Non-open source code in this repo #1

Open
omajid opened this issue Nov 30, 2020 · 20 comments

@omajid

omajid commented Nov 30, 2020

There's a number of files in this repository that include license headers that restrict the usage of those files:

```
/*!
* Note: While Microsoft is not the author of this script file, Microsoft
* grants you the right to use this file for the sole purpose of either:
* (i) interacting through your browser with the Microsoft website, subject
* to the website's terms of use; or (ii) using the files as included with a
* Microsoft product subject to the Microsoft Software License Terms for that
* Microsoft product. Microsoft reserves all other rights to the files not
* expressly granted by Microsoft, whether by implication, estoppel or
* otherwise. The notices and licenses below are for informational purposes
* only.
```

This license restricts what can be done with this file, which seems to run counter to the "No Discrimination Against Fields of Endeavor" requirement of the Open Source Definition and the 4 Essential Freedoms.

https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2-vsdoc.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate-vsdoc.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2.min.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-ui-1.8.11.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-1.6.2-vsdoc.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate.min.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery-ui-1.8.11.min.js
https://github.com/Humanizr/sample-aspnetmvc/blob/master/MvcSample/Scripts/jquery.validate-vsdoc.js

@omajid
Author

omajid commented Nov 30, 2020

cc @tmds

@omajid
Author

omajid commented Jan 7, 2021

cc @leecow @dleeapho

@omajid
Author

omajid commented Aug 4, 2021

cc @dseefeld

@omajid
Author

omajid commented Aug 4, 2021

This code is/was included in the version of Humanizr used in source-build: https://github.com/dotnet/source-build/tree/main/src

Anyone using source-build is at risk of violating the license.

@danmoseley

cc @Pilchie

@richlander

Ping ...

That license looks super dated, from a very different time. Do we have a newer version of jquery that we could use for this purpose?

@MichaelSimons

Ping - We are nearing the end of 7.0. Is this something that can get fixed?

@leecow

leecow commented Sep 22, 2022

@danmoseley - since this is your area now. Can we determine if any outstanding questions are preventing us from fixing this?

@danmoseley

@rafikiassumani-msft I see MVC -- does your team own this? What are your thoughts?

@rafikiassumani-msft

rafikiassumani-msft commented Sep 28, 2022

@danmoseley By reading the conversation in the following issue, dotnet/aspnetcore#34785, it looks like @mkArtakMSFT has updated the license for .net7. This might have been backported to .net6 as well. There may not be any outstanding issues; however, I will confirm with Artak.

@mkArtakMSFT

There have been two aspects of this. One was changes in our own repos (aspnet/jquery-validation-unobtrusive#156, aspnet/jquery-validation-unobtrusive#148, dotnet/aspnetcore#43060, dotnet/aspnetcore#42999). The second was specific to this repo, which @ChrisSfanos has taken on to follow up. Seeing no changes here I assume he had concluded that nothing should be done? @ChrisSfanos, can you confirm, please?

//cc @richlander

@ChrisSfanos

Thanks @mkArtakMSFT - the team agreed that the proper solution is for an end user to swap out a new version of jQuery that carries the desired license and move forward with that package - thanks!

@danmoseley

@MichaelSimons is the work here you need completed?

@MichaelSimons

@danmoseley - yes, I believe the work here is done. What needs to happen next is that the .NET product repo(s) that reference Humanizer need to update their reference version to newer/latest Humanizer. I will track down those repos and open issues.

@MichaelSimons

This issue should be closed now.

@mthalman

@omajid - What tools and/or process did you use for finding this? I'm trying to figure out how we can have a more automated way to catch things like this.

@omajid
Author

omajid commented Aug 18, 2023

@mthalman There's an internal service at Red Hat which uses https://github.com/nexB/scancode-toolkit to scan code for license and copyrights.

@mthalman

I've been playing with that. Is there some trick to get it to detect this particular finding? When I ran it on one of the example files here, all it said in the results was that it was json and mit licenses. Nothing particularly interesting in the results that would indicate anything to investigate closer.

@omajid
Author

omajid commented Aug 18, 2023

> I've been playing with that. Is there some trick to get it to detect this particular finding?

I just tried it out and you are right. scancode doesn't catch this license :(

It looks like I only caught it because another scanner (falsely) flagged this file as implementing SEED crypto. On reviewing the file for crypto, I must have seen the license header.

Our scanning tool for crypto looks like a hacky/home-brewed solution, and nothing as robust as scancode :(

@omajid
Author

omajid commented Aug 18, 2023

Could we take the text here and add it to scancode as another license to identify? https://scancode-toolkit.readthedocs.io/en/stable/how-to-guides/add_new_license.html. And fail if this license is found?
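
One way to get the "fail if this license is found" behaviour discussed above without depending on a scanner's rule set, as an added example that is not part of this thread, not scancode's rule format and not Red Hat's internal tooling. The two phrases are taken from the header quoted at the top of the issue; the function names, the extension list and the number of characters read per file are assumptions.

```python
import os
import re
import sys

# Phrases from the license header quoted in this issue, lower-cased and with
# whitespace collapsed. Both must be present, to keep false positives down.
PHRASES = (
    "microsoft grants you the right to use this file for the sole purpose of either",
    "microsoft reserves all other rights to the files not expressly granted",
)
HEAD_CHARS = 8192  # assumption: a license header sits near the top of the file


def normalize(text):
    """Drop comment decoration and collapse whitespace so that line wrapping,
    leading '*', '//' or '#' markers and letter case do not defeat the match."""
    lines = []
    for line in text.splitlines():
        lines.append(re.sub(r"^\s*(/\*+!?|\*+/?|//+|#+)", " ", line))
    return re.sub(r"\s+", " ", " ".join(lines)).strip().lower()


def has_restricted_header(text):
    """True when the text carries every phrase of the restrictive notice."""
    norm = normalize(text)
    return all(phrase in norm for phrase in PHRASES)


def scan_tree(root, exts=(".js", ".css", ".ts")):
    """Return sorted paths under root whose leading text carries the notice."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                if has_restricted_header(fh.read(HEAD_CHARS)):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in found:
        print("restricted license header:", path)
    sys.exit(1 if found else 0)  # non-zero exit fails the CI step
```

Run as a CI step against the checked-out tree; it matches on normalized text, so a re-wrapped or differently commented copy of the same notice is still reported.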
