[Non-Free] The Prosperity Public License 2.0.0

realaravinth · May 8, 2022, 9:58am

dependabot/dependabot-core/blob/main/LICENSE

The Prosperity Public License 2.0.0

Contributor: GitHub Inc.

Source Code: https://github.com/dependabot/dependabot-core

This license lets you use and share this software for free,
with a trial-length time limit on commercial use. Specifically:

If you follow the rules below, you may do everything with this
software that would otherwise infringe either the contributor's
copyright in it, any patent claim the contributor can license
that covers this software as of the contributor's latest
contribution, or both.

1. You must limit use of this software in any manner primarily
   intended for or directed toward commercial advantage or
   private monetary compensation to a trial period of 32
   consecutive calendar days. This limit does not apply to use in
   developing feedback, modifications, or extensions that you

This file has been truncated. show original

I was trying to locate and fork GitHub’s Dependabot in response to this user’s request on the Gitea forum when I ran into this licence.

A more worthy fork is the GitLab implementation(already posted here), which at the moment is carrying an MIT licence.

dachary · May 8, 2022, 10:17am

Good find I was not aware and, like yourself, tempted to install it.

realaravinth · May 8, 2022, 1:09pm

This seems like a perfect candidate for a federated service.

My schedule is completely packed for this year, but this seems like an interesting problem so leaving resources for anyone that’s interested:

Implementation requirements

GitHub’s implementation has decent, high-level architecture overview to how it works.

Every supported forge requires a method to fetch (package management)files from the forge
Every supported package manager requires a parser implementation to understand how dependencies are described
Every supported package repository(pypy.org, crates.io, etc.) requires implementation to get the latest version
Additionally, vulnerable dependencies must be checked and warned(emails to the maintainer or other private and secure channels)^[0].

ForgeFed requirements

ForgeFed must include support for fetching files via federation similar to this Gitea endpoint. This is currently not a part of the ForgeFed goals.

Many code analysis services use this endpoint for cheap and on-demand source files fetching, so there is incentive in defining source files fetching within the ForgeFed spec.

Footnotes

[0]: The GitLab implementation relies on GitHub Advisory database, which per GitLab Dependabot documentation, requires a GitHub access token. But I believe the GitHub Advisory database can be replaced with the NIST Vulnerability Database(NVD) feeds. If anyone is aware of other trusted, independent sources, kindly let me know.