On Wed, Sep 11, 2019 at 05:05:50PM -0700, Alec Warner wrote: > On Wed, Sep 11, 2019 at 4:48 PM William Hubbs wrote: > > > On Wed, Sep 11, 2019 at 04:34:27PM -0700, Alec Warner wrote: > > > On Wed, Sep 11, 2019 at 10:39 AM Michael Orlitzky > > wrote: > > > > > > > On 9/11/19 1:21 PM, William Hubbs wrote: > > > > > +++ b/dev-vcs/hub/hub-2.12.3.ebuild > > > > > ... > > > > > > > > > > LICENSE="MIT" > > > > > > > > This license is wrong, as it's pretty much guaranteed to be every time > > > > you commit one of these packages. I find it pretty troubling that one > > > > corporation is able to force this stuff through even though it's a > > > > security and legal hazard for everyone else. > > > > > > > > > > How is it wrong? > > > > > > https://github.com/github/hub/blob/master/LICENSE > > > > The argument is that because of the vendoring, LICENSE= needs to list > > all licenses for the vendored dependencies that are different from MIT > > as well. > > > > I see, I tend to believe that argument in that case. > > > > > > Personally I don't have a comment about this, but that's what is being > > pushed for. I'll let you guys debate this but it isn't really relevant > > to the eclass. ;-) > > > > I think it's difficult to put instructions in the eclass like: > > +# $ cd /my/clone/of/upstream > +# $ git checkout > +# $ go mod vendor > +# $ tar cvf project-version-vendor.tar.gz vendor > > And then not mention this fairly easy trap (it's so easy to fall into you > did it twice.) In the case of hub, I didn't make a vendor tarball because upstream does the vendoring, so I don't see how these two things are related. In other words, the way I see this is a tree-wide issue. LICENSE= for any package should list every license for every package it links to or uses. William