How do people find out or know whether your repo which is having MIT or apache or AGPL license is being used by a corpo and profiting from it and not making the code open source or paying license fees?

  • 555@lemmy.world
    link
    fedilink
    arrow-up
    11
    arrow-down
    1
    ·
    5 months ago

    So what you’re saying is you could take down an entire company by introducing a bug?

    • Perhyte@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      I don’t think so, no.

      Leaving aside the fact that I don’t want to do that:

      They’ve quite sensibly vendored my library, so I’d have to hope they pull in updates without checking the code changes: since it’s such a tiny library (excluding tests but including fairly extensive comments, it’s less than 100 lines of quite readable code) I don’t think it’d be easy to get it past their code review system if I tried to sneak in enough code to take down entire companies.

      Also, my GitHub account is tied to my real-world identity, so I’d probably be in a lot of trouble if I somehow succeeded.

      • 555@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        5 months ago

        If it’s less than 100 lines, why on earth don’t they just put that in their own code?

      • AnarchistArtificer@slrpnk.net
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        “vendored my library”

        I’m unfamiliar with this phrase, are you able to explain what it means (or point me towards an explanation)? Is it relating to forking?

        • maynarkh@feddit.nl
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          It means, at least in the golang world, that they keep a copy of your source for themselves and use it for builds. They don’t pull from the public repo every time they build their stuff, so malicious code could only get in with new versions, but they check for that.