Project includes a dependency that has a license that forbids its use #3563

Closed
notbasetwo opened this issue Aug 18, 2021 · 13 comments · Fixed by #3570

notbasetwo commented Aug 18, 2021

Dapr depends on bouk/monkey, which has a license that forbids anybody to use it.

The license is as follows:

> Copyright Bouke van der Bijl
>
> I do not give anyone permissions to use this tool for any purpose. Don't use it.
>
> I’m not interested in changing this license. Please don’t ask.

The package seems to be used in pkg/components/standalone_loader_test.go.

RELEASE NOTE: N/A

@CodeMonkeyLeet
Contributor

Thanks for the heads up!

@yaron2 @artursouza this seems like it was introduced recently by PR #3158. Should this change be reverted?

@daixiang0
Member

Still need to consider adding a license checker in case this issue occurs again.

@yaron2
Member

yaron2 commented Aug 19, 2021

> Thanks for the heads up!
>
> @yaron2 @artursouza this seems like it was introduced recently by PR #3158. Should this change be reverted?

This is only used in the test (and thus not compiled and distributed in our binaries).

We should not revert the entire PR, just rewrite the test.

@yaron2
Member

yaron2 commented Aug 19, 2021

Also thanks for reporting @notbasetwo

artursouza added the area/test/unit, good first issue, kind/compliance, kind/devExperience, P1, size/XS and triaged/resolved labels on Aug 20, 2021
@mpldr

mpldr commented Aug 22, 2021

I mean, you could just use it before the license was added:
@89z

Nope, before the License, it's All rights reserved.

@Oppen

Oppen commented Aug 22, 2021

The T&C of GH imply you can use it due to the fact it's in a public repository. You would probably need to add it as a submodule just in case, because the terms say the grant applies when accessed via the GH service.

See clause 5:

> If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license.

Emphasis mine.

@StoneCypher

@Oppen - GH's terms of service do not override the library's license.

@notbasetwo
Author

> The T&C of GH imply you can use it due to the fact it's in a public repository. You would probably need to add it as a submodule just in case, because the terms say the grant applies when accessed via the GH service.
>
> See clause 5:
>
> > If you set your pages and repositories to be viewed publicly, you grant each User of GitHub a nonexclusive, worldwide license to use, display, and perform Your Content through the GitHub Service and to reproduce Your Content solely on GitHub as permitted through GitHub's functionality (for example, through forking). You may grant further rights if you adopt a license.
>
> Emphasis mine.

The keyphrase here is "through the GitHub Service". That doesn't give you permission to use it on your own machine. It gives you permission to eye up the repository.

There are no complicated legal matters here - this is proprietary software with a license that does not permit its usage. Even if on a technicality it may not stand up somewhere, it is also not in the spirit of FLOSS development to break the terms of a license.

@Oppen

Oppen commented Aug 22, 2021

> @Oppen - GH's terms of service do not override the library's license.

No, but the agreement grants special rights besides the license. It's essentially similar to dual licensing 🤷

> The keyphrase here is "through the GitHub Service". That doesn't give you permission to use it on your own machine.

That's true.

> it is also not in the spirit of FLOSS development to break the terms of a license

That's a completely different discussion.

@yaron2
Member

yaron2 commented Aug 23, 2021

Thanks for the participation everyone, this is now closed with #3570.

@marviniter
Contributor

I'm so sorry for neglecting to check the package license. Is there any way to auto check the license when pushing a PR? I found some license check tools like google/go-licenses @yaron2

artursouza added this to the v1.4 milestone on Aug 25, 2021
@artursouza
Member

> I'm so sorry for neglecting to check the package license. Is there any way to auto check the license when pushing a PR? I found some license check tools like google/go-licenses @yaron2

Please, create an issue with this proposal. I think it is interesting.

@marviniter
Contributor

> > I'm so sorry for neglecting to check the package license. Is there any way to auto check the license when pushing a PR? I found some license check tools like google/go-licenses @yaron2
>
> Please, create an issue with this proposal. I think it is interesting.

I have created the proposal issue #3591
