How do people find out or know whether your repo which is having MIT or apache or AGPL license is being used by a corpo and profiting from it and not making the code open source or paying license fees?
How do people find out or know whether your repo which is having MIT or apache or AGPL license is being used by a corpo and profiting from it and not making the code open source or paying license fees?
I’m unfamiliar with this phrase, are you able to explain what it means (or point me towards an explanation)? Is it relating to forking?
It means, at least in the golang world, that they keep a copy of your source for themselves and use it for builds. They don’t pull from the public repo every time they build their stuff, so malicious code could only get in with new versions, but they check for that.
They’ve checked in my code in their own repository, using an automated tool that keeps track of its origin so they can still check for updates. (The build tool knows to check this directory before trying to pull in dependencies from elsewhere)
One benefit to them is that their build won’t break if I decide to delete that specific repository (see also: the left-pad incident) or do silly things with version tags (deleting versions, or re-tagging a different commit with the same version number, that sort of thing).
But more relevantly for this thread, it also means that if I release a new version and they upgrade to it, the PR on their repository won’t just be incrementing a version number in
go.mod
and adding an unreadable hash togo.sum
: the diff will show all the changes I’ve made since the version they previously used.