Posted to legal-discuss@apache.org by Brian Demers <bd...@apache.org> on 2023/12/20 00:50:20 UTC

Should license headers use https urls?

Forgive me if this was asked already, I didn't see it in a quick
search of the archives.

The legal policy states[1] that headers should use the following URL:
http://www.apache.org/licenses/LICENSE-2.0

Given the general push[2] to use https everywhere, should the official
policy be updated to use the https version of the license URL?
https://www.apache.org/licenses/LICENSE-2.0

NOTE: The former already redirects to the latter

Related, I've seen projects using the `https` version of the URL. Is
that a problem, or is it just a matter of adding an extra `s` to the
policy page [1]?

[1] https://www.apache.org/legal/src-headers.html#headers
[2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Should license headers use https urls?

Posted by Christopher <ct...@apache.org>.
On Mon, Dec 25, 2023 at 3:31 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>
> On Sat, Dec 23, 2023 at 6:17 PM Michael Mior <mm...@apache.org> wrote:
> >
> > I would disagree about there being no technical difference. Not using HTTPS runs a higher risk of MITM. The connection will get upgraded unless the initial HTTP request isn't intercepted and the attacker decides to serve something different. Whether that is practically a concern is of course another question.
>
> True, but such an attack vector appears to be highly theoretical.

For what it's worth, the Mozilla link the OP originally shared
provided concrete examples of non-theoretical violations of site
integrity due to http instead of https. In the section titled "But
there's nothing secret on my site! Why should I bother with
encryption?", they emphasize that integrity is an important aspect of
https, and of site security, not just the confidentiality of
encryption. The concrete examples emphasize this point.

Also, I didn't contest your previous statement, because it's not
terribly important, but since we're discussing the technical aspects,
I just wanted to point out that it's not true that we serve the
license on the http site. The only thing we serve there at the public
facing http endpoint is a 301 Permanent redirect. We serve the license
*only* on https for any internet-facing endpoint. It's only the
browser's willing behavior on the client side that causes the browser
to choose to "upgrade" the connection to https and view the license
page that we're serving. (I have no idea what's happening within ASF
internals, which could all be http, and only a proxy is used for
https, but I think that whatever is happening internally is less
important than what's internet-facing.)

In any case, I updated my PR to back out the changes to the source
header and kept http the default there, but keep the wording to
mention that https is also acceptable. I'm happy to merge it once I
get a positive approval to do so. While I was there, I noticed that
the page itself uses https to point to the license in the Markdown
file's own "license:" front matter at the top of the page. It doesn't
matter much for the default source header recommended text, but if
anybody still had any concerns that https wasn't acceptable to use to
point to the license, in general, it might be useful to know that the
page maintained by LEGAL was using it.

>
> Thanks,
> Roman.
>
> > On Sat, Dec 23, 2023, 02:31 Christopher <ct...@apache.org> wrote:
> >>
> >> Roman, based on your response (and please correct me if I'm wrong), I
> >> *think* you hold the opinion that either is fine, just as Henri said
> >> on LEGAL-265, because it's not a legal or technical difference, but
> >> just a "matter of taste", as you've said, and while you don't
> >> personally see the value in somebody changing it, you don't really
> >> care if a project changes their source headers from http to https
> >> ("-0").
> >>
> >> If I'm understanding you correctly, I think what would immediately
> >> settle the matter is to just have you say that "either is fine in the
> >> source header" more directly. I don't even think people care whether
> >> the default source header on that LEGAL page changes or not. They just
> >> want to know it's okay if they use https there and need a direct
> >> response. I *think* you already hold the opinion that it's fine if
> >> they want to, but you just need to say it directly for them to accept
> >> it.
> >>
> >> As for my PR, I'd be happy to back out the changes in my PR to the
> >> default source header, and only keep a change to the note saying that
> >> either are acceptable.
> >>
> >> On Fri, Dec 22, 2023 at 6:41 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> >> >
> >> > Personally I'm still -0 regarding this change (since I honestly don't
> >> > see much of an argument for https in this particular case -- it's not
> >> > like we actually SERVE the text via http -- the connection gets
> >> > upgraded).
> >> >
> >> > However, at this point, it ain't the end of the world either.
> >> >
> >> > All in all -- it really is a matter of taste (not technology nor law).
> >> >
> >> > So... I suggest we run a formal vote on this list and settle this
> >> > matter once and for all.
> >> >
> >> > Thanks,
> >> > Roman.
> >> >
> >> > P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE thread ;-)
> >> >
> >> >
> >> > On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
> >> > >
> >> > > I'm not sure who was VP Legal at the time, but since Henri closed the
> >> > > issue, I accepted their response as sufficiently authoritative for my
> >> > > own level of comfort, given that there was no objection from anybody
> >> > > identifying themselves as VP Legal on the ticket, and clearly Henri
> >> > > had been delegated at least the authority to resolve the matter in the
> >> > > issue tracker. Plus, the outcome seemed reasonable to me.
> >> > >
> >> > > If that outcome isn't good enough for your comfort, that's fine. I
> >> > > only ask that if you do continue to pursue it to your own
> >> > > satisfaction, you comment on, or link any new issue to, the existing
> >> > > https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
> >> > > following it will see any updates. You could also ask VP Legal to
> >> > > address it by responding on my PR
> >> > > https://github.com/apache/www-site/pull/331 ; if they accept that, or
> >> > > some variation of it, it can be used to update the website to resolve
> >> > > any future confusion by others.
> >> > >
> >> > > On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
> >> > > >
> >> > > > I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
> >> > > >
> >> > > > Gary
> >> > > >
> >> > > > On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
> >> > > >>
> >> > > >> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
> >> > > >>
> >> > > >> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
> >> > > >> >
> >> > > >> > "The html version of the license listed here:
> >> > > >> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
> >> > > >> >
> >> > > >> > It does not in the boxed text which is the actual license header.
> >> > > >> >
> >> > > >> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
> >> > > >> >
> >> > > >> > Gary
> >> > > >> >
> >> > > >> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
> >> > > >> >>
> >> > > >> >> I don't see a conclusion in those threads.  Other than:
> >> > > >> >> - apache-rat was updated to accept both.
> >> > > >> >> - it's two separate topics (license headers vs license text)
> >> > > >> >>
> >> > > >> >> The html version of the license listed here:
> >> > > >> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
> >> > > >> >> and as do the 3rd party refs on the page, SPDX and OSI do as well.
> >> > > >> >>
> >> > > >> >> IMHO, we should update the policy page header text to use `https`, and
> >> > > >> >> add a note under it stating that the `http` version can be used but
> >> > > >> >> `https` is now the recommendation
> >> > > >> >>
> >> > > >> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> >> > > >> >> >
> >> > > >> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> >> > > >> >> >
> >> > > >> >> > Gary
> >> > > >> >> >
> >> > > >> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> >> > > >> >> >>
> >> > > >> >> >> Here's a couple past discussions
> >> > > >> >> >>
> >> > > >> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> >> > > >> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> >> > > >> >> >>
> >> > > >> >> >> --
> >> > > >> >> >> Michael Mior
> >> > > >> >> >> mmior@apache.org
> >> > > >> >> >>
> >> > > >> >> >>
> >> > > >> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> >> > > >> >> >>>
> >> > > >> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> >> > > >> >> >>>
> >> > > >> >> >>> Gary
> >> > > >> >> >>>
> >> > > >> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> >> > > >> >> >>>>
> >> > > >> >> >>>> I believe this has been discussed before, but I cannot find a link to
> >> > > >> >> >>>> the previous conclusion on the matter.
> >> > > >> >> >>>>
> >> > > >> >> >>>> I'm only representing my own personal opinions on this, but my
> >> > > >> >> >>>> understanding is that this is not a substantive deviation. I think you
> >> > > >> >> >>>> have several good reasons to justify the deviation:
> >> > > >> >> >>>>
> >> > > >> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> >> > > >> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> >> > > >> >> >>>> sentence is to hold any legal meaning in English, rather than just
> >> > > >> >> >>>> some magical static string of characters, then it means that the
> >> > > >> >> >>>> license can be found at the provided URL. It is a true fact that the
> >> > > >> >> >>>> document may be obtained by following that URL, regardless of whether
> >> > > >> >> >>>> you use http or https, so there can't really be any relevant legal
> >> > > >> >> >>>> difference between the two. The same would be true if you inserted
> >> > > >> >> >>>> line breaks between the words or indented the header differently. The
> >> > > >> >> >>>> words still hold the same meaning.
> >> > > >> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> >> > > >> >> >>>> is a strong recommendation, rather than "must", which would be a
> >> > > >> >> >>>> requirement. If you understand *why* you're deviating from the
> >> > > >> >> >>>> "should" recommendation and are doing it for good reason, it's
> >> > > >> >> >>>> generally okay to diverge from even a strong recommendation.
> >> > > >> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> >> > > >> >> >>>> for Maven, already support validating the header with either.
> >> > > >> >> >>>> 4. "precedent" argument - Some projects have already started doing
> >> > > >> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> >> > > >> >> >>>> precedent.
> >> > > >> >> >>>> 5. "location of record" argument - The website itself reports that the
> >> > > >> >> >>>> document has permanently relocated to the https location by returning
> >> > > >> >> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
> >> > > >> >> >>>> records up-to-date.
> >> > > >> >> >>>>
> >> > > >> >> >>>> I created a PR to update the src-headers page with a suggested change
> >> > > >> >> >>>> to make it more clear that either are acceptable (and to default to
> >> > > >> >> >>>> using https in the recommended header):
> >> > > >> >> >>>> https://github.com/apache/www-site/pull/331
> >> > > >> >> >>>>
> >> > > >> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> >> > > >> >> >>>> >
> >> > > >> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> >> > > >> >> >>>> > search of the archives.
> >> > > >> >> >>>> >
> >> > > >> >> >>>> > The legal policy states[1] that headers should use the following URL:
> >> > > >> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> >> > > >> >> >>>> >
> >> > > >> >> >>>> > Given the general push[2] to use https everywhere, should the official
> >> > > >> >> >>>> > policy be updated to use the https version of the license URL?
> >> > > >> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> >> > > >> >> >>>> >
> >> > > >> >> >>>> > NOTE: The former already redirects to the latter
> >> > > >> >> >>>> >
> >> > > >> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> >> > > >> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> >> > > >> >> >>>> > policy page [1]?
> >> > > >> >> >>>> >
> >> > > >> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> >> > > >> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
> >> > > >> >> >>>> >
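Added example (not part of any message in this thread): a Python sketch of the "tooling" and redirect points discussed above. It accepts either scheme in a source header, then walks a recorded redirect chain and reports which hops are cleartext and therefore unauthenticated. The response table and header samples are constructed from the behaviour the thread describes (a 301 on http, the license body on https), and all function names are hypothetical.

```python
import re
from urllib.parse import urljoin, urlsplit

# Host and path of the license document named in the thread.
EXPECTED = ("www.apache.org", "/licenses/LICENSE-2.0")

# Constructed sample: status and Location per URL, as described in the thread
# (the http endpoint answers only with a 301; the body is served on https).
CONSTRUCTED_RESPONSES = {
    "http://www.apache.org/licenses/LICENSE-2.0":
        (301, "https://www.apache.org/licenses/LICENSE-2.0"),
    "https://www.apache.org/licenses/LICENSE-2.0": (200, None),
}

# Constructed sample source header in a block comment.
HTTP_HEADER = '''/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 */'''
HTTPS_HEADER = HTTP_HEADER.replace("http://", "https://")

# The URL follows the sentence, possibly after comment markers and blank lines.
HEADER_URL_RE = re.compile(
    r"obtain a copy of the License at[\s#*/]*(https?://[^\s\"'<>]+)"
)


def license_urls(source_text):
    """Return every license URL that follows the 'obtain a copy' sentence."""
    return HEADER_URL_RE.findall(source_text)


def header_url_acceptable(url):
    """Accept the expected host and path under either http or https."""
    parts = urlsplit(url)
    return (parts.scheme in ("http", "https")
            and (parts.hostname, parts.path) == EXPECTED)


def trace_redirects(url, responses, max_hops=5):
    """Follow recorded redirects and return the list of (url, status) hops."""
    hops = []
    for _ in range(max_hops):
        status, location = responses[url]
        hops.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = urljoin(url, location)
    raise RuntimeError("redirect limit exceeded")


def audit_fetch(url, responses):
    """Report which hops ran over cleartext HTTP.

    A cleartext hop carries no server authentication or integrity protection,
    so the redirect it returns cannot be verified by the client.
    """
    hops = trace_redirects(url, responses)
    cleartext = [u for u, _ in hops if urlsplit(u).scheme != "https"]
    final_url, final_status = hops[-1]
    return {
        "hops": hops,
        "cleartext_hops": cleartext,
        "final_url": final_url,
        "final_status": final_status,
        "authenticated_end_to_end": not cleartext,
    }


if __name__ == "__main__":
    for name, header in (("http header", HTTP_HEADER),
                         ("https header", HTTPS_HEADER)):
        for url in license_urls(header):
            report = audit_fetch(url, CONSTRUCTED_RESPONSES)
            print(name, "| acceptable:", header_url_acceptable(url),
                  "| cleartext hops:", report["cleartext_hops"],
                  "| final:", report["final_url"])
```

Both headers pass the acceptance check and reach the same final URL; only the http form includes a hop the client cannot authenticate.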


Re: Should license headers use https urls?

Posted by Matt Sicker <ma...@musigma.org>.
Plus courts and judges aren’t computers; the exact text of the Apache License (all versions) is readily available for review regardless of MITM attacks.

> On Dec 25, 2023, at 2:31 AM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> 
> On Sat, Dec 23, 2023 at 6:17 PM Michael Mior <mmior@apache.org> wrote:
>> 
>> I would disagree about there being no technical difference. Not using HTTPS runs a higher risk of MITM. The connection will get upgraded unless the initial HTTP request isn't intercepted and the attacker decides to serve something different. Whether that is practically a concern is of course another question.
> 
> True, but such an attack vector appears to be highly theoretical.
> 
> Thanks,
> Roman.
> 
>> On Sat, Dec 23, 2023, 02:31 Christopher <ct...@apache.org> wrote:
>>> 
>>> Roman, based on your response (and please correct me if I'm wrong), I
>>> *think* you hold the opinion that either is fine, just as Henri said
>>> on LEGAL-265, because it's not a legal or technical difference, but
>>> just a "matter of taste", as you've said, and while you don't
>>> personally see the value in somebody changing it, you don't really
>>> care if a project changes their source headers from http to https
>>> ("-0").
>>> 
>>> If I'm understanding you correctly, I think what would immediately
>>> settle the matter is to just have you say that "either is fine in the
>>> source header" more directly. I don't even think people care whether
>>> the default source header on that LEGAL page changes or not. They just
>>> want to know it's okay if they use https there and need a direct
>>> response. I *think* you already hold the opinion that it's fine if
>>> they want to, but you just need to say it directly for them to accept
>>> it.
>>> 
>>> As for my PR, I'd be happy to back out the changes in my PR to the
>>> default source header, and only keep a change to the note saying that
>>> either are acceptable.
>>> 
>>> On Fri, Dec 22, 2023 at 6:41 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>>>> 
>>>> Personally I'm still -0 regarding this change (since I honestly don't
>>>> see much of an argument for https in this particular case -- it's not
>>>> like we actually SERVE the text via http -- the connection gets
>>>> upgraded).
>>>> 
>>>> However, at this point, it ain't the end of the world either.
>>>> 
>>>> All in all -- it really is a matter of taste (not technology nor law).
>>>> 
>>>> So... I suggest we run a formal vote on this list and settle this
>>>> matter once and for all.
>>>> 
>>>> Thanks,
>>>> Roman.
>>>> 
>>>> P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE thread ;-)
>>>> 
>>>> 
>>>> On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
>>>>> 
>>>>> I'm not sure who was VP Legal at the time, but since Henri closed the
>>>>> issue, I accepted their response as sufficiently authoritative for my
>>>>> own level of comfort, given that there was no objection from anybody
>>>>> identifying themselves as VP Legal on the ticket, and clearly Henri
>>>>> had been delegated at least the authority to resolve the matter in the
>>>>> issue tracker. Plus, the outcome seemed reasonable to me.
>>>>> 
>>>>> If that outcome isn't good enough for your comfort, that's fine. I
>>>>> only ask that if you do continue to pursue it to your own
>>>>> satisfaction, you comment on, or link any new issue to, the existing
>>>>> https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
>>>>> following it will see any updates. You could also ask VP Legal to
>>>>> address it by responding on my PR
>>>>> https://github.com/apache/www-site/pull/331 ; if they accept that, or
>>>>> some variation of it, it can be used to update the website to resolve
>>>>> any future confusion by others.
>>>>> 
>>>>> On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
>>>>>> 
>>>>>> I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
>>>>>> 
>>>>>> Gary
>>>>>> 
>>>>>> On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
>>>>>>> 
>>>>>>> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
>>>>>>> 
>>>>>>> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> "The html version of the license listed here:
>>>>>>>> https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
>>>>>>>> 
>>>>>>>> It does not in the boxed text which is the actual license header.
>>>>>>>> 
>>>>>>>> It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
>>>>>>>> 
>>>>>>>> Gary
>>>>>>>> 
>>>>>>>> On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> I don't see a conclusion in those threads.  Other than:
>>>>>>>>> - apache-rat was updated to accept both.
>>>>>>>>> - it's two separate topics (license headers vs license text)
>>>>>>>>> 
>>>>>>>>> The html version of the license listed here:
>>>>>>>>> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
>>>>>>>>> and as do the 3rd party refs on the page, SPDX and OSI do as well.
>>>>>>>>> 
>>>>>>>>> IMHO, we should update the policy page header text to use `https`, and
>>>>>>>>> add a note under it stating that the `http` version can be used but
>>>>>>>>> `https` is now the recommendation
>>>>>>>>> 
>>>>>>>>> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
>>>>>>>>>> 
>>>>>>>>>> Gary
>>>>>>>>>> 
>>>>>>>>>> On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Here's a couple past discussions
>>>>>>>>>>> 
>>>>>>>>>>> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
>>>>>>>>>>> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
>>>>>>>>>>> 
>>>>>>>>>>> --
>>>>>>>>>>> Michael Mior
>>>>>>>>>>> mmior@apache.org
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
>>>>>>>>>>>> 
>>>>>>>>>>>> Gary
>>>>>>>>>>>> 
>>>>>>>>>>>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I believe this has been discussed before, but I cannot find a link to
>>>>>>>>>>>>> the previous conclusion on the matter.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I'm only representing my own personal opinions on this, but my
>>>>>>>>>>>>> understanding is that this is not a substantive deviation. I think you
>>>>>>>>>>>>> have several good reasons to justify the deviation:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>>>>>>>>>>>>> the sentence, "You may obtain a copy of the License at ...". If that
>>>>>>>>>>>>> sentence is to hold any legal meaning in English, rather than just
>>>>>>>>>>>>> some magical static string of characters, then it means that the
>>>>>>>>>>>>> license can be found at the provided URL. It is a true fact that the
>>>>>>>>>>>>> document may be obtained by following that URL, regardless of whether
>>>>>>>>>>>>> you use http or https, so there can't really be any relevant legal
>>>>>>>>>>>>> difference between the two. The same would be true if you inserted
>>>>>>>>>>>>> line breaks between the words or indented the header differently. The
>>>>>>>>>>>>> words still hold the same meaning.
>>>>>>>>>>>>> 2. "grammar" argument - The linked document [1] says "should", which
>>>>>>>>>>>>> is a strong recommendation, rather than "must", which would be a
>>>>>>>>>>>>> requirement. If you understand *why* you're deviating from the
>>>>>>>>>>>>> "should" recommendation and are doing it for good reason, it's
>>>>>>>>>>>>> generally okay to diverge from even a strong recommendation.
>>>>>>>>>>>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>>>>>>>>>>>>> for Maven, already support validating the header with either.
>>>>>>>>>>>>> 4. "precedent" argument - Some projects have already started doing
>>>>>>>>>>>>> this (Apache Accumulo, for example), so you would not be setting a new
>>>>>>>>>>>>> precedent.
>>>>>>>>>>>>> 5. "location of record" argument - The website itself reports that the
>>>>>>>>>>>>> document has permanently relocated to the https location by returning
>>>>>>>>>>>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
>>>>>>>>>>>>> records up-to-date.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I created a PR to update the src-headers page with a suggested change
>>>>>>>>>>>>> to make it more clear that either are acceptable (and to default to
>>>>>>>>>>>>> using https in the recommended header):
>>>>>>>>>>>>> https://github.com/apache/www-site/pull/331
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Forgive me if this was asked already, I didn't see it in a quick
>>>>>>>>>>>>>> search of the archives.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> The legal policy states[1] that headers should use the following URL:
>>>>>>>>>>>>>> http://www.apache.org/licenses/LICENSE-2.0
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Given the general push[2] to use https everywhere, should the official
>>>>>>>>>>>>>> policy be updated to use the https version of the license URL?
>>>>>>>>>>>>>> https://www.apache.org/licenses/LICENSE-2.0
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> NOTE: The former already redirects to the latter
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Related, I've seen projects using the `https` version of the URL. Is
>>>>>>>>>>>>>> that a problem, or is it just a matter of adding an extra `s` to the
>>>>>>>>>>>>>> policy page [1]?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> [1] https://www.apache.org/legal/src-headers.html#headers
>>>>>>>>>>>>>> [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
>>>>>>>>>>>>>> 

Re: Should license headers use https urls?

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
On Sat, Dec 23, 2023 at 6:17 PM Michael Mior <mm...@apache.org> wrote:
>
> I would disagree about there being no technical difference. Not using HTTPS runs a higher risk of MITM. The connection will get upgraded unless the initial HTTP request isn't intercepted and the attacker decides to serve something different. Whether that is practically a concern is of course another question.

True, but such an attack vector appears to be highly theoretical.

Thanks,
Roman.

> On Sat, Dec 23, 2023, 02:31 Christopher <ct...@apache.org> wrote:
>>
>> Roman, based on your response (and please correct me if I'm wrong), I
>> *think* you hold the opinion that either is fine, just as Henri said
>> on LEGAL-265, because it's not a legal or technical difference, but
>> just a "matter of taste", as you've said, and while you don't
>> personally see the value in somebody changing it, you don't really
>> care if a project changes their source headers from http to https
>> ("-0").
>>
>> If I'm understanding you correctly, I think what would immediately
>> settle the matter is to just have you say that "either is fine in the
>> source header" more directly. I don't even think people care whether
>> the default source header on that LEGAL page changes or not. They just
>> want to know it's okay if they use https there and need a direct
>> response. I *think* you already hold the opinion that it's fine if
>> they want to, but you just need to say it directly for them to accept
>> it.
>>
>> As for my PR, I'd be happy to back out the changes in my PR to the
>> default source header, and only keep a change to the note saying that
>> either are acceptable.
>>
>> On Fri, Dec 22, 2023 at 6:41 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>> >
>> > Personally I'm still -0 regarding this change (since I honestly don't
>> > see much of an argument for https in this particular case -- it's not
>> > like we actually SERVE the text via http -- the connection gets
>> > upgraded).
>> >
>> > However, at this point, it ain't the end of the world either.
>> >
>> > All in all -- it really is a matter of taste (not technology nor law).
>> >
>> > So... I suggest we run a formal vote on this list and settle this
>> > matter once and for all.
>> >
>> > Thanks,
>> > Roman.
>> >
>> > P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE thread ;-)
>> >
>> >
>> > On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
>> > >
>> > > I'm not sure who was VP Legal at the time, but since Henri closed the
>> > > issue, I accepted their response as sufficiently authoritative for my
>> > > own level of comfort, given that there was no objection from anybody
>> > > identifying themselves as VP Legal on the ticket, and clearly Henri
>> > > had been delegated at least the authority to resolve the matter in the
>> > > issue tracker. Plus, the outcome seemed reasonable to me.
>> > >
>> > > If that outcome isn't good enough for your comfort, that's fine. I
>> > > only ask that if you do continue to pursue it to your own
>> > > satisfaction, you comment on, or link any new issue to, the existing
>> > > https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
>> > > following it will see any updates. You could also ask VP Legal to
>> > > address it by responding on my PR
>> > > https://github.com/apache/www-site/pull/331 ; if they accept that, or
>> > > some variation of it, it can be used to update the website to resolve
>> > > any future confusion by others.
>> > >
>> > > On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
>> > > >
>> > > > I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
>> > > >
>> > > > Gary
>> > > >
>> > > > On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
>> > > >>
>> > > >> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
>> > > >>
>> > > >> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
>> > > >> >
>> > > >> > "The html version of the license listed here:
>> > > >> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
>> > > >> >
>> > > >> > It does not in the boxed text which is the actual license header.
>> > > >> >
>> > > >> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
>> > > >> >
>> > > >> > Gary
>> > > >> >
>> > > >> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
>> > > >> >>
>> > > >> >> I don't see a conclusion in those threads.  Other than:
>> > > >> >> - apache-rat was updated to accept both.
>> > > >> >> - it's two separate topics (license headers vs license text)
>> > > >> >>
>> > > >> >> The html version of the license listed here:
>> > > >> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
>> > > >> >> and as do the 3rd party refs on the page, SPDX and OSI do as well.
>> > > >> >>
>> > > >> >> IMHO, we should update the policy page header text to use `https`, and
>> > > >> >> add a note under it stating that the `http` version can be used but
>> > > >> >> `https` is now the recommendation
>> > > >> >>
>> > > >> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
>> > > >> >> >
>> > > >> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
>> > > >> >> >
>> > > >> >> > Gary
>> > > >> >> >
>> > > >> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
>> > > >> >> >>
>> > > >> >> >> Here's a couple past discussions
>> > > >> >> >>
>> > > >> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
>> > > >> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
>> > > >> >> >>
>> > > >> >> >> --
>> > > >> >> >> Michael Mior
>> > > >> >> >> mmior@apache.org
>> > > >> >> >>
>> > > >> >> >>
>> > > >> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
>> > > >> >> >>>
>> > > >> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
>> > > >> >> >>>
>> > > >> >> >>> Gary
>> > > >> >> >>>
>> > > >> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>> > > >> >> >>>>
>> > > >> >> >>>> I believe this has been discussed before, but I cannot find a link to
>> > > >> >> >>>> the previous conclusion on the matter.
>> > > >> >> >>>>
>> > > >> >> >>>> I'm only representing my own personal opinions on this, but my
>> > > >> >> >>>> understanding is that this is not a substantive deviation. I think you
>> > > >> >> >>>> have several good reasons to justify the deviation:
>> > > >> >> >>>>
>> > > >> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>> > > >> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
>> > > >> >> >>>> sentence is to hold any legal meaning in English, rather than just
>> > > >> >> >>>> some magical static string of characters, then it means that the
>> > > >> >> >>>> license can be found at the provided URL. It is a true fact that the
>> > > >> >> >>>> document may be obtained by following that URL, regardless of whether
>> > > >> >> >>>> you use http or https, so there can't really be any relevant legal
>> > > >> >> >>>> difference between the two. The same would be true if you inserted
>> > > >> >> >>>> line breaks between the words or indented the header differently. The
>> > > >> >> >>>> words still hold the same meaning.
>> > > >> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
>> > > >> >> >>>> is a strong recommendation, rather than "must", which would be a
>> > > >> >> >>>> requirement. If you understand *why* you're deviating from the
>> > > >> >> >>>> "should" recommendation and are doing it for good reason, it's
>> > > >> >> >>>> generally okay to diverge from even a strong recommendation.
>> > > >> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>> > > >> >> >>>> for Maven, already support validating the header with either.
>> > > >> >> >>>> 4. "precedent" argument - Some projects have already started doing
>> > > >> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
>> > > >> >> >>>> precedent.
>> > > >> >> >>>> 5. "location of record" argument - The website itself reports that the
>> > > >> >> >>>> document has permanently relocated to the https location by returning
>> > > >> >> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
>> > > >> >> >>>> records up-to-date.
>> > > >> >> >>>>
>> > > >> >> >>>> I created a PR to update the src-headers page with a suggested change
>> > > >> >> >>>> to make it more clear that either are acceptable (and to default to
>> > > >> >> >>>> using https in the recommended header):
>> > > >> >> >>>> https://github.com/apache/www-site/pull/331
>> > > >> >> >>>>
>> > > >> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>> > > >> >> >>>> >
>> > > >> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
>> > > >> >> >>>> > search of the archives.
>> > > >> >> >>>> >
>> > > >> >> >>>> > The legal policy states[1] that headers should use the following URL:
>> > > >> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
>> > > >> >> >>>> >
>> > > >> >> >>>> > Given the general push[2] to use https everywhere, should the official
>> > > >> >> >>>> > policy be updated to use the https version of the license URL?
>> > > >> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
>> > > >> >> >>>> >
>> > > >> >> >>>> > NOTE: The former already redirects to the latter
>> > > >> >> >>>> >
>> > > >> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
>> > > >> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
>> > > >> >> >>>> > policy page [1]
>> > > >> >> >>>> >
>> > > >> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
>> > > >> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
>> > > >> >> >>>> >


Re: Should license headers use https urls?

Posted by Michael Mior <mm...@apache.org>.
I would disagree about there being no technical difference. Not using HTTPS
runs a higher risk of MITM. The connection will get upgraded unless the
initial HTTP request isn't intercepted and the attacker decides to serve
something different. Whether that is practically a concern is of course
another question.

On Sat, Dec 23, 2023, 02:31 Christopher <ct...@apache.org> wrote:

> Roman, based on your response (and please correct me if I'm wrong), I
> *think* you hold the opinion that either is fine, just as Henri said
> on LEGAL-265, because it's not a legal or technical difference, but
> just a "matter of taste", as you've said, and while you don't
> personally see the value in somebody changing it, you don't really
> care if a project changes their source headers from http to https
> ("-0").
>
> If I'm understanding you correctly, I think what would immediately
> settle the matter is to just have you say that "either is fine in the
> source header" more directly. I don't even think people care whether
> the default source header on that LEGAL page changes or not. They just
> want to know it's okay if they use https there and need a direct
> response. I *think* you already hold the opinion that it's fine if
> they want to, but you just need to say it directly for them to accept
> it.
>
> As for my PR, I'd be happy to back out the changes in my PR to the
> default source header, and only keep a change to the note saying that
> either are acceptable.
>
> On Fri, Dec 22, 2023 at 6:41 AM Roman Shaposhnik <ro...@shaposhnik.org>
> wrote:
> >
> > Personally I'm still -0 regarding this change (since I honestly don't
> > see much of an argument for https in this particular case -- it's not
> > like we actually SERVE the text via http -- the connection gets
> > upgraded).
> >
> > However, at this point, it ain't the end of the world either.
> >
> > All in all -- it really is a matter of taste (not technology nor law).
> >
> > So... I suggest we run a formal vote on this list and settle this
> > matter once and for all.
> >
> > Thanks,
> > Roman.
> >
> > P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE
> thread ;-)
> >
> >
> > On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
> > >
> > > I'm not sure who was VP Legal at the time, but since Henri closed the
> > > issue, I accepted their response as sufficiently authoritative for my
> > > own level of comfort, given that there was no objection from anybody
> > > identifying themselves as VP Legal on the ticket, and clearly Henri
> > > had been delegated at least the authority to resolve the matter in the
> > > issue tracker. Plus, the outcome seemed reasonable to me.
> > >
> > > If that outcome isn't good enough for your comfort, that's fine. I
> > > only ask that if you do continue to pursue it to your own
> > > satisfaction, you comment on, or link any new issue to, the existing
> > > https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
> > > following it will see any updates. You could also ask VP Legal to
> > > address it by responding on my PR
> > > https://github.com/apache/www-site/pull/331 ; if they accept that, or
> > > some variation of it, it can be used to update the website to resolve
> > > any future confusion by others.
> > >
> > > On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com>
> wrote:
> > > >
> > > > I'm personally NOT comfortable changing ANYTHING in license headers
> until I read something like "As VP of legal (of some agreed and stated
> Apache authority title), it is OK to change license headers from this to
> that."
> > > >
> > > > Gary
> > > >
> > > > On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
> > > >>
> > > >> The reference is https://issues.apache.org/jira/browse/LEGAL-265.
> Case closed.
> > > >>
> > > >> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <
> garydgregory@gmail.com> wrote:
> > > >> >
> > > >> > "The html version of the license listed here:
> > > >> > https://www.apache.org/licenses/LICENSE-2.0 contains the https
> url _snip_"
> > > >> >
> > > >> > It does not in the boxed text which is the actual license header.
> > > >> >
> > > >> > It doesn't matter what we non-attorneys think until an (our)
> attorney decides IMO.
> > > >> >
> > > >> > Gary
> > > >> >
> > > >> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <
> brian.demers@gmail.com> wrote:
> > > >> >>
> > > >> >> I don't see a conclusion in those threads.  Other than:
> > > >> >> - apache-rat was updated to accept both.
> > > >> >> - it's two separate topics (license headers vs license text)
> > > >> >>
> > > >> >> The html version of the license listed here:
> > > >> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https
> url
> > > >> >> and as do the 3rd party refs on the page, SPDX and OSI do as
> well.
> > > >> >>
> > > >> >> IMHO, we should update the policy page header text to use
> `https`, and
> > > >> >> add a note under it stating that the `http` version can be used
> but
> > > >> >> `https` is now the recommendation
> > > >> >>
> > > >> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <
> garydgregory@gmail.com> wrote:
> > > >> >> >
> > > >> >> > So... we need an opinion from VP legal and a new entry to a
> FAQ so we can stop rehashing this issue?
> > > >> >> >
> > > >> >> > Gary
> > > >> >> >
> > > >> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org>
> wrote:
> > > >> >> >>
> > > >> >> >> Here's a couple past discussions
> > > >> >> >>
> > > >> >> >>
> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> > > >> >> >>
> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> > > >> >> >>
> > > >> >> >> --
> > > >> >> >> Michael Mior
> > > >> >> >> mmior@apache.org
> > > >> >> >>
> > > >> >> >>
> > > >> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <
> garydgregory@gmail.com> wrote:
> > > >> >> >>>
> > > >> >> >>> I think this was rejected in the past because it would
> require a new version of the license itself. I don't have a reference :-(
> > > >> >> >>>
> > > >> >> >>> Gary
> > > >> >> >>>
> > > >> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <
> ctubbsii@apache.org> wrote:
> > > >> >> >>>>
> > > >> >> >>>> I believe this has been discussed before, but I cannot find
> a link to
> > > >> >> >>>> the previous conclusion on the matter.
> > > >> >> >>>>
> > > >> >> >>>> I'm only representing my own personal opinions on this, but
> my
> > > >> >> >>>> understanding is that this is not a substantive deviation.
> I think you
> > > >> >> >>>> have several good reasons to justify the deviation:
> > > >> >> >>>>
> > > >> >> >>>> 1. "same legal meaning" argument - The URL is used as a
> conclusion to
> > > >> >> >>>> the sentence, "You may obtain a copy of the License at
> ...". If that
> > > >> >> >>>> sentence is to hold any legal meaning in English, rather
> than just
> > > >> >> >>>> some magical static string of characters, then it means
> that the
> > > >> >> >>>> license can be found at the provided URL. It is a true fact
> that the
> > > >> >> >>>> document may be obtained by following that URL, regardless
> of whether
> > > >> >> >>>> you use http or https, so there can't really be any
> relevant legal
> > > >> >> >>>> difference between the two. The same would be true if you
> inserted
> > > >> >> >>>> line breaks between the words or indented the header
> differently. The
> > > >> >> >>>> words still hold the same meaning.
> > > >> >> >>>> 2. "grammar" argument - The linked document [1] says
> "should", which
> > > >> >> >>>> is a strong recommendation, rather than "must", which would
> be a
> > > >> >> >>>> requirement. If you understand *why* you're deviating from
> the
> > > >> >> >>>> "should" recommendation and are doing it for good reason,
> it's
> > > >> >> >>>> generally okay to diverge from even a strong recommendation.
> > > >> >> >>>> 3. "tooling" argument - Many checker tools, such as
> apache-rat-plugin
> > > >> >> >>>> for Maven, already support validating the header with
> either.
> > > >> >> >>>> 4. "precedent" argument - Some projects have already
> started doing
> > > >> >> >>>> this (Apache Accumulo, for example), so you would not be
> setting a new
> > > >> >> >>>> precedent.
> > > >> >> >>>> 5. "location of record" argument - The website itself
> reports that the
> > > >> >> >>>> document has permanently relocated to the https location by
> returning
> > > >> >> >>>> a HTTP 301 code; so, you'd have a good argument for just
> keeping your
> > > >> >> >>>> records up-to-date.
> > > >> >> >>>>
> > > >> >> >>>> I created a PR to update the src-headers page with a
> suggested change
> > > >> >> >>>> to make it more clear that either are acceptable (and to
> default to
> > > >> >> >>>> using https in the recommended header):
> > > >> >> >>>> https://github.com/apache/www-site/pull/331
> > > >> >> >>>>
> > > >> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <
> bdemers@apache.org> wrote:
> > > >> >> >>>> >
> > > >> >> >>>> > Forgive me if this was asked already, I didn't see it in
> a quick
> > > >> >> >>>> > search of the archives.
> > > >> >> >>>> >
> > > > >> >> >>>> > The legal policy states[1] that headers should use the following URL:
> > > >> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> > > >> >> >>>> >
> > > >> >> >>>> > Given the general push[2] to use https everywhere, should
> the official
> > > >> >> >>>> > policy be updated to use the https version of the license
> URL?
> > > >> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> > > >> >> >>>> >
> > > >> >> >>>> > NOTE: The former already redirects to the latter
> > > >> >> >>>> >
> > > >> >> >>>> > Related, I've seen projects using the `https` version of
> the URL. Is
> > > >> >> >>>> > that a problem, or is it just a matter of adding an extra
> `s` to the
> > > >> >> >>>> > policy page [1]
> > > >> >> >>>> >
> > > >> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> > > >> >> >>>> > [2]
> https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
> > > >> >> >>>> >
> > > >> >> >>>> >
>
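
Added example, not part of the thread or of any Apache tooling: the exchange above turns on whether the first request for the http:// form of the license URL travels in plaintext before the redirect. The Python sketch below audits a recorded redirect chain for that point; the chain contents (status codes, the Strict-Transport-Security value) are constructed sample data, and parse_hsts and audit_chain are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Constructed sample data: what a client might record when following each form
# of the license URL. The thread only states that the http URL redirects (301)
# to the https one; the HSTS header value below is an assumption.
HTTP_FIRST = [
    {"url": "http://www.apache.org/licenses/LICENSE-2.0", "status": 301,
     "headers": {"Location": "https://www.apache.org/licenses/LICENSE-2.0"}},
    {"url": "https://www.apache.org/licenses/LICENSE-2.0", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
]
HTTPS_FIRST = [
    {"url": "https://www.apache.org/licenses/LICENSE-2.0", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
]


def parse_hsts(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def audit_chain(chain):
    """Classify each hop of a redirect chain by transport.

    A hop fetched over http is unauthenticated: the response to it, including
    the redirect itself, can be replaced by anyone on the network path.
    """
    plaintext_hops = []   # URLs requested without TLS
    downgrades = []       # https -> http redirects
    hsts_hosts = set()    # hosts that set a usable HSTS policy over https
    prev_scheme = None
    for hop in chain:
        parts = urlsplit(hop["url"])
        scheme = parts.scheme.lower()
        headers = {k.lower(): v for k, v in hop["headers"].items()}
        if scheme == "http":
            plaintext_hops.append(hop["url"])
            if prev_scheme == "https":
                downgrades.append(hop["url"])
        elif scheme == "https":
            # HSTS only counts when received over TLS (RFC 6797); a value of
            # max-age=0 clears the policy instead of setting one.
            max_age = parse_hsts(headers.get("strict-transport-security", ""))
            if max_age:
                hsts_hosts.add(parts.hostname)
        prev_scheme = scheme
    first = urlsplit(chain[0]["url"])
    final = urlsplit(chain[-1]["url"])
    return {
        "plaintext_hops": plaintext_hops,
        "downgrades": downgrades,
        "final_is_https": final.scheme.lower() == "https",
        # True only helps clients that honour HSTS and have already seen the
        # header once; the very first http:// request is still plaintext.
        "repeat_visit_protected": first.hostname in hsts_hosts,
    }


if __name__ == "__main__":
    for label, chain in (("http first", HTTP_FIRST), ("https first", HTTPS_FIRST)):
        print(label, audit_chain(chain))
```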

Re: Should license headers use https urls?

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
On Fri, Dec 22, 2023 at 11:31 PM Christopher <ct...@apache.org> wrote:
>
> Roman, based on your response (and please correct me if I'm wrong), I
> *think* you hold the opinion that either is fine, just as Henri said
> on LEGAL-265, because it's not a legal or technical difference, but
> just a "matter of taste", as you've said, and while you don't
> personally see the value in somebody changing it, you don't really
> care if a project changes their source headers from http to https
> ("-0").
>
> If I'm understanding you correctly, I think what would immediately
> settle the matter is to just have you say that "either is fine in the
> source header" more directly. I don't even think people care whether
> the default source header on that LEGAL page changes or not. They just
> want to know it's okay if they use https there and need a direct
> response. I *think* you already hold the opinion that it's fine if
> they want to, but you just need to say it directly for them to accept
> it.
>
> As for my PR, I'd be happy to back out the changes in my PR to the
> default source header, and only keep a change to the note saying that
> either are acceptable.

That sounds like a reasonable next step -- can you please update your PR?

Thanks,
Roman.

> On Fri, Dec 22, 2023 at 6:41 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> >
> > Personally I'm still -0 regarding this change (since I honestly don't
> > see much of an argument for https in this particular case -- it's not
> > like we actually SERVE the text via http -- the connection gets
> > upgraded).
> >
> > However, at this point, it ain't the end of the world either.
> >
> > All in all -- it really is a matter of taste (not technology nor law).
> >
> > So... I suggest we run a formal vote on this list and settle this
> > matter once and for all.
> >
> > Thanks,
> > Roman.
> >
> > P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE thread ;-)
> >
> >
> > On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
> > >
> > > I'm not sure who was VP Legal at the time, but since Henri closed the
> > > issue, I accepted their response as sufficiently authoritative for my
> > > own level of comfort, given that there was no objection from anybody
> > > identifying themselves as VP Legal on the ticket, and clearly Henri
> > > had been delegated at least the authority to resolve the matter in the
> > > issue tracker. Plus, the outcome seemed reasonable to me.
> > >
> > > If that outcome isn't good enough for your comfort, that's fine. I
> > > only ask that if you do continue to pursue it to your own
> > > satisfaction, you comment on, or link any new issue to, the existing
> > > https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
> > > following it will see any updates. You could also ask VP Legal to
> > > address it by responding on my PR
> > > https://github.com/apache/www-site/pull/331 ; if they accept that, or
> > > some variation of it, it can be used to update the website to resolve
> > > any future confusion by others.
> > >
> > > On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
> > > >
> > > > I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
> > > >
> > > > Gary
> > > >
> > > > On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
> > > >>
> > > >> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
> > > >>
> > > >> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
> > > >> >
> > > >> > "The html version of the license listed here:
> > > >> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
> > > >> >
> > > >> > It does not in the boxed text which is the actual license header.
> > > >> >
> > > >> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
> > > >> >
> > > >> > Gary
> > > >> >
> > > >> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
> > > >> >>
> > > >> >> I don't see a conclusion in those threads.  Other than:
> > > >> >> - apache-rat was updated to accept both.
> > > >> >> - it's two separate topics (license headers vs license text)
> > > >> >>
> > > >> >> The html version of the license listed here:
> > > >> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
> > > >> >> and as do the 3rd party refs on the page, SPDX and OSI do as well.
> > > >> >>
> > > >> >> IMHO, we should update the policy page header text to use `https`, and
> > > >> >> add a note under it stating that the `http` version can be used but
> > > >> >> `https` is now the recommendation
> > > >> >>
> > > >> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> > > >> >> >
> > > >> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> > > >> >> >
> > > >> >> > Gary
> > > >> >> >
> > > >> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> > > >> >> >>
> > > >> >> >> Here's a couple past discussions
> > > >> >> >>
> > > >> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> > > >> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> > > >> >> >>
> > > >> >> >> --
> > > >> >> >> Michael Mior
> > > >> >> >> mmior@apache.org
> > > >> >> >>
> > > >> >> >>
> > > >> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> > > >> >> >>>
> > > > >> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> > > >> >> >>>
> > > >> >> >>> Gary
> > > >> >> >>>
> > > >> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> > > >> >> >>>>
> > > >> >> >>>> I believe this has been discussed before, but I cannot find a link to
> > > >> >> >>>> the previous conclusion on the matter.
> > > >> >> >>>>
> > > >> >> >>>> I'm only representing my own personal opinions on this, but my
> > > >> >> >>>> understanding is that this is not a substantive deviation. I think you
> > > >> >> >>>> have several good reasons to justify the deviation:
> > > >> >> >>>>
> > > >> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> > > >> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> > > >> >> >>>> sentence is to hold any legal meaning in English, rather than just
> > > >> >> >>>> some magical static string of characters, then it means that the
> > > >> >> >>>> license can be found at the provided URL. It is a true fact that the
> > > >> >> >>>> document may be obtained by following that URL, regardless of whether
> > > >> >> >>>> you use http or https, so there can't really be any relevant legal
> > > >> >> >>>> difference between the two. The same would be true if you inserted
> > > >> >> >>>> line breaks between the words or indented the header differently. The
> > > >> >> >>>> words still hold the same meaning.
> > > >> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> > > >> >> >>>> is a strong recommendation, rather than "must", which would be a
> > > >> >> >>>> requirement. If you understand *why* you're deviating from the
> > > >> >> >>>> "should" recommendation and are doing it for good reason, it's
> > > >> >> >>>> generally okay to diverge from even a strong recommendation.
> > > >> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> > > >> >> >>>> for Maven, already support validating the header with either.
> > > >> >> >>>> 4. "precedent" argument - Some projects have already started doing
> > > >> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> > > >> >> >>>> precedent.
> > > >> >> >>>> 5. "location of record" argument - The website itself reports that the
> > > >> >> >>>> document has permanently relocated to the https location by returning
> > > >> >> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
> > > >> >> >>>> records up-to-date.
> > > >> >> >>>>
> > > >> >> >>>> I created a PR to update the src-headers page with a suggested change
> > > >> >> >>>> to make it more clear that either are acceptable (and to default to
> > > >> >> >>>> using https in the recommended header):
> > > >> >> >>>> https://github.com/apache/www-site/pull/331
> > > >> >> >>>>
> > > >> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> > > >> >> >>>> >
> > > >> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> > > >> >> >>>> > search of the archives.
> > > >> >> >>>> >
> > > > >> >> >>>> > The legal policy states[1] that headers should use the following URL:
> > > >> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> > > >> >> >>>> >
> > > >> >> >>>> > Given the general push[2] to use https everywhere, should the official
> > > >> >> >>>> > policy be updated to use the https version of the license URL?
> > > >> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> > > >> >> >>>> >
> > > >> >> >>>> > NOTE: The former already redirects to the latter
> > > >> >> >>>> >
> > > >> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> > > >> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> > > >> >> >>>> > policy page [1]
> > > >> >> >>>> >
> > > >> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> > > >> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
> > > >> >> >>>> >
> > > >> >> >>>> > ---------------------------------------------------------------------
> > > >> >> >>>> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > > >> >> >>>> > For additional commands, e-mail: legal-discuss-help@apache.org
> > > >> >> >>>> >
> > > >> >> >>>>
> > > >> >> >>>> ---------------------------------------------------------------------
> > > >> >> >>>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > > >> >> >>>> For additional commands, e-mail: legal-discuss-help@apache.org
> > > >> >> >>>>
> > > >> >>
> > > >> >> ---------------------------------------------------------------------
> > > >> >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > > >> >> For additional commands, e-mail: legal-discuss-help@apache.org
> > > >> >>
> > > >>
> > > >> ---------------------------------------------------------------------
> > > >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > > >> For additional commands, e-mail: legal-discuss-help@apache.org
> > > >>
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > > For additional commands, e-mail: legal-discuss-help@apache.org
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > For additional commands, e-mail: legal-discuss-help@apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Should license headers use https urls?

Posted by Christopher <ct...@apache.org>.
Roman, based on your response (and please correct me if I'm wrong), I
*think* you hold the opinion that either is fine, just as Henri said
on LEGAL-265, because it's not a legal or technical difference, but
just a "matter of taste", as you've said, and while you don't
personally see the value in somebody changing it, you don't really
care if a project changes their source headers from http to https
("-0").

If I'm understanding you correctly, I think what would immediately
settle the matter is to just have you say that "either is fine in the
source header" more directly. I don't even think people care whether
the default source header on that LEGAL page changes or not. They just
want to know it's okay if they use https there and need a direct
response. I *think* you already hold the opinion that it's fine if
they want to, but you just need to say it directly for them to accept
it.

As for my PR, I'd be happy to back out the changes in my PR to the
default source header, and only keep a change to the note saying that
either are acceptable.

On Fri, Dec 22, 2023 at 6:41 AM Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>
> Personally I'm still -0 regarding this change (since I honestly don't
> see much of an argument for https in this particular case -- it's not
> like we actually SERVE the text via http -- the connection gets
> upgraded).
>
> However, at this point, it ain't the end of the world either.
>
> All in all -- it really is a matter of taste (not technology nor law).
>
> So... I suggest we run a formal vote on this list and settle this
> matter once and for all.
>
> Thanks,
> Roman.
>
> P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE thread ;-)
>
>
> On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
> >
> > I'm not sure who was VP Legal at the time, but since Henri closed the
> > issue, I accepted their response as sufficiently authoritative for my
> > own level of comfort, given that there was no objection from anybody
> > identifying themselves as VP Legal on the ticket, and clearly Henri
> > had been delegated at least the authority to resolve the matter in the
> > issue tracker. Plus, the outcome seemed reasonable to me.
> >
> > If that outcome isn't good enough for your comfort, that's fine. I
> > only ask that if you do continue to pursue it to your own
> > satisfaction, you comment on, or link any new issue to, the existing
> > https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
> > following it will see any updates. You could also ask VP Legal to
> > address it by responding on my PR
> > https://github.com/apache/www-site/pull/331 ; if they accept that, or
> > some variation of it, it can be used to update the website to resolve
> > any future confusion by others.
> >
> > On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
> > >
> > > I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
> > >
> > > Gary
> > >
> > > On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
> > >>
> > >> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
> > >>
> > >> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
> > >> >
> > >> > "The html version of the license listed here:
> > >> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
> > >> >
> > >> > It does not in the boxed text which is the actual license header.
> > >> >
> > >> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
> > >> >
> > >> > Gary
> > >> >
> > >> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
> > >> >>
> > >> >> I don't see a conclusion in those threads.  Other than:
> > >> >> - apache-rat was updated to accept both.
> > >> >> - it's two separate topics (license headers vs license text)
> > >> >>
> > >> >> The html version of the license listed here:
> > >> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
> > > >> >> as do the 3rd party refs on the page, and SPDX and OSI do as well.
> > >> >>
> > >> >> IMHO, we should update the policy page header text to use `https`, and
> > >> >> add a note under it stating that the `http` version can be used but
> > >> >> `https` is now the recommendation
> > >> >>
> > >> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> > >> >> >
> > >> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> > >> >> >
> > >> >> > Gary
> > >> >> >
> > >> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> > >> >> >>
> > >> >> >> Here's a couple past discussions
> > >> >> >>
> > >> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> > >> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> > >> >> >>
> > >> >> >> --
> > >> >> >> Michael Mior
> > >> >> >> mmior@apache.org
> > >> >> >>
> > >> >> >>
> > >> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> > >> >> >>>
> > > >> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> > >> >> >>>
> > >> >> >>> Gary
> > >> >> >>>
> > >> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> > >> >> >>>>
> > >> >> >>>> I believe this has been discussed before, but I cannot find a link to
> > >> >> >>>> the previous conclusion on the matter.
> > >> >> >>>>
> > >> >> >>>> I'm only representing my own personal opinions on this, but my
> > >> >> >>>> understanding is that this is not a substantive deviation. I think you
> > >> >> >>>> have several good reasons to justify the deviation:
> > >> >> >>>>
> > >> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> > >> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> > >> >> >>>> sentence is to hold any legal meaning in English, rather than just
> > >> >> >>>> some magical static string of characters, then it means that the
> > >> >> >>>> license can be found at the provided URL. It is a true fact that the
> > >> >> >>>> document may be obtained by following that URL, regardless of whether
> > >> >> >>>> you use http or https, so there can't really be any relevant legal
> > >> >> >>>> difference between the two. The same would be true if you inserted
> > >> >> >>>> line breaks between the words or indented the header differently. The
> > >> >> >>>> words still hold the same meaning.
> > >> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> > >> >> >>>> is a strong recommendation, rather than "must", which would be a
> > >> >> >>>> requirement. If you understand *why* you're deviating from the
> > >> >> >>>> "should" recommendation and are doing it for good reason, it's
> > >> >> >>>> generally okay to diverge from even a strong recommendation.
> > >> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> > >> >> >>>> for Maven, already support validating the header with either.
> > >> >> >>>> 4. "precedent" argument - Some projects have already started doing
> > >> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> > >> >> >>>> precedent.
> > >> >> >>>> 5. "location of record" argument - The website itself reports that the
> > >> >> >>>> document has permanently relocated to the https location by returning
> > > >> >> >>>> an HTTP 301 code; so, you'd have a good argument for just keeping your
> > >> >> >>>> records up-to-date.
> > >> >> >>>>
> > >> >> >>>> I created a PR to update the src-headers page with a suggested change
> > >> >> >>>> to make it more clear that either are acceptable (and to default to
> > >> >> >>>> using https in the recommended header):
> > >> >> >>>> https://github.com/apache/www-site/pull/331
> > >> >> >>>>
> > >> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> > >> >> >>>> >
> > >> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> > >> >> >>>> > search of the archives.
> > >> >> >>>> >
> > > >> >> >>>> > The legal policy states[1] that headers should use the following URL:
> > >> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> > >> >> >>>> >
> > >> >> >>>> > Given the general push[2] to use https everywhere, should the official
> > >> >> >>>> > policy be updated to use the https version of the license URL?
> > >> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> > >> >> >>>> >
> > >> >> >>>> > NOTE: The former already redirects to the latter
> > >> >> >>>> >
> > >> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> > >> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> > > >> >> >>>> > policy page [1]?
> > >> >> >>>> >
> > >> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> > >> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf
> > >> >> >>>> >
> > >> >> >>>> > ---------------------------------------------------------------------
> > >> >> >>>> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > >> >> >>>> > For additional commands, e-mail: legal-discuss-help@apache.org
> > >> >> >>>> >
> > >> >> >>>>
> > >> >> >>>> ---------------------------------------------------------------------
> > >> >> >>>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > >> >> >>>> For additional commands, e-mail: legal-discuss-help@apache.org
> > >> >> >>>>
> > >> >>
> > >> >> ---------------------------------------------------------------------
> > >> >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > >> >> For additional commands, e-mail: legal-discuss-help@apache.org
> > >> >>
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > >> For additional commands, e-mail: legal-discuss-help@apache.org
> > >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> > For additional commands, e-mail: legal-discuss-help@apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Should license headers use https urls?

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
Personally I'm still -0 regarding this change (since I honestly don't
see much of an argument for https in this particular case -- it's not
like we actually SERVE the text via http -- the connection gets
upgraded).

However, at this point, it ain't the end of the world either.

All in all -- it really is a matter of taste (not technology nor law).

So... I suggest we run a formal vote on this list and settle this
matter once and for all.

Thanks,
Roman.

P.S. Since I'm -0 -- obviously I won't be the one starting the VOTE thread ;-)


On Wed, Dec 20, 2023 at 1:31 PM Christopher <ct...@apache.org> wrote:
>
> I'm not sure who was VP Legal at the time, but since Henri closed the
> issue, I accepted their response as sufficiently authoritative for my
> own level of comfort, given that there was no objection from anybody
> identifying themselves as VP Legal on the ticket, and clearly Henri
> had been delegated at least the authority to resolve the matter in the
> issue tracker. Plus, the outcome seemed reasonable to me.
>
> If that outcome isn't good enough for your comfort, that's fine. I
> only ask that if you do continue to pursue it to your own
> satisfaction, you comment on, or link any new issue to, the existing
> https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
> following it will see any updates. You could also ask VP Legal to
> address it by responding on my PR
> https://github.com/apache/www-site/pull/331 ; if they accept that, or
> some variation of it, it can be used to update the website to resolve
> any future confusion by others.
>
> On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
> >
> > I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
> >
> > Gary
> >
> > On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
> >>
> >> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
> >>
> >> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
> >> >
> >> > "The html version of the license listed here:
> >> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
> >> >
> >> > It does not in the boxed text which is the actual license header.
> >> >
> >> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
> >> >
> >> > Gary
> >> >
> >> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
> >> >>
> >> >> I don't see a conclusion in those threads.  Other than:
> >> >> - apache-rat was updated to accept both.
> >> >> - it's two separate topics (license headers vs license text)
> >> >>
> >> >> The html version of the license listed here:
> >> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
> >> >> as do the 3rd party refs on the page, and SPDX and OSI do as well.
> >> >>
> >> >> IMHO, we should update the policy page header text to use `https`, and
> >> >> add a note under it stating that the `http` version can be used but
> >> >> `https` is now the recommendation
> >> >>
> >> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> >> >> >
> >> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> >> >> >
> >> >> > Gary
> >> >> >
> >> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> >> >> >>
> >> >> >> Here's a couple past discussions
> >> >> >>
> >> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> >> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> >> >> >>
> >> >> >> --
> >> >> >> Michael Mior
> >> >> >> mmior@apache.org
> >> >> >>
> >> >> >>
> >> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> >> >> >>>
> >> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> >> >> >>>
> >> >> >>> Gary
> >> >> >>>
> >> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> >> >> >>>>
> >> >> >>>> I believe this has been discussed before, but I cannot find a link to
> >> >> >>>> the previous conclusion on the matter.
> >> >> >>>>
> >> >> >>>> I'm only representing my own personal opinions on this, but my
> >> >> >>>> understanding is that this is not a substantive deviation. I think you
> >> >> >>>> have several good reasons to justify the deviation:
> >> >> >>>>
> >> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> >> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> >> >> >>>> sentence is to hold any legal meaning in English, rather than just
> >> >> >>>> some magical static string of characters, then it means that the
> >> >> >>>> license can be found at the provided URL. It is a true fact that the
> >> >> >>>> document may be obtained by following that URL, regardless of whether
> >> >> >>>> you use http or https, so there can't really be any relevant legal
> >> >> >>>> difference between the two. The same would be true if you inserted
> >> >> >>>> line breaks between the words or indented the header differently. The
> >> >> >>>> words still hold the same meaning.
> >> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> >> >> >>>> is a strong recommendation, rather than "must", which would be a
> >> >> >>>> requirement. If you understand *why* you're deviating from the
> >> >> >>>> "should" recommendation and are doing it for good reason, it's
> >> >> >>>> generally okay to diverge from even a strong recommendation.
> >> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> >> >> >>>> for Maven, already support validating the header with either.
> >> >> >>>> 4. "precedent" argument - Some projects have already started doing
> >> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> >> >> >>>> precedent.
> >> >> >>>> 5. "location of record" argument - The website itself reports that the
> >> >> >>>> document has permanently relocated to the https location by returning
> >> >> >>>> an HTTP 301 code; so, you'd have a good argument for just keeping your
> >> >> >>>> records up-to-date.
> >> >> >>>>
> >> >> >>>> I created a PR to update the src-headers page with a suggested change
> >> >> >>>> to make it more clear that either are acceptable (and to default to
> >> >> >>>> using https in the recommended header):
> >> >> >>>> https://github.com/apache/www-site/pull/331
> >> >> >>>>
> >> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> >> >> >>>> >
> >> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> >> >> >>>> > search of the archives.
> >> >> >>>> >
> >> >> >>>> > The legal policy states[1] that headers should use the following URL:
> >> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> >> >> >>>> >
> >> >> >>>> > Given the general push[2] to use https everywhere, should the official
> >> >> >>>> > policy be updated to use the https version of the license URL?
> >> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> >> >> >>>> >
> >> >> >>>> > NOTE: The former already redirects to the latter
> >> >> >>>> >
> >> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> >> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> >> >> >>>> > policy page [1]?
> >> >> >>>> >
> >> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> >> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Christopher <ct...@apache.org>.
I'm not sure who was VP Legal at the time, but since Henri closed the
issue, I accepted their response as sufficiently authoritative for my
own level of comfort, given that there was no objection from anybody
identifying themselves as VP Legal on the ticket, and clearly Henri
had been delegated at least the authority to resolve the matter in the
issue tracker. Plus, the outcome seemed reasonable to me.

If that outcome isn't good enough for your comfort, that's fine. I
only ask that if you do continue to pursue it to your own
satisfaction, you comment on, or link any new issue to, the existing
https://issues.apache.org/jira/browse/LEGAL-265 , so that those of us
following it will see any updates. You could also ask VP Legal to
address it by responding on my PR
https://github.com/apache/www-site/pull/331 ; if they accept that, or
some variation of it, it can be used to update the website to resolve
any future confusion by others.

On Wed, Dec 20, 2023 at 3:05 PM Gary Gregory <ga...@gmail.com> wrote:
>
> I'm personally NOT comfortable changing ANYTHING in license headers until I read something like "As VP of legal (of some agreed and stated Apache authority title), it is OK to change license headers from this to that."
>
> Gary
>
> On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:
>>
>> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
>>
>> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
>> >
>> > "The html version of the license listed here:
>> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
>> >
>> > It does not in the boxed text which is the actual license header.
>> >
>> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
>> >
>> > Gary
>> >
>> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
>> >>
>> >> I don't see a conclusion in those threads.  Other than:
>> >> - apache-rat was updated to accept both.
>> >> - it's two separate topics (license headers vs license text)
>> >>
>> >> The html version of the license listed here:
>> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
>> >> as do the 3rd party refs on the page, and SPDX and OSI do as well.
>> >>
>> >> IMHO, we should update the policy page header text to use `https`, and
>> >> add a note under it stating that the `http` version can be used but
>> >> `https` is now the recommendation
>> >>
>> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
>> >> >
>> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
>> >> >
>> >> > Gary
>> >> >
>> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
>> >> >>
>> >> >> Here's a couple past discussions
>> >> >>
>> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
>> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
>> >> >>
>> >> >> --
>> >> >> Michael Mior
>> >> >> mmior@apache.org
>> >> >>
>> >> >>
>> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
>> >> >>>
>> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
>> >> >>>
>> >> >>> Gary
>> >> >>>
>> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>> >> >>>>
>> >> >>>> I believe this has been discussed before, but I cannot find a link to
>> >> >>>> the previous conclusion on the matter.
>> >> >>>>
>> >> >>>> I'm only representing my own personal opinions on this, but my
>> >> >>>> understanding is that this is not a substantive deviation. I think you
>> >> >>>> have several good reasons to justify the deviation:
>> >> >>>>
>> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
>> >> >>>> sentence is to hold any legal meaning in English, rather than just
>> >> >>>> some magical static string of characters, then it means that the
>> >> >>>> license can be found at the provided URL. It is a true fact that the
>> >> >>>> document may be obtained by following that URL, regardless of whether
>> >> >>>> you use http or https, so there can't really be any relevant legal
>> >> >>>> difference between the two. The same would be true if you inserted
>> >> >>>> line breaks between the words or indented the header differently. The
>> >> >>>> words still hold the same meaning.
>> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
>> >> >>>> is a strong recommendation, rather than "must", which would be a
>> >> >>>> requirement. If you understand *why* you're deviating from the
>> >> >>>> "should" recommendation and are doing it for good reason, it's
>> >> >>>> generally okay to diverge from even a strong recommendation.
>> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>> >> >>>> for Maven, already support validating the header with either.
>> >> >>>> 4. "precedent" argument - Some projects have already started doing
>> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
>> >> >>>> precedent.
>> >> >>>> 5. "location of record" argument - The website itself reports that the
>> >> >>>> document has permanently relocated to the https location by returning
>> >> >>>> an HTTP 301 code; so, you'd have a good argument for just keeping your
>> >> >>>> records up-to-date.
>> >> >>>>
>> >> >>>> I created a PR to update the src-headers page with a suggested change
>> >> >>>> to make it more clear that either are acceptable (and to default to
>> >> >>>> using https in the recommended header):
>> >> >>>> https://github.com/apache/www-site/pull/331
>> >> >>>>
>> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>> >> >>>> >
>> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
>> >> >>>> > search of the archives.
>> >> >>>> >
>> >> >>>> > The legal policy states[1] that headers should use the following URL:
>> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
>> >> >>>> >
>> >> >>>> > Given the general push[2] to use https everywhere, should the official
>> >> >>>> > policy be updated to use the https version of the license URL?
>> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
>> >> >>>> >
>> >> >>>> > NOTE: The former already redirects to the latter
>> >> >>>> >
>> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
>> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
>> >> >>>> > policy page [1]?
>> >> >>>> >
>> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
>> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Gary Gregory <ga...@gmail.com>.
I'm personally NOT comfortable changing ANYTHING in license headers until I
read something like "As VP of legal (of some agreed and stated Apache
authority title), it is OK to change license headers from this to that."

Gary

On Wed, Dec 20, 2023, 1:15 PM Julian Hyde <jh...@apache.org> wrote:

> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case
> closed.
>
> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com>
> wrote:
> >
> > "The html version of the license listed here:
> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url
> _snip_"
> >
> > It does not in the boxed text which is the actual license header.
> >
> > It doesn't matter what we non-attorneys think until an (our) attorney
> decides IMO.
> >
> > Gary
> >
> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com>
> wrote:
> >>
> >> I don't see a conclusion in those threads.  Other than:
> >> - apache-rat was updated to accept both.
> >> - it's two separate topics (license headers vs license text)
> >>
> >> The html version of the license listed here:
> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url
> >> and as do the 3rd party refs on the page, SPDX and OSI do as well.
> >>
> >> IMHO, we should update the policy page header text to use `https`, and
> >> add a note under it stating that the `http` version can be used but
> >> `https` is now the recommendation
> >>
> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com>
> wrote:
> >> >
> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we
> can stop rehashing this issue?
> >> >
> >> > Gary
> >> >
> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> >> >>
> >> >> Here's a couple past discussions
> >> >>
> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> >> >>
> >> >> --
> >> >> Michael Mior
> >> >> mmior@apache.org
> >> >>
> >> >>
> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> >> >>>
> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> >> >>>
> >> >>> Gary
> >> >>>
> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> >> >>>>
> >> >>>> I believe this has been discussed before, but I cannot find a link to
> >> >>>> the previous conclusion on the matter.
> >> >>>>
> >> >>>> I'm only representing my own personal opinions on this, but my
> >> >>>> understanding is that this is not a substantive deviation. I think you
> >> >>>> have several good reasons to justify the deviation:
> >> >>>>
> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> >> >>>> sentence is to hold any legal meaning in English, rather than just
> >> >>>> some magical static string of characters, then it means that the
> >> >>>> license can be found at the provided URL. It is a true fact that the
> >> >>>> document may be obtained by following that URL, regardless of whether
> >> >>>> you use http or https, so there can't really be any relevant legal
> >> >>>> difference between the two. The same would be true if you inserted
> >> >>>> line breaks between the words or indented the header differently. The
> >> >>>> words still hold the same meaning.
> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> >> >>>> is a strong recommendation, rather than "must", which would be a
> >> >>>> requirement. If you understand *why* you're deviating from the
> >> >>>> "should" recommendation and are doing it for good reason, it's
> >> >>>> generally okay to diverge from even a strong recommendation.
> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> >> >>>> for Maven, already support validating the header with either.
> >> >>>> 4. "precedent" argument - Some projects have already started doing
> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> >> >>>> precedent.
> >> >>>> 5. "location of record" argument - The website itself reports that the
> >> >>>> document has permanently relocated to the https location by returning
> >> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
> >> >>>> records up-to-date.
> >> >>>>
> >> >>>> I created a PR to update the src-headers page with a suggested change
> >> >>>> to make it more clear that either are acceptable (and to default to
> >> >>>> using https in the recommended header):
> >> >>>> https://github.com/apache/www-site/pull/331
> >> >>>>
> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> >> >>>> >
> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> >> >>>> > search of the archives.
> >> >>>> >
> >> >>>> > The legal policy states[1] that headers should use the following URL:
> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> >> >>>> >
> >> >>>> > Given the general push[2] to use https everywhere, should the official
> >> >>>> > policy be updated to use the https version of the license URL?
> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> >> >>>> >
> >> >>>> > NOTE: The former already redirects to the latter
> >> >>>> >
> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> >> >>>> > policy page [1]
> >> >>>> >
> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Christopher <ct...@apache.org>.
Thanks! https://issues.apache.org/jira/browse/LEGAL-265 is what I was
looking for but couldn't find. The same question was asked there, and
Henri Yandell closed the issue, resolving it with the answer "All the
others are acceptable links"

As to some of the other comments, I think some people are confused
about the difference between changing the LICENSE, vs. merely using
https in the URL of the source header suggested by LEGAL for use
within the ASF that only points to the LICENSE and NOTICE files, but
is not itself the license. The question posed here was only about
whether the link in the source header could be changed, not the
LICENSE itself or its "How to apply" footer. The question about the
source header was asked and answered on LEGAL-265, forming the basis
for updating the tooling in
https://issues.apache.org/jira/browse/RAT-212


On Wed, Dec 20, 2023 at 1:35 PM Brian Demers <bd...@apache.org> wrote:
>
> Sorry if I'm being daft,
> I'm not seeing a resolution there.
>
> That issue is closed with:
> > I would say the canonical is http://www.apache.org/licenses/LICENSE-2.0 - that's what the source headers point to. All the others are acceptable links, and I don't see that we would intentionally stop supporting them.
>
> But the original question was "should the header change"
>
> On Wed, Dec 20, 2023 at 1:15 PM Julian Hyde <jh...@apache.org> wrote:
> >
> > The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
> >
> > On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
> > >
> > > "The html version of the license listed here:
> > > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
> > >
> > > It does not in the boxed text which is the actual license header.
> > >
> > > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
> > >
> > > Gary
> > >
> > > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
> > >>
> > >> I don't see a conclusion in those threads.  Other than:
> > >> - apache-rat was updated to accept both.
> > >> - it's two separate topics (license headers vs license text)
> > >>
> > >> The html version of the license listed here:
> > >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url,
> > >> as do the 3rd party refs on the page. SPDX and OSI do as well.
> > >>
> > >> IMHO, we should update the policy page header text to use `https`, and
> > >> add a note under it stating that the `http` version can be used but
> > >> `https` is now the recommendation
> > >>
> > >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> > >> >
> > >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> > >> >
> > >> > Gary
> > >> >
> > >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> > >> >>
> > >> >> Here's a couple past discussions
> > >> >>
> > >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> > >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> > >> >>
> > >> >> --
> > >> >> Michael Mior
> > >> >> mmior@apache.org
> > >> >>
> > >> >>
> > >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> > >> >>>
> > >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> > >> >>>
> > >> >>> Gary
> > >> >>>
> > >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> > >> >>>>
> > >> >>>> I believe this has been discussed before, but I cannot find a link to
> > >> >>>> the previous conclusion on the matter.
> > >> >>>>
> > >> >>>> I'm only representing my own personal opinions on this, but my
> > >> >>>> understanding is that this is not a substantive deviation. I think you
> > >> >>>> have several good reasons to justify the deviation:
> > >> >>>>
> > >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> > >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> > >> >>>> sentence is to hold any legal meaning in English, rather than just
> > >> >>>> some magical static string of characters, then it means that the
> > >> >>>> license can be found at the provided URL. It is a true fact that the
> > >> >>>> document may be obtained by following that URL, regardless of whether
> > >> >>>> you use http or https, so there can't really be any relevant legal
> > >> >>>> difference between the two. The same would be true if you inserted
> > >> >>>> line breaks between the words or indented the header differently. The
> > >> >>>> words still hold the same meaning.
> > >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> > >> >>>> is a strong recommendation, rather than "must", which would be a
> > >> >>>> requirement. If you understand *why* you're deviating from the
> > >> >>>> "should" recommendation and are doing it for good reason, it's
> > >> >>>> generally okay to diverge from even a strong recommendation.
> > >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> > >> >>>> for Maven, already support validating the header with either.
> > >> >>>> 4. "precedent" argument - Some projects have already started doing
> > >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> > >> >>>> precedent.
> > >> >>>> 5. "location of record" argument - The website itself reports that the
> > >> >>>> document has permanently relocated to the https location by returning
> > >> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
> > >> >>>> records up-to-date.
> > >> >>>>
> > >> >>>> I created a PR to update the src-headers page with a suggested change
> > >> >>>> to make it more clear that either are acceptable (and to default to
> > >> >>>> using https in the recommended header):
> > >> >>>> https://github.com/apache/www-site/pull/331
> > >> >>>>
> > >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> > >> >>>> >
> > >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> > >> >>>> > search of the archives.
> > >> >>>> >
> > >> >>>> > The legal policy states[1] that headers should use the following URL:
> > >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> > >> >>>> >
> > >> >>>> > Given the general push[2] to use https everywhere, should the official
> > >> >>>> > policy be updated to use the https version of the license URL?
> > >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> > >> >>>> >
> > >> >>>> > NOTE: The former already redirects to the latter
> > >> >>>> >
> > >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> > >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> > >> >>>> > policy page [1]
> > >> >>>> >
> > >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> > >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf


Re: Should license headers use https urls?

Posted by Brian Demers <bd...@apache.org>.
Sorry if I'm being daft,
I'm not seeing a resolution there.

That issue is closed with:
> I would say the canonical is http://www.apache.org/licenses/LICENSE-2.0 - that's what the source headers point to. All the others are acceptable links, and I don't see that we would intentionally stop supporting them.

But the original question was "should the header change"

On Wed, Dec 20, 2023 at 1:15 PM Julian Hyde <jh...@apache.org> wrote:
>
> The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.
>
> On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
> >
> > "The html version of the license listed here:
> > https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
> >
> > It does not in the boxed text which is the actual license header.
> >
> > It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
> >
> > Gary
> >
> > On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
> >>
> >> I don't see a conclusion in those threads.  Other than:
> >> - apache-rat was updated to accept both.
> >> - it's two separate topics (license headers vs license text)
> >>
> >> The html version of the license listed here:
> >> https://www.apache.org/licenses/LICENSE-2.0 contains the https url,
> >> as do the 3rd party refs on the page. SPDX and OSI do as well.
> >>
> >> IMHO, we should update the policy page header text to use `https`, and
> >> add a note under it stating that the `http` version can be used but
> >> `https` is now the recommendation
> >>
> >> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> >> >
> >> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> >> >
> >> > Gary
> >> >
> >> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> >> >>
> >> >> Here's a couple past discussions
> >> >>
> >> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> >> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> >> >>
> >> >> --
> >> >> Michael Mior
> >> >> mmior@apache.org
> >> >>
> >> >>
> >> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> >> >>>
> >> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> >> >>>
> >> >>> Gary
> >> >>>
> >> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> >> >>>>
> >> >>>> I believe this has been discussed before, but I cannot find a link to
> >> >>>> the previous conclusion on the matter.
> >> >>>>
> >> >>>> I'm only representing my own personal opinions on this, but my
> >> >>>> understanding is that this is not a substantive deviation. I think you
> >> >>>> have several good reasons to justify the deviation:
> >> >>>>
> >> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> >> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> >> >>>> sentence is to hold any legal meaning in English, rather than just
> >> >>>> some magical static string of characters, then it means that the
> >> >>>> license can be found at the provided URL. It is a true fact that the
> >> >>>> document may be obtained by following that URL, regardless of whether
> >> >>>> you use http or https, so there can't really be any relevant legal
> >> >>>> difference between the two. The same would be true if you inserted
> >> >>>> line breaks between the words or indented the header differently. The
> >> >>>> words still hold the same meaning.
> >> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> >> >>>> is a strong recommendation, rather than "must", which would be a
> >> >>>> requirement. If you understand *why* you're deviating from the
> >> >>>> "should" recommendation and are doing it for good reason, it's
> >> >>>> generally okay to diverge from even a strong recommendation.
> >> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> >> >>>> for Maven, already support validating the header with either.
> >> >>>> 4. "precedent" argument - Some projects have already started doing
> >> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> >> >>>> precedent.
> >> >>>> 5. "location of record" argument - The website itself reports that the
> >> >>>> document has permanently relocated to the https location by returning
> >> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
> >> >>>> records up-to-date.
> >> >>>>
> >> >>>> I created a PR to update the src-headers page with a suggested change
> >> >>>> to make it more clear that either are acceptable (and to default to
> >> >>>> using https in the recommended header):
> >> >>>> https://github.com/apache/www-site/pull/331
> >> >>>>
> >> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> >> >>>> >
> >> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> >> >>>> > search of the archives.
> >> >>>> >
> >> >>>> > The legal policy states[1] that headers should use the following URL:
> >> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> >> >>>> >
> >> >>>> > Given the general push[2] to use https everywhere, should the official
> >> >>>> > policy be updated to use the https version of the license URL?
> >> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> >> >>>> >
> >> >>>> > NOTE: The former already redirects to the latter
> >> >>>> >
> >> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> >> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> >> >>>> > policy page [1]
> >> >>>> >
> >> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> >> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf


Re: Should license headers use https urls?

Posted by Julian Hyde <jh...@apache.org>.
The reference is https://issues.apache.org/jira/browse/LEGAL-265. Case closed.

On Wed, Dec 20, 2023 at 7:53 AM Gary Gregory <ga...@gmail.com> wrote:
>
> "The html version of the license listed here:
> https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"
>
> It does not in the boxed text which is the actual license header.
>
> It doesn't matter what we non-attorneys think until an (our) attorney decides IMO.
>
> Gary
>
> On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:
>>
>> I don't see a conclusion in those threads.  Other than:
>> - apache-rat was updated to accept both.
>> - it's two separate topics (license headers vs license text)
>>
>> The html version of the license listed here:
>> https://www.apache.org/licenses/LICENSE-2.0 contains the https url,
>> as do the 3rd party refs on the page. SPDX and OSI do as well.
>>
>> IMHO, we should update the policy page header text to use `https`, and
>> add a note under it stating that the `http` version can be used but
>> `https` is now the recommendation
>>
>> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
>> >
>> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
>> >
>> > Gary
>> >
>> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
>> >>
>> >> Here's a couple past discussions
>> >>
>> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
>> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
>> >>
>> >> --
>> >> Michael Mior
>> >> mmior@apache.org
>> >>
>> >>
>> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
>> >>>
>> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
>> >>>
>> >>> Gary
>> >>>
>> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>> >>>>
>> >>>> I believe this has been discussed before, but I cannot find a link to
>> >>>> the previous conclusion on the matter.
>> >>>>
>> >>>> I'm only representing my own personal opinions on this, but my
>> >>>> understanding is that this is not a substantive deviation. I think you
>> >>>> have several good reasons to justify the deviation:
>> >>>>
>> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>> >>>> the sentence, "You may obtain a copy of the License at ...". If that
>> >>>> sentence is to hold any legal meaning in English, rather than just
>> >>>> some magical static string of characters, then it means that the
>> >>>> license can be found at the provided URL. It is a true fact that the
>> >>>> document may be obtained by following that URL, regardless of whether
>> >>>> you use http or https, so there can't really be any relevant legal
>> >>>> difference between the two. The same would be true if you inserted
>> >>>> line breaks between the words or indented the header differently. The
>> >>>> words still hold the same meaning.
>> >>>> 2. "grammar" argument - The linked document [1] says "should", which
>> >>>> is a strong recommendation, rather than "must", which would be a
>> >>>> requirement. If you understand *why* you're deviating from the
>> >>>> "should" recommendation and are doing it for good reason, it's
>> >>>> generally okay to diverge from even a strong recommendation.
>> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>> >>>> for Maven, already support validating the header with either.
>> >>>> 4. "precedent" argument - Some projects have already started doing
>> >>>> this (Apache Accumulo, for example), so you would not be setting a new
>> >>>> precedent.
>> >>>> 5. "location of record" argument - The website itself reports that the
>> >>>> document has permanently relocated to the https location by returning
>> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
>> >>>> records up-to-date.
>> >>>>
>> >>>> I created a PR to update the src-headers page with a suggested change
>> >>>> to make it more clear that either are acceptable (and to default to
>> >>>> using https in the recommended header):
>> >>>> https://github.com/apache/www-site/pull/331
>> >>>>
>> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>> >>>> >
>> >>>> > Forgive me if this was asked already, I didn't see it in a quick
>> >>>> > search of the archives.
>> >>>> >
>> >>>> > The legal policy states[1] that headers should use the following URL:
>> >>>> > http://www.apache.org/licenses/LICENSE-2.0
>> >>>> >
>> >>>> > Given the general push[2] to use https everywhere, should the official
>> >>>> > policy be updated to use the https version of the license URL?
>> >>>> > https://www.apache.org/licenses/LICENSE-2.0
>> >>>> >
>> >>>> > NOTE: The former already redirects to the latter
>> >>>> >
>> >>>> > Related, I've seen projects using the `https` version of the URL. Is
>> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
>> >>>> > policy page [1]
>> >>>> >
>> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
>> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf


Re: Should license headers use https urls?

Posted by Gary Gregory <ga...@gmail.com>.
"The html version of the license listed here:
https://www.apache.org/licenses/LICENSE-2.0 contains the https url _snip_"

It does not in the boxed text which is the actual license header.

It doesn't matter what we non-attorneys think until an (our) attorney
decides IMO.

Gary

On Wed, Dec 20, 2023, 10:20 AM Brian Demers <br...@gmail.com> wrote:

> I don't see a conclusion in those threads.  Other than:
> - apache-rat was updated to accept both.
> - it's two separate topics (license headers vs license text)
>
> The html version of the license listed here:
> https://www.apache.org/licenses/LICENSE-2.0 contains the https url,
> as do the 3rd party refs on the page. SPDX and OSI do as well.
>
> IMHO, we should update the policy page header text to use `https`, and
> add a note under it stating that the `http` version can be used but
> `https` is now the recommendation
>
> On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
> >
> > So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
> >
> > Gary
> >
> > On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
> >>
> >> Here's a couple past discussions
> >>
> >> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> >> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
> >>
> >> --
> >> Michael Mior
> >> mmior@apache.org
> >>
> >>
> >> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
> >>>
> >>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
> >>>
> >>> Gary
> >>>
> >>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
> >>>>
> >>>> I believe this has been discussed before, but I cannot find a link to
> >>>> the previous conclusion on the matter.
> >>>>
> >>>> I'm only representing my own personal opinions on this, but my
> >>>> understanding is that this is not a substantive deviation. I think you
> >>>> have several good reasons to justify the deviation:
> >>>>
> >>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
> >>>> the sentence, "You may obtain a copy of the License at ...". If that
> >>>> sentence is to hold any legal meaning in English, rather than just
> >>>> some magical static string of characters, then it means that the
> >>>> license can be found at the provided URL. It is a true fact that the
> >>>> document may be obtained by following that URL, regardless of whether
> >>>> you use http or https, so there can't really be any relevant legal
> >>>> difference between the two. The same would be true if you inserted
> >>>> line breaks between the words or indented the header differently. The
> >>>> words still hold the same meaning.
> >>>> 2. "grammar" argument - The linked document [1] says "should", which
> >>>> is a strong recommendation, rather than "must", which would be a
> >>>> requirement. If you understand *why* you're deviating from the
> >>>> "should" recommendation and are doing it for good reason, it's
> >>>> generally okay to diverge from even a strong recommendation.
> >>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> >>>> for Maven, already support validating the header with either.
> >>>> 4. "precedent" argument - Some projects have already started doing
> >>>> this (Apache Accumulo, for example), so you would not be setting a new
> >>>> precedent.
> >>>> 5. "location of record" argument - The website itself reports that the
> >>>> document has permanently relocated to the https location by returning
> >>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
> >>>> records up-to-date.
> >>>>
> >>>> I created a PR to update the src-headers page with a suggested change
> >>>> to make it more clear that either are acceptable (and to default to
> >>>> using https in the recommended header):
> >>>> https://github.com/apache/www-site/pull/331
> >>>>
> >>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> >>>> >
> >>>> > Forgive me if this was asked already, I didn't see it in a quick
> >>>> > search of the archives.
> >>>> >
> >>>> > The legal policy states[1] that headers should use the following URL:
> >>>> > http://www.apache.org/licenses/LICENSE-2.0
> >>>> >
> >>>> > Given the general push[2] to use https everywhere, should the official
> >>>> > policy be updated to use the https version of the license URL?
> >>>> > https://www.apache.org/licenses/LICENSE-2.0
> >>>> >
> >>>> > NOTE: The former already redirects to the latter
> >>>> >
> >>>> > Related, I've seen projects using the `https` version of the URL. Is
> >>>> > that a problem, or is it just a matter of adding an extra `s` to the
> >>>> > policy page [1]
> >>>> >
> >>>> > [1] https://www.apache.org/legal/src-headers.html#headers
> >>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Brian Demers <br...@gmail.com>.
I don't see a conclusion in those threads.  Other than:
- apache-rat was updated to accept both.
- it's two separate topics (license headers vs license text)

The html version of the license listed here:
https://www.apache.org/licenses/LICENSE-2.0 contains the https url,
as do the 3rd party refs on the page. SPDX and OSI do as well.

IMHO, we should update the policy page header text to use `https`, and
add a note under it stating that the `http` version can be used but
`https` is now the recommendation

On Wed, Dec 20, 2023 at 8:06 AM Gary Gregory <ga...@gmail.com> wrote:
>
> So... we need an opinion from VP legal and a new entry to a FAQ so we can stop rehashing this issue?
>
> Gary
>
> On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:
>>
>> Here's a couple past discussions
>>
>> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
>> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
>>
>> --
>> Michael Mior
>> mmior@apache.org
>>
>>
>> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:
>>>
>>> I think this was rejected in the past because it would require a new version of the license itself. I don't have a reference :-(
>>>
>>> Gary
>>>
>>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>>>>
>>>> I believe this has been discussed before, but I cannot find a link to
>>>> the previous conclusion on the matter.
>>>>
>>>> I'm only representing my own personal opinions on this, but my
>>>> understanding is that this is not a substantive deviation. I think you
>>>> have several good reasons to justify the deviation:
>>>>
>>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>>>> the sentence, "You may obtain a copy of the License at ...". If that
>>>> sentence is to hold any legal meaning in English, rather than just
>>>> some magical static string of characters, then it means that the
>>>> license can be found at the provided URL. It is a true fact that the
>>>> document may be obtained by following that URL, regardless of whether
>>>> you use http or https, so there can't really be any relevant legal
>>>> difference between the two. The same would be true if you inserted
>>>> line breaks between the words or indented the header differently. The
>>>> words still hold the same meaning.
>>>> 2. "grammar" argument - The linked document [1] says "should", which
>>>> is a strong recommendation, rather than "must", which would be a
>>>> requirement. If you understand *why* you're deviating from the
>>>> "should" recommendation and are doing it for good reason, it's
>>>> generally okay to diverge from even a strong recommendation.
>>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>>>> for Maven, already support validating the header with either.
>>>> 4. "precedent" argument - Some projects have already started doing
>>>> this (Apache Accumulo, for example), so you would not be setting a new
>>>> precedent.
>>>> 5. "location of record" argument - The website itself reports that the
>>>> document has permanently relocated to the https location by returning
>>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
>>>> records up-to-date.
>>>>
>>>> I created a PR to update the src-headers page with a suggested change
>>>> to make it more clear that either are acceptable (and to default to
>>>> using https in the recommended header):
>>>> https://github.com/apache/www-site/pull/331
>>>>
>>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>>>> >
>>>> > Forgive me if this was asked already, I didn't see it in a quick
>>>> > search of the archives.
>>>> >
>>>> > The legal policy states[1] that headers should use the following URL:
>>>> > http://www.apache.org/licenses/LICENSE-2.0
>>>> >
>>>> > Given the general push[2] to use https everywhere, should the official
>>>> > policy be updated to use the https version of the license URL?
>>>> > https://www.apache.org/licenses/LICENSE-2.0
>>>> >
>>>> > NOTE: The former already redirects to the latter
>>>> >
>>>> > Related, I've seen projects using the `https` version of the URL. Is
>>>> > that a problem, or is it just a matter of adding an extra `s` to the
>>>> > policy page [1]
>>>> >
>>>> > [1] https://www.apache.org/legal/src-headers.html#headers
>>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf


Re: Should license headers use https urls?

Posted by Gary Gregory <ga...@gmail.com>.
So... we need an opinion from VP legal and a new entry to a FAQ so we can
stop rehashing this issue?

Gary

On Wed, Dec 20, 2023, 7:55 AM Michael Mior <mm...@apache.org> wrote:

> Here's a couple past discussions
>
> https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
> https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23
>
> --
> Michael Mior
> mmior@apache.org
>
>
> On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com>
> wrote:
>
>> I think this was rejected in the past because it would require a new
>> version of the license itself. I don't have a reference :-(
>>
>> Gary
>>
>> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>>
>>> I believe this has been discussed before, but I cannot find a link to
>>> the previous conclusion on the matter.
>>>
>>> I'm only representing my own personal opinions on this, but my
>>> understanding is that this is not a substantive deviation. I think you
>>> have several good reasons to justify the deviation:
>>>
>>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>>> the sentence, "You may obtain a copy of the License at ...". If that
>>> sentence is to hold any legal meaning in English, rather than just
>>> some magical static string of characters, then it means that the
>>> license can be found at the provided URL. It is a true fact that the
>>> document may be obtained by following that URL, regardless of whether
>>> you use http or https, so there can't really be any relevant legal
>>> difference between the two. The same would be true if you inserted
>>> line breaks between the words or indented the header differently. The
>>> words still hold the same meaning.
>>> 2. "grammar" argument - The linked document [1] says "should", which
>>> is a strong recommendation, rather than "must", which would be a
>>> requirement. If you understand *why* you're deviating from the
>>> "should" recommendation and are doing it for good reason, it's
>>> generally okay to diverge from even a strong recommendation.
>>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>>> for Maven, already support validating the header with either.
>>> 4. "precedent" argument - Some projects have already started doing
>>> this (Apache Accumulo, for example), so you would not be setting a new
>>> precedent.
>>> 5. "location of record" argument - The website itself reports that the
>>> document has permanently relocated to the https location by returning
>>> a HTTP 301 code; so, you'd have a good argument for just keeping your
>>> records up-to-date.
>>>
>>> I created a PR to update the src-headers page with a suggested change
>>> to make it more clear that either are acceptable (and to default to
>>> using https in the recommended header):
>>> https://github.com/apache/www-site/pull/331
>>>
>>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>>> >
>>> > Forgive me if this was asked already, I didn't see it in a quick
>>> > search of the archives.
>>> >
>>> > The legal policy states[1] that headers should use the following URL:
>>> > http://www.apache.org/licenses/LICENSE-2.0
>>> >
>>> > Given the general push[2] to use https everywhere, should the official
>>> > policy be updated to use the https version of the license URL?
>>> > https://www.apache.org/licenses/LICENSE-2.0
>>> >
>>> > NOTE: The former already redirects to the latter
>>> >
>>> > Related, I've seen projects using the `https` version of the URL. Is
>>> > that a problem, or is it just a matter of adding an extra `s` to the
>>> > policy page [1]
>>> >
>>> > [1] https://www.apache.org/legal/src-headers.html#headers
>>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Michael Mior <mm...@apache.org>.
Here's a couple past discussions

https://lists.apache.org/thread/5cg50bfr0tqt29s001snlyltkmxmbrqw
https://lists.apache.org/thread/8c81ml85dotf07lq7s0psqww4owjvl23

--
Michael Mior
mmior@apache.org


On Wed, Dec 20, 2023 at 7:50 AM Gary Gregory <ga...@gmail.com> wrote:

> I think this was rejected in the past because it would require a new
> version of the license itself. I don't have a reference :-(
>
> Gary
>
> On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:
>
>> I believe this has been discussed before, but I cannot find a link to
>> the previous conclusion on the matter.
>>
>> I'm only representing my own personal opinions on this, but my
>> understanding is that this is not a substantive deviation. I think you
>> have several good reasons to justify the deviation:
>>
>> 1. "same legal meaning" argument - The URL is used as a conclusion to
>> the sentence, "You may obtain a copy of the License at ...". If that
>> sentence is to hold any legal meaning in English, rather than just
>> some magical static string of characters, then it means that the
>> license can be found at the provided URL. It is a true fact that the
>> document may be obtained by following that URL, regardless of whether
>> you use http or https, so there can't really be any relevant legal
>> difference between the two. The same would be true if you inserted
>> line breaks between the words or indented the header differently. The
>> words still hold the same meaning.
>> 2. "grammar" argument - The linked document [1] says "should", which
>> is a strong recommendation, rather than "must", which would be a
>> requirement. If you understand *why* you're deviating from the
>> "should" recommendation and are doing it for good reason, it's
>> generally okay to diverge from even a strong recommendation.
>> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
>> for Maven, already support validating the header with either.
>> 4. "precedent" argument - Some projects have already started doing
>> this (Apache Accumulo, for example), so you would not be setting a new
>> precedent.
>> 5. "location of record" argument - The website itself reports that the
>> document has permanently relocated to the https location by returning
>> a HTTP 301 code; so, you'd have a good argument for just keeping your
>> records up-to-date.
>>
>> I created a PR to update the src-headers page with a suggested change
>> to make it more clear that either are acceptable (and to default to
>> using https in the recommended header):
>> https://github.com/apache/www-site/pull/331
>>
>> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>> >
>> > Forgive me if this was asked already, I didn't see it in a quick
>> > search of the archives.
>> >
>> > The legal policy states[1] that headers should use the following URL:
>> > http://www.apache.org/licenses/LICENSE-2.0
>> >
>> > Given the general push[2] to use https everywhere, should the official
>> > policy be updated to use the https version of the license URL?
>> > https://www.apache.org/licenses/LICENSE-2.0
>> >
>> > NOTE: The former already redirects to the latter
>> >
>> > Related, I've seen projects using the `https` version of the URL. Is
>> > that a problem, or is it just a matter of adding an extra `s` to the
>> > policy page [1]
>> >
>> > [1] https://www.apache.org/legal/src-headers.html#headers
>> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Gary Gregory <ga...@gmail.com>.
I think this was rejected in the past because it would require a new
version of the license itself. I don't have a reference :-(

Gary

On Wed, Dec 20, 2023, 1:56 AM Christopher <ct...@apache.org> wrote:

> I believe this has been discussed before, but I cannot find a link to
> the previous conclusion on the matter.
>
> I'm only representing my own personal opinions on this, but my
> understanding is that this is not a substantive deviation. I think you
> have several good reasons to justify the deviation:
>
> 1. "same legal meaning" argument - The URL is used as a conclusion to
> the sentence, "You may obtain a copy of the License at ...". If that
> sentence is to hold any legal meaning in English, rather than just
> some magical static string of characters, then it means that the
> license can be found at the provided URL. It is a true fact that the
> document may be obtained by following that URL, regardless of whether
> you use http or https, so there can't really be any relevant legal
> difference between the two. The same would be true if you inserted
> line breaks between the words or indented the header differently. The
> words still hold the same meaning.
> 2. "grammar" argument - The linked document [1] says "should", which
> is a strong recommendation, rather than "must", which would be a
> requirement. If you understand *why* you're deviating from the
> "should" recommendation and are doing it for good reason, it's
> generally okay to diverge from even a strong recommendation.
> 3. "tooling" argument - Many checker tools, such as apache-rat-plugin
> for Maven, already support validating the header with either.
> 4. "precedent" argument - Some projects have already started doing
> this (Apache Accumulo, for example), so you would not be setting a new
> precedent.
> 5. "location of record" argument - The website itself reports that the
> document has permanently relocated to the https location by returning
> a HTTP 301 code; so, you'd have a good argument for just keeping your
> records up-to-date.
>
> I created a PR to update the src-headers page with a suggested change
> to make it more clear that either are acceptable (and to default to
> using https in the recommended header):
> https://github.com/apache/www-site/pull/331
>
> On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
> >
> > Forgive me if this was asked already, I didn't see it in a quick
> > search of the archives.
> >
> > The legal policy states[1] that headers should use the following URL:
> > http://www.apache.org/licenses/LICENSE-2.0
> >
> > Given the general push[2] to use https everywhere, should the official
> > policy be updated to use the https version of the license URL?
> > https://www.apache.org/licenses/LICENSE-2.0
> >
> > NOTE: The former already redirects to the latter
> >
> > Related, I've seen projects using the `https` version of the URL. Is
> > that a problem, or is it just a matter of adding an extra `s` to the
> > policy page [1]
> >
> > [1] https://www.apache.org/legal/src-headers.html#headers
> > [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf

Re: Should license headers use https urls?

Posted by Christopher <ct...@apache.org>.
I believe this has been discussed before, but I cannot find a link to
the previous conclusion on the matter.

I'm only representing my own personal opinions on this, but my
understanding is that this is not a substantive deviation. I think you
have several good reasons to justify the deviation:

1. "same legal meaning" argument - The URL is used as a conclusion to
the sentence, "You may obtain a copy of the License at ...". If that
sentence is to hold any legal meaning in English, rather than just
some magical static string of characters, then it means that the
license can be found at the provided URL. It is a true fact that the
document may be obtained by following that URL, regardless of whether
you use http or https, so there can't really be any relevant legal
difference between the two. The same would be true if you inserted
line breaks between the words or indented the header differently. The
words still hold the same meaning.
2. "grammar" argument - The linked document [1] says "should", which
is a strong recommendation, rather than "must", which would be a
requirement. If you understand *why* you're deviating from the
"should" recommendation and are doing it for good reason, it's
generally okay to diverge from even a strong recommendation.
3. "tooling" argument - Many checker tools, such as apache-rat-plugin
for Maven, already support validating the header with either.
4. "precedent" argument - Some projects have already started doing
this (Apache Accumulo, for example), so you would not be setting a new
precedent.
5. "location of record" argument - The website itself reports that the
document has permanently relocated to the https location by returning
a HTTP 301 code; so, you'd have a good argument for just keeping your
records up-to-date.

I created a PR to update the src-headers page with a suggested change
to make it more clear that either are acceptable (and to default to
using https in the recommended header):
https://github.com/apache/www-site/pull/331

On Tue, Dec 19, 2023 at 7:50 PM Brian Demers <bd...@apache.org> wrote:
>
> Forgive me if this was asked already, I didn't see it in a quick
> search of the archives.
>
> The legal policy states[1] that headers should use the following URL:
> http://www.apache.org/licenses/LICENSE-2.0
>
> Given the general push[2] to use https everywhere, should the official
> policy be updated to use the https version of the license URL?
> https://www.apache.org/licenses/LICENSE-2.0
>
> NOTE: The former already redirects to the latter
>
> Related, I've seen projects using the `https` version of the URL. Is
> that a problem, or is it just a matter of adding an extra `s` to the
> policy page [1]
>
> [1] https://www.apache.org/legal/src-headers.html#headers
> [2] https://blog.mozilla.org/security/files/2015/05/HTTPS-FAQ.pdf