-
Notifications
You must be signed in to change notification settings - Fork 3k
npm init for closed source modules #8291
Comments
$ npm config set init-license closed |
That will change license for all modules I create, right? I don't want that. Also, npm is now warning if a license isn't spdx- compatible so I'll seeing a bunch of warnings... — On Sun, May 17, 2015 at 3:13 AM, Kenan Yildirim notifications@github.com
|
@kesla You can use config on cli as well, e.g. |
I've never seen |
@timoxley I'd gladly change to private, is that an acceptable name by spdx standards? We should probably document that somewhere. |
@ralphtheninja Thanks! Will work for now! |
Unfortunately I don't see "private" nor "closed" here https://spdx.org/licenses/ |
@kemitchell is the person with the most domain knowledge for best practices, but I believe the commonly accepted practice is to include |
I am summoned, and lo! I do appear. @othiym23 and I recently added new guidance to npm's documentation, visible with What's this |
Ok, thanks for explaining. Sounds promising and super helpful for proprietary and distributed modules - but what I don't understand is if this extra work is needed/necessary for scoped modules that will never be distributed outside of our private register. |
Or can I set |
@othiym23 has discussed doing a check to see if As for whether it's a good idea to have files lying around without any kind of license attached, that's really up to your judgment and your legal department or lawyer, if you have one. npm sets guidelines for package metadata and encourages certain best practices, but nobody guarantees that those practices have any good legal effect. Sorry for the disclaimer. Lame to read and lame to write. But necessary. Please be careful! |
@kemitchell thanks a lot for the reply, sounds reasonable. Will think a little more about it. Cheers! |
This is a bit too much work for my default internal development process. I regularly build temporary one-off modules and private internal modules that will never get published to npm or any other registry. We may reuse them internally or I may just use them for structuring my code effectively. It used to be straightforward to use npm init, then manually add The reality is, there is no license for the module in question and there never will be. Requiring me to specify a LICENSE by reference, then simplly putting a (c) statement in a LICENSE file is unnecessary make work. This is echoed in #8542 |
This is now handled by |
This is unclear after reading the whole thread. When I put in UNLICENSED:
So the actual valid value is What's wrong with |
@jcollum it is tricky:
|
Oh wow so Unlicense is actually the most permissive:
I'd like to know what I should put in for packages that are only intended for the use of other employees at my company. Private? None? That's how I arrived here, trying to figure out what was the right value for that field in package.json. |
@jcollum the usefulness and effect of The Unlicense are controversial. |
Sure, no problem. Still not sure what to put in that field though. For now I'll just put "none" and be done with it. |
Yeah... this is a classic case of waaay overthinking it. All I want to do is get NPM to be quiet about the value of my license field every time I type I've tried several variants of "shut up about it", like "none", "unlicensed", and "private" and NPM gripes at all of them. It also gripes if I exclude it or leave it blank. The thread above hasn't really helped either.. but I'm going to try |
... as expected:
NPM version 2.14.2 |
Ok, finally, a verdict .. thanks to @othiym23 ..
.. that seems to work just fine. Hopefully I won't have to see that warning again :) |
So if you want to work in peace with npm, But If you want to protect your code, you need to systematically setup a specific licence configuration even for your tests in case your code would leek on the net. Is that right ? |
No, that's not what UNLICENSED does. @sindresorhus explains it here: #8773 (comment) |
Thank you very much, that's much more clear and simple at the link you provide. |
First, I'm not an attorney nor do I claim to be qualified to give legal advice. You should contact an attorney if you find yourself in a position in which licensing, copyrights, or intellectual property rights matter. With that said: The thing to remember is that all code not explicitly released to the public domain is, by default, copyright and protected. You just have to realize that if your code is leaked, and it's useful to someone else, they can use it regardless of what license you write in any file. You just have to consider what, exactly, you're trying to protect your code from. First, keep in mind that your code is probably not worth protecting in the first place. Any value that source code carries stems from the planning and ongoing support and maintenance of the software. Without you, the author of the source, source code loses its value rapidly. So, if you're trying to protect your code from independent developers, just don't bother... at the end of the day, it's just not going to matter. Something actually worth protecting against, though, is mid-to-large sized companies. They have a lot to lose and, usually, they are more concerned about the license for an OSS component than the author is. Very few of them would even use your code, for any purpose, without first finding an explicit license telling them that they can do so. Of course, though, if they do not care about licenses... then it doesn't matter anyway, they'll use it and you can't stop them, except by, of course, not leaking your code in the first place. At the end of the day OSS licenses provide assurance to people who want to honestly and fairly use your source. Licenses do not protect against people who have no regard for intellectual property rights. Just do your best to affix the appropriate license information to your source and don't worry too much about the rest. |
This is daft, but "SEE LICENCE IN COPYRIGHT LAW" will do for me, as copyright is the default/implicit license for any creative works anyway. (disclaimer: I am not a lawyer) |
@alirobe : I'm also not a lawyer, but I think you're correct, and my small novella, above, said something similar. So, to reiterate: All creative works are protected, immediately and by default, in U.S. copyright law. You have to explicitly "release" your rights to make you works open to the public. However, NPM uses/requires/recommends specific values for the |
You can read up on DCMA or the Berne Convention if you like. I'm simply just going to remove the |
I've had the habit of setting license to
closed
for closed (work) modules.In the latest version of npm that's not possible, and simply pressing enter will set the default license (ISC). Can I use
npm init
somehow for these closed source modules without needing to go in and remove the attribute afterwards?The text was updated successfully, but these errors were encountered: