray https://jfrog.com/help/r/jfrog-security-documentation/managing-compliance-licenses) will pick up the embedded license and may make it more difficult for firms to onboard the library, unnecessarily.

Update the build and re-release the module without bundling the CSL license files (License.md - License.spdx can remain as it indicates Apache-2.0).

@bingenito @robmoffat

wang-wayne commented 4 months ago

I will work on this issue.

robmoffat commented 4 months ago

Hi @wang-wayne,

We'd love your help! There is a wider piece of work going on in the FDC3 world around https://github.com/finos-labs/fdc3-for-the-web, which we are going to merge back into the main FDC3 project.

As we do that, we're going to adopt a "monorepo" approach, which I feel this CSL issue is definitely related to.

If you are interested in helping out with that wider piece of work, drop me a mail at rob.moffat@finos.org because I think I'm going to need to set up a meeting on this to try and make sure we do it properly.

thanks!

wang-wayne commented 4 months ago

I thought I just needed to exclude the license files when running webpack. I don't have experience with monorepo. I'm sorry I couldn't be more helpful.

kriswest commented 4 months ago

As far as we can tell, you can't just exclude the LICENSE.md file, so it's a case of restructuring the repo to separate the software distribution (which is under the Apache 2.0 license) from the Standard's documentation (which is under the CSL).

robmoffat commented 4 months ago

looping @Lecss