On Thu, Sep 24, 2020 at 7:52 AM Jared K. Smith <jsmith(a)fedoraproject.org> wrote:
> On Wed, Sep 23, 2020 at 7:44 PM Stephen Gallagher <sgallagh(a)redhat.com> wrote:
> >
> > Node’s package.json contains the license, so we should be able to just extract that
> > recursively.
>
> In theory, yes. In practice, some packages completely leave it out, some packages put it
> under "license" and some under "licenses", and many packages don't
> bother to include the license text with the code. I've filed dozens of tickets with
> upstream NodeJS projects to improve these, most of which have been ignored for years.
> I've come to the unfortunate conclusion that the NodeJS community in general can't
> be bothered with license details.

I have spoken to a lawyer about this in the past. We are allowed to
make a "best reasonable effort" here. As long as we capture all of the
known licenses and we are responsive and immediately take action if
someone comes with a challenge, we should be fine.
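
An added example, not part of the original thread and not Fedora tooling: a recursive package.json audit that handles the cases raised above (no license field, "license" versus "licenses", and no license text shipped with the code). The function names, the license-file name prefixes and the sample packages are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

def declared_licenses(manifest):
    """License identifiers a parsed package.json declares; [] when it declares none."""
    found = []
    for key in ("license", "licenses"):          # both spellings occur in practice
        value = manifest.get(key) if isinstance(manifest, dict) else None
        for entry in value if isinstance(value, list) else [value]:
            if isinstance(entry, dict):          # older object form: {"type": ..., "url": ...}
                entry = entry.get("type")
            if isinstance(entry, str) and entry.strip():
                found.append(entry.strip())
    return found

def audit(root):
    """Map each directory under root holding a package.json to (licenses, has_license_text)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            manifest = json.loads(Path(dirpath, "package.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):            # unreadable or malformed: treat as undeclared
            manifest = {}
        # Assumed file-name prefixes for bundled license text.
        has_text = any(f.lower().startswith(("license", "licence", "copying")) for f in files)
        report[os.path.relpath(dirpath, root)] = (declared_licenses(manifest), has_text)
    return report

def build_sample_tree(root):
    """Constructed sample input: three made-up packages, one nested inside another."""
    samples = {
        "node_modules/a": ({"name": "a", "license": "MIT"}, True),
        "node_modules/b": ({"name": "b", "licenses": [{"type": "BSD-3-Clause"}]}, False),
        "node_modules/b/node_modules/c": ({"name": "c"}, False),
    }
    for rel, (manifest, with_text) in samples.items():
        pkg = Path(root, rel)
        pkg.mkdir(parents=True, exist_ok=True)
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        if with_text:
            (pkg / "LICENSE").write_text("constructed placeholder license text\n", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit(tmp))
```

Entries that come back with an empty license list or without license text are the ones that need manual review or an upstream ticket.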