by JMTQp8lwXL 1907 days ago
How is one supposed to reasonably know, when downloading a package from a public repository, that the included license is authoritative? Are we supposed to research every package we use, and scour all software in existence to maybe trace back true ownership to someplace else? Seems like an auditing nightmare.
2 comments

You can't. If you're notified then you need to promptly fix the issue with the complainant. When it comes to being sued for damages you can point at the fact that there was no reasonable way for you to know that the license you trusted was invalid, and at the author who was presumably negligent. If you've cooperated fully and mitigated it quickly that should protect you. Ignorance in this case is an excuse when it is reasonable and defensible ignorance, and not negligence on your part.
> Seems like an auditing nightmare.

Yes and that's why large companies are often extremely reluctant to take in 3rd party code without auditing and estimating the risk.

In fact they even sell insurance for this, and companies that want you to use their software can offer indemnity protection with the same effect.

"What if somebody sues me because my use of your software constitutes a violation of their intellectual property rights?" – "Don't worry, we will protect you. Since you pay so much money and are a valued customer of XYZcorp, we don't want you to worry about such things. You'll be covered by our umbrella policy."

This conversation certainly happens (although it almost certainly wouldn't have happened between any of Rails' customers and the Rails core team).

This has not been my experience. Getting the work done fast is prioritized more highly than the (small) compliance risk. Unless the company wants to pay you to invent a bespoke in-house version of React.

For using open source stuff while working on your machine there are often pre-approved licenses. But for production use, and even more for software being distributed, any serious place I have seen has paperwork. (Sometimes of better quality, sometimes more of a rubber-stamp process.)