-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not copy source code for Reciprocal licenses #28
base: master
Are you sure you want to change the base?
Conversation
While I agree with that, how are we enforcing the copy of the licensed code if there's any change in it? |
can't we use the |
We could follow that approach, but we should also confirm the dependencies that have changed and only copy the code for those ones which have a reciprocal license. That's the optimal behavior, so I'm wondering what's the middle point we might be agreeing here. |
what you mentioned (in bold) makes sense to me and is a good middle ground |
Is there any change in the If this is not a good default, maybe it would make sense to at least make it configurable with a dedicated command-line option (like the |
It looks like long term we'll be able to ensure the vendor directory is not modified |
You can probably quickly hash the modules in the vendor folder and compare them with hash in go.sum no? |
@wlynch do you have thoughts on this PR? |
Did some research today - this would need more work. We can't guarantee that all users are vendoring their dependencies. If for whatever reason the upstream source is unavailable, deleted, or modified, you could get into a state where the source used in a binary would no longer be available and would not meet license obligations (for licenses like MPL 2.0 the obligation is on the binary distributor). We would need to keep this behavior for non-vendored dependencies. |
An opt-out flag SGTM, so long as we include a warning about the consequences of doing so. I haven't poked around the x/mod code recently, but I'm curious if we can easily detect if the module has been vendored at all (even if we can't verify the go.sum easily yet). 🤔 |
@Bobgy any change you could include this in your v2 work? |
According to the description:
For software that uses
Reciprocal
licenses, we don't need to copy the source directory as long as the code is unmodified. As normally users use third-party tools to vendor the dependencies, it seems to be overly cautious to always copy source code for Reciprocal licenses.