Re: dependencies on third party software

[Josh Thompson <jo...@ncsu.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bump.

Anyone?

On Thursday October 29, 2009, Josh Thompson wrote:
> Legal advisers,
>
> We at the Apache VCL project are trying to get our first release out.  VCL
> is a cloud management framework.  It is written in perl and php.
>
> While there is no third party software bundled with VCL, there are two
> types of third party software dependencies we have questions about.
>
> The first, required perl modules, may not even be considered third party. 
> For the perl code, we have a script that will install all required
> additional perl modules.  There's about 14 such modules (with the
> possibility that some of them may already be installed).  Most of those
> modules say they are licensed under the same terms as perl itself.  A few
> of them explicitly state they are licensed under one of "Artistic License",
> GPL, or LGPL.  How should we go about listing these licenses?  Should they
> be listed out in the README file, the NOTICE file, or somewhere else?  The
> script that installs them displays a message stating that it will install
> some items licensed under "Artistic License", GPL, and LGPL and requires
> that you type YES to proceed with installing them.
>
> The second type of third party software depends on how you want to use VCL.
> VCL can manage physical machines using xCAT (which must be set up
> separately and is outside the scope of installing VCL), or VCL can manage
> VMWare based systems, with other hypervisors to be added in later.  Also,
> there is some experimental work being done to support intelligent storage,
> starting with NetApp filers.  Here's where things get a little more
> complicated.  If using xCAT to deploy linux on any hardware, or to deploy
> windows on identical hardware, there is no third party software required
> (other than the perl modules already discussed).  However, if deploying
> windows to different types of hardware, you must download Sysprep from
> Microsoft, along with any drivers to support the different types of
> hardware.
>
> If using VCL to manage VMWare systems, you need VMWare's perl libraries.
> Similarly, if managing a NetApp filer, you need NetApp's perl libraries.
>
> How do we need to list out/explain these dependencies?
>
> Thanks for your help,
> Josh Thompson
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFK8cKUV/LQcNdtPQMRAmbdAJ93gXJ/pQs3GjE7mJHBWCCL9wBhxQCfZaKE
nVGNZDTRGElbKX4cMkBzVBo=
=RzFZ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: dependencies on third party software

[Josh Thompson <jo...@ncsu.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday November 10, 2009, Alan D. Cabrera wrote:
> On Nov 5, 2009, at 8:13 AM, Josh Thompson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Ralph,
> >
> > Thanks for the feedback - more discussion inline.
> >
> > On Wednesday November 04, 2009, Ralph Goers wrote:
> >> Usual qualifications - I am not on the legal committee so this is
> >> just
> >> my personal opinion.
> >>
> >> On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Bump.
> >>>
> >>> Anyone?
> >>>
> >>> On Thursday October 29, 2009, Josh Thompson wrote:
> >>>> Legal advisers,
> >>>>
> >>>> We at the Apache VCL project are trying to get our first release
> >>>> out.  VCL
> >>>> is a cloud management framework.  It is written in perl and php.
> >>>>
> >>>> While there is no third party software bundled with VCL, there are
> >>>> two
> >>>> types of third party software dependencies we have questions about.
> >>>>
> >>>> The first, required perl modules, may not even be considered third
> >>>> party.
> >>>> For the perl code, we have a script that will install all required
> >>>> additional perl modules.  There's about 14 such modules (with the
> >>>> possibility that some of them may already be installed).  Most of
> >>>> those
> >>>> modules say they are licensed under the same terms as perl itself.
> >>>> A few
> >>>> of them explicitly state they are licensed under one of "Artistic
> >>>> License",
> >>>> GPL, or LGPL.  How should we go about listing these licenses?
> >>>> Should they
> >>>> be listed out in the README file, the NOTICE file, or somewhere
> >>>> else?  The
> >>>> script that installs them displays a message stating that it will
> >>>> install
> >>>> some items licensed under "Artistic License", GPL, and LGPL and
> >>>> requires
> >>>> that you type YES to proceed with installing them.
> >>
> >> http://www.apache.org/legal/src-headers.html should provide the
> >> answers to where the attributions should appear. I like that you have
> >> a script to install them.
> >>
> >> My biggest concern is the one you didn't ask about. ASF policy is
> >> that
> >> you can't have a required dependency on something with a category X
> >> license (see http://www.apache.org/legal/resolved.html#category-x),
> >> so
> >> you cannot distribute VCL until all the dependencies on these are
> >> optional or are replaced with something with a compatible license. I
> >> am also concerned with the GPL dependencies because of the FSF's
> >> definition of what a derivative work is. If you have a required
> >> dependency on something with a GPL license your code must also be
> >> licensed under the GPL, not the Apace license (which is why it isn't
> >> allowed).
> >
> > There's one part of VCL (notifications via Jabber) that's not really
> > used that
> > is the cause of a chunk of the additional perl modules.  We'll
> > remove that
> > and see if there are any modules left that are not released under
> > perl's
> > license.
> >
> > However, even given that, since the code is written in perl and PHP,
> > those
> > interpreters are required to run VCL.  PHP's license is listed as
> > okay on the
> > page you linked to above.  perl is released under the Artistic
> > License, which
> > is not listed on that page at all.
> >
> > Is ASF okay with the Artistic License?  If not, things are looking
> > pretty
> > bleak for our project...
> >
> >>>> The second type of third party software depends on how you want to
> >>>> use VCL.
> >>>> VCL can manage physical machines using xCAT (which must be set up
> >>>> separately and is outside the scope of installing VCL), or VCL can
> >>>> manage
> >>>> VMWare based systems, with other hypervisors to be added in later.
> >>>> Also,
> >>>> there is some experimental work being done to support intelligent
> >>>> storage,
> >>>> starting with NetApp filers.  Here's where things get a little more
> >>>> complicated.  If using xCAT to deploy linux on any hardware, or to
> >>>> deploy
> >>>> windows on identical hardware, there is no third party software
> >>>> required
> >>>> (other than the perl modules already discussed).  However, if
> >>>> deploying
> >>>> windows to different types of hardware, you must download Sysprep
> >>>> from
> >>>> Microsoft, along with any drivers to support the different types of
> >>>> hardware.
> >>>>
> >>>> If using VCL to manage VMWare systems, you need VMWare's perl
> >>>> libraries.
> >>>> Similarly, if managing a NetApp filer, you need NetApp's perl
> >>>> libraries.
> >>>>
> >>>> How do we need to list out/explain these dependencies?
> >>
> >> Dependencies required for a specific platform are generally OK.  See
> >> http://www.apache.org/legal/resolved.html#platform . This doesn't
> >> document
> >> how to explain them. I would presume this
> >> should go in the NOTICE file.
> >>
> >> Ralph
> >
> > Okay - we'll list them in the NOTICE file.
>
> Josh, just so we are on the same page in terms of what still needs to
> be done, can you create Jira issues that list what needs to be done on
> this front for the release?
>
>
> Regards,
> Alan

I've created VCL-264 to list what needs to be done.

Andy pointed out the "System Requirements" section a little more than halfway 
down this page:

http://www.apache.org/legal/3party.html

Based on that, we're restating that all of the perl and mysql requirements 
are "System Requirements".  That will handle the bits that are GPL/LGPL 
licensed.

Josh

- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFK+ttuV/LQcNdtPQMRAmITAJ4+pF+4rCGG1d5BAP31jsYxJ+8TkACfZ3BO
cGmO8lIVqoDxaAb7imRnSyg=
=TlUX
-----END PGP SIGNATURE-----

Re: dependencies on third party software

[Josh Thompson <jo...@ncsu.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday November 10, 2009, Alan D. Cabrera wrote:
> On Nov 5, 2009, at 8:13 AM, Josh Thompson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Ralph,
> >
> > Thanks for the feedback - more discussion inline.
> >
> > On Wednesday November 04, 2009, Ralph Goers wrote:
> >> Usual qualifications - I am not on the legal committee so this is
> >> just
> >> my personal opinion.
> >>
> >> On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Bump.
> >>>
> >>> Anyone?
> >>>
> >>> On Thursday October 29, 2009, Josh Thompson wrote:
> >>>> Legal advisers,
> >>>>
> >>>> We at the Apache VCL project are trying to get our first release
> >>>> out.  VCL
> >>>> is a cloud management framework.  It is written in perl and php.
> >>>>
> >>>> While there is no third party software bundled with VCL, there are
> >>>> two
> >>>> types of third party software dependencies we have questions about.
> >>>>
> >>>> The first, required perl modules, may not even be considered third
> >>>> party.
> >>>> For the perl code, we have a script that will install all required
> >>>> additional perl modules.  There's about 14 such modules (with the
> >>>> possibility that some of them may already be installed).  Most of
> >>>> those
> >>>> modules say they are licensed under the same terms as perl itself.
> >>>> A few
> >>>> of them explicitly state they are licensed under one of "Artistic
> >>>> License",
> >>>> GPL, or LGPL.  How should we go about listing these licenses?
> >>>> Should they
> >>>> be listed out in the README file, the NOTICE file, or somewhere
> >>>> else?  The
> >>>> script that installs them displays a message stating that it will
> >>>> install
> >>>> some items licensed under "Artistic License", GPL, and LGPL and
> >>>> requires
> >>>> that you type YES to proceed with installing them.
> >>
> >> http://www.apache.org/legal/src-headers.html should provide the
> >> answers to where the attributions should appear. I like that you have
> >> a script to install them.
> >>
> >> My biggest concern is the one you didn't ask about. ASF policy is
> >> that
> >> you can't have a required dependency on something with a category X
> >> license (see http://www.apache.org/legal/resolved.html#category-x),
> >> so
> >> you cannot distribute VCL until all the dependencies on these are
> >> optional or are replaced with something with a compatible license. I
> >> am also concerned with the GPL dependencies because of the FSF's
> >> definition of what a derivative work is. If you have a required
> >> dependency on something with a GPL license your code must also be
> >> licensed under the GPL, not the Apace license (which is why it isn't
> >> allowed).
> >
> > There's one part of VCL (notifications via Jabber) that's not really
> > used that
> > is the cause of a chunk of the additional perl modules.  We'll
> > remove that
> > and see if there are any modules left that are not released under
> > perl's
> > license.
> >
> > However, even given that, since the code is written in perl and PHP,
> > those
> > interpreters are required to run VCL.  PHP's license is listed as
> > okay on the
> > page you linked to above.  perl is released under the Artistic
> > License, which
> > is not listed on that page at all.
> >
> > Is ASF okay with the Artistic License?  If not, things are looking
> > pretty
> > bleak for our project...
> >
> >>>> The second type of third party software depends on how you want to
> >>>> use VCL.
> >>>> VCL can manage physical machines using xCAT (which must be set up
> >>>> separately and is outside the scope of installing VCL), or VCL can
> >>>> manage
> >>>> VMWare based systems, with other hypervisors to be added in later.
> >>>> Also,
> >>>> there is some experimental work being done to support intelligent
> >>>> storage,
> >>>> starting with NetApp filers.  Here's where things get a little more
> >>>> complicated.  If using xCAT to deploy linux on any hardware, or to
> >>>> deploy
> >>>> windows on identical hardware, there is no third party software
> >>>> required
> >>>> (other than the perl modules already discussed).  However, if
> >>>> deploying
> >>>> windows to different types of hardware, you must download Sysprep
> >>>> from
> >>>> Microsoft, along with any drivers to support the different types of
> >>>> hardware.
> >>>>
> >>>> If using VCL to manage VMWare systems, you need VMWare's perl
> >>>> libraries.
> >>>> Similarly, if managing a NetApp filer, you need NetApp's perl
> >>>> libraries.
> >>>>
> >>>> How do we need to list out/explain these dependencies?
> >>
> >> Dependencies required for a specific platform are generally OK.  See
> >> http://www.apache.org/legal/resolved.html#platform . This doesn't
> >> document
> >> how to explain them. I would presume this
> >> should go in the NOTICE file.
> >>
> >> Ralph
> >
> > Okay - we'll list them in the NOTICE file.
>
> Josh, just so we are on the same page in terms of what still needs to
> be done, can you create Jira issues that list what needs to be done on
> this front for the release?
>
>
> Regards,
> Alan

I've created VCL-264 to list what needs to be done.

Andy pointed out the "System Requirements" section a little more than halfway 
down this page:

http://www.apache.org/legal/3party.html

Based on that, we're restating that all of the perl and mysql requirements 
are "System Requirements".  That will handle the bits that are GPL/LGPL 
licensed.

Josh

- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFK+ttuV/LQcNdtPQMRAmITAJ4+pF+4rCGG1d5BAP31jsYxJ+8TkACfZ3BO
cGmO8lIVqoDxaAb7imRnSyg=
=TlUX
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: dependencies on third party software

["Alan D. Cabrera" <li...@toolazydogs.com>]

On Nov 5, 2009, at 8:13 AM, Josh Thompson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ralph,
>
> Thanks for the feedback - more discussion inline.
>
> On Wednesday November 04, 2009, Ralph Goers wrote:
>> Usual qualifications - I am not on the legal committee so this is  
>> just
>> my personal opinion.
>>
>> On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Bump.
>>>
>>> Anyone?
>>>
>>> On Thursday October 29, 2009, Josh Thompson wrote:
>>>> Legal advisers,
>>>>
>>>> We at the Apache VCL project are trying to get our first release
>>>> out.  VCL
>>>> is a cloud management framework.  It is written in perl and php.
>>>>
>>>> While there is no third party software bundled with VCL, there are
>>>> two
>>>> types of third party software dependencies we have questions about.
>>>>
>>>> The first, required perl modules, may not even be considered third
>>>> party.
>>>> For the perl code, we have a script that will install all required
>>>> additional perl modules.  There's about 14 such modules (with the
>>>> possibility that some of them may already be installed).  Most of
>>>> those
>>>> modules say they are licensed under the same terms as perl itself.
>>>> A few
>>>> of them explicitly state they are licensed under one of "Artistic
>>>> License",
>>>> GPL, or LGPL.  How should we go about listing these licenses?
>>>> Should they
>>>> be listed out in the README file, the NOTICE file, or somewhere
>>>> else?  The
>>>> script that installs them displays a message stating that it will
>>>> install
>>>> some items licensed under "Artistic License", GPL, and LGPL and
>>>> requires
>>>> that you type YES to proceed with installing them.
>>
>> http://www.apache.org/legal/src-headers.html should provide the
>> answers to where the attributions should appear. I like that you have
>> a script to install them.
>>
>> My biggest concern is the one you didn't ask about. ASF policy is  
>> that
>> you can't have a required dependency on something with a category X
>> license (see http://www.apache.org/legal/resolved.html#category-x),  
>> so
>> you cannot distribute VCL until all the dependencies on these are
>> optional or are replaced with something with a compatible license. I
>> am also concerned with the GPL dependencies because of the FSF's
>> definition of what a derivative work is. If you have a required
>> dependency on something with a GPL license your code must also be
>> licensed under the GPL, not the Apace license (which is why it isn't
>> allowed).
>
> There's one part of VCL (notifications via Jabber) that's not really  
> used that
> is the cause of a chunk of the additional perl modules.  We'll  
> remove that
> and see if there are any modules left that are not released under  
> perl's
> license.
>
> However, even given that, since the code is written in perl and PHP,  
> those
> interpreters are required to run VCL.  PHP's license is listed as  
> okay on the
> page you linked to above.  perl is released under the Artistic  
> License, which
> is not listed on that page at all.
>
> Is ASF okay with the Artistic License?  If not, things are looking  
> pretty
> bleak for our project...
>
>>>> The second type of third party software depends on how you want to
>>>> use VCL.
>>>> VCL can manage physical machines using xCAT (which must be set up
>>>> separately and is outside the scope of installing VCL), or VCL can
>>>> manage
>>>> VMWare based systems, with other hypervisors to be added in later.
>>>> Also,
>>>> there is some experimental work being done to support intelligent
>>>> storage,
>>>> starting with NetApp filers.  Here's where things get a little more
>>>> complicated.  If using xCAT to deploy linux on any hardware, or to
>>>> deploy
>>>> windows on identical hardware, there is no third party software
>>>> required
>>>> (other than the perl modules already discussed).  However, if
>>>> deploying
>>>> windows to different types of hardware, you must download Sysprep
>>>> from
>>>> Microsoft, along with any drivers to support the different types of
>>>> hardware.
>>>>
>>>> If using VCL to manage VMWare systems, you need VMWare's perl
>>>> libraries.
>>>> Similarly, if managing a NetApp filer, you need NetApp's perl
>>>> libraries.
>>>>
>>>> How do we need to list out/explain these dependencies?
>>
>> Dependencies required for a specific platform are generally OK.  See
>> http://www.apache.org/legal/resolved.html#platform . This doesn't  
>> document
>> how to explain them. I would presume this
>> should go in the NOTICE file.
>>
>> Ralph
>
> Okay - we'll list them in the NOTICE file.
>

Josh, just so we are on the same page in terms of what still needs to  
be done, can you create Jira issues that list what needs to be done on  
this front for the release?


Regards,
Alan

Re: dependencies on third party software

["Alan D. Cabrera" <li...@toolazydogs.com>]

On Nov 5, 2009, at 8:13 AM, Josh Thompson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ralph,
>
> Thanks for the feedback - more discussion inline.
>
> On Wednesday November 04, 2009, Ralph Goers wrote:
>> Usual qualifications - I am not on the legal committee so this is  
>> just
>> my personal opinion.
>>
>> On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Bump.
>>>
>>> Anyone?
>>>
>>> On Thursday October 29, 2009, Josh Thompson wrote:
>>>> Legal advisers,
>>>>
>>>> We at the Apache VCL project are trying to get our first release
>>>> out.  VCL
>>>> is a cloud management framework.  It is written in perl and php.
>>>>
>>>> While there is no third party software bundled with VCL, there are
>>>> two
>>>> types of third party software dependencies we have questions about.
>>>>
>>>> The first, required perl modules, may not even be considered third
>>>> party.
>>>> For the perl code, we have a script that will install all required
>>>> additional perl modules.  There's about 14 such modules (with the
>>>> possibility that some of them may already be installed).  Most of
>>>> those
>>>> modules say they are licensed under the same terms as perl itself.
>>>> A few
>>>> of them explicitly state they are licensed under one of "Artistic
>>>> License",
>>>> GPL, or LGPL.  How should we go about listing these licenses?
>>>> Should they
>>>> be listed out in the README file, the NOTICE file, or somewhere
>>>> else?  The
>>>> script that installs them displays a message stating that it will
>>>> install
>>>> some items licensed under "Artistic License", GPL, and LGPL and
>>>> requires
>>>> that you type YES to proceed with installing them.
>>
>> http://www.apache.org/legal/src-headers.html should provide the
>> answers to where the attributions should appear. I like that you have
>> a script to install them.
>>
>> My biggest concern is the one you didn't ask about. ASF policy is  
>> that
>> you can't have a required dependency on something with a category X
>> license (see http://www.apache.org/legal/resolved.html#category-x),  
>> so
>> you cannot distribute VCL until all the dependencies on these are
>> optional or are replaced with something with a compatible license. I
>> am also concerned with the GPL dependencies because of the FSF's
>> definition of what a derivative work is. If you have a required
>> dependency on something with a GPL license your code must also be
>> licensed under the GPL, not the Apace license (which is why it isn't
>> allowed).
>
> There's one part of VCL (notifications via Jabber) that's not really  
> used that
> is the cause of a chunk of the additional perl modules.  We'll  
> remove that
> and see if there are any modules left that are not released under  
> perl's
> license.
>
> However, even given that, since the code is written in perl and PHP,  
> those
> interpreters are required to run VCL.  PHP's license is listed as  
> okay on the
> page you linked to above.  perl is released under the Artistic  
> License, which
> is not listed on that page at all.
>
> Is ASF okay with the Artistic License?  If not, things are looking  
> pretty
> bleak for our project...
>
>>>> The second type of third party software depends on how you want to
>>>> use VCL.
>>>> VCL can manage physical machines using xCAT (which must be set up
>>>> separately and is outside the scope of installing VCL), or VCL can
>>>> manage
>>>> VMWare based systems, with other hypervisors to be added in later.
>>>> Also,
>>>> there is some experimental work being done to support intelligent
>>>> storage,
>>>> starting with NetApp filers.  Here's where things get a little more
>>>> complicated.  If using xCAT to deploy linux on any hardware, or to
>>>> deploy
>>>> windows on identical hardware, there is no third party software
>>>> required
>>>> (other than the perl modules already discussed).  However, if
>>>> deploying
>>>> windows to different types of hardware, you must download Sysprep
>>>> from
>>>> Microsoft, along with any drivers to support the different types of
>>>> hardware.
>>>>
>>>> If using VCL to manage VMWare systems, you need VMWare's perl
>>>> libraries.
>>>> Similarly, if managing a NetApp filer, you need NetApp's perl
>>>> libraries.
>>>>
>>>> How do we need to list out/explain these dependencies?
>>
>> Dependencies required for a specific platform are generally OK.  See
>> http://www.apache.org/legal/resolved.html#platform . This doesn't  
>> document
>> how to explain them. I would presume this
>> should go in the NOTICE file.
>>
>> Ralph
>
> Okay - we'll list them in the NOTICE file.
>

Josh, just so we are on the same page in terms of what still needs to  
be done, can you create Jira issues that list what needs to be done on  
this front for the release?


Regards,
Alan


---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: dependencies on third party software

[Josh Thompson <jo...@ncsu.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ralph,

Thanks for the feedback - more discussion inline.

On Wednesday November 04, 2009, Ralph Goers wrote:
> Usual qualifications - I am not on the legal committee so this is just
> my personal opinion.
>
> On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Bump.
> >
> > Anyone?
> >
> > On Thursday October 29, 2009, Josh Thompson wrote:
> >> Legal advisers,
> >>
> >> We at the Apache VCL project are trying to get our first release
> >> out.  VCL
> >> is a cloud management framework.  It is written in perl and php.
> >>
> >> While there is no third party software bundled with VCL, there are
> >> two
> >> types of third party software dependencies we have questions about.
> >>
> >> The first, required perl modules, may not even be considered third
> >> party.
> >> For the perl code, we have a script that will install all required
> >> additional perl modules.  There's about 14 such modules (with the
> >> possibility that some of them may already be installed).  Most of
> >> those
> >> modules say they are licensed under the same terms as perl itself.
> >> A few
> >> of them explicitly state they are licensed under one of "Artistic
> >> License",
> >> GPL, or LGPL.  How should we go about listing these licenses?
> >> Should they
> >> be listed out in the README file, the NOTICE file, or somewhere
> >> else?  The
> >> script that installs them displays a message stating that it will
> >> install
> >> some items licensed under "Artistic License", GPL, and LGPL and
> >> requires
> >> that you type YES to proceed with installing them.
>
> http://www.apache.org/legal/src-headers.html should provide the
> answers to where the attributions should appear. I like that you have
> a script to install them.
>
> My biggest concern is the one you didn't ask about. ASF policy is that
> you can't have a required dependency on something with a category X
> license (see http://www.apache.org/legal/resolved.html#category-x), so
> you cannot distribute VCL until all the dependencies on these are
> optional or are replaced with something with a compatible license. I
> am also concerned with the GPL dependencies because of the FSF's
> definition of what a derivative work is. If you have a required
> dependency on something with a GPL license your code must also be
> licensed under the GPL, not the Apace license (which is why it isn't
> allowed).

There's one part of VCL (notifications via Jabber) that's not really used that 
is the cause of a chunk of the additional perl modules.  We'll remove that 
and see if there are any modules left that are not released under perl's 
license.

However, even given that, since the code is written in perl and PHP, those 
interpreters are required to run VCL.  PHP's license is listed as okay on the 
page you linked to above.  perl is released under the Artistic License, which 
is not listed on that page at all.

Is ASF okay with the Artistic License?  If not, things are looking pretty 
bleak for our project...

> >> The second type of third party software depends on how you want to
> >> use VCL.
> >> VCL can manage physical machines using xCAT (which must be set up
> >> separately and is outside the scope of installing VCL), or VCL can
> >> manage
> >> VMWare based systems, with other hypervisors to be added in later.
> >> Also,
> >> there is some experimental work being done to support intelligent
> >> storage,
> >> starting with NetApp filers.  Here's where things get a little more
> >> complicated.  If using xCAT to deploy linux on any hardware, or to
> >> deploy
> >> windows on identical hardware, there is no third party software
> >> required
> >> (other than the perl modules already discussed).  However, if
> >> deploying
> >> windows to different types of hardware, you must download Sysprep
> >> from
> >> Microsoft, along with any drivers to support the different types of
> >> hardware.
> >>
> >> If using VCL to manage VMWare systems, you need VMWare's perl
> >> libraries.
> >> Similarly, if managing a NetApp filer, you need NetApp's perl
> >> libraries.
> >>
> >> How do we need to list out/explain these dependencies?
>
> Dependencies required for a specific platform are generally OK.  See
> http://www.apache.org/legal/resolved.html#platform . This doesn't document
> how to explain them. I would presume this
> should go in the NOTICE file.
>
> Ralph

Okay - we'll list them in the NOTICE file.

Josh
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFK8vmfV/LQcNdtPQMRAjMSAJ0Qvlp3mG0NES4pE+s/h2hmtsr2dACfQsTO
aQLPsWO79BTLTwswnkl4raQ=
=0lmW
-----END PGP SIGNATURE-----

Re: dependencies on third party software

[Josh Thompson <jo...@ncsu.edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ralph,

Thanks for the feedback - more discussion inline.

On Wednesday November 04, 2009, Ralph Goers wrote:
> Usual qualifications - I am not on the legal committee so this is just
> my personal opinion.
>
> On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Bump.
> >
> > Anyone?
> >
> > On Thursday October 29, 2009, Josh Thompson wrote:
> >> Legal advisers,
> >>
> >> We at the Apache VCL project are trying to get our first release
> >> out.  VCL
> >> is a cloud management framework.  It is written in perl and php.
> >>
> >> While there is no third party software bundled with VCL, there are
> >> two
> >> types of third party software dependencies we have questions about.
> >>
> >> The first, required perl modules, may not even be considered third
> >> party.
> >> For the perl code, we have a script that will install all required
> >> additional perl modules.  There's about 14 such modules (with the
> >> possibility that some of them may already be installed).  Most of
> >> those
> >> modules say they are licensed under the same terms as perl itself.
> >> A few
> >> of them explicitly state they are licensed under one of "Artistic
> >> License",
> >> GPL, or LGPL.  How should we go about listing these licenses?
> >> Should they
> >> be listed out in the README file, the NOTICE file, or somewhere
> >> else?  The
> >> script that installs them displays a message stating that it will
> >> install
> >> some items licensed under "Artistic License", GPL, and LGPL and
> >> requires
> >> that you type YES to proceed with installing them.
>
> http://www.apache.org/legal/src-headers.html should provide the
> answers to where the attributions should appear. I like that you have
> a script to install them.
>
> My biggest concern is the one you didn't ask about. ASF policy is that
> you can't have a required dependency on something with a category X
> license (see http://www.apache.org/legal/resolved.html#category-x), so
> you cannot distribute VCL until all the dependencies on these are
> optional or are replaced with something with a compatible license. I
> am also concerned with the GPL dependencies because of the FSF's
> definition of what a derivative work is. If you have a required
> dependency on something with a GPL license your code must also be
> licensed under the GPL, not the Apace license (which is why it isn't
> allowed).

There's one part of VCL (notifications via Jabber) that's not really used that 
is the cause of a chunk of the additional perl modules.  We'll remove that 
and see if there are any modules left that are not released under perl's 
license.

However, even given that, since the code is written in perl and PHP, those 
interpreters are required to run VCL.  PHP's license is listed as okay on the 
page you linked to above.  perl is released under the Artistic License, which 
is not listed on that page at all.

Is ASF okay with the Artistic License?  If not, things are looking pretty 
bleak for our project...

> >> The second type of third party software depends on how you want to
> >> use VCL.
> >> VCL can manage physical machines using xCAT (which must be set up
> >> separately and is outside the scope of installing VCL), or VCL can
> >> manage
> >> VMWare based systems, with other hypervisors to be added in later.
> >> Also,
> >> there is some experimental work being done to support intelligent
> >> storage,
> >> starting with NetApp filers.  Here's where things get a little more
> >> complicated.  If using xCAT to deploy linux on any hardware, or to
> >> deploy
> >> windows on identical hardware, there is no third party software
> >> required
> >> (other than the perl modules already discussed).  However, if
> >> deploying
> >> windows to different types of hardware, you must download Sysprep
> >> from
> >> Microsoft, along with any drivers to support the different types of
> >> hardware.
> >>
> >> If using VCL to manage VMWare systems, you need VMWare's perl
> >> libraries.
> >> Similarly, if managing a NetApp filer, you need NetApp's perl
> >> libraries.
> >>
> >> How do we need to list out/explain these dependencies?
>
> Dependencies required for a specific platform are generally OK.  See
> http://www.apache.org/legal/resolved.html#platform . This doesn't document
> how to explain them. I would presume this
> should go in the NOTICE file.
>
> Ralph

Okay - we'll list them in the NOTICE file.

Josh
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFK8vmfV/LQcNdtPQMRAjMSAJ0Qvlp3mG0NES4pE+s/h2hmtsr2dACfQsTO
aQLPsWO79BTLTwswnkl4raQ=
=0lmW
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

Re: dependencies on third party software

[Ralph Goers <ra...@dslextreme.com>]

Usual qualifications - I am not on the legal committee so this is just  
my personal opinion.

On Nov 4, 2009, at 10:06 AM, Josh Thompson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Bump.
>
> Anyone?
>
> On Thursday October 29, 2009, Josh Thompson wrote:
>> Legal advisers,
>>
>> We at the Apache VCL project are trying to get our first release  
>> out.  VCL
>> is a cloud management framework.  It is written in perl and php.
>>
>> While there is no third party software bundled with VCL, there are  
>> two
>> types of third party software dependencies we have questions about.
>>
>> The first, required perl modules, may not even be considered third  
>> party.
>> For the perl code, we have a script that will install all required
>> additional perl modules.  There's about 14 such modules (with the
>> possibility that some of them may already be installed).  Most of  
>> those
>> modules say they are licensed under the same terms as perl itself.   
>> A few
>> of them explicitly state they are licensed under one of "Artistic  
>> License",
>> GPL, or LGPL.  How should we go about listing these licenses?   
>> Should they
>> be listed out in the README file, the NOTICE file, or somewhere  
>> else?  The
>> script that installs them displays a message stating that it will  
>> install
>> some items licensed under "Artistic License", GPL, and LGPL and  
>> requires
>> that you type YES to proceed with installing them.

http://www.apache.org/legal/src-headers.html should provide the  
answers to where the attributions should appear. I like that you have  
a script to install them.

My biggest concern is the one you didn't ask about. ASF policy is that  
you can't have a required dependency on something with a category X  
license (see http://www.apache.org/legal/resolved.html#category-x), so  
you cannot distribute VCL until all the dependencies on these are  
optional or are replaced with something with a compatible license. I  
am also concerned with the GPL dependencies because of the FSF's  
definition of what a derivative work is. If you have a required  
dependency on something with a GPL license your code must also be  
licensed under the GPL, not the Apace license (which is why it isn't  
allowed).

>>
>> The second type of third party software depends on how you want to  
>> use VCL.
>> VCL can manage physical machines using xCAT (which must be set up
>> separately and is outside the scope of installing VCL), or VCL can  
>> manage
>> VMWare based systems, with other hypervisors to be added in later.   
>> Also,
>> there is some experimental work being done to support intelligent  
>> storage,
>> starting with NetApp filers.  Here's where things get a little more
>> complicated.  If using xCAT to deploy linux on any hardware, or to  
>> deploy
>> windows on identical hardware, there is no third party software  
>> required
>> (other than the perl modules already discussed).  However, if  
>> deploying
>> windows to different types of hardware, you must download Sysprep  
>> from
>> Microsoft, along with any drivers to support the different types of
>> hardware.
>>
>> If using VCL to manage VMWare systems, you need VMWare's perl  
>> libraries.
>> Similarly, if managing a NetApp filer, you need NetApp's perl  
>> libraries.
>>
>> How do we need to list out/explain these dependencies?
Dependencies required for a specific platform are generally OK.  See http://www.apache.org/legal/resolved.html#platform 
. This doesn't document how to explain them. I would presume this  
should go in the NOTICE file.

Ralph

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org