SpiderNode for Firefox chrome code
l10n at mozilla.com
Wed Dec 14 21:02:49 UTC 2016
Am 14/12/16 um 01:24 schrieb Myk Melez:
> * It enables us to reuse modules from the Node ecosystem.
> Node would make it straightforward to integrate third-party modules
> from NPM. We can port some of them today, but many depend on core Node
> modules (or their own native modules), which makes porting expensive
> and often unfeasible. Whereas Node would make it possible to vendor
> modules using NPM's standard dependency management tools.
> Of course we'd still need to ensure that the modules (and their
> dependencies) are high-quality and have compatible licenses. Rust has
> the same problem with third-party crates. Still, that's a good problem
> to have, if it means we can sometimes borrow instead of build new
Others have raised concerns I share, but I wanted to add to this one.
Vendoring in 3rd party modules has two hard challenges, I think.
For one, many node modules are in permissive licenses, which is great on
one side. But there's also the lack of protection against software
patents that'd we'd expose ourselves to. Y'know, the reason our
licensing guidelines say APL instead of something like MIT or BSD.
The other is that we'd effectively vendor code into our bug bounty
program. We should do that very open-eyed, and make sure that we have
the right relationship with the upstream module owner for that to work
out for us.
More information about the firefox-dev