trailofbits / semgrep-rules

Semgrep queries developed by Trail of Bits.
GNU Affero General Public License v3.0

Consider a better choice of license? #30

Closed pombredanne closed 1 year ago

pombredanne commented 1 year ago

Hello! This is a neat set of rules, and I wanted to find out if you are really sure you want this to be "Attribution-NonCommercial-ShareAlike 4.0 International"? This is not even usable for open source projects. My 2 cents: any bona fide open source license would be awesome rather than this! Thanks for your kind consideration!

pombredanne commented 1 year ago

Just my 2 cents, but you also seem to use code from https://gobyexample.com/methods in https://github.com/trailofbits/semgrep-rules/blob/main/go/nil-check-after-call.go, which is under another license.

woodruffw commented 1 year ago

Thank you for raising this! I apologize if this wasn't clear, but this repository was intentionally not licensed under an OSS license.

That being said, I believe the terms of CC BY-NC-SA don't prohibit open source projects from using this work, so long as they abide by its terms: they may not use it for commercial purposes, but may otherwise use it so long as they share any changes they make under the same terms. This may exclude some open source projects (which isn't ideal, see the next paragraph), but it's similar in nature to the non-commercial clause that comes with sample software.

That being said as well, I agree that this license just isn't a good fit. I'm going to raise this internally and see if we can adjust it to something that still protects our interests while also being more compatible/less fraught.

> Just my 2 cents, but you also seem to use code from https://gobyexample.com/methods in https://github.com/trailofbits/semgrep-rules/blob/main/go/nil-check-after-call.go, which is under another license.

Thanks for pointing this out -- this looks like a mistake on our part (Go by Example is under a CC license that we thought was compatible, but it doesn't look like it is). I'll open a PR to clarify that the repository's license applies to the rules themselves, not the examples that accompany them.

woodruffw commented 1 year ago

Update: we discussed this internally, and came to the agreement that AGPLv3 would protect our interests here while also making the codebase more available to the larger OSS ecosystem.

I'll include that in the follow-up PR.

pombredanne commented 1 year ago

Thank you ++, this is perfect.

woodruffw commented 1 year ago

No problem, thank you as well for bringing it to our attention!