Re: NPM importer
From: swedebugia
Subject: Re: NPM importer
Date: Thu, 22 Nov 2018 00:22:54 +0100
On 2018-11-21 23:01, Brett Gilio wrote:
> Mike Gerwitz writes:
>> The JavaScript community has poor licensing practices, and the culture
>> is somewhat hostile to the ideals of the free software movement (they
>> focus on permissive licensing to empower non-free software developers
>> using those libraries).
>
> To say the least. It will take a good deal of implementing a license
> checker on the importer, as well as human verification to ensure that we
> are maintaining a high ethical standard.
We might want to use the same approach as licensee:
"The solution
Licensee automates the process of reading LICENSE files and compares
their contents to known licenses using several strategies (which we
call "Matchers"). It attempts to determine a project's license in the
following order:
If the license file has an explicit copyright notice, and nothing more
(e.g., Copyright (c) 2015 Ben Balter), we'll assume the author intends
to retain all rights, and thus the project isn't licensed.
If the license is an exact match to a known license. If we strip away
whitespace and copyright notice, we might get lucky, and direct string
comparison in Ruby is cheap.
If we still can't match the license, we use a fancy math thing called
the Sørensen–Dice coefficient, which is really good at calculating the
similarity between two strings. By calculating the percent changed from
the known license to the license file, you can tell, e.g., that a given
license is 95% similar to the MIT license, that 5% likely representing
legally insignificant changes to the license text."
https://github.com/benbalter/licensee
We could perhaps also semi-automate the generation of emails to authors
of the offending npm packages with unclear packages.
Say only 1% of 470.000 has an unclear license, that equals 4700 emails to
authors. :)
In a hypothetical scenario with import of 20 npm packages a day it will
take us 477.000/20 = 23850 days = 65 years to import them all.
In a hypothetical scenario with import of 500 npm packages a day it will
take us 477.000/500 = 954 days = 2,6 years to import them all.
This is based on the assumption that all are free software, but that is
probably not the case.
BTW
ssb-patchwork had over 400 dependents in 10+ levels and the dotfile is
attached. The rendered png is crazy looking. Reminds me of the holy
spaghetti monster.
A graph of all npm packages and top packages is also available:
https://exploring-data.com/info/npm-packages-dependencies/
--
Cheers
Swedebugia
Attachment: ssb-patchwork.dot.bz2 (application/bzip)
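The three-step matching order quoted from licensee above, as an added Ruby example that is not licensee's own code: the license corpus is constructed and abbreviated, and the similarity step uses a character-bigram Sørensen–Dice coefficient (one common variant; licensee's own tokenisation may differ).

```ruby
# Constructed, abbreviated license texts standing in for a real corpus.
KNOWN_LICENSES = {
  'MIT' => 'Permission is hereby granted, free of charge, to any person obtaining a copy ' \
           'of this software to deal in the Software without restriction. ' \
           'THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND.',
  'ISC' => 'Permission to use, copy, modify, and/or distribute this software for any ' \
           'purpose with or without fee is hereby granted. ' \
           'THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES.'
}.freeze

# A line that is only a copyright notice, e.g. "Copyright (c) 2015 Ben Balter".
COPYRIGHT_LINE = /\A\s*copyright\b.*\d{4}/i

# Drop copyright lines, then normalise case, punctuation and whitespace so
# cosmetic differences do not defeat the cheap exact-match step.
def normalize(text)
  text.lines
      .reject { |l| l.match?(COPYRIGHT_LINE) }
      .join(' ')
      .downcase
      .gsub(/[^a-z0-9 ]/, ' ')
      .split
      .join(' ')
end

# Sørensen–Dice coefficient over character bigrams: 2|A∩B| / (|A| + |B|),
# with the intersection counted as a multiset.
def dice(a, b)
  bigrams = ->(s) { s.chars.each_cons(2).map(&:join).tally }
  ga, gb = bigrams.(a), bigrams.(b)
  return 0.0 if ga.empty? || gb.empty?
  shared = ga.sum { |g, n| [n, gb.fetch(g, 0)].min }
  2.0 * shared / (ga.values.sum + gb.values.sum)
end

# Returns [verdict, similarity] following the quoted order:
# 1. copyright notice only -> 'no-license' (author retains all rights)
# 2. exact match after normalisation
# 3. best Dice score, accepted only above the threshold, else 'unknown'
def classify(license_text, threshold: 0.90)
  notice = license_text.lines.map(&:strip).reject(&:empty?)
  return ['no-license', 1.0] if !notice.empty? && notice.all? { |l| l.match?(COPYRIGHT_LINE) }
  body = normalize(license_text)
  KNOWN_LICENSES.each { |name, t| return [name, 1.0] if normalize(t) == body }
  name, score = KNOWN_LICENSES.map { |n, t| [n, dice(normalize(t), body)] }.max_by(&:last)
  score >= threshold ? [name, score.round(3)] : ['unknown', score.round(3)]
end
```

A near-match score is a hint for the human verification Brett mentions, not a verdict; the threshold decides only which files get queued for review.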