-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
more clarity on licence breaches #25
Conversation
This would aim to close #15 |
releasing.qmd
Outdated
@@ -54,7 +54,9 @@ If a package started its development on an internal git server, or a private rep | |||
|
|||
When discussing the open sourcing of a codebase, it is important to flag to internal counsel existing external projects, and the overlap of scope with the project you intend to release. | |||
|
|||
It is possible that decisions made before open sourcing could become a risk after open sourcing. As an example of a plausible scenario; a team need to implement a new function. This function exists in another GPL-3 copy left licenced project. To add that project would introduce multiple dependencies that aren't used by that particular function so a member of the team decides to copy the function into the package. One year later, the package is open sourced with the licence infringing code. Such an occurrence could be lessened by a Contributor Licence Agreement (CLA; see [the bot contributor-assistant](https://github.com/contributor-assistant/github-action) for an example of CLA automation). A CLA helps ensure that anyone contributing to a project acknowledges specific terms expected of contributions, like the contributions are novel code and the author will abide by the projects licence terms. In the absence of a CLA it is important to ensure that all code within the package is original, and there is no culture of cannibalising external code and infringing on people's copyright within the development team even for internal projects. | |||
It is possible that decisions made before open sourcing could become a risk after open sourcing. As an example of a plausible scenario; a team need to implement a new function. This function exists in another GPL-3 copy left licenced project. To add that project would introduce multiple dependencies that aren't used by that particular function so a member of the team decides to copy the function into the package. One year later, the package is open sourced under MIT. This would be a license breach as the authors have re-released copy-left code as permissive, and have incoporated the code without flagging it's source, changes they made, and the original licence (GPL3 requirements). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is possible that decisions made before open sourcing could become a risk after open sourcing. As an example of a plausible scenario; a team need to implement a new function. This function exists in another GPL-3 copy left licenced project. To add that project would introduce multiple dependencies that aren't used by that particular function so a member of the team decides to copy the function into the package. One year later, the package is open sourced under MIT. This would be a license breach as the authors have re-released copy-left code as permissive, and have incoporated the code without flagging it's source, changes they made, and the original licence (GPL3 requirements). | |
It is possible that decisions made during development can become license liabilities. As an example of a plausible scenario; a team need to implement a new function. This function exists in another GPL-3 copy left licenced project. To add that project would introduce multiple dependencies that aren't used by that particular function so a member of the team decides to copy the function into the package. The newly developed package is open sourced under MIT. This would be a license breach as the authors have re-released copy-left code as permissive, and have incoporated the code without flagging it's source, changes they made, and the original licence (GPL3 requirements). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am being very nitpicky here - I apologise.
Its just that strictly speaking, copying something from a GPL project into an internal project and not releasing that project internally under GPL is a license infringement in itself (even if it is hidden by the actions happening internally in a company, so it is unlikely to ever get detected by anybody outside of internal employees, who may still flag it if they have bad intensions). I suggest to edit out the text to indicate that time passes to avoid the rabbit hole of that period of time where the code is used internally in a company under incorrect licenses
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my point of view, the PR can be merged. I think my suggestion avoids some questions regarding the time period of that one-year which is mentioned now and license compatibility during that period, but if you disagree, then I won't make a fuzz about it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good points 👍🏽
I edited to flag this is always an issue - and that the example is a specific example that has been seen by a contributing company
No description provided.