by thed 1963 days ago
This article touches a point I have been wondering about regarding the Notice condition: "But web developers, as a whole, haven’t got the memo."

The JavaScript and npm ecosystem are extremely dependency-heavy. Even if you only take a few yourself, the number of sub-dependencies of even a simple application are often in the hundreds.

Why does "everyone" ignore the attribution of their dependencies and sub-dependencies? Laziness? Risk of getting sued too low? What happens if Oracle buys all the left-pads in the world?

4 comments

I doubt there's any single answer that isn't tautological. In other kinds of development, like embedded programming, notice files are a part of the cycle. Web developers simply haven't developed the habit.

Which is a real head scratcher, because as a rule, JavaScript developers use JavaScript package managers, and JavaScript package managers, especially npm, provide good license metadata and auditability. You can have an automated tool, usually a plugin for your front-end bundler, compile a pretty good notice file for you, no matter how many direct and transitive dependencies you have.

I think there's also a chicken-and-egg problem, in that it's not exactly clear how to make the notices file for front-end code available. Link from website footer? At the top of the client bundle? Comment at the top of the client bundle, with a URL for the notices files?

I've seen at least some minified/bundled JS files that neatly preserved the copyright notices for each minified blob they included.
Minifiers and obfuscators are one reason newer licenses like MPLv2 don't require minified JavaScript to carry attribution and copyright notices.
MPLv2 does require you to inform the recipient that the software is under MPLv2 and where to find the source code for it.
Yes, but not necessarily as part of the minified code.

> Q16: Is "minified" JavaScript Source Code?

> No. Minified JavaScript, while not an "executable" in the software engineering sense of the word, is difficult for humans to read, edit, and modify. As such, it is not "the preferred form for modification" and so it is not Source Code as defined by the license. Therefore, minified JavaScript is the Executable form, and the responsibilities set out in the license for distribution of the Executable form should be met when you distribute minified MPL-licensed JavaScript.

> This means, among other things, that you do not need to, and probably should not preserve the MPL boilerplate (which begins "This Source Code Form...") when minifying JavaScript. However, you do need to comply with section 3.2(a) by informing the recipients of the minified source how they can obtain a copy of the source code. How exactly you do this will depend on how they can obtain that copy, but one way would be to include a comment with a link to the source code in either the page which uses the JavaScript or in the JavaScript file itself.

> Note that treating minified JavaScript as an executable increases distributor flexibility by allowing MPL-licensed code to be combined into a single file with non-MPL JavaScript source code without requiring the non-MPL code to be distributed under the terms of the MPL.

Ref: https://www.mozilla.org/en-US/MPL/2.0/FAQ/

> You can have an automated tool, usually a plugin for your front-end bundler, compile a pretty good notice file for you,

I think the tl;dr is that this is feasible but not common, and there's no single widely-used default way of doing it.

E.g. many packages put their copyright/license info in special inline comments (using `/*! ... */` tags), and every minifier I've used keeps such tags by default. But including these tags in your bundles can be undesirable - if a dependency has `/*! Copyright foo@bar */` without specifying the package name, then your bundle will appear to be entirely (c) that author.

OTOH the huge majority of projects do include a valid license identifier in a package.json tag (since npm complains if you don't). But I don't think there's any widely-used default way of generating a good licenses declaration from them.
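As an added example for the two comments above (the one saying a tool can compile a notice file from npm metadata, and this one saying there is no common way to do it), here is a small Node script that is not code from this thread, from npm or from webpack. It walks a dependency tree including transitive dependencies, lists each package once, flags any package with no license field or an unresolved dependency instead of silently omitting it, and separately pulls the `/*!` and `@license` comments that minifiers preserve out of a bundle. The package records and the bundle text are constructed inline so it runs offline; a real tool would read package.json files under node_modules and resolve versions through the lockfile rather than using the exact `name@version` keys assumed here.

```javascript
// Constructed stand-in for the package.json files under node_modules.
// Keys are exact name@version (an assumption for this example); real
// dependency fields hold semver ranges resolved via package-lock.json.
const PACKAGES = {
  'app@1.0.0': { name: 'app', version: '1.0.0', license: 'UNLICENSED', private: true,
    dependencies: { 'left-pad': '1.3.0', 'widget-kit': '2.0.1' } },
  'left-pad@1.3.0': { name: 'left-pad', version: '1.3.0', license: 'MIT',
    author: 'Example Author <author@example.invalid>', dependencies: {} },
  'widget-kit@2.0.1': { name: 'widget-kit', version: '2.0.1', license: 'MPL-2.0',
    // ghost-lib is deliberately absent from PACKAGES to show unresolved reporting
    dependencies: { 'left-pad': '1.3.0', 'tiny-util': '0.2.0', 'ghost-lib': '9.9.9' } },
  'tiny-util@0.2.0': { name: 'tiny-util', version: '0.2.0', dependencies: {} }, // no license field
};

// Breadth-first walk from the root package. Each distinct dependency is
// returned once (the "left-pad reached via two paths" case from the thread);
// a `seen` set also stops cycles. Dependencies with no package record are
// reported in `missing` so the notice file is not quietly incomplete.
function collectDependencies(rootKey, packages) {
  const seen = new Set([rootKey]);
  const queue = [rootKey];
  const found = [];
  const missing = [];
  while (queue.length > 0) {
    const pkg = packages[queue.shift()];
    for (const [name, version] of Object.entries(pkg.dependencies || {})) {
      const depKey = `${name}@${version}`;
      if (seen.has(depKey)) continue;
      seen.add(depKey);
      if (packages[depKey]) {
        found.push(packages[depKey]);
        queue.push(depKey);
      } else {
        missing.push(depKey);
      }
    }
  }
  return { found, missing };
}

// Normalise the license field: modern package.json uses an SPDX string,
// older ones used { type, url }; anything else is flagged for manual review.
function licenseOf(pkg) {
  if (typeof pkg.license === 'string') return pkg.license;
  if (pkg.license && typeof pkg.license.type === 'string') return pkg.license.type;
  return 'UNKNOWN (no license field)';
}

// Render a THIRD-PARTY NOTICES text grouped by license, one line per package.
function buildNotice(deps) {
  const byLicense = new Map();
  for (const pkg of deps) {
    const license = licenseOf(pkg);
    if (!byLicense.has(license)) byLicense.set(license, []);
    byLicense.get(license).push(pkg);
  }
  const lines = ['THIRD-PARTY NOTICES', ''];
  for (const license of [...byLicense.keys()].sort()) {
    lines.push(`== ${license} ==`);
    const pkgs = byLicense.get(license).sort((a, b) => a.name.localeCompare(b.name));
    for (const pkg of pkgs) {
      const author = pkg.author ? ` (${pkg.author})` : '';
      lines.push(`${pkg.name}@${pkg.version}${author}`);
    }
    lines.push('');
  }
  return lines.join('\n');
}

// Constructed bundle text illustrating the comment conventions minifiers keep.
const SAMPLE_BUNDLE = [
  '/*! Copyright Example Author. Licensed MIT. */',
  'function a(){return 1}',
  '/* internal helper, a minifier would drop this */',
  '/** @license MPL-2.0 widget-kit; source: https://example.invalid/widget-kit */',
  'function b(){return a()+1}',
].join('\n');

// Extract block comments that start with "/*!" or contain @license / @preserve,
// the markers minifiers (including webpack's default minifier) retain.
function extractLicenseComments(source) {
  const comments = source.match(/\/\*[\s\S]*?\*\//g) || [];
  return comments.filter((c) => c.startsWith('/*!') || /@(license|preserve)\b/.test(c));
}

function main() {
  const { found, missing } = collectDependencies('app@1.0.0', PACKAGES);
  console.log(buildNotice(found));
  if (missing.length > 0) console.log('UNRESOLVED dependencies:', missing.join(', '));
  console.log('License comments kept in bundle:\n' + extractLicenseComments(SAMPLE_BUNDLE).join('\n'));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The useful part for the attribution question is the two failure modes: a package with no license field lands in an `UNKNOWN` section rather than disappearing, and a dependency that cannot be resolved is listed as unresolved, which is the check that stops a generated notice file from looking complete when it is not.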

I'm not following your train of thought here really. Are you saying that people are stripping out the notice from the source code as a matter of course and then redistributing it?
He's saying that if you depend on A and A depends on B and they're both MIT licensed then technically you should include the licenses for A and B on your site, but most people only include A.
Surely the MIT license only mentions leaving the notice intact. It doesn't say anything about including the notice on your website.
"The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software."

If you are using some js library with the MIT license in your frontend then you are distributing a copy of the software. You have to include the notice somewhere on your website (typically next to the library)

People viewing your website don't get a copy of the software, nor do they get a substantial portion. The MIT license (like most licenses) applies to the code, not to what that code produces.
If people are downloading the source, and executing that code, e.g. as parent said "frontend", then yes, it's on their computer. It's not server side, such as with PHP, or Python or backend JS.

However, the license doesn't have to appear on the website portion specifically highlighted for human viewing. It merely needs to exist, say, at the top of every javascript file.

Or a link to where the text form of the license is.

Just because it's inconvenient, and just because people are ignoring it, doesn't mean it's being done as it should be...

Is that minification?
I thought minifiers were supposed to keep licenses (they can detect the license header). I suppose this could get turned off or messed up by accident with the gigantic custom webpack bundlers even stuff like create-react-app ship with.
Lots of libraries don't put the license in the header, only in a separate LICENSE file.
I've looked at Webpack's output before, and I don't recall seeing any headers there.
Webpack definitely keeps the license headers even when minification is on. They have to start with something like "@license".
Are their product/business owners aware of the legal obligations that their developers are signing them up for? Do the developers actually have the authority to enter into these licences?
Webpack keeps the licenses when outputting bundles. Given the popularity of this tool a lot of people are respecting the attribution clause.