Attribute Code Used from gorilla/securecookie
elithrar opened this issue
When fixing an issue, I came across code that is (in some parts) identical to code in the BSD licensed https://github.com/gorilla/securecookie codebase.
Specifically:
- https://github.com/henrylee2cn/faygo/blob/master/session/sess_utils.go#L144-L188 is identical to https://github.com/gorilla/securecookie/blob/master/securecookie.go#L315-L351 - save for replacing the error values
- https://github.com/henrylee2cn/faygo/blob/master/session/sess_utils.go#L125-L140 is identical to https://github.com/gorilla/securecookie/blob/master/securecookie.go#L273-L292 - save for replacing the error values
- https://github.com/henrylee2cn/faygo/blob/master/session/sess_utils.go#L83-L116 is identical to https://github.com/gorilla/securecookie/blob/master/securecookie.go#L390-L426 - including comments and the short URL.
I'm not a stickler for licenses, and I don't know whether you are new to open-source (and thus OSS licensing!), but the concern here is that you are:
- Copying upstream code in part, but not in whole, and thus introducing weaknesses in the process: #8
- Isolating your users from any upstream fixes we make to securecookie
- Already vendoring some code, but not all, which makes this appear intentional.
Can you please either:
- Import the securecookie library (vendored or otherwise) and, if necessary, wrap the functions for your own API?
-or-
- Attribute the library correctly in all files where it is used as per https://github.com/gorilla/securecookie/blob/master/LICENSE
Thanks!
The session package comes from beego and retains beego's copyright statement. I do not know who is ultimately infringing, and do not want to figure it out.
The code is from gorilla/securecookie.
I strongly suggest you fix your license to attribute this correctly, and/or just vendor the securecookie code directly.
If you are copying it from Beego, then Beego also needs to resolve this, but you are responsible for your repository.