Posted to dev@poi.apache.org by Josh Micich <jo...@gmail.com> on 2009/10/13 22:30:48 UTC

Recent additions to POI "Added implementation of Digital Signature support"

Hello All,

I noticed a rather significant change submitted recently:
http://svn.apache.org/viewvc?view=rev&revision=824836

My concern is not about the functionality - this sounds very much like
something that POI should have.  There are a few issues that come to
mind, however:

 - This is a big chunk of work to submit with no supporting discussion
e.g. a bugzilla entry or dev mail thread
 - There are now 7 new jars that POI depends on to build (my biggest concern)
 - There may be licensing issues (I am not in a position to judge this
properly). The files all contain a comment "Based on the eID Applet
Project code.  Original Copyright (C) 2008-2009 FedICT".  Is there a
new relationship between POI and "eid-applet"?  Could we at least
document somewhere that this code contribution is properly sanctioned?
 - There is a (small) compiler error introduced apparently because the
original code was compiled against JDK 6.


cheers,
Josh

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org


Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by David Fisher <df...@jmlafferty.com>.
Hi Josh,

> I noticed a rather significant change submitted recently:
> http://svn.apache.org/viewvc?view=rev&revision=824836

I'm very glad you noticed. Big changes ought to be announced at a  
minimum and preferably discussed in advance.

> My concern is not about the functionality - this sounds very much like
> something that POI should have.  There are a few issues that come to
> mind, however:
>
> - This is a big chunk of work to submit with no supporting discussion
> e.g. a bugzilla entry or dev mail thread
> - There are now 7 new jars that POI depends on to build (my biggest  
> concern)

I think that we should always vote on adding dependencies. What  
dependencies are added?

> - There may be licensing issues (I am not in a position to judge this
> properly). The files all contain a comment "Based on the eID Applet
> Project code.  Original Copyright (C) 2008-2009 FedICT".  Is there a
> new relationship between POI and "eid-applet"?  Could we at least
> document somewhere that this code contribution is properly sanctioned?

The svn comment is: "Added implementation of Digital Signature support
using code initially developed for the eId Applet project
<http://code.google.com/p/eid-applet/> and re-released under Apache
License." Since the google page at that link mentions it is licensed as
"evil" LGPL, this could indicate a deep concern. I think though that link
is misleading.

I wonder if the relationship is between Apache XML Security and  
FedICT? Where's the proof of the Apache License?

Also, with new dependencies it seems likely that we might need to edit  
the Apache POI NOTICE and LICENSE files.

Regards,
Dave


> - There is a (small) compiler error introduced apparently because the
> original code was compiled against JDK 6.
>
>
> cheers,
> Josh
>




Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by David Fisher <df...@jmlafferty.com>.
Hi Ugo,

> I'm OK with waiting and discussing a bit. In any case, the README.txt
> has now been modified to read as follows
> <http://code.google.com/p/eid-applet/source/browse/trunk/README.txt?spec=svn213&r=213>:
>
> "The source code of the eID Applet Project is licensed under GNU  
> LGPL v3.0.
> Part of the source code (OOXML signature code) is dual-licensed  
> under both
> the GNU LGPL v3.0 and the Apache License v2.0. Only the files with a  
> header
> containing both the GNU LGPL v3.0 and Apache License v2.0 license  
> texts are
> dual-licensed. The dual-licensing was offered in response to a  
> request from
> the Apache POI open source project. All other source code files  
> remain under
> control of the GNU LGPL v3.0 license unless otherwise decided in the  
> future
> by _ALL_ eID Applet Project copyright holders."

This is a good clarification to a point. I am not sure if it is
sufficient. It makes me wonder who _ALL_ the copyright holders are. I
assume that the dual-licensed files are all FedICT's, which is the Belgian
Federal Government (and EU?)

Here is what is currently in the NOTICE:

> This product contains parts that were originally based on the eID  
> Applet project (http://code.google.com/p/eid-applet/). Copyright (C)  
> 2008-2009 FedICT.

Here is a suggestion:

This product contains an ASLv2 licensed version of the OOXML signer
package from the eID Applet project
(http://code.google.com/p/eid-applet/source/browse/trunk/README.txt)
Copyright (C) 2008-2009 FedICT.

I think that no matter what phrasing is used we should make sure that  
legal@apache approves. I wonder if they will want a CCLA from FedICT.

Regards,
Dave



>
>  Ugo
>
> -- 
> Ugo Cei
> Sourcesense - making sense of Open Source: http://www.sourcesense.com
>




Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by Ugo Cei <u....@sourcesense.com>.
On Thu, Oct 15, 2009 at 11:59 PM, Dave Fisher <da...@jmlafferty.com> wrote:
> Hi Josh,
>
> This valuable contribution needs to wait for proper clarification of the
> dual-license for the FedICT OOXML signer piece.
>
> Let's wait to put it back until that is done.

I'm OK with waiting and discussing a bit. In any case, the README.txt
has now been modified to read as follows
<http://code.google.com/p/eid-applet/source/browse/trunk/README.txt?spec=svn213&r=213>:

"The source code of the eID Applet Project is licensed under GNU LGPL v3.0.
Part of the source code (OOXML signature code) is dual-licensed under both
the GNU LGPL v3.0 and the Apache License v2.0. Only the files with a header
containing both the GNU LGPL v3.0 and Apache License v2.0 license texts are
dual-licensed. The dual-licensing was offered in response to a request from
the Apache POI open source project. All other source code files remain under
control of the GNU LGPL v3.0 license unless otherwise decided in the future
by _ALL_ eID Applet Project copyright holders."

  Ugo

-- 
Ugo Cei
Sourcesense - making sense of Open Source: http://www.sourcesense.com



Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by Dave Fisher <da...@jmlafferty.com>.
Hi Josh,

This valuable contribution needs to wait for proper clarification of
the dual-license for the FedICT OOXML signer piece.

Let's wait to put it back until that is done.

Best Regards,
Dave

> I just reverted this new stuff:
> http://svn.apache.org/viewvc?view=rev&revision=825637
>
> This is not because of the concerns raised in the thread so far, but
> because the GUMP build seems to have been broken since r824836.  This
> is a little confusing, because the Ant build has been working locally
> OK for me (after the fixes of r824963).  I tried to troubleshoot the
> GUMP build results, but it is not obvious to me why the ooxml compile
> classpath seems to be missing several of the newly required jars of
> r824836.
>
> I apologise if I have reverted this without good cause.  Up until now
> I have actually been trying to clean up this new code (reducing
> dependency drag-in).
>
> regards,
> Josh
>
> attached below is a comparison of SVN and GUMP logs.
> -----------------------------------------------------
>
> This is what I currently read at
> http://vmgump.apache.org/gump/public/poi/poi/index.html :
> ...
> Name	State	Start	Elapsed
> build_poi_poi	Failed	Thu, 15 Oct 2009 07:39:05 (PDT)	2 mins 32 secs
> ...
> Current State:	Failed
> Duration in state:	3
> Start of state:	2009-10-13T16:00:05
> Previous State:	2
> First Success:	2007-06-01T00:00:15
> Last Success:	2009-10-13T00:00:05
> --  --
>
> SVN log shows the following recent changes:
>
> r825294 | josh | 2009-10-14 14:32:06 -0700 | removed new dependency  
> on joda
> r824972 | josh | 2009-10-13 16:24:14 -0700 | Bugzilla 47969 -
> improvements to equals() methods
> r824963 | josh | 2009-10-13 15:42:58 -0700 | Fixes for compiler errors
> and junit failures introduced by r824836
> r824836 | ugo | 2009-10-13 09:31:28 -0700 | Added implementation of
> Digital Signature ...
> r823348 | josh | 2009-10-08 15:29:41 -0700 | Bugzilla 47962 - Fixed
> some potential NPEs...
> --  --
>
> GUMP is not clear about the timezone of its timestamps but it seems
> likely that the 'Last Success' was before r824836.
>




Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by Josh Micich <jo...@gmail.com>.
I just reverted this new stuff:
http://svn.apache.org/viewvc?view=rev&revision=825637

This is not because of the concerns raised in the thread so far, but
because the GUMP build seems to have been broken since r824836.  This
is a little confusing, because the Ant build has been working locally
OK for me (after the fixes of r824963).  I tried to troubleshoot the
GUMP build results, but it is not obvious to me why the ooxml compile
classpath seems to be missing several of the newly required jars of
r824836.

I apologise if I have reverted this without good cause.  Up until now
I have actually been trying to clean up this new code (reducing
dependency drag-in).

regards,
Josh

attached below is a comparison of SVN and GUMP logs.
-----------------------------------------------------

This is what I currently read at
http://vmgump.apache.org/gump/public/poi/poi/index.html :
...
Name	State	Start	Elapsed
build_poi_poi	Failed	Thu, 15 Oct 2009 07:39:05 (PDT)	2 mins 32 secs
...
Current State:	Failed
Duration in state:	3
Start of state:	2009-10-13T16:00:05
Previous State:	2
First Success:	2007-06-01T00:00:15
Last Success:	2009-10-13T00:00:05
--  --

SVN log shows the following recent changes:

r825294 | josh | 2009-10-14 14:32:06 -0700 | removed new dependency on joda
r824972 | josh | 2009-10-13 16:24:14 -0700 | Bugzilla 47969 -
improvements to equals() methods
r824963 | josh | 2009-10-13 15:42:58 -0700 | Fixes for compiler errors
and junit failures introduced by r824836
r824836 | ugo | 2009-10-13 09:31:28 -0700 | Added implementation of
Digital Signature ...
r823348 | josh | 2009-10-08 15:29:41 -0700 | Bugzilla 47962 - Fixed
some potential NPEs...
--  --

GUMP is not clear about the timezone of its timestamps but it seems
likely that the 'Last Success' was before r824836.



Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by Ugo Cei <u....@sourcesense.com>.
On Oct 14, 2009, at 5:02 PM, David Fisher wrote:

> Yes, here it is.
> "This product contains parts that were originally based on the eID  
> Applet project (http://code.google.com/p/eid-applet/). Copyright (C)  
> 2008-2009 FedICT."
> I have a big problem with what I see when I go to that link. Someone
> who is looking at Apache POI would find the reference to LGPL and
> run away. If we provide a link in the NOTICE then it must go to a  
> place that is unambiguous. My preference would be to ask the eID  
> Applet project to make the dual licensing issue crystal clear on  
> their home page. The alternative would be to link directly to the  
> source directory from our NOTICE.

I will ask Frank if it's possible to state the double licensing  
clearly in the README. I hope he has no problem with that.

	Ugo

-- 
Ugo Cei
Sourcesense - making sense of Open Source: http://www.sourcesense.com




Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by David Fisher <df...@jmlafferty.com>.
Ugo,

>> - There may be licensing issues (I am not in a position to judge this
>> properly). The files all contain a comment "Based on the eID Applet
>> Project code.  Original Copyright (C) 2008-2009 FedICT".  Is there a
>> new relationship between POI and "eid-applet"?  Could we at least
>> document somewhere that this code contribution is properly  
>> sanctioned?
>
> Originally the code was LGPL. I asked the author if it were
> possible to release it as AL and he agreed. Here is his reply:
>
> From: fcorneli <fr...@gmail.com>
>
> "I've discussed the license issue here at FedICT. We're willing to  
> dual-
> license (LGPL/AL) the Java source code files concerning the creation
> and validation of OOXML signatures as found under the eid-applet-
> service-signer artifact. The headers on these Java source files have
> been adopted accordingly."
>
> The original files which have been copied can be found here:
>
> http://code.google.com/p/eid-applet/source/browse/trunk/eid-applet-service-signer/src/main/java/be/fedict/eid/applet/service/signer/

Yes, I see the dual licenses in the code. I think the attribution is  
proper, but I am not a legal expert.

> I've put an attribution notice in the NOTICE file.

Yes, here it is.
"This product contains parts that were originally based on the eID  
Applet project (http://code.google.com/p/eid-applet/). Copyright (C)  
2008-2009 FedICT."
I have a big problem with what I see when I go to that link. Someone
who is looking at Apache POI would find the reference to LGPL and run
away. If we provide a link in the NOTICE then it must go to a place  
that is unambiguous. My preference would be to ask the eID Applet  
project to make the dual licensing issue crystal clear on their home  
page. The alternative would be to link directly to the source  
directory from our NOTICE.

> Anyway, we can have a discussion and vote on whether we want to keep  
> this code or revert it. As you wrote, it should have happened  
> beforehand, but it was not my intention to introduce it as a "fait  
> accompli". I'll be OK with reverting the change if so we decide.

Let's make dual licensing crystal clear.

As far as the number of dependencies, I'll leave that for you guys  
(BTW - Yegor is on vacation and I don't think we'll hear from him for  
a few more days.)

Best Regards / Keep Pounding the POI,
Dave



Re: Recent additions to POI "Added implementation of Digital Signature support"

Posted by Ugo Cei <u....@sourcesense.com>.
On Oct 13, 2009, at 10:30 PM, Josh Micich wrote:

> - This is a big chunk of work to submit with no supporting discussion
> e.g. a bugzilla entry or dev mail thread

You are right and I apologize for this. I should have waited before  
committing, but was eager to end this work and didn't consider all the  
implications.

> - There are now 7 new jars that POI depends on to build (my biggest  
> concern)

Good point. Let us discuss whether they are needed. I would have liked
to add this code in "contrib" or "scratchpad" but there doesn't seem
to be an area for contrib-only or scratchpad-only libs. Maybe we
should add one?

> - There may be licensing issues (I am not in a position to judge this
> properly). The files all contain a comment "Based on the eID Applet
> Project code.  Original Copyright (C) 2008-2009 FedICT".  Is there a
> new relationship between POI and "eid-applet"?  Could we at least
> document somewhere that this code contribution is properly sanctioned?

Originally the code was LGPL. I asked the author if it were possible
to release it as AL and he agreed. Here is his reply:

From: fcorneli <fr...@gmail.com>

"I've discussed the license issue here at FedICT. We're willing to dual-
license (LGPL/AL) the Java source code files concerning the creation
and validation of OOXML signatures as found under the eid-applet-
service-signer artifact. The headers on these Java source files have
been adopted accordingly."

The original files which have been copied can be found here:

http://code.google.com/p/eid-applet/source/browse/trunk/eid-applet-service-signer/src/main/java/be/fedict/eid/applet/service/signer/

I've put an attribution notice in the NOTICE file.

> - There is a (small) compiler error introduced apparently because the
> original code was compiled against JDK 6.


Sorry again. I _thought_ I had tested it under JDK 1.5 as well, but  
apparently this was before further modifications introduced some  
incompatibilities again. It looks like you have already caught and  
fixed those, right?

Anyway, we can have a discussion and vote on whether we want to keep  
this code or revert it. As you wrote, it should have happened  
beforehand, but it was not my intention to introduce it as a "fait  
accompli". I'll be OK with reverting the change if so we decide.

	Ugo

-- 
Ugo Cei
Sourcesense - making sense of Open Source: http://www.sourcesense.com

