Extend Security Best Practices for your Project#3465
> Using open source dependencies can speed up development, but each package includes a license that defines how it can be used, modified, or distributed. Some licenses are permissive, while others (like AGPL or SSPL) impose restrictions that may not be compatible with your project's goals or your users' needs.
> Imagine this: You add a powerful library to your project, unaware that it uses a restrictive license. Later, a company wants to adopt your project but raises concerns about license compliance. The result? You lose adoption, need to refactor code, and your project's reputation takes a hit.
@Jeffrey-Luszcz feel free to suggest a better example for the mixed-license scenario in the license section. You probably have a much stronger one than mine 🙏
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
xcorail left a comment
Nice additions!
I will let @Jeffrey-Luszcz weigh in on the licensing stuff, and I made a suggestion for the IR plan section, but I like the rest.
@UlisesGascon I see @xcorail has some suggestions above. Can you take a look and discuss/accommodate? I've pinged @Jeffrey-Luszcz and he'll be taking a look when he can. Thank you for the contribution.
> Imagine this: You add a powerful library to your project, unaware that it uses a restrictive license. Later, a company wants to adopt your project but raises concerns about license compliance. The result? You lose adoption, need to refactor code, and your project's reputation takes a hit.
> To avoid these pitfalls, consider including automated license checks as part of your development workflow. These checks can help identify incompatible licenses early in the process, preventing problematic dependencies from being introduced into your project.
Is there an existing auto license check tool that we could link users to?
Not an expert on this, but we could point readers to a couple of options, though they are not easy to adopt (IMO).
For example, FOSSA is a commercial tool that provides automated license-compliance scanning, and there's also the OSS Review Toolkit (ORT), an open-source option that includes a license scanner: https://oss-review-toolkit.org/ort/docs/tools/scanner/
Most of the scanners I use personally are specific to the npm universe 🤔.
Co-authored-by: Xavier RENE-CORAIL <xcorail@github.com>
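The "automated license checks" the quoted paragraph recommends can be approximated with a small policy gate run in CI. The block below is an added example, not code from this PR or from the project being edited, and not the FOSSA or ORT tooling mentioned in the thread. The policy, the function names (`checkLicenses`, `evaluateExpression`, `licenseExpression`) and the dependency list are illustrative; a real run would read every package.json under node_modules/ (or walk the lockfile) instead of the constructed `sampleDeps`.

```javascript
// Added example (not the project's own tooling): a minimal dependency-license
// gate for CI. Fails closed on anything not explicitly allowed, including
// packages that declare no license at all.

const POLICY = {
  // SPDX identifiers the project is willing to depend on (assumed policy).
  allow: new Set(["MIT", "ISC", "0BSD", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"]),
  // Identifiers that always fail, even if someone later adds them to `allow`.
  deny: new Set(["AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"]),
};

// Collapse the license metadata of a package.json into one SPDX expression.
// Older packages use `license: { type }` or a `licenses: [...]` array (any
// listed entry may be chosen, so the array is joined with OR).
function licenseExpression(pkg) {
  if (typeof pkg.license === "string") return pkg.license.trim();
  if (pkg.license && typeof pkg.license.type === "string") return pkg.license.type.trim();
  if (Array.isArray(pkg.licenses) && pkg.licenses.length > 0) {
    return pkg.licenses.map((l) => (typeof l === "string" ? l : l.type)).join(" OR ");
  }
  return null; // nothing declared: a violation, not "probably fine"
}

function idAllowed(id, policy) {
  return !policy.deny.has(id) && policy.allow.has(id);
}

// Evaluate a flat SPDX expression: "A OR B" passes if either side is allowed,
// "A AND B" only if both are. Parentheses are dropped, so an expression that
// mixes AND and OR is not evaluated precisely and is flagged for manual review.
// Unknown tokens ("SEE LICENSE IN LICENSE.txt", "UNLICENSED", "X WITH Y") are
// not in the allow set and therefore fail closed.
function evaluateExpression(expr, policy) {
  const flat = expr
    .replace(/[()]/g, " ")
    .replace(/\s+(and|or)\s+/gi, (_m, op) => ` ${op.toUpperCase()} `)
    .replace(/\s+/g, " ")
    .trim();
  const hasAnd = flat.includes(" AND ");
  const hasOr = flat.includes(" OR ");
  if (hasAnd && hasOr) return "review";
  const ids = flat.split(hasAnd ? " AND " : " OR ").map((t) => t.trim());
  const ok = hasAnd
    ? ids.every((id) => idAllowed(id, policy))
    : ids.some((id) => idAllowed(id, policy));
  return ok ? "allowed" : "denied";
}

// Check every dependency; CI fails when the violation list is non-empty.
function checkLicenses(packages, policy) {
  const violations = [];
  for (const pkg of packages) {
    const expr = licenseExpression(pkg);
    const status = expr === null ? "missing" : evaluateExpression(expr, policy);
    if (status !== "allowed") {
      violations.push({ name: pkg.name, version: pkg.version, license: expr, status });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Constructed dependency metadata standing in for the package.json files a
// real scan would read. Package names are made up.
const sampleDeps = [
  { name: "left-pad-ish", version: "1.0.0", license: "MIT" },
  { name: "dual-licensed-lib", version: "2.3.1", license: "(MIT OR Apache-2.0)" },
  { name: "strong-copyleft-db", version: "4.0.0", license: "AGPL-3.0-only" },
  { name: "legacy-pkg", version: "0.9.0", licenses: [{ type: "BSD-3-Clause", url: "https://example.invalid/bsd" }] },
  { name: "no-license-field", version: "1.2.0" },
  { name: "custom-terms", version: "3.0.0", license: "SEE LICENSE IN LICENSE.txt" },
  { name: "mixed-expr", version: "1.0.0", license: "(MIT AND CC-BY-4.0) OR Apache-2.0" },
];

const report = checkLicenses(sampleDeps, POLICY);
for (const v of report.violations) {
  console.log(`${v.status.padEnd(8)} ${v.name}@${v.version}  license: ${v.license}`);
}
console.log(report.ok ? "license check passed" : "license check failed");
```

The check only looks at declared metadata, which is the cheap early signal the paragraph is after; the tools named in the thread go further by scanning actual license text and evaluating full SPDX expressions. Keeping "missing" and "review" as distinct outcomes from "denied" lets a reviewer see whether a package needs a policy decision or just a metadata fix.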
xcorail left a comment
LGTM for me - I just suggested a typo fix.
I will approve the PR, but I defer to @Jeffrey-Luszcz for the licensing part
Thanks @UlisesGascon for these additions!
Co-authored-by: Xavier RENE-CORAIL <xcorail@github.com>
ahpook left a comment
Let's get this merged and deployed!
@ahpook iterate ftw. Thank you for merging.
cc: @KevinCrosby, @Jeffrey-Luszcz @DUBSOpenHub @jonchurch @blakeembrey @ljharb @RafaelGSS
Note: This PR will impact #3462 and #3461