sindresorhus / ama

[[I'm slow at replying these days, but I hope to get back to answering questions eventually]] Ask me anything!
https://blog.sindresorhus.com/answering-anything-678ce5623798

How is it possible some of your packages are distributed without a license? #537

Closed honzajavorek closed 6 years ago

honzajavorek commented 6 years ago

Basically all your packages contain a license file. It is usually lowercased and it usually contains an MIT license. However, many of your packages do not include the license in their npm distribution, although the file is present in the GitHub repository.

First, this is a problem, as effectively the npm package code is distributed unlicensed and cannot be used anywhere (where they care about licenses). It needs to be distributed with a full license text attached.

Second, I couldn't figure out how it can happen. I think not including the license file is just a mistake, not an intention, especially given that some other packages of yours are correctly distributed with the license file inside. There's no `.npmignore` file or anything else which should prevent the file from getting into the final tarball before publishing to npm, but still, it isn't there. To me, it's a mystery how it's possible the license file doesn't get packaged and uploaded to npm.

One example: https://github.com/sindresorhus/is-path-cwd

honzajavorek commented 6 years ago

I've made an analysis. I took all packages listed at https://www.npmjs.com/~sindresorhus, tried to install them, and detected whether they have a license on GitHub and whether they have the license attached to the resulting npm package distribution.

I'm attaching my dirty Python script I wrote to do the analysis, as well as the results of the analysis.

check.py sindresorhus-analysis.txt sindresorhus-packages.txt


Rowno commented 6 years ago

FYI, the package.json still specifies the license: https://github.com/sindresorhus/is-path-cwd/blob/master/package.json#L5

sonicdoe commented 6 years ago

@sindresorhus specifies a package’s files using the `files` array in `package.json`. Nowadays, npm always includes the license file but this hasn’t always been the case: see https://github.com/npm/npm/issues/5529 for the original feature request in 2014 and https://github.com/npm/npm/issues/12564 for a bug report in 2016.

I’m guessing the packages missing the license files have been published with a version of npm that did not include this feature (or which included the aforementioned bug).
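The failure mode sonicdoe describes is invisible from `package.json` alone: the `license` field can say `MIT` while the tarball that npm actually ships carries no license text. The check below is an added example, written for this thread; it is not the `check.py` attached above and not code from any sindresorhus package. It inspects a tarball such as the one `npm pack` produces, assumes the standard npm layout (a gzipped tar whose members sit under a top-level `package/` directory), and reports both the declared license and the license files really present. The two tarballs at the bottom are constructed fixtures standing in for a package published with and without its license file.

```python
"""Audit an npm tarball (e.g. the output of `npm pack`) for license text.

Added example; not the check.py attached above and not code from any
sindresorhus package. Assumes the standard npm tarball layout: a gzipped
tar whose members all live under the top-level directory `package/`.
"""
import io
import json
import re
import tarfile
from typing import Dict

# Case-insensitive match for the top-level file names that carry license text.
LICENSE_NAME = re.compile(r"^(license|licence|copying)(\.[a-z]+)?$", re.IGNORECASE)


def audit_tarball(data: bytes) -> Dict[str, object]:
    """Return the `license` field from package.json and the license files shipped.

    `data` is the raw bytes of the .tgz. `ok` is True only when at least one
    license file is present in the tarball; the `license` field alone does not
    put the license text into the distribution.
    """
    result = {"license_field": None, "license_files": [], "members": [], "ok": False}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Strip the leading `package/` so names are relative to the package root.
            name = member.name.split("/", 1)[1] if "/" in member.name else member.name
            result["members"].append(name)
            if name == "package.json":
                pkg = json.load(tar.extractfile(member))
                result["license_field"] = pkg.get("license")
            elif LICENSE_NAME.match(name):
                result["license_files"].append(name)
    result["ok"] = bool(result["license_files"])
    return result


def audit_file(path: str) -> Dict[str, object]:
    """Audit a tarball on disk, e.g. `audit_file("example-pkg-1.0.0.tgz")`."""
    with open(path, "rb") as fh:
        return audit_tarball(fh.read())


def build_tarball(files: Dict[str, str]) -> bytes:
    """Build an npm-style tarball in memory from a {path: text} mapping.

    Constructed test fixture standing in for the output of `npm pack`.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name=f"package/{path}")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed package.json for a hypothetical package; `files` lists only index.js.
PKG_JSON = json.dumps({"name": "example-pkg", "version": "1.0.0", "license": "MIT",
                       "main": "index.js", "files": ["index.js"]})
INDEX_JS = "module.exports = () => true;\n"

# Constructed: what an npm that honoured `files` literally would ship.
MISSING = build_tarball({"package.json": PKG_JSON, "index.js": INDEX_JS})
# Constructed: the same package with its lowercased license file included.
COMPLETE = build_tarball({"package.json": PKG_JSON, "index.js": INDEX_JS,
                          "license": "MIT License\n\nCopyright (c) Example Author\n"})

if __name__ == "__main__":
    for label, blob in (("missing", MISSING), ("complete", COMPLETE)):
        r = audit_tarball(blob)
        verdict = "OK" if r["ok"] else "NO LICENSE FILE IN TARBALL"
        print(f"{label}: license field={r['license_field']!r} files={r['license_files']} -> {verdict}")
```

To run this against a real package, run `npm pack <name>` and pass the resulting `.tgz` path to `audit_file`. The check looks only at top-level file names, which is where npm places the license it auto-includes; a license buried in a subdirectory would be reported as missing.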

honzajavorek commented 6 years ago

@rowno That’s not legally sufficient - you really need to attach the full license text, and the copyright notice.

honzajavorek commented 6 years ago

@sonicdoe So that means when someone uses `files` and they do not specify the license there explicitly, it is excluded from the package? :scream:

I thought it could only happen with `.npmignore`. That’s actually terrible news.

honzajavorek commented 6 years ago

I mean, used to exclude, as you say it shouldn’t be the case anymore. But still. That means hundreds of code in npm is effectively unlicensed.

honzajavorek commented 6 years ago

I filed issues on projects with names beginning with is-. I don't want to be a PITA, but as many npm projects depend on these, they're transitively problematic regarding licensing and it causes problems for my projects. I'm open to helping resolve the issues as much as I can, as a contributor. Possibly, I'll be opening Pull Requests with the license added to `files` and with a patch version bump, so @sindresorhus isn't overwhelmed much by this issue.

sindresorhus commented 6 years ago

Thanks for reporting this, @honzajavorek. I'll get them all fixed soon.

sindresorhus commented 6 years ago

This was solved a long time ago but I forgot to comment back here.

I'm not involved in the Grunt project anymore, so I can't handle the grunt-contrib-* modules.