Seeing big companies take advantage of BSD or MIT licensed projects without sharing their contributions will always pain me. - eviltoast
  • peopleproblems@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    2 months ago

    Something I don’t get paid enough to understand - what constitutes contributions, and what’s the definition of selling the software?

    For instance, I don’t think I’ve worked on a project where we have made changes to the source code for security policies (much quicker path to update immediately if something gets flagged). But I don’t think I know of an instance where we sell our software as a service - as far as I know it’s largely used to support other services we sell.

    Except now that I say that, that’s not entirely true, we DO have a review board that we have to submit every third party library to and it takes forever to hear back but we have occasionally gotten a “no can’t use that” or “contract is pending.” So maybe I’m just super unaware of who reviews the third party software and they review the licenses.

    • AA5B@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      2 months ago

      We have a scanner that does that on every build.

      It blocks builds for dependencies with

      • licenses not acceptable to Legal
      • serious or critical vulnerabilities.
      • political messages, even if you agree with them
      • we may also add a criteria to block non-release dependencies.

      As a developer, you’re free to use anything that works

      I have yet to figure out how my company views contributing back to open source. I don’t know of anyone actively doing that, but it turns out we host a few originals of open source. I’ve been trying to improve development processes, get tools and dependencies up to date …… but then I ran into things where it’s a bigger change because of the downstream opensource dependencies and because it’s not really owned by the company