swagger-ui-dist violates the licence of about seven dozen packages #5042
swagger-ui-dist redistributes just minified ECMAscript and CSS, without listing (or even honouring!) their licences. Most of them don’t even require source code redistribution, just listing.
I’ve tried to unearth the list of files that actually go into the three .js and one .css file. I found that tachyons upstream similarly violates the licence of one package (necolas/normalize.css). I tracked webpack’s “buildins”[sic!], too. I’ve done this once for 3.20.0 and, honestly, with to never have to do this again. There’s no automated way either, this is over half a day of manual hard work from a person experienced with licence analysis and archæology. (Not kidding.) I really wish to not have to ever see any NPM package again, that is, having the unthanking job of licence head honcho. I’m nice enough to share my final findings. No warranties for this, YMMV, or I may have made a human mistake. Do note that the result is utterly version-specific; a change in a minor version of a transitive dependency may invalidate this if they switch licences.
swagger-ui-dist-LICENCE.txt
Honestly, you should get this into order upstream. You’re in danger of being sued over licence violations from some big names. Without this, embedding swagger-ui in any project is inviting danger.
Comments
For the CSS part I’d suggest just listing them manually. As far as I can tell, CSS is only Swagger’s own, Tachyon (as dependency), and necolas/normalize.css (embedded into Tachyon), and due to tachyons-css/tachyons-sass#34 you won’t be able to auto-detect the latter anyway. Also, as far as I can tell, the licences of all involved components all do not require shipping the source code of the dependencies alongside. The Apache 2.0 licence does require also shipping the NOTICE text file (but none of them has one currently), so I believe that shipping the listed copyright statements and licence bodies (i.e. the content of the file I uploaded, plus (perhaps in separate files?) the Apache 2.0 and the MPL 2.0 licences) should be enough. However, updating this list is a hassle anyway. I’d suggest to check that whatever tool you use to analyse your (direct and transitive) dependencies outputs the same list as I have found in the file I attached (and please do tell me if I missed anything), and then ensure updates are tracked. If your tool does not find something I found, manual investigation is necessary. I based most of my findings on Thanks for considering!
Thanks for the followup here @mirabilos - I meant to comment after I submitted my PR.... Seriously thank you for the effort here. I know that license investigation sucks. As an open-source project, we rely in large part on the contributions of users, and you've really shown up to fill that need here. I'll be manually reviewing the tool output to make sure it's not missing anything that you listed. As for the licenses that don't require shipping with the build - I'd rather play it safe and include everything we can pick up, than to have something change from under us and possibly be out of compliance.
You’re welcome, and thank you for being so understanding — most upstreams, especially GitHub and the fast-moving “modern” world (javascript, ruby, …) aren’t. With “require shipping” I meant source code. Some licences, such as the GNU GPL, would require you to ship the sources of (all (GPL) or some (LGPL)) of your dependencies together with the minified artefacts. To the best of my knowledge and research, none of the ones used do, though. Shipping the copyright statements is always, shipping the licences themselves almost always required. (That’s the file I attached plus the Apache 2 and MPL 2 licence documents.) Some licences like Apache 2 also require shipping notices, but your upstreams (currently, and TTBOMK) don’t have any extra notices to ship. (That means just shipping all those licences and copyright notices should suffice.)
Closing issue. Work already completed. In addition, we now have a script to run license checks