On Wed, Sep 11, 2019 at 4:48 PM William Hubbs <williamh@gentoo.org> wrote:

> On Wed, Sep 11, 2019 at 04:34:27PM -0700, Alec Warner wrote:
> > On Wed, Sep 11, 2019 at 10:39 AM Michael Orlitzky <mjo@gentoo.org>
> wrote:
> >
> > > On 9/11/19 1:21 PM, William Hubbs wrote:
> > > > +++ b/dev-vcs/hub/hub-2.12.3.ebuild
> > > > ...
> > > >
> > > > LICENSE="MIT"
> > >
> > > This license is wrong, as it's pretty much guaranteed to be every time
> > > you commit one of these packages. I find it pretty troubling that one
> > > corporation is able to force this stuff through even though it's a
> > > security and legal hazard for everyone else.
> > >
> >
> > How is it wrong?
> >
> > https://github.com/github/hub/blob/master/LICENSE
>
> The argument is that because of the vendoring, LICENSE= needs to list
> all licenses for the vendored dependencies that are different from MIT
> as well.
>

I see, I tend to believe that argument in that case.


>
> Personally I don't have a comment about this, but that's what is being
> pushed for. I'll let you guys debate this but it isn't really relevant
> to the eclass. ;-)
>

I think it's difficult to put instructions in the eclass like:

+# $ cd /my/clone/of/upstream
+# $ git checkout <release>
+# $ go mod vendor
+# $ tar cvf project-version-vendor.tar.gz vendor

And then not mention this fairly easy trap (it's so easy to fall into you
did it twice.)

-A


> William
>