On Sun, 23 Jul 2023 11:10:26 +1000 Yuchen wrote:

> #+begin_src js
> /* content of foo.js which is under gpl3+ */
> // SPDX-License-Identifier: GPL-3.0-or-later
> // code from foo.js
> /* content of bar.js which is nonfree */
> // code from bar.js
> #+end_src
>
> librejs will assume the code in bar.js is also under gpl3+, and let it
> through, when it shouldn't.
such "bundles" suggest deeper questions - how would librejs know on which
line of the concatenation foo.js ends and bar.js begins? if such a
fundamental question cannot be resolved by a machine, then i would
disqualify such "bundles" as fundamentally deceptive - i can think of a
worse case where foo.js declares a permissive license, then bar.js is
actually GPL-licensed, but does not declare so in the source file, or
that information was stripped by a minimizer - the concatenated output
file could technically be a GPL violation

i would reject the entire bundle (even if that applies to all "bundles"),
and allow the user to whitelist the entire bundle manually - presumably,
it is not possible to identify each well-licensed vs ill-licensed bundle
segment to be offered as whitelist options - there is no remedy
downstream for poor licensing

so ideally, ask the upstream and/or developers of the "bundler" software
to be diligent/regular about reflecting license and copyright
declarations of each input file in the output file

> #+begin_src js
> // BUNDLER_FILE BEGIN foo.js
> // SPDX-License-Identifier: GPL-3.0-or-later <-- upstream wrote this
> // code from foo.js
> // BUNDLER_FILE BEGIN bar.js
> // @license GPL-3.0-or-later <-- upstream wrote this
> // code from bar.js
> // BUNDLER_FILE BEGIN non-free.js
> // SPDX-License-Identifier: Unknown <-- bundler injected this
> // code from non-free.js
> #+end_src
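
As an added illustration (not LibreJS code, and not written by either poster): a scanner that splits a bundle on the "BUNDLER_FILE BEGIN" markers proposed above and rejects the whole bundle unless every segment carries exactly one recognized free license declaration. The free-license list, the marker and license-line regexes, the verdict names and the two sample bundles are assumptions constructed for this example; the simplified "@license <id>" form follows the thread rather than LibreJS's real magnet-link convention. The unmarked sample shows why the first case in the thread cannot be caught at all: with one declaration and no boundary, the scanner has nothing to object to.

```javascript
// Added example, not LibreJS code. Evaluates a concatenated bundle
// segment by segment using "// BUNDLER_FILE BEGIN <name>" markers.
// The free-license list and the regexes are assumptions for this example.

const FREE_LICENSES = new Set([
  'GPL-3.0-or-later', 'GPL-3.0-only', 'GPL-2.0-or-later',
  'LGPL-3.0-or-later', 'MIT', 'Apache-2.0', 'BSD-3-Clause',
]);

const MARKER_RE  = /^\s*\/\/\s*BUNDLER_FILE BEGIN\s+(\S+)\s*$/;
// Accepts "// SPDX-License-Identifier: X" and the thread's "// @license X".
const LICENSE_RE = /^\s*\/[\/*]\s*(?:SPDX-License-Identifier:|@license)\s+([^\s*]+)/;

// Split the bundle into segments. Text before the first marker (or a file
// with no markers at all) becomes a single '(unmarked)' segment.
function splitSegments(source) {
  const segments = [];
  let current = null;
  for (const line of source.split('\n')) {
    const m = MARKER_RE.exec(line);
    if (m) {
      if (current) segments.push(current);
      current = { name: m[1], lines: [] };
    } else {
      if (!current) current = { name: '(unmarked)', lines: [] };
      current.lines.push(line);
    }
  }
  if (current) segments.push(current);
  return segments;
}

// Verdict per segment: 'free' only when exactly one declaration is present
// and it is on the free list. Two distinct declarations inside one segment
// mean an unmarked concatenation whose boundary is unknown, so 'ambiguous'.
// 'Unknown' (injected by the bundler) falls under 'nonfree'.
function evaluateBundle(source) {
  const segments = splitSegments(source).map((seg) => {
    const declared = [...new Set(
      seg.lines.map((l) => LICENSE_RE.exec(l)).filter(Boolean).map((m) => m[1]),
    )];
    let verdict;
    if (declared.length === 0) verdict = 'no-license';
    else if (declared.length > 1) verdict = 'ambiguous';
    else if (FREE_LICENSES.has(declared[0])) verdict = 'free';
    else verdict = 'nonfree';
    return { name: seg.name, declared, verdict };
  });
  // Whole-bundle decision: any bad segment rejects the entire bundle;
  // the user can still whitelist it manually, as the reply suggests.
  return { allow: segments.every((s) => s.verdict === 'free'), segments };
}

// Constructed sample: the marked bundle from the thread.
const MARKED_BUNDLE = [
  '// BUNDLER_FILE BEGIN foo.js',
  '// SPDX-License-Identifier: GPL-3.0-or-later',
  'function foo() { return 1; }',
  '// BUNDLER_FILE BEGIN bar.js',
  '// @license GPL-3.0-or-later',
  'function bar() { return 2; }',
  '// BUNDLER_FILE BEGIN non-free.js',
  '// SPDX-License-Identifier: Unknown',
  'function secret() { return 3; }',
].join('\n');

// Constructed sample: the unmarked concatenation from the first message.
// One declaration, no boundary: nothing for a scanner to reject.
const UNMARKED_BUNDLE = [
  '// SPDX-License-Identifier: GPL-3.0-or-later',
  'function foo() { return 1; }',
  'function secret() { return 3; }',
].join('\n');

console.log(JSON.stringify(evaluateBundle(MARKED_BUNDLE), null, 2));
console.log('unmarked allowed:', evaluateBundle(UNMARKED_BUNDLE).allow);
```

The marked bundle is rejected because its third segment declares "Unknown"; the unmarked one is allowed, which is exactly the gap the thread describes: the only remedy is the bundler emitting per-file markers and declarations.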
