We need to do a license review. While ideally it would be addressed by Apache's license review, the way our process works, it isn't, so we get to look at all of the code blobs that we would be "importing" (all dependencies) and identify where they're from and what their license is. Then after that we get to make sure that their licenses are compatible. And then we get to update a file which tries to explain to our users how the licenses impact them. (In general, the answer is "no impact", but the problem is that there's a process before we get to that point, it can easily burn a person-week.)
Note that I'm not opposed to any particular direction, just commenting to Andrew's point about there being potential overhead in anything that happens, but especially involving new components. Also, the same would apply for any new component, and in principle, it's a one-off thing, so as long as we don't add component A for release 1, replace it with component B for release 2, and replace it with component C for release 3, then it's just a single week's cost for the three releases and is only paid for that first release. The churn is more of a problem for us (and we only pay for it if we choose to do a release, we do fewer releases than Cordova or probably most of the other derivatives).

________________________________________________________________________
From: Andrew Grieve <agri...@chromium.org>
Date: Mon Dec 15 2014 10:28:47 GMT-0500 (EST)
To: dev <dev@cordova.apache.org>
Subject: Re: Browserify JS is in

Maybe most other companies are not in the same boat, but at Google we can't add any software to our build process without it all being checked into source control (and reviewed). Currently NPM is our biggest dependency, but thankfully we use that only for fetching (and so don't need it if we already have things locally).

We launched an app (Primer) a few months ago, and as a part of that I had to re-write some of cordova-lib in Python (was actually not that bad).

So, I'm really trying to figure out what the goals of browserify are in case I need to re-implement it (Gorkem will also have to re-implement it in Java for Thyme)

I *think* we're at:
1. To concatenate cordova-js with plugin JS
2. To trim away modules from cordova-js that are not used by plugins & the active platform

Sound good? Complete list?

On Mon, Dec 15, 2014 at 9:25 AM, Michal Mocny <mmo...@chromium.org> wrote:
> Thanks Steven.
>
> On Mon, Dec 15, 2014 at 12:15 AM, Steven Gill <stevengil...@gmail.com>
> wrote:
> >
> > For the lazy: cordova_plugins.js discussion
> > https://issues.apache.org/jira/plugins/servlet/mobile#issue/CB-8153
> > On Dec 14, 2014 6:58 PM, "Michal Mocny" <mmo...@chromium.org> wrote:
> >
> > > Let's discuss the cordova_plugins.js thing elsewhere, this thread has
> > > forked a lot already.
> > >
> > > On Sun, Dec 14, 2014 at 6:22 PM, Carlos Santana <csantan...@gmail.com>
> > > wrote:
> > > >
> > > > This is the part that I like the most:
> > > > "and start
> > > > writing plugins as proper node modules. Maybe even push them to npm and
> > > > manage dependencies that way."
> > > >
> > > > Agree with having less XHR, and concatenate cordova + plugins.
> > > >
> > > > Not in love with cordova_plugins.js to know what plugins are included in
> > > > the app, would prefer to see a package.json with all software that was
> > > > used to build the app, and maybe one day could be a real valid
> > > > package.json that can be used to pull down dependencies.
> > > >
> > > > The same way we depend on npm, elementtree, and dozen more npm modules
> > > > that our platforms and cli depend on, we don't distribute browserify
> > > > will be just another one.
> > > > One thing I will consider with browserify if there is any code coming
> > > > from browserify like the bootstrap code that contains the require
> > > > function, then maybe only this code gets legally reviewed as it is going
> > > > to be part of the App that developer builds with cordova.
> > > >
> > > > On Fri, Dec 12, 2014 at 5:34 PM, Brian LeRoux <b...@brian.io> wrote:
> > > > >
> > > > > yeah we are *not* proposing to distribute browserify or its deps
> > > > >
> > > > > On Fri, Dec 12, 2014 at 1:38 PM, Joe Bowser <bows...@gmail.com> wrote:
> > > > >
> > > > > > What are we actually distributing?
> > > > > >
> > > > > > On Fri Dec 12 2014 at 12:36:03 PM Andrew Grieve <agri...@chromium.org>
> > > > > > wrote:
> > > > > >
> > > > > > > On Fri, Dec 12, 2014 at 1:51 PM, Joe Bowser <bows...@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > On Fri Dec 12 2014 at 10:25:51 AM Andrew Grieve <agri...@chromium.org>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > I'm not actually worried about my disk filling up. Dependencies
> > > > > > > > > must be vetted for appropriate licenses, so now there's more
> > > > > > > > > overhead here. If we need to make a change to the module system
> > > > > > > > > now we need to pore through docs and make PRs instead of just
> > > > > > > > > editing our very small code-base.
> > > > > > > >
> > > > > > > > This mix of MIT and 3-Clause BSD looks compatible to me. It's weaker
> > > > > > > > than Apache, but not incompatible. Do we really need to send this to
> > > > > > > > legal?
> > > > > > > >
> > > > > > > > https://github.com/substack/node-browserify/blob/master/LICENSE
> > > > > > > >
> > > > > > > > There are people who can argue your other points better, but saying
> > > > > > > > that the license is the overhead when you can find it in the repo?
> > > > > > > > I'm not sure how we would have gotten this far if we had to check
> > > > > > > > with legal for every single dependency.
> > > > > > >
> > > > > > > I meant that it depends on a bunch of other modules. Run
> > > > > > > license-checker on browserify and you get: http://pastebin.com/XDMCTRRb
> > > >
> > > > --
> > > > Carlos Santana
> > > > <csantan...@gmail.com>
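
The point raised in the thread, that vetting one dependency means vetting every module it pulls in, can be seen with a small inventory script. This is an added example, not code from the thread or from the license-checker tool; the allowlist, the package names and the sample tree are constructed assumptions.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
// Licenses accepted without further review (assumption made for this example).
const ALLOWED = new Set(["MIT", "BSD-3-Clause", "Apache-2.0"]);

// package.json has carried license data as a string, a {type} object, or a "licenses" array.
function licenseOf(pkg) {
  const raw = pkg.license || pkg.licenses;
  if (!raw) return ["UNKNOWN"];
  const list = Array.isArray(raw) ? raw : [raw];
  return list.map((l) => (typeof l === "string" ? l : l.type || "UNKNOWN"));
}

// Visit every node_modules directory under dir, nested ones included (scoped packages not handled).
function inventory(dir, found = new Map()) {
  const nm = path.join(dir, "node_modules");
  if (!fs.existsSync(nm)) return found;
  for (const name of fs.readdirSync(nm)) {
    const pkgDir = path.join(nm, name);
    const manifest = path.join(pkgDir, "package.json");
    if (!fs.existsSync(manifest)) continue;
    const pkg = JSON.parse(fs.readFileSync(manifest, "utf8"));
    found.set(`${pkg.name || name}@${pkg.version}`, licenseOf(pkg));
    inventory(pkgDir, found); // transitive dependencies live below this package
  }
  return found;
}

// Packages with a missing license or any license outside the allowlist go to a human.
function needsReview(found) {
  return [...found].filter(([, ls]) => !ls.every((l) => ALLOWED.has(l))).map(([id]) => id).sort();
}

// Constructed sample tree: two direct dependencies, two transitive ones.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lic-"));
  const add = (rel, pkg) => {
    const d = path.join(root, rel);
    fs.mkdirSync(d, { recursive: true });
    fs.writeFileSync(path.join(d, "package.json"), JSON.stringify(pkg));
  };
  add("node_modules/bundler", { name: "bundler", version: "1.0.0", license: "MIT" });
  add("node_modules/bundler/node_modules/shim", { name: "shim", version: "0.2.0", licenses: [{ type: "BSD-3-Clause" }] });
  add("node_modules/bundler/node_modules/util-x", { name: "util-x", version: "0.0.3" });
  add("node_modules/parser", { name: "parser", version: "2.1.0", license: { type: "GPL-3.0" } });
  return root;
}
console.log(needsReview(inventory(buildSample())));
```

The declared license field is only a starting point for review; it says nothing about bundled third-party code inside a package.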