SpiderNode for Firefox chrome code

Myk Melez myk at mykzilla.org
Fri Dec 16 19:17:28 UTC 2016


> Axel Hecht <mailto:l10n at mozilla.com>
> 2016 December 14 at 13:02
> Vendoring in 3rd party modules has two hard challenges, I think.
>
> For one, many node modules are in permissive licenses, which is great 
> on one side. But there's also the lack of protection against software 
> patents that we'd expose ourselves to. Y'know, the reason our 
> licensing guidelines say APL instead of something like MIT or BSD.
Right! The Tofino team noted a related licensing issue in their 
Engineering update on Tofino 
<https://medium.com/project-tofino/engineering-update-on-tofino-8381d82398e8>.

> The other is that we'd effectively vendor code into our bug bounty 
> program.
That's a good point that I hadn't previously considered. I suppose it's 
true for all our third-party dependencies, including those we're pulling 
in from Chrome (with Project Mortar and others). The difference with 
Node may be that it's easy to entrain highly-complex dependency graphs 
with many modules of unclear stewardship.

> We should do that very open-eyed, and make sure that we have the right 
> relationship with the upstream module owner for that to work out for us.
Indeed. I suspect we'd need a policy that allows us to vendor 
third-party modules only when we're willing to fork them if needed to 
maintain them.

-myk
