guix-devel

Re: npm (mitigation)


From: Mike Gerwitz
Subject: Re: npm (mitigation)
Date: Mon, 17 Jul 2017 22:12:41 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

On Mon, Jul 17, 2017 at 11:45:29 +0200, Catonano wrote:
> in my idea I would have built a database with conditions for being non
> free for every npm package.
>
> So we could have queried the database for questions like: is there any non
> free or non buildable package in the dependency tree of, say, the current
> Jquery ?

Being able to query the graph for non-free dependencies is good,
yes.  My concern is developing a (reasonably) fool-proof system for
detecting those packages that doesn't require manual verification, which
would be extremely costly, outside of a reasonable randomly-chosen set.

I'm not saying it's impossible; it's just difficult with such wildly
varying standards and carelessness with regards to licensing that is
prominent in the JS community.

But we have to start somewhere, so anything you can come up with would
be good. :)

> You might remember my post of a few months back about an attempt of mine to
> crawl the npm registry and store data found there.

I do---I'm sorry if there are details that I missed or should know; I
haven't been able to follow this too closely.  I can be a bit of a
parrot sometimes with certain issues. :x

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
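
The dependency-tree query discussed in this thread, as an added example (not code from either poster or from Guix): it walks a package graph, normalizes the varying shapes of npm license metadata, and separates packages declared non-free from those that still need manual verification. The allow-list, package names and registry snapshot are constructed, and version ranges are ignored as a simplifying assumption.

```javascript
// Constructed allow-list; a real policy would cover far more SPDX identifiers.
const FREE = new Set(["MIT", "ISC", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-or-later"]);

// Flatten the shapes license metadata takes in package.json: an SPDX string,
// a legacy { type, url } object, or a legacy `licenses` array of either.
function licenseIds(manifest) {
  const raw = manifest.license !== undefined ? manifest.license : manifest.licenses;
  const items = Array.isArray(raw) ? raw : [raw];
  return items.map((x) => (typeof x === "string" ? x : x && x.type)).filter(Boolean);
}

// "free" only if every identifier is allow-listed; "nonfree" only when the
// metadata says so outright; anything else is queued for manual review.
function classify(manifest) {
  const ids = licenseIds(manifest);
  if (ids.includes("UNLICENSED")) return "nonfree";
  // Missing fields, "SEE LICENSE IN <file>", SPDX expressions and free-form
  // strings such as "BSD" cannot be decided from metadata alone.
  return ids.length > 0 && ids.every((id) => FREE.has(id)) ? "free" : "review";
}

// Walk the dependency graph from `root` (version ranges ignored, assumption).
function audit(registry, root) {
  const report = { nonfree: [], review: [] };
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue; // shared dependency or cycle
    seen.add(name);
    const manifest = registry.get(name);
    if (!manifest) { report.review.push(name); continue; } // not in crawled data
    const verdict = classify(manifest);
    if (verdict !== "free") report[verdict].push(name);
    stack.push(...Object.keys(manifest.dependencies || {}));
  }
  report.nonfree.sort();
  report.review.sort();
  return report;
}

// Constructed registry snapshot: package name -> manifest.
const SAMPLE = new Map([
  ["app", { license: "MIT", dependencies: { a: "^1.0.0", b: "*", c: "*" } }],
  ["a", { licenses: [{ type: "MIT" }], dependencies: { d: "*" } }],
  ["b", { license: { type: "BSD" }, dependencies: { app: "*" } }],
  ["c", { license: "SEE LICENSE IN LICENSE.txt" }],
  ["d", { license: "UNLICENSED", dependencies: { e: "*" } }], // "e" was never crawled
]);

console.log(audit(SAMPLE, "app"));
```

The size of the `review` list relative to the whole tree is a direct measure of the manual verification cost raised above.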
