-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using closure modules results in JS output appearing to be licensed as apache v2 #3551
Comments
For what it's worth, these commits are bringing Closure Library into compliance with a Google-internal rule that the library had previously had a grandfathered exemption from. It is indeed intended to uphold the terms of the Apache license, while adding the minimal number of bytes to compiled output as possible. We were instructed that this text was sufficient (see https://spdx.org for more details, I guess - IANAL). The behavior of In terms of mandatory, you can do what you want with the output of the compiler. If you are documenting your licenses elsewhere, then nothing is stopping you from adding a post-processing step to remove the extra license, and that would surely be preferable to forking the library. |
Well we already fork the compiler so that BUNDLE has sourcemaps and defines, so that the PersistentInputStore is restored, so one more patch isn't a big deal. I'll bring it up on google/j2cl, since no annotations from .java make it into .js, so we can't easily control how arbitrary java jars get their license respected in this way, see if they have a plan... Agreed that I don't want to get into what a lawyer may or may not suggest (and certainly don't want to advise anyone downstream on what they should be doing), but only want to point out that my naive read of the license file says that this isn't sufficient, a copy of the license is required, not just its name.
|
I think it would be reasonable to have an option to output the licenses to another file rather than included at the top of the output or turn it off completely. Ultimately, we don't attempt to provide any enforcement of licenses (not everything file with a license is tagged @license for example) that is up to the folks deploying the code. Happy to entertain a patch. |
This works, but emits some warnings. We probably need to update the js source code inputs to get rid of those to avoid using deprecated js apis. NOTE: Closure isn't at the latest, because of that introcucing top level comments which break tests, but more importantly, make generated js files appear as if they're apache licenced. We're at the last revision before that change gets introduced. Full context at: google/closure-compiler#3551, which got introcuded via google/closure-library@1fe1bd8 Signed-off-by: Otto van der Schaaf <[email protected]>
This works, but emits some warnings. We probably need to update the js source code inputs to get rid of those to avoid using deprecated js apis. NOTE: Closure isn't at the latest, because of that introducing top level comments which break tests, but more importantly, make generated js files appear as if they're apache (re-)licensed. AINAL but I think we shouldn't do that. We're at the last revision before that change gets introduced, which is still quite a leap, and fairly recent. Full context at: google/closure-compiler#3551, which got introcuded via google/closure-library@1fe1bd8 Signed-off-by: Otto van der Schaaf <[email protected]>
The license comments are coordinated via Right now, this is hardcoded. It would be helpful to expose a public |
From https://developers.google.com/closure/compiler/docs/js-for-compiler#tag-license, it appears that any
@license
comments end up in the compiled output, and no flags can prevent that (and perhaps, nor should they). Given a project which uses goog.provides/module/etc, the google/closure-library@1fe1bd8 commit appears to add a license header advertising only apache v2 to the JS output, where previously a (potentially proprietary) project might have had no license shown, giving the impression that the entire file is now apache v2.My hunch is that this is to make sure that the apache license terms are upheld, but at least as I understand apache v2 this isn't sufficient - the full text of the license still needs to be included elsewhere, so I'm not sure why this is now mandatory.
Sorry for such an open ended report, but I'm not sure what the takeaway should be for downstream projects - including licenses is mandatory? Fork closure-library to remove it? Introduce additional command line args to make this optional (
--license-file-provided-outside-js=true
)?The text was updated successfully, but these errors were encountered: