Dependabot contributions license is unclear #14940
Unanswered
edulix asked this question in Code Security
In 2019 Dependabot @greysteil mentioned in dependabot/feedback#615 (archived for dependabot feedback repo) that:
"We clarified this in the "Intellectual Property" section of our terms a few months back."
However, this was for Dependabot before it was acquired by GitHub, it seems. In August 2021 I asked the same question in a private GitHub ticket (reference #1291040, but the ticket is private and also it disappeared somehow..?). I was answered that:
GitHub grants a non-exclusive, worldwide right or license to perform, display, and use the contributions and any content contained in, accessed by or transmitted through Dependabot to customer’s repositories. They are also working on updating the terms to specifically include this.
I don't see this update in the GitHub Terms of Service today, more than 8 months later. Maybe I didn't find it and it's there, I don't know. Dependabot has merged millions of PRs. What the license of all these millions of contributions is remains unclear (to me anyway).
Please either:
a. Point to the specific part of the GitHub Terms of Service where this issue is addressed.
b. Change the GitHub Terms of Service so that future (and past!) merged PRs are correctly licensed.