2017-07-15 5:34 GMT+02:00 Mike Gerwitz <m...@gnu.org>: > On Fri, Jul 14, 2017 at 13:57:30 +0200, Jelle Licht wrote: > > Regardless, the biggest issue that remains is still that npm-land is > mired > > in cyclical dependencies and a fun-but-not-actually unique dependency > > resolving scheme. > > I still think the largest issue is trying to determine if a given > package and its entire [cyclic cluster] subgraph is Free. That's a lot > of manual verification to be had (to verify any automated > checks). npm's package.json does include a `license' field, but that is > metadata with no legal significance, and afaik _defaults_ to "MIT" > (implying Expat), even if there's actually no license information in the > repository.
And that is exactly why this probably won't end up in Guix proper, at least for the foreseeable future. And also the reason that the entire npm situation is so sad. The default MIT/Expat only applies to people who generate their package metadata via npm init by just pressing enter; IANAL, but directly referring to a valid and common SPDX identifier is not that different from including some file under the name of LICENSE/COPYING. It is true that lots of npm projects do not include copyright and/or license headers in each source file, but this is also true for lots of other free software. - Jelle
