bug-librejs

Re: Updated version of proposed LibreJS spec changes


From: bill-auger
Subject: Re: Updated version of proposed LibreJS spec changes
Date: Sun, 23 Jul 2023 01:23:59 -0400

On Sun, 23 Jul 2023 11:10:26 +1000 Yuchen wrote:
> #+begin_src js
> /* content of foo.js which is under gpl3+ */
> // SPDX-License-Identifier: GPL-3.0-or-later
> // code from foo.js
> /* content of bar.js which is nonfree */
> // code from bar.js
> #+end_src
> 
> librejs will assume the code in bar.js is also under gpl3+, and let it
> through, when it shouldn't.

such "bundles" suggest deeper questions - how would librejs know on which line
of the concatenation does foo.js end and bar.js begin?

if such a fundamental question can not be resolved by a machine, then i would
disqualify such "bundles", as fundamentally deceptive - i can think of a worse
case where foo.js declares a permissive license, then bar.js is actually
GPL-licensed, but does not declare so in the source file, or that information
was stripped by a minimizer - the concatenated output file could technically be
a GPL violation

i would reject the entire bundle (even if that applies to all "bundles"), and
allow the user to whitelist the entire bundle manually - presumably, it is not
possible to identify each well-licensed vs ill-licensed bundle segments to be
offered as whitelist options - there is no remedy downstream for poor licensing

so ideally, ask the upstream and/or developers of the "bundler" software to be
diligent/regular about reflecting license and copyright declarations of each
input file in the output file

> #+begin_src js
> // BUNDLER_FILE BEGIN foo.js
> // SPDX-License-Identifier: GPL-3.0-or-later <-- upstream wrote this
> // code from foo.js
> // BUNDLER_FILE BEGIN bar.js
> // @license GPL-3.0-or-later                 <-- upstream wrote this
> // code from bar.js
> // BUNDLER_FILE BEGIN non-free.js
> // SPDX-License-Identifier: Unknown          <-- bundler injected this
> // code from non-free.js
> #+end_src
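
The whole-bundle rejection discussed in this message, sketched as an added example that is not part of the original message and is not LibreJS code. The `BUNDLER_FILE BEGIN` marker is the hypothetical convention from the snippet above; the `FREE_LICENSES` allowlist, function names and sample bundles are assumptions made for illustration.

```javascript
// Added illustration, not LibreJS code. "BUNDLER_FILE BEGIN" is the hypothetical
// marker from the message; FREE_LICENSES is an assumed, abbreviated allowlist.
const FREE_LICENSES = new Set(['GPL-3.0-or-later', 'GPL-3.0-only', 'MIT', 'Apache-2.0']);
const MARKER = /^\/\/\s*BUNDLER_FILE BEGIN\s+(\S+)\s*$/;
const DECLARATION = /^\/\/\s*(?:SPDX-License-Identifier:|@license)\s+(\S+)/;

// Split a bundle into per-file segments, recording each segment's first declaration.
function splitBundle(source) {
  const segments = [];
  let current = null;
  for (const line of source.split(/\r?\n/)) {
    const marker = MARKER.exec(line);
    if (marker) {
      current = { file: marker[1], license: null };
      segments.push(current);
      continue;
    }
    if (line.trim() === '') continue;
    if (!current) {
      // Content before any marker cannot be attributed to an input file.
      current = { file: null, license: null };
      segments.push(current);
    }
    const decl = DECLARATION.exec(line);
    if (decl && current.license === null) current.license = decl[1];
  }
  return segments;
}

// Accept only if every segment is attributed and declares an allowlisted license.
function checkBundle(source) {
  const segments = splitBundle(source);
  const offending = segments.filter(s => s.file === null || !FREE_LICENSES.has(s.license));
  return { accepted: segments.length > 0 && offending.length === 0, offending };
}

// Constructed samples mirroring the two snippets quoted in the message.
const UNMARKED = ['// SPDX-License-Identifier: GPL-3.0-or-later', 'var foo = 1;',
  'var bar = 2; // nonfree, undeclared'].join('\n');
const MARKED = ['// BUNDLER_FILE BEGIN foo.js',
  '// SPDX-License-Identifier: GPL-3.0-or-later', 'var foo = 1;',
  '// BUNDLER_FILE BEGIN bar.js', '// @license GPL-3.0-or-later', 'var bar = 2;',
  '// BUNDLER_FILE BEGIN non-free.js', '// SPDX-License-Identifier: Unknown',
  'var nf = 3;'].join('\n');

console.log(checkBundle(UNMARKED).accepted, checkBundle(MARKED).offending);
```

A bundle with no markers collapses into one unattributed segment and is rejected even though it opens with a GPL declaration. The result is only as trustworthy as the bundler that emits the markers and declarations.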


