pkg.go.dev: known licenses are not recognised and the site misrepresents license status of packages #35595

Closed
kortschak opened this issue Nov 14, 2019 · 2 comments

Comments

Contributor

@kortschak kortschak commented Nov 14, 2019

Note that I am aware that #35570 exists, however the method for providing feedback there is broken in that it will not work with Firefox. Nor does it allow, AFAICS, nuanced conversation of issues, so I am reporting here.

It appears that the license recognition code used by pkg.go.dev has an unfortunately high false positive rate. Packages such as gonum.org/v1/gonum and modernc.org/cc, both of which have BSD-3-clause licenses (here and here) (note also that while the source code link for modernc.org/cc is provided on the overview at pkg.go.dev, even that is missing for the Gonum page).

This harms the packages where this happens by failing to present them to users and misrepresents the licensability of the packages, potentially harming them by causing potential users to move on to other packages where the license is accepted.

Note also that it arguably does not properly cover the owner of go.dev since other packages that import and reflect the APIs of these lost packages may be rendered. For example k8s.io/kubernetes/pkg/controller/garbagecollector imports Gonum packages but does not present the Gonum license (and in fact shows the wrong license). In a clearer example, github.com/openshift/origin vendors a number of Gonum packages and pkg.go.dev thus misrepresents the license for openshift/origin by only showing the Apache license in its LICENSE file (and also in the search results).

Member

@andybons andybons commented Nov 15, 2019

Thanks for the issue. We are working to address the feedback widget issues on Firefox and we’re working to improve our license classification.

Please email go-discovery-feedback@google.com, as issues for pkg.go.dev are not tracked in this repository. I understand the desire to have an open, nuanced conversation, but it’s difficult to do so given the legal considerations surrounding licensing more generally. The moderators on that list are responsive and will do what they can to help.

Thanks for your patience on this.

@andybons andybons closed this Nov 15, 2019

Contributor Author

@kortschak kortschak commented Nov 15, 2019

> I understand the desire to have an open, nuanced conversation, but it’s difficult to do so given the legal considerations surrounding licensing more generally.

This is high-level Catch-22 action.
