Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npmjs.com & github.com's Terms & Conditions seem at odds #727

Open
darcyclarke opened this issue Oct 3, 2023 · 0 comments
Open

npmjs.com & github.com's Terms & Conditions seem at odds #727

darcyclarke opened this issue Oct 3, 2023 · 0 comments
Labels
content Issues or PRs related to the content of the docs policies

Comments

@darcyclarke
Copy link

darcyclarke commented Oct 3, 2023
edited
Loading

Current Behavior

"You may access and use data about the security of Packages, such as vulnerability reports, audit status reports, and supplementary security documentation, only for your own personal or internal business purposes. You may not provide others access to, copies of, or use of npm data about the security of Packages, directly or as part of other products or services."

ref.

documentation/content/policies/open-source-terms.mdx

Lines 122 to 127 in 8c9313d

4. You may access and use data about the security of Packages, such
as vulnerability reports, audit status reports, and supplementary
security documentation, only for your own personal or internal
business purposes. You may _not_ provide others access to, copies
of, or use of npm data about the security of Packages, directly
or as part of other products or services.

Expected Behavior

"The GitHub Advisory Database allows you to browse or search for vulnerabilities that affect open source projects on GitHub.

License Grant to Us

We need the legal right to submit your contributions to the GitHub Advisory Database into public domain datasets such as the National Vulnerability Database and to license the GitHub Advisory Database under open terms for use by security researchers, the open source community, industry, and the public. You agree to release your contributions to the GitHub Advisory Database under the Creative Commons Zero license.

License to the GitHub Advisory Database

The GitHub Advisory Database is licensed under the Creative Commons Attribution 4.0 license. The attribution term may be fulfilled by linking to the GitHub Advisory Database at https://github.com/advisories or to individual GitHub Advisory Database records used, prefixed by https://github.com/advisories."

ref. https://github.com/github/docs/blob/main/content/site-policy/github-terms/github-terms-for-additional-products-and-features.md?plain=1#L67-L77

IANAL, but when npm switched to proxying through to the GitHub Advisory Database the results of the security audit endpoints indirectly assumed the license/terms of that data. It seems (& again, IANAL) incorrect that any data returned from those endpoints would not be covered by the same CC 4.0 License which explicitly states "You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits."
@darcyclarke darcyclarke changed the title npmjs.com's Terms & Conditions seem at odds with github.com npmjs.com & github.com's Terms & Conditions seem at odds Oct 3, 2023
@lukekarrys lukekarrys added content Issues or PRs related to the content of the docs policies labels Oct 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
content Issues or PRs related to the content of the docs policies
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@darcyclarke @lukekarrys and others