SpiderNode for Firefox chrome code
myk at mykzilla.org
Fri Dec 16 19:17:28 UTC 2016

> Axel Hecht <mailto:l10n at mozilla.com>
> 2016 December 14 at 13:02
> Vendoring in 3rd party modules has two hard challenges, I think.
> For one, many node modules are in permissive licenses, which is great
> on one side. But there's also the lack of protection against software
> patents that we'd expose ourselves to. Y'know, the reason our
> licensing guidelines say APL instead of something like MIT or BSD.

Right! The Tofino team noted a related licensing issue in their
Engineering update on Tofino

> The other is that we'd effectively vendor code into our bug bounty

That's a good point that I hadn't previously considered. I suppose it's
true for all our third-party dependencies, including those we're pulling
in from Chrome (with Project Mortar and others). The difference with
Node may be that it's easy to entrain highly-complex dependency graphs
with many modules of unclear stewardship.

> We should do that very open-eyed, and make sure that we have the right
> relationship with the upstream module owner for that to work out for us.

Indeed. I suspect we'd need a policy that allows us to vendor
third-party modules only when we're willing to fork them if needed to