Posted to legal-discuss@apache.org by Mike Drob <md...@apache.org> on 2017/05/19 02:37:29 UTC

JRuby bundling LGPL prior to version 9.1.9.0

Legal,

I recently got done working with the JRuby dev team on an issue where they
were inadvertently including LGPL code in the jruby-complete jar for
versions 9.0.0.0 - 9.1.8.0.

I'm not sure if we have a good mechanism for tracking which projects are
using/bundling JRuby, but it would be good to let them know that they
should consider updating for license reasons.

Mike

Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Joe Witt <jo...@gmail.com>.
Big thank you for flagging this Mike.  Will have the Apache NiFi usage
of this sorted in short order
https://issues.apache.org/jira/browse/NIFI-3940.

On Thu, May 18, 2017 at 10:37 PM, Mike Drob <md...@apache.org> wrote:
> Legal,
>
> I recently got done working with the JRuby dev team on an issue where they
> were inadvertently including LGPL code in the jruby-complete jar for
> versions 9.0.0.0 - 9.1.8.0.
>
> I'm not sure if we have a good mechanism for tracking which projects are
> using/bundling JRuby, but it would be good to let them know that they should
> consider updating for license reasons.
>
> Mike

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Mike Drob <md...@apache.org>.
I spent some time and think this is minimal. Apache Bigtop, Tuscany,
Meecrowave, Pig, Camel, Zeppelin, Wicket, and Drill were all on versions
that were prior to 9.0.0.0, so were unaffected. Apache HBase was on an
older version and upgraded to a new enough version.

Apache Synapse and James-Project don't bundle their use of JRuby.

Apache Isis uses an affected version... but doesn't bundle it, I think? I
couldn't tell just by looking what they publish.

Apache Trafodion (Incubating) uses an affected version of jruby, but I
can't tell if they bundle it or not.

Apache NiFi _is_ affected, but Joe already responded to this thread and
they've addressed the issue in future releases. I didn't look to see what
they did about old releases or if there was a community announcement.

I make no promises to the completeness of this list.


Mike




On Sat, Jun 17, 2017 at 2:47 PM, Chris Mattmann <ma...@apache.org> wrote:

> Hi,
>
> I wanted to get back to this.
>
> Do you have a list of affected PMCs, and would you volunteer to
> help us contact them? I would suggest at a minimum:
>
> 1. Pull the releases if possible from the archive/dist area.
> 2. If the burden is too great to pull affected releases, then
> make clear those releases that include a dependency on
> JRuby’s LGPL version so that downstream consumers are
> aware. Make clear could involve sending a note to the
> users@ or dev@ list of the affected projects, posting a
> note on the website of the projects, etc.
>
> That would be my suggested plan of action. Feel free to share this
> email with the affected PMCs@ private lists.
>
> Thanks,
> Chris
>
>
>
> On 5/19/17, 7:16 PM, "Mattmann, Chris A (3010) on behalf of Chris
> Mattmann" <chris.a.mattmann@jpl.nasa.gov on behalf of mattmann@apache.org>
> wrote:
>
>     I’ll get back to you on this, sorry I am away for the weekend. I need
>     to do some research in the archives on past precedent.
>
>     Cheers,
>     Chris
>
>
>
>
>     On 5/19/17, 6:29 PM, "Sean Busbey" <bu...@apache.org> wrote:
>
>         Question for VP Legal:
>
>         Do impacted PMCs need to pull releases that depend on or release
>         artifacts that currently distribute the LGPL tainted versions of
>         jruby?
>
>         On Thu, May 18, 2017 at 7:37 PM, Mike Drob <md...@apache.org> wrote:
>         > Legal,
>         >
>         > I recently got done working with the JRuby dev team on an issue where they
>         > were inadvertently including LGPL code in the jruby-complete jar for
>         > versions 9.0.0.0 - 9.1.8.0.
>         >
>         > I'm not sure if we have a good mechanism for tracking which projects are
>         > using/bundling JRuby, but it would be good to let them know that they should
>         > consider updating for license reasons.
>         >
>         > Mike
>
>
>
>
>
>
>
>
>

Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Chris Mattmann <ma...@apache.org>.
Hi,

I wanted to get back to this.

Do you have a list of affected PMCs, and would you volunteer to 
help us contact them? I would suggest at a minimum:

1. Pull the releases if possible from the archive/dist area.
2. If the burden is too great to pull affected releases, then
make clear those releases that include a dependency on 
JRuby’s LGPL version so that downstream consumers are
aware. Make clear could involve sending a note to the 
users@ or dev@ list of the affected projects, posting a 
note on the website of the projects, etc.

That would be my suggested plan of action. Feel free to share this
email with the affected PMCs@ private lists.

Thanks,
Chris



On 5/19/17, 7:16 PM, "Mattmann, Chris A (3010) on behalf of Chris Mattmann" <chris.a.mattmann@jpl.nasa.gov on behalf of mattmann@apache.org> wrote:

    I’ll get back to you on this, sorry I am away for the weekend. I need 
    to do some research in the archives on past precedent. 
    
    Cheers,
    Chris
    
    
    
    
    On 5/19/17, 6:29 PM, "Sean Busbey" <bu...@apache.org> wrote:
    
        Question for VP Legal:
        
        Do impacted PMCs need to pull releases that depend on or release
        artifacts that currently distribute the LGPL tainted versions of
        jruby?
        
        On Thu, May 18, 2017 at 7:37 PM, Mike Drob <md...@apache.org> wrote:
        > Legal,
        >
        > I recently got done working with the JRuby dev team on an issue where they
        > were inadvertently including LGPL code in the jruby-complete jar for
        > versions 9.0.0.0 - 9.1.8.0.
        >
        > I'm not sure if we have a good mechanism for tracking which projects are
        > using/bundling JRuby, but it would be good to let them know that they should
        > consider updating for license reasons.
        >
        > Mike
        
        
        
    





Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Chris Mattmann <ma...@apache.org>.
I’ll get back to you on this, sorry I am away for the weekend. I need 
to do some research in the archives on past precedent. 

Cheers,
Chris




On 5/19/17, 6:29 PM, "Sean Busbey" <bu...@apache.org> wrote:

    Question for VP Legal:
    
    Do impacted PMCs need to pull releases that depend on or release
    artifacts that currently distribute the LGPL tainted versions of
    jruby?
    
    On Thu, May 18, 2017 at 7:37 PM, Mike Drob <md...@apache.org> wrote:
    > Legal,
    >
    > I recently got done working with the JRuby dev team on an issue where they
    > were inadvertently including LGPL code in the jruby-complete jar for
    > versions 9.0.0.0 - 9.1.8.0.
    >
    > I'm not sure if we have a good mechanism for tracking which projects are
    > using/bundling JRuby, but it would be good to let them know that they should
    > consider updating for license reasons.
    >
    > Mike
    
    
    





Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Ted Dunning <te...@gmail.com>.
The json was very different. The json.org license has a field of use
constraint that is probably unenforceable. It is still a problem because
some downstream users can't have jokes in licenses.

LGPL, in contrast, is a real license with real issues relative to
downstream use. That is much more serious.


On May 20, 2017 5:34 AM, "Greg Stein" <gs...@gmail.com> wrote:

> Recently, we had a problem with some json package licensing, and VP gave a
> waiver. Something like: no need to pull, and six months to resolve for new
> releases.
>
> On May 19, 2017 9:29 PM, "Sean Busbey" <bu...@apache.org> wrote:
>
>> Question for VP Legal:
>>
>> Do impacted PMCs need to pull releases that depend on or release
>> artifacts that currently distribute the LGPL tainted versions of
>> jruby?
>>
>> On Thu, May 18, 2017 at 7:37 PM, Mike Drob <md...@apache.org> wrote:
>> > Legal,
>> >
>> > I recently got done working with the JRuby dev team on an issue where they
>> > were inadvertently including LGPL code in the jruby-complete jar for
>> > versions 9.0.0.0 - 9.1.8.0.
>> >
>> > I'm not sure if we have a good mechanism for tracking which projects are
>> > using/bundling JRuby, but it would be good to let them know that they should
>> > consider updating for license reasons.
>> >
>> > Mike
>>
>>
>>

Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Greg Stein <gs...@gmail.com>.
Recently, we had a problem with some json package licensing, and VP gave a
waiver. Something like: no need to pull, and six months to resolve for new
releases.

On May 19, 2017 9:29 PM, "Sean Busbey" <bu...@apache.org> wrote:

> Question for VP Legal:
>
> Do impacted PMCs need to pull releases that depend on or release
> artifacts that currently distribute the LGPL tainted versions of
> jruby?
>
> On Thu, May 18, 2017 at 7:37 PM, Mike Drob <md...@apache.org> wrote:
> > Legal,
> >
> > I recently got done working with the JRuby dev team on an issue where they
> > were inadvertently including LGPL code in the jruby-complete jar for
> > versions 9.0.0.0 - 9.1.8.0.
> >
> > I'm not sure if we have a good mechanism for tracking which projects are
> > using/bundling JRuby, but it would be good to let them know that they should
> > consider updating for license reasons.
> >
> > Mike
>
>
>

Re: JRuby bundling LGPL prior to version 9.1.9.0

Posted by Sean Busbey <bu...@apache.org>.
Question for VP Legal:

Do impacted PMCs need to pull releases that depend on or release
artifacts that currently distribute the LGPL tainted versions of
jruby?

On Thu, May 18, 2017 at 7:37 PM, Mike Drob <md...@apache.org> wrote:
> Legal,
>
> I recently got done working with the JRuby dev team on an issue where they
> were inadvertently including LGPL code in the jruby-complete jar for
> versions 9.0.0.0 - 9.1.8.0.
>
> I'm not sure if we have a good mechanism for tracking which projects are
> using/bundling JRuby, but it would be good to let them know that they should
> consider updating for license reasons.
>
> Mike
