Sorry for all the typos, I blame Siri dictation taking ;-p On Mon, Oct 5, 2015 at 9:47 PM Carlos Santana <csantan...@gmail.com> wrote:
> Hi, I wanted to share some insight about the experience we had when we tried to include the cordova cli, plugins, and platforms with our IBM product MobileFirst Platform Foundation (earlier known as Worklight).
>
> Version 7.1, which we released in Aug/2015, was the first time we shipped the cordova cli and the nodejs related files with the product.
>
> One aspect of doing this was legal clearance. We didn't have any issues with the code authored by the Cordova project; where we found we needed some assistance was with the npm dependencies that cordova-cli, cordova-lib, and the platforms depended on.
>
> I'm attaching the license info for all the packages we needed to clear by the IBM legal team. This took time but was not that bad, because only one package was red flagged.
>
> If someone is planning to re-distribute cordova then I hope it can benefit you.
>
> The reason that it took time is that some packages didn't have a license that was easy to find, and others didn't have a license, so the legal team needed to contact the package owner.
>
> Edna Morales was the one involved; working with Edna, she did a great job dealing with all the not so fun legal requirements.
>
> Here is an example of some packages that were not clear about their license: commander 0.5.2; connect 1.8.5; and cookie-signature 0.0.1. But Edna figured out that some were devDependencies, and others were MIT.
>
> I want to discuss some more at the F2F how we make it easier to ship cordova with a third party product, or, if not shipping, telling customers to go ahead and get cordova on their own and giving them some type of confidence that cordova doesn't have any legal problems to download and install to later integrate our IBM product.
>
> One would assume that, Cordova being under Apache, there should not be so many headaches and so much legal work to re-distribute.
>
> With this I'm not saying that we should never depend on 3rd party open source, or that we shouldn't refresh those dependencies. Some of the npm libraries that we use are good to depend on, like 'q', 'shelljs', 'glob', 'npm', but others have a large dependency graph with questionable dependencies underneath.
>
> Now we are planning to add express as a new npm dependency to cordova-cli, bringing with it 43 npm packages for us to clear on the next release of our product. Not complaining, but I want you to be aware that when you add one dependency you bring along the whole dependency tree with it, and the impact that this causes downstream.
>
> I'm writing this email with a positive tone to make the project better, foster open source, and to bring into perspective some items that some of you might already be aware of and some others might not be aware of.
>
> Sorry for the long email, but by now you should already know me well :-)
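As an added example (not from this thread or the Cordova project), here is a small Node.js license audit that walks the runtime dependency graph of a package.json, skips devDependencies, and flags packages whose license field is missing or not a recognised identifier, which is the clearance work the message describes. The package tree and names below are constructed; the `load` callback is a hypothetical hook where a real run would read node_modules/<name>/package.json.

```javascript
// Licenses that need no human review in this illustrative policy (assumption, adjust to taste).
const KNOWN_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC']);

// Normalize the historical shapes of the license field: a string, an object
// with a `type`, or the deprecated `licenses` array of strings/objects.
function declaredLicense(pkg) {
  const lic = pkg.license !== undefined ? pkg.license : pkg.licenses;
  if (typeof lic === 'string') return lic;
  if (Array.isArray(lic)) return lic.map(l => (typeof l === 'string' ? l : l.type)).join(' OR ');
  if (lic && typeof lic === 'object') return lic.type || '';
  return '';
}

// Walk runtime dependencies only: devDependencies never ship with the product.
// `load(name)` returns the package.json object for a dependency, or null if absent.
function auditLicenses(rootPkg, load) {
  const seen = new Map();
  const stack = Object.keys(rootPkg.dependencies || {});
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;           // shared transitive deps are visited once
    const pkg = load(name);
    if (!pkg) { seen.set(name, { license: '', status: 'missing-package' }); continue; }
    const license = declaredLicense(pkg);
    const status = license === '' ? 'no-license' : (KNOWN_LICENSES.has(license) ? 'ok' : 'review');
    seen.set(name, { license, status });
    stack.push(...Object.keys(pkg.dependencies || {}));
  }
  return seen;
}

// Constructed sample tree; field shapes mirror real package.json variants, names are made up.
const SAMPLE = {
  'a': { license: 'MIT', dependencies: { 'b': '1.0.0', 'c': '1.0.0' } },
  'b': { licenses: [{ type: 'BSD-3-Clause' }] },
  'c': { dependencies: { 'd': '1.0.0' } },        // no license field at all
  'd': { license: 'SEE LICENSE IN LICENSE.txt' },  // a human has to read the file
};
const ROOT = { dependencies: { 'a': '1.0.0' }, devDependencies: { 'mocha': '2.0.0' } };

function sampleReport() {
  return auditLicenses(ROOT, name => SAMPLE[name] || null);
}

// One line per transitive runtime package: name, status, declared license.
for (const [name, r] of sampleReport()) console.log(name.padEnd(8), r.status.padEnd(16), r.license);
```

The report separates "no license field" from "license present but needs reading", which is the distinction that decides whether the legal team has to contact the package owner.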