1 |
On Wed, Sep 11, 2019 at 4:48 PM William Hubbs <williamh@g.o> wrote: |
2 |
|
3 |
> On Wed, Sep 11, 2019 at 04:34:27PM -0700, Alec Warner wrote: |
4 |
> > On Wed, Sep 11, 2019 at 10:39 AM Michael Orlitzky <mjo@g.o> |
5 |
> wrote: |
6 |
> > |
7 |
> > > On 9/11/19 1:21 PM, William Hubbs wrote: |
8 |
> > > > +++ b/dev-vcs/hub/hub-2.12.3.ebuild |
9 |
> > > > ... |
10 |
> > > > |
11 |
> > > > LICENSE="MIT" |
12 |
> > > |
13 |
> > > This license is wrong, as it's pretty much guaranteed to be every time |
14 |
> > > you commit one of these packages. I find it pretty troubling that one |
15 |
> > > corporation is able to force this stuff through even though it's a |
16 |
> > > security and legal hazard for everyone else. |
17 |
> > > |
18 |
> > |
19 |
> > How is it wrong? |
20 |
> > |
21 |
> > https://github.com/github/hub/blob/master/LICENSE |
22 |
> |
23 |
> The argument is that because of the vendoring, LICENSE= needs to list |
24 |
> all licenses for the vendored dependencies that are different from MIT |
25 |
> as well. |
26 |
> |
27 |
|
28 |
I see, I tend to believe that argument in that case. |
29 |
|
30 |
|
31 |
> |
32 |
> Personally I don't have a comment about this, but that's what is being |
33 |
> pushed for. I'll let you guys debate this but it isn't really relevant |
34 |
> to the eclass. ;-) |
35 |
> |
36 |
|
37 |
I think it's difficult to put instructions in the eclass like: |
38 |
|
39 |
+# $ cd /my/clone/of/upstream |
40 |
+# $ git checkout <release> |
41 |
+# $ go mod vendor |
42 |
+# $ tar cvf project-version-vendor.tar.gz vendor |
43 |
|
44 |
And then not mention this fairly easy trap (it's so easy to fall into you |
45 |
did it twice.) |
46 |
|
47 |
-A |
48 |
|
49 |
|
50 |
> William |
51 |
> |