licensing issues and jars in Avalon

[Leo Simons <le...@apache.org>]

Hi peeps,

talks about this have been on the infrastructure, the community, the 
jakarta-general and the cocoon-dev list recently (and possibly other 
places as well I'm not tracking).

first of: IANAL and I hate having to worry about licensing issues. I'll 
be contacting Sun to complain about the rediculous complexity of their 
licensing.

---

recent board decree (saw it first on the infrastructure list) 
(paraphrasing): the ASF must not distribute software packages (in any 
form) licensed under LGPL, GPL or Sun Binary Code License in any way.

Licenses which have been specifically identified as okay include IBM 
Public License and MPL. I assume ASL-style and BSD-style are also okay 
(relevant for our inclusion and redistribution of qdox, mx4j). Two 
public domain packages, namely DougLea's threadutils and antlr have also 
been marked as acceptable. But all this has not been stated as strongly 
just yet. An attempt is now underway to get this sorted.

---

What is more or less clear at this point is that the current setup I 
just put in place for avalon-framework where some Sun BCL code is 
downloaded from ibiblio is in breach of license (it won't work anymore 
either, as the problematic jars have been removed, so I guess it is 
already no longer in breach), whereas the setup we use in logkit (where 
the user must actively agree to the BCL license and download the code 
themselves) /seems/ to be acceptable.

I've identified the following jars in avalon CVS repositories which seem 
like they should be removed based on the information above:
	- checkstyle (jakarta-avalon-apps/tools/checkstyle-all.jar and
	  other places) (LGPL)
	- hsqldb (jakarta-avalon-apps/hsql/lib/hsqldb.jar)
	  (custom license)
	- jsch (jakarta-avalon-excalibur/altrmi/jsch-0-0-11.jar) (LGPL)

There are lots of jars all over the avalon CVS repositories for which 
the license is perfectly acceptable but not specified, for example of 
jars which are ASL-licensed, like xerces.

I am not done checking yet, but I believe none of the avalon 
distributions provide any of these potentially problematic jars.

I've found more than a few jars under "non-standard" BSD-style or 
ASL-style licenses, like jdom, mx4j, qdox, jing and isorelax which I am 
relatively sure are okay but IANAL.

---

I think we should remove the checkstyle, hsqldb and jsch jars. We should 
also make sure all "autofetch" functionality is only provided after the 
user has agreed to the applicable license. For the Sun BCL, the user 
must download and install the files themselves. For the "non-standard" 
BSD-style and ASL-style licenses we must take part in the effort to get 
this thing sorted and receive a green light from the board.

---

The board has asked that all apache contributors act proactively on this 
matter, performing an audit of ASF distributions, and taking part in 
clarifying and removing any licensing issues. I believe the goal is to 
get things clarified and settled within two weeks, in time for the next 
board meeting. Please follow-up on community@apache.org.

---

cheers & g'night,

- Leo



---------------------------------------------------------------------
To unsubscribe, e-mail: avalon-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: avalon-dev-help@jakarta.apache.org

Re: licensing issues and jars in Avalon

[Sam Ruby <ru...@apache.org>]

Santiago Gala wrote:
> 
> Second, in jetspeed, David removed activation.jar some time ago (I think 
> because of those issues). But I have reviewed our repo just now, and we 
> still have mail.jar, which, I think, we should remove also. (Sun Binary 
> Code License).
> 
> If you confirm, I will take care that it is removed from the repository 
> (being careful to make sure we don't break build procedures, updating 
> docs, etc.)

Confirmed.

- Sam Ruby



---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org

Re: licensing issues and jars in Avalon

[Santiago Gala <sg...@hisitech.com>]

Sam Ruby wrote:
> Leo Simons wrote:
> 
>>
>> recent board decree (saw it first on the infrastructure list) 
>> (paraphrasing): the ASF must not distribute software packages (in any 
>> form) licensed under LGPL, GPL or Sun Binary Code License in any way.
> 
> 
> Sun's Binary Code license permits bundling as part of your Programs. The 
> short form of this: you can include such things in tars and zips for 
> your release, but for individually download.  In other words, users need 
> not feel the pain, but developers do.
> 

First, I understand it as *not* for individually download, just bundled 
in a single archive.

Second, in jetspeed, David removed activation.jar some time ago (I think 
because of those issues). But I have reviewed our repo just now, and we 
still have mail.jar, which, I think, we should remove also. (Sun Binary 
Code License).

If you confirm, I will take care that it is removed from the repository 
(being careful to make sure we don't break build procedures, updating 
docs, etc.)

Regards,
      Santiago


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org

Re: licensing issues and jars in Avalon

[Leo Simons <le...@apache.org>]

Sam Ruby wrote:

> Leo Simons wrote:
>
>>
>> recent board decree (saw it first on the infrastructure list) 
>> (paraphrasing): the ASF must not distribute software packages (in any 
>> form) licensed under LGPL, GPL or Sun Binary Code License in any way.
>
>
> Sun's Binary Code license permits bundling as part of your Programs. 
> The short form of this: you can include such things in tars and zips 
> for your release, but for individually download.  In other words, 
> users need not feel the pain, but developers do. 

So, in other words, it is okay if I as a developer download a 
BCL-licensed package, compile an ASF module against it, then build a 
distribution consisting of the compiled code and the BCL-licensed 
package? For example, is a JAMES distribution allowed to be compiled 
against the BCL-licensed package (after the developer making the 
distribution has agreed to the license) and ship with the BCL-licensed 
package?

Is it also okay if my distribution instead contains the source code and 
the BCL-licensed package, and a build script for compiling the ASF 
module against the BCL-licensed package? Or is that not okay, but can I 
distribute the source code with my binary distribution? What about 
providing everything but the build script?

I'm sorry, it's not too clear to me just yet.

> Personally, if there are open source alternatives, my recommendation 
> is that they should be supported instead. 

+1.

cheers,

- Leo


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org

Re: licensing issues and jars in Avalon

[Sam Ruby <ru...@apache.org>]

Leo Simons wrote:
> 
> recent board decree (saw it first on the infrastructure list) 
> (paraphrasing): the ASF must not distribute software packages (in any 
> form) licensed under LGPL, GPL or Sun Binary Code License in any way.

Sun's Binary Code license permits bundling as part of your Programs. 
The short form of this: you can include such things in tars and zips for 
your release, but for individually download.  In other words, users need 
not feel the pain, but developers do.

Personally, if there are open source alternatives, my recommendation is 
that they should be supported instead.

> I've identified the following jars in avalon CVS repositories which seem 
> like they should be removed based on the information above:
>     - checkstyle (jakarta-avalon-apps/tools/checkstyle-all.jar and
>       other places) (LGPL)

If available, then checkstyle can be used during a build - this should 
not be any different than using EMACs.  Preferably, the build should 
skip this step if checkstyle is not available.

- Sam Ruby


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org

Re: licensing issues and jars in Avalon

[Leo Simons <le...@apache.org>]

Hi all,

I've just updated the setup mentioned below to do handle the licensing 
issue just a tiny bit better, up to the point
where I think (IANAL!) it is no longer in violation of any license.

http://cvs.apache.org/viewcvs.cgi/avalon/check-targets.ent
http://cvs.apache.org/viewcvs.cgi/avalon/check-targets.properties

It might make sense for other projects that are also not moving to maven 
or centipede just yet to put in place
a similar setup.

cheers,

- Leo

> What is more or less clear at this point is that the current setup I 
> just put in place for avalon-framework where some Sun BCL code is 
> downloaded from ibiblio is in breach of license (it won't work anymore 
> either, as the problematic jars have been removed, so I guess it is 
> already no longer in breach), whereas the setup we use in logkit 
> (where the user must actively agree to the BCL license and download 
> the code themselves) /seems/ to be acceptable.



---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org