pkg.go.dev: known licenses are not recognised and the site misrepresents license status of packages #35595

Closed
kortschak opened this issue Nov 14, 2019 · 2 comments


@kortschak
Contributor

kortschak commented Nov 14, 2019

Note that I am aware that #35570 exists; however, the method for providing feedback there is broken in that it will not work with Firefox. Nor does it allow, AFAICS, nuanced conversation of issues, so I am reporting here.

It appears that the license recognition code used by pkg.go.dev has an unfortunately high false positive rate. Packages such as gonum.org/v1/gonum and modernc.org/cc, both of which have BSD-3-clause licenses (here and here) (note also that while the source code link for modernc.org/cc is provided on the overview at pkg.go.dev, even that is missing for the Gonum page).

This harms the packages where this happens by failing to present them to users, and it misrepresents the licensability of the packages, potentially harming them by causing potential users to move on to other packages where the license is accepted.

Note also that it arguably does not properly cover the owner of go.dev since other packages that import and reflect the APIs of these lost packages may be rendered. For example k8s.io/kubernetes/pkg/controller/garbagecollector imports Gonum packages but does not present the Gonum license (and in fact shows the wrong license). In a clearer example, github.com/openshift/origin vendors a number of Gonum packages and pkg.go.dev thus misrepresents the license for openshift/origin by only showing the Apache license in its LICENSE file (and also in the search results).

@andybons
Member

Thanks for the issue. We are working to address the feedback widget issues on Firefox and we’re working to improve our license classification.

Please email go-discovery-feedback@google.com, as issues for pkg.go.dev are not tracked in this repository. I understand the desire to have an open, nuanced conversation, but it’s difficult to do so given the legal considerations surrounding licensing more generally. The moderators on that list are responsive and will do what they can to help.

Thanks for your patience on this.

@kortschak
Contributor Author

> I understand the desire to have an open, nuanced conversation, but it’s difficult to do so given the legal considerations surrounding licensing more generally.

This is high-level Catch-22 action.

@golang golang locked and limited conversation to collaborators Nov 14, 2020