So, hi everyone. All right, so this is... that's me, hangry, which I'm getting now, so I'll keep it short. I've been doing a bit of coding lately and I wanted to talk about this problem that's near and dear to my heart, which is software licensing. I love it. Intellectual property is the worst thing that happened to humankind today. It is my life's mission to end it, so with that understatement, let me continue.

Imagine that you're working on a project, and you're like, hey, there's open source, everyone should use it, it's awesome, and it's available under, you know, whatever random open source license. It's free. But somebody goes, well, that's cool, but wait a minute, what about all the dependencies? What do they use? And you're like, I don't know. Who knows, right? Nobody checks that stuff. So you kind of just pretend you don't have this problem. Now the problem gets really bad because npm is awesome: with npm you have a lot of dependencies. So I did a little experiment to show how far this goes. If you just see these commands here: you create a new project, and then you install a reasonably simple stack like Express and Browserify, and then you lint some stuff with Standard, and you use ES6, so you have Babel, and then you test, of course, with Karma, Mocha and Chai, right? This is reasonably reasonable stuff. If you check how many dependencies your dependencies have, and then all the way down, you're like, okay, well, let's check it out. And I'm like, hang on a second, my computer is not the fastest. Okay, so there's a lot, and then you're like, okay, well, shit, there's more. So there's a lot of dependencies, right? It's crazy. I have no idea what license they all use, so I cannot guarantee that my application is actually free to use despite the license that I put on my code.
That's a problem. Now with just this stack you have about fourteen hundred and seventy-something dependencies, and that will change tomorrow because somebody's dependencies will increment their version, and if you do npm install tomorrow, it'll be slightly different. Am I right? Cool. So this is what I kind of call dependency hell: there's callback hell, and dependency hell is similar, where you just have way too many dependencies and they've all got different versions all the time and keep breaking things. So basically there's a couple of different things that are going on here. If the dependency that you're using is on, like, version two and they're already at version five or something, what's gonna happen is that if you patch some problem in that dependency, if you fix the license for that package or if you fix some other bug, and they accept your patch, it's going to go into the latest version. It's not gonna go back into version two. It could in theory, people can do that, but nobody that I've ever seen does that. That's just sort of how the tools are set up for people to work, and it's a problem. The other thing is, if your dependency that has a bug is a sub-dependency of some other sub-dependency of some other dependency or whatever, good luck, right? If you fix that, then you have to convince all these other people in the chain to bump the dependencies in their package.json. They have to bump the versions there, and it takes a long time.
It's a lot of effort. I've been doing it for the last couple of weeks and it's just really, really dependency hell. That's why it's like unfixable bugs. And then, just generally, there's a lot of projects where the maintainers are awesome people, they produce awesome code, but they just don't maintain their packages. I'm not gonna name names, but I've dealt with a lot of these guys in the past, like in the last couple of weeks. You actually just don't deal with them because they just ignore you or whatever, and they probably have valid reasons; they're awesome developers who have too much stuff going on to care about small little people. But anyway, right now there's solutions like Greenkeeper that just came out recently, I think it was announced at JSConf or something. This is a really, really cool tool. It just creates a lot of work for you: it automates a bunch of stuff, but it creates more stuff out of that. It's basically like Gemnasium or David-DM or VersionEye, if you've seen those things. They basically check the dependencies of your project and then tell you when some of them are getting out of date, and then they send you an email. Greenkeeper is a little bit better, it sort of does a pull request. So I don't know, but still, it's telling you, like, do more work, and you're like, but this thing works just fine, why are you making me do shit work? You should read that article, it's really good. Say what? Yeah, yeah, the same thing. Yeah, you get badges and now you can get pull requests. It's just pointless work, that's what it feels like. So, all right, now back to the legal problem, right?
That's the main thing that I'm trying to talk about. Similar to dependency hell, this kind of gives us a license hell. And the reasons for that are because at first, in the beginning before there was anything, npm had this property called licenses in your package.json file, and that didn't really work out. That's been deprecated, because it was very confusing what you have to put in there. Some people put the name of the license in there, or a URL to a license, or a file name without the license context in it. Some people who didn't speak American used different typos and different kinds of spellings and whatever, and some Americans probably also did that. So then there's other things, like different projects would use files called LICENSE.txt or LICENSE.md, or old-school ones like COPYING, and in different ecosystems they'll use different files for that. So it's not really easy to guess. What if your project has all four of those permutations, right? Good luck. So it's really, really annoying to have this kind of ambiguity when somebody asks, like, when you have to sign a contract that says, can you use this software? You have ambiguity, and that's never a good thing when lawyers ask you questions. So nowadays we've got this one property called license in your package.json, and if you have that, that's good. Now you also have to make sure that the value of that property is good. So are we legal yet? Probably not, right? There's a lot of those legacies floating around, but it's definitely getting better, and npm is starting to tackle this with this license property. So right now, if you just do npm init, it'll generate by default this license property with the value ISC, and that's totally cool, that's totally fine. But there's all these other licenses like MIT, BSD, Creative Commons, Apache, new stuff. So what's going on there?
Well, they're okay, but ISC is pretty much the best choice, for a lot of reasons. If you look at the ISC license, it's like two lines, it's super easy. All the other ones are longer, and that's annoying, I don't want to have to read a whole bunch of text. If you do look at the reason why ISC is so short, it's because of the Berne Convention of, like, the 19th century, when slavery was still a thing, but that's where it probably comes from, that's my point, right? So at the time it was a bit dodgy, but basically that's all been simplified, and the ISC is pretty much the simplest English language known to man if you want to just not fall under the copyright system. Then there's a thing called copyleft, which is sort of a word hack that has some issues if you want to use it commercially; some people complain and gripe about it. Some licenses have attribution, which is a huge pain in the... And then there's the Creative Commons stuff, which is a cool initiative, but they also have these little checkboxes when you choose your license to make it non-commercial or, what's it called again, non-derivative, right? Yeah, so non-commercial and non-derivative are basically evil, because they're just totally not open source licenses, since you can't do whatever you want with it, right? So just use ISC, please. Okay, there's hopefully more around that, I'm not gonna get into that now, but back to the license property.
This is totally awesome. If you put a string in there, you've got to make sure that it's what's known as an SPDX identifier. So SPDX is the specification that was published by the Linux Foundation, who have faced this problem for, like, a hundred years or something. They have to describe the licenses and make sure that everything's cool. Especially, look at the whole Gentoo thing, that was a really crazy one; some of these guys are really cool and they're very, very strict about it. So they've solved this problem very, very thoroughly. There's a whole specification, it's called SPDX, and Node only takes a couple of things out of that. The first one is license identifiers, and that's really simple, that's just short codes like MIT or GPL-3.0. Because of that we can all agree, so rather than somebody calling it MIT-X11 or MIT/X11, people just say MIT now. There's just MIT, and everyone uses the same thing, easy to understand. There's a whole list of these licenses. If I have internet access I can... right, so there's a bunch of licenses here. So instead of typing out, like, Creative Commons Attribution No-Derivatives or some random hyphenation and all that, you just use the short code, and by doing so you're telling npm that your license is the license that's listed out in the full official license text by SPDX, you know, the Linux Foundation and all that stuff. So you don't have to dump this text in your repository, you don't have to put headers in your source files, you don't have to keep updating these copyright timestamps and all that kind of stuff. This just solves those problems very, very simply with the license property where you put this thing into it, right?
Straightforward. You can also have a project where you use multiple licenses; some projects let you choose, like, the ISC license or the WTFPL, which is really cool, that's probably the second best license you can use. But you can do more complicated things if you're really annoying. I don't really know what this means, but there's like a Bison exception, I guess it's some cattle thing. Anyway, don't bother with these things, but they're supported and there's a standard for it, and then nobody's gonna misinterpret it, it'll just work. So I was looking around, like, how can I use this in my daily life, as anyone would, right? And there's this really cool tool by a guy whose name I forgot, but he made this thing called node-license-validator, and it's on npm. So what you do is you install it and then you just run it. It has this thing where I have to put a little attribute in there, --deep, and then you can tell it which license you use, right? So if I'm using ISC, I'll say, okay, I'll run that on my project, and if I go... give it a second, okay, this is only an SSD. All right, here we go. So these are all the licenses that are not compliant with ISC right now, so these are all invalid licenses. Okay, but I can see there's a bunch of licenses here that are called, like, MIT; there's things like Apache-2.0, BSD-3-Clause. I can recognize that these are available in the list of the SPDX licenses. So, okay, let's see. We can just specify a config file, so we'll say, like, we think, we're not lawyers, I'm not a lawyer, but I think these licenses are pretty much compatible with ISC, all right, so I'll use whatever code is published under those. If I do that, and I've got my config file and I run that, then it'll say, okay, now there's a bunch of bugs, right.
So all these licenses, like BSD, are actually not in the license list. It's kind of annoying because a lot of people use it. So now our problem has been narrowed down: from, like, 600-something out of the 1400 packages that I'm using, I already cut away 900 of those and said these are all fine to use. But then out of the 600 I've cut away another 550 or so, and those are all fine, my license is compatible with those at least. So now I've got 55 problems, and that's sort of been a bit of a hell for me. So that's my dependency hell again, right? So luckily we've at least turned the license hell into a dependency hell, which is a problem that a lot of people are facing, so I'm not alone. So what I've been doing in the last week or something, for my little personal project, is I've set up an issue on GitHub where I just track all my 55 or whatever broken licenses that I'm not legally allowed to use, and I've started filing issues everywhere. So I'm like a huge pain in the ass for a lot of people, and I'm sort of tracking, and sometimes it's really cool, because I did one with a rather opinionated person, so I was trying to be as polite as I could, and then he goes... I'm trying to be optimistic about it, so it's like, hey, thank you, and I looked into it and he's totally right. Okay, that's usually the thing about him: he hurts your feelings, but he's actually really smart. He's like a million years old and he knows a lot more than you. So I looked up a bunch of stuff that actually disputed what the Creative Commons said and what SPDX, the Linux Foundation, say, and as far as I can tell, yeah, you're totally allowed to do what he does, which is put things under a public domain. Which is a problem, because in npm there's no value that tells anyone that public domain is, like, a license.
It's not actually a license. Copyright is a weird thing. So probably anything in the public domain is actually not copyrighted; anything under an open source license is copyrighted. So if you say it's public domain, it's not technically a license, so there's no SPDX identifier for it. So yeah, but what he does is totally valid, it just can't go into npm. So it's kind of stuck there now, and I don't know how I'm gonna deal with that, but there's loads more. I mean, it's really cool, though, to get a one-line package.json metadata pull request accepted into somebody's packages. I got some into some pretty big packages and I felt really proud. So I hope that people help me out with that, because it's gonna take a lot of effort to solve for all the packages in npm. Now the other problem is, not only do you have to get these little tiny pull requests with the license property accepted, you also have to deal with the dependency hell of getting all the dependencies in older versions. Like I said, if they're using a lower major version, you have to get those bumped, and all the dependents of those packages, right? Hence the dependency hell. So anyway, okay, going on. Until then I'm just sort of cheating, and what I'm doing is I'm using my node-license-validator tool and I'm just sort of saying, okay, all these 55 packages, just ignore that, and eventually I can manually track, like, okay, when they get fixed there'll be a warning. I'm trying to get a feature implemented in that tool that will tell me when those packages actually are fixed and have a proper license, and then I can take it automatically out of these cheating exemptions, right? But basically what happens now is I whitelist my licenses and I whitelist my packages, and then I can pass my build, because the coolest thing is to put this into your CI, right?
This is after testing and linting: you put auditing in there, it's a new thing. So you break the build, you don't break the law. Remember that. And you can just use a watch task or something to set this up, so that as soon as you do npm install it'll validate the whole thing again and tell you, like, oh, you installed this dependency, but it's totally illegal, right? Another thing that I found really fun was basically just going around spamming everyone and annoying the hell out of all these famous projects. So over the last couple of days I've been spamming all these famous projects, like substack probably, I don't know, he's not even responding to me, so I don't know what's going on there, whatever. And then just a little bit of extra information that I wanted to give out there. I mentioned the public domain is a quirk, and I'm really not sure how npm is going to solve that. I don't know, I need to reach out and start a bigger discussion about that, because it's really useful to put things into the public domain. If you're, like, working for the government and they have to publish things into the public domain, sometimes legally it's the only way they can publish intellectual property, then they technically couldn't create npm packages, and I would be ashamed. Another thing, two caveats: if you don't have a license for your stuff, if you're creating private things or whatever, first thing, put private: true in your package.json, and then for license there's this exception. This is not an SPDX license identifier, but npm explicitly allows this. So this bends the standard a little bit, which is really fun. Sorry, I don't know, I'm using npm 3, but I think npm 2 also supports it.
I checked the documentation, so it must be two. Anyway, and then if you're using a custom license, just don't do that, but if you really want to or have to, under duress or something, then you can put this special magic string in there that says SEE LICENSE IN and then a file name. And then the file name should hopefully exist, that would be nice. Yeah, but that's the problem, right, because all these kinds of things go wrong. And if there's a URL, don't do that, but if it's a URL then... anyway. And then lastly, there's a couple of other tools. If you for some reason showed up here and you don't like Node, then please leave, but you can also use VersionEye and Pivotal's LicenseFinder. I found those, I haven't tried them. Why could... why should I? Okay, cool. Yeah, that's about it. Any questions about licensing in general or this tool in particular? Any other questions? Thank you.
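As an added example (my own code, not node-license-validator's), here is the kind of check the talk describes: walk package.json metadata, normalize the string, object and deprecated licenses-array forms, evaluate SPDX expressions such as (ISC OR WTFPL) against an allowed-license list, honour a package exemption list, and flag SEE LICENSE IN, UNLICENSED, URLs and missing metadata for a human. The allowed list, the exempt list and the package names in the sample tree are constructed assumptions.

```javascript
// Allowed SPDX identifiers: the "we think these are ISC-compatible" config (assumption).
const ALLOWED = new Set(['ISC', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', 'WTFPL']);
// Packages whitelisted while upstream license fixes land (the "cheating" list; assumption).
const EXEMPT = new Set(['old-bsd-thing']);

// Reduce the historical shapes of license metadata to one string (or null if absent).
function licenseString(pkg) {
  if (typeof pkg.license === 'string') return pkg.license.trim();
  if (pkg.license && typeof pkg.license.type === 'string') return pkg.license.type; // {type, url}
  if (Array.isArray(pkg.licenses) && pkg.licenses.length) {                         // deprecated array
    return '(' + pkg.licenses.map((l) => l.type).join(' OR ') + ')';                // any one may be chosen
  }
  return null;
}

// Evaluate an SPDX expression against ALLOWED: identifiers, parentheses, AND (both sides
// must be allowed) and OR (either side). "WITH" exceptions are not handled and read as unknown ids.
function exprAllowed(expr) {
  const tokens = expr.match(/[()]|[A-Za-z0-9.+-]+/g) || [];
  let i = 0;
  function primary() {
    if (tokens[i] === '(') { i++; const v = orExpr(); i++; return v; }  // consume "(" ... ")"
    return ALLOWED.has(tokens[i++]);
  }
  function andExpr() { let v = primary(); while (tokens[i] === 'AND') { i++; v = primary() && v; } return v; }
  function orExpr()  { let v = andExpr(); while (tokens[i] === 'OR')  { i++; v = andExpr() || v; } return v; }
  return tokens.length > 0 && orExpr();
}

// Classify one package; only "ok" and "exempt" let the build pass.
function classify(name, pkg) {
  if (EXEMPT.has(name)) return 'exempt';
  const lic = licenseString(pkg);
  if (lic === null) return 'missing';
  if (lic === 'UNLICENSED') return 'unlicensed';        // npm's explicit "no license granted" value
  if (/^SEE LICENSE IN /.test(lic)) return 'custom';     // custom file: a human has to read it
  if (/^https?:\/\//.test(lic)) return 'url';            // a URL is not an identifier
  return exprAllowed(lic) ? 'ok' : 'not-allowed';
}

// Audit a {name: packageJson} map and return only the packages that block the build.
function audit(tree) {
  const problems = {};
  for (const [name, pkg] of Object.entries(tree)) {
    const status = classify(name, pkg);
    if (status !== 'ok' && status !== 'exempt') problems[name] = status;
  }
  return problems;
}

// Constructed sample dependency tree; names and metadata are made up for this example.
const SAMPLE_TREE = {
  'express-like':  { license: 'MIT' },
  'dual-licensed': { license: '(ISC OR WTFPL)' },
  'copyleft-lib':  { license: 'GPL-3.0' },
  'legacy-array':  { licenses: [{ type: 'BSD', url: 'http://example.invalid/LICENSE' }] },
  'old-bsd-thing': { license: 'BSD' },
  'custom-lic':    { license: 'SEE LICENSE IN LICENSE.txt' },
  'no-metadata':   { version: '1.0.0' },
  'both-needed':   { license: 'MIT AND GPL-2.0' },
};
console.log(audit(SAMPLE_TREE));
```

In CI, exit non-zero when the returned object is non-empty so the build breaks before the law does.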