
swagger-ui-dist violates the licence of about seven dozen packages #5042

Closed
mirabilos opened this issue Nov 22, 2018 · 4 comments

Comments

@mirabilos
Contributor

swagger-ui-dist redistributes just minified ECMAscript and CSS, without listing (or even honouring!) their licences. Most of them don’t even require source code redistribution, just listing.

I’ve tried to unearth the list of files that actually go into the three .js and one .css file. I found that tachyons upstream similarly violates the licence of one package (necolas/normalize.css). I tracked webpack’s “buildins”[sic!], too. I’ve done this once for 3.20.0 and, honestly, wish to never have to do this again. There’s no automated way either; this is over half a day of manual hard work from a person experienced with licence analysis and archæology. (Not kidding.) I really wish to not have to ever see any NPM package again, that is, having the thankless job of licence head honcho.

I’m nice enough to share my final findings. No warranties for this, YMMV, or I may have made a human mistake. Do note that the result is utterly version-specific; a change in a minor version of a transitive dependency may invalidate this if they switch licences.

swagger-ui-dist-LICENCE.txt

Honestly, you should get this into order upstream. You’re in danger of being sued over licence violations from some big names. Without this, embedding swagger-ui in any project is inviting danger.

@mirabilos
Contributor Author

For the CSS part I’d suggest just listing them manually. As far as I can tell, CSS is only Swagger’s own, Tachyon (as dependency), and necolas/normalize.css (embedded into Tachyon), and due to tachyons-css/tachyons-sass#34 you won’t be able to auto-detect the latter anyway.

Also, as far as I can tell, the licences of all involved components do not require shipping the source code of the dependencies alongside. The Apache 2.0 licence does require also shipping the NOTICE text file (but none of them has one currently), so I believe that shipping the listed copyright statements and licence bodies (i.e. the content of the file I uploaded, plus (perhaps in separate files?) the Apache 2.0 and the MPL 2.0 licences) should be enough.

However, updating this list is a hassle anyway. I’d suggest checking that whatever tool you use to analyse your (direct and transitive) dependencies outputs the same list as I have found in the file I attached (and please do tell me if I missed anything), and then ensuring updates are tracked. If your tool does not find something I found, manual investigation is necessary. I based most of my findings on webpack --profile --json on all three webpack config files plus quite some amount of manual investigation. (Not all upstreams ship their licences in a sensible or meaningful way.)

Thanks for considering!

@shockey
Contributor

shockey commented Nov 23, 2018

Thanks for the followup here @mirabilos - I meant to comment after I submitted my PR....

Seriously thank you for the effort here. I know that license investigation sucks. As an open-source project, we rely in large part on the contributions of users, and you've really shown up to fill that need here.

I'll be manually reviewing the tool output to make sure it's not missing anything that you listed. As for the licenses that don't require shipping with the build - I'd rather play it safe and include everything we can pick up, than to have something change from under us and possibly be out of compliance.

@mirabilos
Contributor Author

You’re welcome, and thank you for being so understanding — most upstreams, especially GitHub and the fast-moving “modern” world (javascript, ruby, …) aren’t.

With “require shipping” I meant source code. Some licences, such as the GNU GPL, would require you to ship the sources of (all (GPL) or some (LGPL)) of your dependencies together with the minified artefacts. To the best of my knowledge and research, none of the ones used do, though.

Shipping the copyright statements is always, shipping the licences themselves almost always required. (That’s the file I attached plus the Apache 2 and MPL 2 licence documents.)

Some licences like Apache 2 also require shipping notices, but your upstreams (currently, and TTBOMK) don’t have any extra notices to ship. (That means just shipping all those licences and copyright notices should suffice.)

@tim-lai
Contributor

tim-lai commented Jun 10, 2020

Closing issue. Work already completed. In addition, we now have a script to run license checks: npm run deps-license

@tim-lai tim-lai closed this as completed Jun 10, 2020
@frantuma frantuma added this to the M3 milestone Jun 17, 2020