Note that I am aware that #35570 exists, however the method for providing feedback there is broken in that it will not work with Firefox. Nor does it allow AFAICS nuanced conversation of issues, so I am reporting here.
It appears that the license recognition code used by pkg.go.dev has an unfortunately high false positive rate. Packages such as gonum.org/v1/gonum and modernc.org/cc, both of which have BSD-3-clause licenses (here and here) (note also that while the source code link for modernc.org/cc is provided on the overview at pkg.go.dev, even that is missing for the Gonum page).
This harms the packages where this happens by failing to present them to users and misrepresents the licensability of the packages, potentially harming them by causing potential users to move on to other packages where the license is accepted.
Note also that it arguably does not properly cover the owner of go.dev since other packages that import and reflect the APIs of these lost packages may be rendered. For example, k8s.io/kubernetes/pkg/controller/garbagecollector imports Gonum packages but does not present the Gonum license (and in fact shows the wrong license). In a clearer example, github.com/openshift/origin vendors a number of Gonum packages and pkg.go.dev thus misrepresents the license for openshift/origin by only showing the Apache license in its LICENSE file (and also in the search results).
Thanks for the issue. We are working to address the feedback widget issues on Firefox and we’re working to improve our license classification.
Please email go-discovery-feedback@google.com, as issues for pkg.go.dev are not tracked in this repository. I understand the desire to have an open, nuanced conversation, but it’s difficult to do so given the legal considerations surrounding licensing more generally. The moderators on that list are responsive and will do what they can to help.
I understand the desire to have an open, nuanced conversation, but it’s difficult to do so given the legal considerations surrounding licensing more generally.