Attribute all dependencies of Insect #324

Closed
triallax opened this issue Jul 20, 2022 · 6 comments · Fixed by #355

@triallax
Contributor

It just struck my mind that Insect has no real attribution for most of its dependencies, which I believe violates most, if not all, of these dependencies' licenses. This should be rectified as soon as possible.

For the PureScript dependencies, we can do something like this: https://github.com/purescript/spago#get-all-the-licenses-of-my-dependencies

For the JavaScript dependencies though, I have no idea, so we'll have to do some research.

@triallax triallax added this to the v5.8.0 milestone Jul 20, 2022
@triallax triallax self-assigned this Jul 20, 2022
@sharkdp
Owner

sharkdp commented Jul 23, 2022

Thank you for your concern.

> It just struck my mind that Insect has no real attribution for most of its dependencies, which I believe violates most, if not all, of these dependencies' licenses.

To be honest, I'm not sure if that's true. We don't have a copy of the source code of those packages in our repo. MIT license requires attribution if you distribute a (modified) copy of the source code. We only point our dependency files at those projects. And if you do npm install or pulp/spago install to pull in those dependencies locally, you will get all of the respective LICENSE files.

What is indeed problematic is the NPM packaging process. If we distribute a (minimized and optimized) JavaScript file that includes (modified) source code of those dependencies, then we should also add a proper attribution.

But the repository as it is seems completely fine to me?

@triallax
Contributor Author

triallax commented Jul 24, 2022

> To be honest, I'm not sure if that's true. We don't have a copy of the source code of those packages in our repo. MIT license requires attribution if you distribute a (modified) copy of the source code. We only point our dependency files at those projects. And if you do npm install or pulp/spago install to pull in those dependencies locally, you will get all of the respective LICENSE files.

That is all completely correct, and I've already considered that. But also, can you clarify what you mean by "(modified)"? We still have to attribute the dependencies even without modifying them, or is that what you meant?

> What is indeed problematic is the NPM packaging process. If we distribute a (minimized and optimized) JavaScript file that includes (modified) source code of those dependencies, then we should also add a proper attribution.

This is what I implicitly meant (I should've perhaps clarified that). We also face the same problem in the web version of Insect.

Also, note that both in the current master and in #322, JavaScript code from node_modules is not bundled in the NPM package, so we may not need to attribute those. However, we do have to attribute the PureScript dependencies; in my PR they are bundled, and in master output is included in the NPM package without any attribution.

However, with the web version, we will have to have both JavaScript and PureScript dependencies attributed.

> But the repository as it is seems completely fine to me?

I'm not sure I understand that question.

@sharkdp
Owner

sharkdp commented Jul 24, 2022

> > To be honest, I'm not sure if that's true. We don't have a copy of the source code of those packages in our repo. MIT license requires attribution if you distribute a (modified) copy of the source code. We only point our dependency files at those projects. And if you do npm install or pulp/spago install to pull in those dependencies locally, you will get all of the respective LICENSE files.
>
> That is all completely correct, and I've already considered that. But also, can you clarify what you mean by "(modified)"? We still have to attribute the dependencies even without modifying them, or is that what you meant?

Yes, that's what I meant: "If you distribute a modified or unmodified copy of the source code"

> > What is indeed problematic is the NPM packaging process. If we distribute a (minimized and optimized) JavaScript file that includes (modified) source code of those dependencies, then we should also add a proper attribution.
>
> This is what I implicitly meant (I should've perhaps clarified that). We also face the same problem in the web version of Insect.

Ok, yes. I fully agree. Thank you for bringing it to my awareness.

> Also, note that both in the current master and in #322, JavaScript code from node_modules is not bundled in the NPM package, so we may not need to attribute those. However, we do have to attribute the PureScript dependencies; in my PR they are bundled, and in master output is included in the NPM package without any attribution.

👍

> However, with the web version, we will have to have both JavaScript and PureScript dependencies attributed.

👍

> > But the repository as it is seems completely fine to me?
>
> I'm not sure I understand that question.

I just meant: I think we're not required to attribute the dependencies in the repository itself, only in the npm package and in the web version. We still could do it of course. Maybe that would be the easiest option anyway.. if we don't automatically build this attribution-file during deployment, but have it checked in to the repo itself. On the other hand, that would probably just make it harder because we would then need to make sure it's always up-to-date.

@triallax
Contributor Author

triallax commented Sep 2, 2022

> Ok, yes. I fully agree. Thank you for bringing it to my awareness.

You're welcome.

> I just meant: I think we're not required to attribute the dependencies in the repository itself, only in the npm package and in the web version.

Yeah, that's correct.

> We still could do it of course. Maybe that would be the easiest option anyway.. if we don't automatically build this attribution-file during deployment, but have it checked in to the repo itself. On the other hand, that would probably just make it harder because we would then need to make sure it's always up-to-date.

If we go that route, we could do something like #319. We can discuss whether to check the file into Git or not later.

@triallax
Contributor Author

Ah, I was thinking that I would get this fixed before v5.8.0 is released, but oh well. I'll get this closed as soon as possible.

@triallax triallax modified the milestones: v5.8.0, v5.8.1 Dec 28, 2022
@sharkdp
Owner

sharkdp commented Dec 28, 2022

Sorry for that. I am perfectly happy to create new releases whenever needed.

triallax added a commit to triallax/insect that referenced this issue Feb 9, 2023
triallax added a commit to triallax/insect that referenced this issue Feb 26, 2023
Fixes sharkdp#324.

I also updated the package set for a couple dependencies that did not
have license files in the versions in the older package set.
triallax added a commit to triallax/insect that referenced this issue Mar 2, 2023
Fixes sharkdp#324.

I also updated the package set for a couple dependencies that did not
have license files in the versions in the older package set, plus using
a newer version of `purescript-pairs` that has a license file.
triallax added a commit to triallax/insect that referenced this issue Mar 10, 2023
Fixes sharkdp#324.

I also updated the package set for a couple dependencies that did not
have license files in the versions in the older package set.
triallax added a commit to triallax/insect that referenced this issue Mar 11, 2023
Fixes sharkdp#324.

I also updated the package set for a couple dependencies that did not
have license files in the versions in the older package set.
triallax added a commit that referenced this issue Mar 11, 2023
Fixes #324.

I also updated the package set for a couple dependencies that did not
have license files in the versions in the older package set.