andeya / faygo

Faygo is a fast and concise Go Web framework that can be used to develop high-performance web apps (especially APIs) with less code. Just define a struct handler, and faygo will automatically bind/verify the request parameters and generate the online API doc.

Home Page: https://github.com/henrylee2cn/faydoc

Attribute Code Used from gorilla/securecookie

elithrar opened this issue

When fixing an issue, I came across code that is (in some parts) identical to code in the BSD licensed https://github.com/gorilla/securecookie codebase.

Specifically:

I'm not a stickler for licenses, and I don't know whether you are new to open-source (and thus OSS licensing!), but the concern here is that you are:

  • Copying upstream code in part, but not in whole, and thus introducing weaknesses in the process: #8
  • Isolating your users from any upstream fixes we make to securecookie
  • Already vendoring some code, but not all, which makes this appear intentional.

Can you please either:

  1. Import the securecookie library (vendored or otherwise) and, if necessary, wrap the functions for your own API?
    -or-
  2. Attribute the library correctly in all files where it is used as per https://github.com/gorilla/securecookie/blob/master/LICENSE

Thanks!

The session package comes from beego and retains beego's copyright statement. I do not know who is ultimately infringing, and do not want to figure it out.

The code is from gorilla/securecookie.

I strongly suggest you fix your license to attribute this correctly, and/or just vendor the securecookie code directly.

If you are copying it from Beego, then Beego also needs to resolve this, but you are responsible for your repository.