[question] clarification on restrictions on use of conan audit

[planetmarshall]

What is your question?

Hi - I'm interested in automated post-processing of the results of conan audit (specifically - creating a Github bot that acts on the JSON output). Thing is, a conservative reading of the Restrictions on Use would appear to prohibit this kind of thing.

I'm not expecting legal advice, just an opinion if the intention was to prevent this kind of thing and if you think it would go beyond "acceptable use" (provided I stay within the rate limit). Thanks!

For reference:

User will not, nor shall it permit, facilitate, or otherwise allow any other person or entity to ... (vii) copy, modify, or create derivative works of the Conan Audit; (ix) develop, implement, or install any third third-party extension, plug-in, or other means of access or use of the Conan Audit, without prior written approval from JFrog;

Have you read the CONTRIBUTING guide?

• I've read the CONTRIBUTING guide

[memsharded]

Hi @planetmarshall

Without being fully valid feedback, as we might need to check with legal, I think the question here is:

otherwise allow any other person or entity to ...

Who is exactly using the Github bot? Is that your own personal and private processing of the conan audit output? If it is your own personal and private processing of the output, it sounds it is possible to do it.

If the Github bot is exposing those results to others, to the public, other users could use that Github bot or anything similar that would expand the usage of the results besides your own private usage (personal or within the organization), then it sounds that it would require explicit permission from JFrog.

[planetmarshall]

Who is exactly using the Github bot? Is that your own personal and private processing of the conan audit output? If it is your own personal and private processing of the output, it sounds it is possible to do it.

Yes - if I were to make the bot source available (say, in the form of a Github Action) - the user would have to use their own token to run conan audit.

If the Github bot is exposing those results to others, to the public, other users could use that Github bot or anything similar that would expand the usage of the results besides your own private usage (personal or within the organization), then it sounds that it would require explicit permission from JFrog.

Anyone else using the bot would have to use their own token (so it would be their results, not mine). So I think this is fine, because it's just a reprocessing/representation of the existing output. But I thought it was worth checking.

Thanks for the response.

[memsharded]

Yes - if I were to make the bot source available (say, in the form of a Github Action) - the user would have to use their own token to run conan audit.

Then you are not really allowing any other person to access the information, as they will have to have their own tokens and agree with the terms and conditions themselves directly.
I'll try to run a quick check with legal and let you know.