Require distribution terms (license notice header) to be defined in package.json #1591

Open
binki opened this Issue Jul 19, 2013 · 0 comments


With the information in http://cdnjs.com/packages.json, one can for many libraries write some code that can, for example, walk the dependency tree of jquery.ba-bbq and automatically determine that it needs jquery and jquery-migrate. Now, it would be nice to be able to comply with the common distribution term “The above copyright notice and this permission notice shall be included in all copies or substantial portions of this software” ( https://github.com/jquery/jquery/blob/master/MIT-LICENSE.txt#L12 ). There does not seem to be a well-defined commonjs PackageJson spec-defined way to expose this information about a package. cdnjs already uses non-standard package.json keys (e.g., "filename" instead of "main"), so I would like to propose it add another required key specific to including the JavaScript into cdnjs, "_cdnjs_distribution_terms", which would hold an array of lines. For example, for jquery this key would look like:

{
    "name": "jquery",
    "filename": "jquery.min.js",
    "version": "2.0.3",
    "description": "jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development. jQuery is designed to change the way that you write JavaScript.",
    "homepage": "http://jquery.com/",
    "_": "Other keys excluded for the sake of brevity.",
    "_cdnjs_distribution_terms": [
        "Copyright 2013 jQuery Foundation and other contributors",
        "http://jquery.com/",
        "",
        "Permission is hereby granted, free of charge, to any person obtaining",
        "a copy of this software and associated documentation files (the",
        "\"Software\"), to deal in the Software without restriction, including",
        "without limitation the rights to use, copy, modify, merge, publish,",
        "distribute, sublicense, and/or sell copies of the Software, and to",
        "permit persons to whom the Software is furnished to do so, subject to",
        "the following conditions:",
        "",
        "The above copyright notice and this permission notice shall be",
        "included in all copies or substantial portions of the Software.",
        "",
        "THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,",
        "EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF",
        "MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND",
        "NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE",
        "LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION",
        "OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION",
        "WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
    ]
}

I know the name itself would need work. Also, this key should be defined per version of the package, as different versions will have different years in (just) the copyright line or, in some cases, I suppose completely different text if a project switches which license it is using.

I know that a "licenses" key is proposed in places like http://wiki.commonjs.org/wiki/Packages/1.1 . However, the information supplied there is insufficient because it does include the copyright/year line in the notice itself which seems like it is inseparable from the rest of the notice text (which is often a boilerplate blurb). Also, I am proposing this be at a cdnjs level because the cdnjs changeset reviewers would be able to review changesets and verify that the added libraries actually are released under the terms specified in "_cdnjs_distribution_terms" unlike the "licenses" key (about which commonjs states “This property is not legally binding and does not necessarily mean your package is licensed under the terms you define in this property.”). And, yes, this may be in opposition to ideas in issue #123 to automate everything. This shouldn’t conflict with too much of #123’s goals, which are mostly to automatically notice that new library versions have been released and automatically obtain a copy of the new script itself and update the "version" key and, depending on how it’s implemented, create a pull request automatically which would need human review to check things (such as "_cdnjs_distribution_terms").

Of course, asking for "_cdnjs_distribution_terms" is ridiculous. If anyone has better ideas of how to automatically scrape distribution terms or pointers to a different web-browser-oriented JavaScript metadata repository that already has this sort of information, and in this form (not commonjs "licenses"), that’d be helpful.
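
How a consumer could use the proposed key when bundling, as an added example that is not part of the original issue or of cdnjs: it walks the dependency tree, emits one notice banner per package, and fails closed when terms are missing. The `dependencies` layout, the function names and the placeholder notice texts are assumptions; only `_cdnjs_distribution_terms` comes from the issue.

```javascript
// Constructed sample registry. The "dependencies" layout is an assumption;
// "_cdnjs_distribution_terms" is the key proposed in the issue. Notice texts
// are shortened placeholders, not the real license texts.
const sampleRegistry = [
  { name: "jquery", version: "2.0.3",
    _cdnjs_distribution_terms: ["Copyright 2013 jQuery Foundation and other contributors",
      "http://jquery.com/", "", "(remaining notice lines omitted in this sample)"] },
  { name: "jquery-migrate", version: "0.0.0-sample", dependencies: { jquery: "*" },
    _cdnjs_distribution_terms: ["(placeholder notice for jquery-migrate)"] },
  { name: "jquery.ba-bbq", version: "0.0.0-sample",
    dependencies: { jquery: "*", "jquery-migrate": "*" },
    _cdnjs_distribution_terms: ["(placeholder notice for jquery.ba-bbq)"] },
];

// Depth-first walk returning packages with dependencies first; rejects
// unknown packages and dependency cycles.
function resolveOrder(registry, rootName) {
  const byName = new Map(registry.map((p) => [p.name, p]));
  const state = new Map(); // name -> "visiting" | "done"
  const order = [];
  const visit = (name, path) => {
    if (state.get(name) === "done") return;
    const trail = path.concat(name);
    if (state.get(name) === "visiting") throw new Error("dependency cycle: " + trail.join(" -> "));
    const pkg = byName.get(name);
    if (!pkg) throw new Error("unknown package: " + name);
    state.set(name, "visiting");
    Object.keys(pkg.dependencies || {}).forEach((dep) => visit(dep, trail));
    state.set(name, "done");
    order.push(pkg);
  };
  visit(rootName, []);
  return order;
}

// Registry text is untrusted: break "*/" and strip line breaks so a notice
// cannot close the comment banner and turn into executable script.
const safe = (s) => String(s).replace(/[\r\n\u2028\u2029]+/g, " ").replace(/\*\//g, "* /");

// Build one /*! ... */ banner per package; fail closed if terms are missing.
function noticeHeader(registry, rootName) {
  return resolveOrder(registry, rootName).map((pkg) => {
    const terms = pkg._cdnjs_distribution_terms;
    if (!Array.isArray(terms) || terms.length === 0) {
      throw new Error("no distribution terms for " + pkg.name);
    }
    const lines = terms.map((l) => (" * " + safe(l)).trimEnd());
    return ["/*! " + safe(pkg.name) + " " + safe(pkg.version), ...lines, " */"].join("\n");
  }).join("\n") + "\n";
}
```

The header returned by `noticeHeader(sampleRegistry, "jquery.ba-bbq")` is meant to be prepended to the concatenated scripts; the `/*!` opener is the form minifiers commonly preserve.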
