by shp0ngle 924 days ago
what IS weird though is the go ecosystem thing.

in the go ecosystem, copyleft is very much not the norm.

People might not realise that by just adding a copyleft dependency to go.mod, the entire project becomes effectively AGPL, as it has the code built in.


If you add a dependency without understanding the license that dependency is released under, you should stop doing that. That counts for every license, and particularly if there is no license.
It goes transitively though.

Some popular go packages grab tens (sometimes over hundreds, but not as many as in the node world) of dependencies.

NOBODY checks the licenses of all the transitive dependencies in the go world.

What should or should not happen is one thing; this is the reality.

edit: oh, but that led me to google this

neat

https://github.com/google/go-licenses
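As an added example, not code from the thread or from the go-licenses project: a small Go check that consumes the three-column CSV that `go-licenses report` writes (import path, license URL, license name) and fails on any GPL-family license, so indirect dependencies that never appear in go.mod get caught too. The sample report, the import paths in it and the copyleft prefix list are constructed for illustration.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed sample in the three-column CSV layout that `go-licenses report` writes
// (import path, license URL, license name). The rows are invented, not from a real scan.
const sampleReport = `example.com/app,https://example.com/app/blob/main/LICENSE,MIT
github.com/example/direct,https://github.com/example/direct/blob/main/LICENSE,Apache-2.0
github.com/example/indirect,https://github.com/example/indirect/blob/main/LICENSE,AGPL-3.0
github.com/example/deeper,https://github.com/example/deeper/blob/main/COPYING,LGPL-2.1
`

// Finding is one dependency whose license matched the copyleft policy.
type Finding struct{ Path, License string }

// isCopyleft is a build-policy knob, not a legal opinion: it flags the GPL family of SPDX-style ids.
func isCopyleft(license string) bool {
	return strings.HasPrefix(license, "AGPL-") || strings.HasPrefix(license, "GPL-") || strings.HasPrefix(license, "LGPL-")
}

// FlagCopyleft parses a go-licenses style report and returns every copyleft row in report
// order. go-licenses walks the full module graph, so indirect dependencies are included.
func FlagCopyleft(report string) ([]Finding, error) {
	r := csv.NewReader(strings.NewReader(report))
	r.FieldsPerRecord = 3 // every row must be path,url,license; anything else is an error
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var found []Finding
	for _, row := range rows {
		if lic := strings.TrimSpace(row[2]); isCopyleft(lic) {
			found = append(found, Finding{Path: row[0], License: lic})
		}
	}
	return found, nil
}

func main() {
	findings, err := FlagCopyleft(sampleReport)
	if err != nil {
		panic(err) // a malformed report should fail the build, not pass silently
	}
	fmt.Println(findings)
}
```

In CI the report would come from `go-licenses report ./... > licenses.csv` and a non-empty result would fail the job.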

Yes, that's why (apart from the Cyber Resilience Act) license scanners and SBOMs are a thing.