finos
Don't bundle CSL license file into FDC3 NPM module
The CSL license file is being bundled into the FDC3 NPM module. The CSL governs the Standard and its documentation, but any software or source code (i.e. what the NPM module contains) is distributed under Apache 2.0 instead.
While the package.json's license field indicates Apache-2.0, CI tools that inspect the module (such as JFrog Xray https://jfrog.com/help/r/jfrog-security-documentation/managing-compliance-licenses) will pick up the embedded license and may make it more difficult for firms to onboard the library, unnecessarily.
Update the build and re-release the module without bundling the CSL license files (License.md - License.spdx can remain as it indicates Apache-2.0).
@bingenito @robmoffat
Hi @wang-wayne,
We'd love your help! There is a wider piece of work going on in the FDC3 world around https://github.com/finos-labs/fdc3-for-the-web, which we are going to merge back into the main FDC3 project.
As we do that, we're going to adopt a "monorepo" approach, which I feel this CSL issue is definitely related to.
If you are interested in helping out with that wider piece of work, drop me a mail at [email protected] because I think I'm going to need to set up a meeting on this to try and make sure we do it properly
thanks!
I thought I just needed to exclude the license files when running webpack. I don't have experience with monorepo. I'm sorry I couldn't be more helpful.
As far as we can tell, you can't just exclude the LICENSE.md file, so its a case of restructuring the repo to separate the software distribution (which is under the Apache 2.0 license) from the the Standard's documentation (which is under the CSL).