Projects licensed MPL-2.0 includes go code

[06kellyjac]

TL;DR: I'm not convinced MPL-2.0 actually requires a copy of source code when used as a library. It just being publicly available where you say it is looks like enough

---

MPL-2.0 license FAQ

Q7: I want to distribute (outside my organization) complete and unchanged executable programs built from MPL-licensed software by someone other than me. What do I have to do?

As long as the people who distributed the program to you have complied with the MPL, typically nothing. To check and see if the people who distributed the program to you have complied with the MPL, look for the notice that tells you where the software is available in Source Code form (i.e., check that it complies with Section 3.2(a)), and then check that the Source Code is available in that place, including a notice that informs you that the Source Code is available under the terms of the MPL (i.e., check that it complies with Section 3.1).

Also not a lawyer but that just sounds like if you have used some-library and you say it's from github.com/org/some-library (either in go.mod/go.sum or vendor or third_party/VENDOR-LICENSE), as long as the code is there (github.com/org/some-library) with a MPL license it meets the requirements

https://www.npmjs.com/package/next-mdx-enhanced
next-mdx-enhanced (GitHub, NPM) is MPL-2.0 but I doubt that every project that depends on it is now required to commit their node_modules directory so the source is distributed with their code.
That's 2.6k uses in repos commited to GitHub alone

Fossa are probably the most famous License Compliance company/service and their https://github.com/fossas/fossa-cli is apparently 13% MPL-2.0 + 25% MPL-2.0-no-copyleft-exception here, but they don't have any external source-code outside of their vendor dir. In fact they have deleted their vendor dir after https://github.com/fossas/fossa-cli/tree/v1.1.4 in https://github.com/fossas/fossa-cli/tree/v1.1.5

Even assuming MPL-2.0-no-copyleft-exception doesn't have the same source code requirement, thats 13% of their dependencies which would require the source code be included if that was the case

---

Related tektoncd/cli#1307

[wlynch]

Closing this since I believe this is largely the same as #28 (if it's not, feel free to reopen this!). See #28 (comment) for some more discussion, but tl;dr - if you don't control the remote source, then you can't guarantee the source code used will be available. The easiest thing to do to ensure compliance is to vendor the code. As you mentioned, go mod vendor should be able to meet this requirement, so we could look into using that if present instead of copying the code ourselves.