-
-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: update author names + remove license headers #636
Conversation
This package redistributes libzmq in executable form https://www.npmjs.com/package/zeromq?activeTab=code. @bluca, can you confirm that the licensing on this project is still kosher and compatible with upstream? |
Zeromq.js license has not changed for the past 14 years, and it compiles with the MPL 2 license of libzmq. |
You changed the license in this very PR. What lawyer did you consult? I’m no lawyer, but it seems this project (edit: more specifically, the distribution of zeromq via npm ever since 5.2.6) is in violation of section 3.2 of the MPL. I also don’t know whether removing copyright headers from files is okay. That’s something else to ask the lawyers. |
The license is still MIT, and I changed the author names to reflect the history of the software, which was incomplete. The license headers are not required and were inaccurate as the LICENSE file applies to the whole repository. The license of zeromq.js is the license of the zeromq.js library, which includes all the source code that's in this repository. Each dependency has its own license, and it's the responsibility of the user to reproduce the notices for the dependencies. |
I suspect that's correct, but it would be unprofessional and unethical for me to make that call without the involvement of the rights-holders or any input from lawyers.
THIS NEEDS LEGAL REVIEW, even if that just means a professional telling you everything is above-board. Here's my reasoning spelled out:
@bluca, could you PLEASE make sure this gets in front of the right eyes? |
copyright notices with year ranges and such are not technically required, and haven't been since the Bern convention. However, I'd encourage you to use SPDX one-line headers in every source file. For NPM, I'm not familiar with it and I don't use it, but I note that zeromq does not appear in the dependencies list: https://www.npmjs.com/package/zeromq?activeTab=dependencies and I think that's because it's not a regular dependency, tracked by NPM, but it is prebuilt and embedded. I imagine there is tooling to list all licenses used by dependencies that is automated and relies on dependency tracking to work, and I assume embedding like this wouldn't work, so you need to find a solution for that, as users cannot be expected to manually inspect all code pulled in for prebuilt binaries. I do not know what is the best practice for that for NPM packages. |
No description provided.