Packages without current source of licenses #83879
Comments
|
I just checked |
|
Searching GAPTypes brought me to https://discourse.julialang.org/t/swizzling-the-super-type-of-a-foreign-julia-type-or-how-evil-must-i-be/33733 by @fingolfin |
|
Ah, #19033 (comment) has a bunch of authors: @Moelf for BigG, @PetrKryslUCSD for MeshFinder, @lucianolorenti for Estapir, and @slmcbane for MirroredArrayViews |
|
Great detective work, looks like all packages can go into the "ping author" pile (and looks like at least some of the authors are still active in the community so that's helpful). Thanks Avik for looking at this, it's one of those things that potential enterprise users might (rightly!) freak out over. |
|
GAPTypes could be deleted / yanked from my POV. Of course you then may wish to yank old versions of GAP.jl that depend on it. |
|
While I don't disagree that we should remove these, I think that we should probably add terms of service to the registry, stating that by registering a package, you give at least some right to use the code. It's a little hard to pick terms; we may need to talk to a lawyer about this. I do also think that there's a pretty decent legal case to be made that by publishing and registering code, you obviously intended for people to use it, so that seems like some kind of implicit permission, but obviously we'd rather have explicit permission with clear terms. |
|
in my case it was superseded by https://github.com/tlienart/Franklin.jl so can we just delete it? I'm sure nobody ever used it |
|
I wonder if these could be removed from the registry? https://github.com/PetrKryslUCSD/MeshPorter.jl Their original raison d'etre passed. |
|
Wouldn't the easiest way forward here for the authors to just retrospectively slap an MIT license on this and then there's no need to yank anything? |
|
I believe these particular repos have all been deleted, so they would need to be reconstituted |
|
In my case the repository was deleted, I guess it can be removed from the registry |
|
If the repository is gone (as in the GAPTypes case), where do we "slap" that license to? |
|
I thought the issue was that these packages are still installable from package servers, so presumably the repos are mirrored there? If that's not the case then yanking is by definition fine. |
|
Julia's pkg server is designed so that even if author deleted original repo, packages are still installable -- this is a good design. deleting stuff from pkg server is a separate item, need manual review for sure |
|
That's what I understood, and I apologise if I'm just confusing the issue here but I thought the problem was exactly that (i) there are packages that are installable from General, It seemed to me that to the extent that authors are still contactable it might be feasible to get their permission to just retroactively add an MIT license to wherever these package now exist and General is getting them from, solving the litigation risk issue without yanking. I might be misunderstanding though and again sorry if I'm just adding noise here. |
|
from Slack, it sounds like from the copyright point of view, it might be OK if the authors just write something in this issue like "I waive copyright to the code in package XYZ", since that is a thing they have the right to do, and it would alleviate users from issues. It wouldn't solve the problem of there are packages without OSI-approved licenses (which is against General's policy in general) but it would mean that in such cases those problems aren't very impactful, and my opinion would be it's fine to leave the packages there without yanking them or such, in that case. |
|
I regret but I have already deleted all of those packages!
As suggested above, I wish to state for the record that I waive the copyright to the above four packages. |
|
In many jurisdictions you can not just "waive copyright". Certainly not in Germany. at the same time, let's not blow things out of proportion. "expose users to litigation risk" is not very plausible. Yes, a hypothetical risk exists, but there are many hurdles against that (like: you must actually use that package AND it's copyright holders must decide to sue AND they must have standing (package non-trivial -- difficult to argue for eg GAPTypes) and a bunch more. The argument given above that registering a package indicates intent to enable others to use your code also has legal weight. So it's not as black and white as some expressed it here. IANAL though (but I was involved centrally in legal proceedings against companies violating the GPL on code I hold oh and indeed: conversely, even if there is a license attached you are not free of risk... eg you might VIOLATE that license. And get sued for that ;-) |
The following packages do not seem to have publicly available sources, and the latest release (cached on the package servers) do not have any associated license file in them. I believe therefore that there is no permission for anyone to use that code, or even cache it on the package servers. I think these packages should be removed from the registry.
(PS: there are quite a few other packages in the registry without licenses, but since they have associated github repos, I will ping their authors first. If there is no response, we will have to take a similar call about those. But that's for later)
The text was updated successfully, but these errors were encountered: