Yarn2nix-moretea is GPL-3.0 licensed, should be MIT

[adisbladis]

Describe the bug

Problem

All expressions in nixpkgs are supposed to be MIT licensed, but yarn2nix-moretea is licensed under GPL-3.0.

yarn2nix-moretea as an externally developed project under different licensing terms that we use for nixpkgs.
It was merged into nixpgks in #108138 without the license being changed to MIT or a compatible license.

Impact

Every package using mkYarnPackage is using improperly licensed expressions, which at the time of writing looks to be a bit more than 25 packages.

Solution

I have two proposed solutions, neither of which are particularly appealing:

1. Re-license yarn2nix-moretea under MIT

This would require assembling relicensing signatures from all existing yarn2nix authors which include both contributors when it was in nix-community & in nixpkgs.
It's gonna take some time and keep us in license non-compliance in the mean time.

2. Drop yarn2nix, migrate packages to something else

The newly added yarnBuildHook looks like a good contender as pointed out by @SuperSandro2000 in chat.

CC

CCing authors and other relevant parties

• @zimbatm
• @moretea
• @Lassulus

---

Add a 👍 reaction to issues you find important.

[emilazy]

Just to repeat what I said on Matrix, if we can’t figure out something better in a few days I will open a relicensing issue and start the work of pinging all the contributors. Reimplementing it sounds nice, but I suspect it would take quite a while given the speed at which Nixpkgs language ecosystems tend to move.

[SuperSandro2000]

yarn2nix can be easily misused and trigger IFD. I think too that in the long run we should replace it.

Maybe yarnBuildHook/yarnConfigHook from #318015 are already enough and the package can easily be migrated?

[emilazy]

(Nixpkgs potentially actually being GPLv3 is very much a bug IMO.)

Migration is all well and good, but we probably ought to try to relicense anyway: we can’t change old revisions of Nixpkgs and it’s not good for multiple years of Nixpkgs history to be under unclear licensing conditions.

[Lassulus]

I guess re-licensing is the better way for now? We can ping all the contributors, from a glance I read most of the names before.

[emilazy]

Yes, I think we should probably at least try. I will open a new GitHub issue for it today so that we can discuss here without it getting bogged down in rote responses.

[emilazy]

Okay, here we go I guess: #334374

[WilliButz]

Oof, thank you @emilazy for trying to clean up that mess.
I just got the notification from the tracking issue and I feel that a big portion of any blame should go towards my direction because of the introduction in #60429, rather than #108138
While I (try to) put a lot more thought into licenses today, it didn't cross my mind back then that vendoring with the included license could have such implications.

[emilazy]

No worries @WilliButz – thanks for trying to improve the Node packaging situation in Nixpkgs and for your quick reply to the ping! This is an institutional failure IMO, and I think that it would have been caught before merge these days.

[dotlambda]

@petabyteboy (GitHub account is gone; will try to follow up via email unless anyone knows other current contact information)

https://discourse.nixos.org/u/petabyteboy seems still active. It might be worth posting the same as #334374 on Discourse if you want people's replies to be public (unlike with email).