open source license compliance


#1

Hi there

I have a question regarding open source license compliance (in commercial software).
How do you handle it?

For homogeneous npm projects there are solutions.
I have tried https://fossa.io and https://whitesourcesoftware.com
Both found a lot of npm dependencies, over 300 libraries with licenses in their package.json.
But they also struggle with the Meteor ecosystem.
In the source directory this is the .meteor/versions file.

For me, Meteor is only the development platform, and at the moment of build the outcome should be a regular Node.js-compatible file which can be deployed on any Node.js server.
Please correct me if I am wrong or if there are details I missed.

If I then search for jquery, there is not any file/directory with this name in the build directory.
How does the Node.js server know that jquery is needed, and where is it loaded from?

Can anyone help me to understand the mechanic?

Back to the initial question, how do you handle this?
Have you found other automatic workflows to generate an overview of used licenses?
How do you create a list of all used libraries, which I think has to be published somewhere in the product?

Side question: Do you take care of deep dependencies, or is a top-level MIT license, like Meteor has, good enough?

I would appreciate any kind of feedback / discussion.
Thank you very much for your help.
Best regards,
Jörgen


#2

That’s pretty normal for any NodeJS application. The number of NPM modules added can be mind boggling.

So, these are not NPM packages, but Meteor (“atmosphere”) packages. These most likely have licenses as well, since they’re usually associated with git (and mostly GitHub). However, you’re correct in thinking it’s hard to track these down.

Traditionally, that’s a Meteor package dependency. However, these days it’s possible to use the NPM package directly. In either case, license information is findable.

I’ve used license-checker. It does a good job with NPM package dependencies, but doesn’t handle Meteor’s packages.

You raise a great point here, and it should not be that hard to find the licenses as long as there’s some link between Meteor’s package.js and the appropriate repo. However, that link is not mandatory, and sometimes automating the determination of license can’t be easily done.

I think anyone developing commercial software should care about this.
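As an added example (not code from either post, and not a Meteor or license-checker feature), here is a small Node.js script that does what the reply describes as missing: it builds one inventory from both sources, the npm `package.json` files (which usually declare a license) and the `.meteor/versions` file (which lists `name@version` lines and carries no license field at all, so those rows are flagged for manual review). It also walks nested `node_modules` directories so deep dependencies are not silently skipped, and checks every row against an allow-list. The function names, the allow-list and the sample input are my own constructed assumptions.

```javascript
// Added example: combined dependency/license inventory for a Meteor app.
// Sources:
//   1. .meteor/versions            -> Atmosphere packages, "name@version" per line,
//                                     no license metadata (flagged UNKNOWN)
//   2. node_modules/**/package.json -> npm packages, "license" as string or {type},
//                                     or the legacy "licenses" array

// Parse the text of a .meteor/versions file into [{ name, version }].
// Package names may contain an author prefix ("user:pkg"), so split on the last '@'.
function parseMeteorVersions(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => {
      const at = line.lastIndexOf('@');
      if (at <= 0) throw new Error(`unparseable .meteor/versions line: ${line}`);
      return { name: line.slice(0, at), version: line.slice(at + 1) };
    });
}

// Normalise the shapes npm license metadata can take into one license string.
function npmLicenseOf(pkg) {
  if (typeof pkg.license === 'string') return pkg.license;
  if (pkg.license && typeof pkg.license.type === 'string') return pkg.license.type;
  if (Array.isArray(pkg.licenses) && pkg.licenses.length) {
    // legacy array form meant "any of these", which maps to an SPDX OR
    return pkg.licenses.map((l) => (typeof l === 'string' ? l : l.type)).join(' OR ');
  }
  return 'UNKNOWN';
}

// Merge both sources into one flat list; each row records where it came from.
function buildInventory(meteorVersionsText, npmPackageJsons) {
  const rows = parseMeteorVersions(meteorVersionsText).map(({ name, version }) => ({
    source: 'atmosphere', name, version, license: 'UNKNOWN',
  }));
  for (const pkg of npmPackageJsons) {
    rows.push({ source: 'npm', name: pkg.name, version: pkg.version, license: npmLicenseOf(pkg) });
  }
  return rows;
}

// Minimal SPDX expression check: "A AND B" needs both allowed, "A OR B" needs one.
function licenseAllowed(expr, allowedSet) {
  if (expr === 'UNKNOWN') return false;
  return expr.replace(/[()]/g, '').split(/\s+AND\s+/i).every((conj) =>
    conj.split(/\s+OR\s+/i).some((l) => allowedSet.has(l.trim().toUpperCase())));
}

// Rows a human still has to look at: unknown license or outside the allow-list.
function reviewQueue(inventory, allowed) {
  const ok = new Set(allowed.map((l) => l.toUpperCase()));
  return inventory.filter((r) => !licenseAllowed(r.license, ok));
}

// Recursively collect package.json objects from a node_modules tree, including
// nested node_modules of each package (the "deep dependencies" from the question).
// Only used by scanProject(); kept out of the offline sample run.
function collectPackageJsons(fs, path, nodeModulesDir, out = []) {
  if (!fs.existsSync(nodeModulesDir)) return out;
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    if (entry.startsWith('.')) continue;
    const dirs = entry.startsWith('@') // scoped packages live one level deeper
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map((s) => path.join(nodeModulesDir, entry, s))
      : [path.join(nodeModulesDir, entry)];
    for (const d of dirs) {
      const pj = path.join(d, 'package.json');
      if (!fs.existsSync(pj)) continue;
      out.push(JSON.parse(fs.readFileSync(pj, 'utf8')));
      collectPackageJsons(fs, path, path.join(d, 'node_modules'), out);
    }
  }
  return out;
}

// Run against a real Meteor project directory (after `meteor npm install`).
function scanProject(projectDir) {
  const fs = require('fs');
  const path = require('path');
  const versions = fs.readFileSync(path.join(projectDir, '.meteor', 'versions'), 'utf8');
  return buildInventory(versions, collectPackageJsons(fs, path, path.join(projectDir, 'node_modules')));
}

// Constructed sample input (not taken from any real project).
const SAMPLE_METEOR_VERSIONS = ['meteor-base@1.4.0', 'jquery@1.11.10', 'ecmascript@0.12.4', ''].join('\n');
const SAMPLE_NPM_PACKAGE_JSONS = [
  { name: 'lodash', version: '4.17.15', license: 'MIT' },
  { name: 'old-lib', version: '0.1.0', licenses: [{ type: 'BSD-3-Clause' }] },
  { name: 'dual', version: '2.0.0', license: '(MIT OR Apache-2.0)' },
  { name: 'mystery', version: '1.0.0' },
  { name: 'copyleft-thing', version: '3.1.0', license: { type: 'GPL-3.0' } },
];
const ALLOWED_LICENSES = ['MIT', 'BSD-3-Clause', 'Apache-2.0']; // assumed policy

const sampleQueue = reviewQueue(buildInventory(SAMPLE_METEOR_VERSIONS, SAMPLE_NPM_PACKAGE_JSONS), ALLOWED_LICENSES);
console.log(sampleQueue); // atmosphere rows, "mystery" (no field) and the GPL package
```

Running `scanProject(process.cwd())` inside a project gives the full list for the product's notice file; the Atmosphere rows stay `UNKNOWN` because `.meteor/versions` never carried a license, so those still have to be resolved by hand from each package's repository, which is exactly the missing link the reply describes.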