Disclaimer: I’m not a lawyer and this is not legal advice. For licensing advice see a lawyer. Preferably one familiar with software licenses.
We’ve been asked to add features to Glide to strip unused packages from the
vendor/ folder. Some have asked why we don’t have a feature that does that when other Go package managers do it. The reason has to do with software licenses and how following them makes things complicated.
There are a couple things to consider:
- Stripping files from a codebase, which includes removing subdirectories containing unused packages, is a form of modification. That invokes the modifications clauses in licenses.
- Checking in the
vendor/folder to your VCS repository and pushing it to a public location means you’re distributing those vendored packages. That invokes the distribution clause in the licenses.
Given the variety of open source licenses and their differing clauses this is complicated to automate. We don’t want to write a tool that, by default, causes developers to violate the licenses in the packages they’re using.
Modification and distribution aren’t a problem for every license. Some of them are OK which others are not. Given the variety of licenses we cannot assume what’s in them or how they will be used. Instead, we have to assume the worst case as the default.
Out of the box Glide is used for open source and closed source projects. To build the safest tool, the one that doesn’t inadvertently cause users to violate software licenses, we’ve opted not to modify the code within the fetched projects.
That doesn’t mean the code should never be modified. Developers who know the licenses in the packages they consume, their use cases, and what’s ok to do can modify as needed. This just isn’t so easy to automate.
I hope this helps to explain why we’re doing what we’re doing. We’re trying to look out for the best interest of Glide’s users.