
Projects licensed MPL-2.0 includes go code #55

Closed
06kellyjac opened this issue Mar 12, 2021 · 1 comment

Comments

@06kellyjac

TL;DR: I'm not convinced MPL-2.0 actually requires a copy of source code when used as a library. It just being publicly available where you say it is looks like enough.


MPL-2.0 license FAQ

Q7: I want to distribute (outside my organization) complete and unchanged executable programs built from MPL-licensed software by someone other than me. What do I have to do?

As long as the people who distributed the program to you have complied with the MPL, typically nothing. To check and see if the people who distributed the program to you have complied with the MPL, look for the notice that tells you where the software is available in Source Code form (i.e., check that it complies with Section 3.2(a)), and then check that the Source Code is available in that place, including a notice that informs you that the Source Code is available under the terms of the MPL (i.e., check that it complies with Section 3.1).

Also not a lawyer, but that just sounds like if you have used some-library and you say it's from github.com/org/some-library (either in go.mod/go.sum or vendor or third_party/VENDOR-LICENSE), as long as the code is there (github.com/org/some-library) with an MPL license it meets the requirements.

https://www.npmjs.com/package/next-mdx-enhanced
next-mdx-enhanced (GitHub, NPM) is MPL-2.0 but I doubt that every project that depends on it is now required to commit their node_modules directory so the source is distributed with their code.
That's 2.6k uses in repos committed to GitHub alone.

Fossa are probably the most famous License Compliance company/service and their https://github.com/fossas/fossa-cli is apparently 13% MPL-2.0 + 25% MPL-2.0-no-copyleft-exception here, but they don't have any external source-code outside of their vendor dir. In fact they have deleted their vendor dir after https://github.com/fossas/fossa-cli/tree/v1.1.4 in https://github.com/fossas/fossa-cli/tree/v1.1.5

Even assuming MPL-2.0-no-copyleft-exception doesn't have the same source code requirement, that's 13% of their dependencies which would require the source code be included if that was the case.


Related tektoncd/cli#1307

@wlynch
Contributor

wlynch commented Jun 18, 2021

Closing this since I believe this is largely the same as #28 (if it's not, feel free to reopen this!). See #28 (comment) for some more discussion, but tl;dr - if you don't control the remote source, then you can't guarantee the source code used will be available. The easiest thing to do to ensure compliance is to vendor the code. As you mentioned, go mod vendor should be able to meet this requirement, so we could look into using that if present instead of copying the code ourselves.

@wlynch wlynch closed this as completed Jun 18, 2021