
SlickGrid distribution bundles third-party dependencies without proper license attribution #393

Closed
vlsi opened this issue Jul 13, 2019 · 3 comments

Comments

@vlsi
Contributor

vlsi commented Jul 13, 2019

https://registry.npmjs.org/slickgrid/-/slickgrid-2.4.10.tgz and https://github.com/6pac/SlickGrid/archive/2.4.10.tar.gz contain third party files, and there are license violations.

Samples go below.

Technically speaking there are multiple ways to deal with that:

A) Do not distribute third-party dependencies. For instance, if SlickGrid releases do not require qunit.js, then you could probably just exclude it from the release.

B) If you do want to redistribute certain third-party dependencies, then you need to ensure your use adheres to their licenses. Typically it means you keep copyright notices, and typically you take those from LICENSE / NOTICE files of the third-party dependencies you bundle.

Samples:

  1. lib/select2.js. It comes from select2.
     Select2 is MIT licensed, and it does require you to keep the copyright notice, which is

     Copyright (c) 2012-2017 Kevin Brown, Igor Vaynberg, and Select2 contributors

     However, the Select2 copyright notice is not retained in the SlickGrid distribution. I believe that was not intentional, however that violates the MIT license.

  2. css/bootstrap.css

     It points to "Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)", however the link is wrong. The included bootstrap is 3.3.2 while the link points to a much newer license file. It is kind of misleading.

  3. JQueryUI:
     css/smoothness/* (css, png) <-- it is not clear what the license for these files is.
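The two failure modes above (a bundled copyright line that appears in no notice file, and a license link that points at a moving branch instead of the bundled version) can be caught mechanically before a release is published. The script below is an added example, not part of this issue or of the SlickGrid project: it scans an in-memory model of a distribution archive (path -> contents, constructed here; the Select2 copyright line is the one quoted in the issue, the Bootstrap header text and the project's own LICENSE text are placeholders) and reports every third-party copyright line that no LICENSE/NOTICE file reproduces, plus every license URL that references `master`/`main`/`develop` rather than a tag or commit.

```python
"""Release check: are third-party copyright notices retained, and are license links pinned?

Added example (not SlickGrid's own tooling). Works on a dict of path -> file text so it
runs offline; in practice you would build that dict from the extracted release archive.
"""
import re
from typing import Dict, List, Tuple

# Files whose purpose is to carry attribution; every third-party notice must appear in one.
NOTICE_FILES = ("LICENSE", "LICENSE.md", "NOTICE", "THIRD-PARTY-NOTICES")

# A copyright line: "Copyright", optional "(c)"/"©", then a year.
COPYRIGHT_RE = re.compile(r"copyright\s*(\(c\)|©)?\s*\d{4}", re.IGNORECASE)
# A license link that points at a branch (moving target) instead of a tag or commit.
UNPINNED_RE = re.compile(
    r"https?://[^\s)]+/blob/(master|main|develop)/[^\s)]*LICENSE[^\s)]*", re.IGNORECASE
)

# Constructed sample archive: one bundled library with a missing notice (select2),
# one with a retained notice but an unpinned license link (bootstrap).
SELECT2_COPYRIGHT = "Copyright (c) 2012-2017 Kevin Brown, Igor Vaynberg, and Select2 contributors"
SAMPLE_DIST: Dict[str, str] = {
    "lib/select2.js": (
        "/*!\n * Select2 (constructed header)\n"
        f" * {SELECT2_COPYRIGHT}\n * Released under the MIT license\n */\n"
    ),
    "css/bootstrap.css": (
        "/*!\n * Bootstrap v3.3.2 (constructed header)\n"
        " * Copyright 2011-2015 Bootstrap Authors (placeholder)\n"
        " * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)\n */\n"
    ),
    "slick.core.js": "// project code, no third-party header\n",
    "LICENSE": "MIT License\nCopyright (c) 2009 Example Project Authors (placeholder)\n",
    "THIRD-PARTY-NOTICES": (
        "Bootstrap v3.3.2\nCopyright 2011-2015 Bootstrap Authors (placeholder)\nLicensed under MIT\n"
    ),
}
SELECT2_NOTICE = f"Select2\n{SELECT2_COPYRIGHT}\nLicensed under MIT\n"


def _clean(line: str) -> str:
    """Strip comment decoration and collapse whitespace so header lines compare reliably."""
    return re.sub(r"\s+", " ", line.strip().lstrip("/*!# -")).strip()


def _is_notice_file(path: str) -> bool:
    return path.rsplit("/", 1)[-1] in NOTICE_FILES


def find_copyright_lines(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file to the cleaned copyright lines it contains (files without any are omitted)."""
    found: Dict[str, List[str]] = {}
    for path, text in files.items():
        lines = [_clean(l) for l in text.splitlines() if COPYRIGHT_RE.search(l)]
        if lines:
            found[path] = lines
    return found


def missing_attributions(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Copyright lines found in bundled code that no LICENSE/NOTICE file reproduces."""
    notices_text = " ".join(
        _clean(l) for p, t in files.items() if _is_notice_file(p) for l in t.splitlines()
    ).lower()
    missing = []
    for path, lines in find_copyright_lines(files).items():
        if _is_notice_file(path):
            continue  # the notice files themselves are the reference, not the subject
        for line in lines:
            if line.lower() not in notices_text:
                missing.append((path, line))
    return missing


def unpinned_license_links(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """License URLs that reference a branch, so the linked text may not match the bundled version."""
    return [(p, m.group(0)) for p, t in files.items() for m in UNPINNED_RE.finditer(t)]


def add_notice(files: Dict[str, str], text: str, notice_file: str = "THIRD-PARTY-NOTICES") -> Dict[str, str]:
    """Return a copy of the archive with `text` appended to the chosen notice file (the fix for option B)."""
    updated = dict(files)
    updated[notice_file] = updated.get(notice_file, "") + "\n" + text
    return updated


if __name__ == "__main__":
    for path, line in missing_attributions(SAMPLE_DIST):
        print(f"MISSING NOTICE  {path}: {line}")
    for path, url in unpinned_license_links(SAMPLE_DIST):
        print(f"UNPINNED LINK   {path}: {url}")
    fixed = add_notice(SAMPLE_DIST, SELECT2_NOTICE)
    print("after adding the Select2 notice:", missing_attributions(fixed))
```

Run as a release gate, a non-empty result from either function should fail the build; the same dict can be filled from a real extracted tarball with `pathlib` and the checks stay unchanged.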
@ghiscoding
Collaborator

Well, technically speaking, select2 is only used in the examples, not in the library itself. Does it really need the license to follow in that case? If so, then the entire lib requires licenses for all the other libs used in all the examples. I'm assuming the biggest ones, which are used within the lib, would be jQuery and jQuery UI, which are also missing licenses; those are the biggest ones to look into. I always thought that only the main library requires the license, not the other ones used for example purposes, though I could be wrong.

If you think this is a problem, it would be really nice if you could create a PR with necessary licenses.

@vlsi
Contributor Author

vlsi commented Jul 17, 2019

@ghiscoding,

> Does it really need the license to follow in that case?

Of course it is required.
Here's Select2's license: https://github.com/select2/select2/blob/develop/LICENSE.md
It makes no distinction on the usage type.
SlickGrid distributes a copy of select2, and the license says

> Select2 license: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software

> If so, then the entire lib requires licenses for all the other libs used in all examples

That is true. However, a critical problem with select2 is that SlickGrid has absolutely no trace of the select2 copyright owner.

You can find an example of "collecting licenses for third-party" in #390 (comment)

> I always thought that only the main library requires the license, not the other ones used for example purposes, though I could be wrong.

"main library" (==SlickGrid?) requires a license so others know the terms under which SlickGrid can be used.
However, when SlickGrid is using third-party libraries, then it must adhere to their licenses.
For instance, SlickGrid happens to bundle the select2 library as a part of the npmjs distribution archive. That means SlickGrid must adhere to the select2 license. The select2 license says that the "copyright notice" and "permission notice" must be included in all copies, so if SlickGrid chooses to bundle select2, it must include the relevant copyright info. Note: this applies even in case select2 is not used. The license says "copies or substantial portions", and it does not distinguish between "actively used" / "used in test code" / "used in examples" / and so on.

> If you think this is a problem

It is.

> it would be really nice if you could create a PR with necessary licenses

I'm afraid I would tentatively decline the offer. I'm doing similar work for Java (Apache JMeter / Apache Calcite), and I don't have spare capacity for SlickGrid.

@ghiscoding
Collaborator

closed by #771, to be released in upcoming Roadmap to v4.0
