Artistic-2.0 derivative - npm License


Till Jaeger
 

Hi all,

I noticed that NPM is using an Artistic-2.0 with additional terms and
conditions:

-----------------

npm License

Copyright (c) npm, Inc. and Contributors All rights reserved.

npm is released under the Artistic License 2.0, subject to additional
terms that are listed below.

The text of the npm License follows and the text of the additional terms
follows the Artistic License 2.0 terms:
...

---------------

https://docs.npmjs.com/policies/npm-license


It seems that people there are not familiar with what the goal of a
license is. Otherwise they wouldn't have used the following additional term:

"Additional policies relating to, and restrictions on use of, npm
products and services are available on the npm website. All such
policies and restrictions, as updated from time to time, are hereby
incorporated into this license agreement. By using npm, you acknowledge
your agreement to all such policies and restrictions."

Hence, the license text may vary depending on an update of such policies.
I guess this makes it difficult to provide an SPDX-Identifier. Any
thoughts on this?

Best regards,

Till


Philippe Ombredanne
 

Hi Till:
You have eagle eyes!

On Mon, May 2, 2022 at 10:46 AM Till Jaeger via lists.spdx.org
<jaeger=jbb.de@...> wrote:
> I noticed that NPM is using an Artistic-2.0 with additional terms and
> conditions:

This is IMHO a total and complete mess and non-sense, eventually non
FOSS at all.
Anyone from Microsoft or GitHub to fix this monstrosity?

Till:
Do you know when this showed up?
NB: I am adding a rule to ScanCode Toolkit to report this ASAP.
--
Cordially

Philippe


Jonas Smedegaard
 

Quoting Philippe Ombredanne (2022-05-02 13:43:56)
> On Mon, May 2, 2022 at 10:46 AM Till Jaeger via lists.spdx.org
> <jaeger=jbb.de@...> wrote:
>> I noticed that NPM is using an Artistic-2.0 with additional terms
>> and conditions:
> This is IMHO a total and complete mess and non-sense, eventually non
> FOSS at all.
> Anyone from Microsoft or GitHub to fix this monstrosity?

Release notes for npm v2.14.13 contains the following:

npm-the-CLI is licensed under the terms of the [Artistic License
2.0](https://github.com/npm/npm/blob/8d79c1a39dae908f27eaa37ff6b23515d505ef29/LICENSE),
which is a liberal open-source license that allows you to take this
code and do pretty much whatever you like with it (that is, of course,
not legal language, and if you're doing anything with npm that leaves
you in doubt about your legal rights, please seek the review of
qualified counsel, which is to say, not members of the CLI team, none
of whom have passed the bar, to my knowledge). At the same time the
primary registry the CLI uses when looking up and downloading packages
is a commercial service run by npm, Inc., and it has its own [Terms of
Use](https://www.npmjs.com/policies/terms).
So seems to me (assuming licensing hasn't changed since v2.14.13) the
command-line tool *is* freely licensed, and only when describing
npm-as-a-whole-including-online-service is it not free.


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private


Till Jaeger
 

On 02.05.22 at 13:43, Philippe Ombredanne wrote:
> Hi Till:
> You have eagle eyes!
> On Mon, May 2, 2022 at 10:46 AM Till Jaeger via lists.spdx.org
> <jaeger=jbb.de@...> wrote:
>> I noticed that NPM is using an Artistic-2.0 with additional terms and
>> conditions:
> This is IMHO a total and complete mess and non-sense, eventually non
> FOSS at all.
> Anyone from Microsoft or GitHub to fix this monstrosity?
> Till:
> Do you know when this showed up?

I stumbled across this rather by accident because I was looking for information on why NPM uses Artistic-2.0.

Internet Archive does not provide much help:
https://web.archive.org/web/20220315191342/https://docs.npmjs.com/policies/npm-license

Best,
Till


> NB: I am adding a rule to ScanCode Toolkit to report this ASAP.
> --
> Cordially
> Philippe