Posted to legal-discuss@apache.org by "Sean Busbey (JIRA)" <ji...@apache.org> on 2016/05/01 05:15:13 UTC

[jira] [Commented] (LEGAL-251) Can an Apache Project depend upon a binary-only dependencies available under a permissible license

    [ https://issues.apache.org/jira/browse/LEGAL-251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265588#comment-15265588 ] 

Sean Busbey commented on LEGAL-251:
-----------------------------------

I'm not a part of the OP's question, but I have a related issue that came up in HBASE-14085. HBase relies on Jetty 6.1.26, and as a part of the LICENSE/NOTICE review for HBASE-14085 I needed to find the source (or at least its detailed license/notice information). 

Jetty 6 is extremely EOL. It is in maven central still (http://repo1.maven.org/maven2/org/mortbay/jetty/jetty/6.1.26/) but the jars there do not include any LICENSE or NOTICE information. They *do* point to parent poms that say ASLv2 / EPL v1, so the PMC was reasonably sure they were under an acceptable license. There is a source jar there on central, but it's incomplete (wrt having the whole jetty 6.1.26 project) and all of the pointers to source repositories in the poms are dead links.

Jetty 6 is sufficiently EOL that it does not appear in the archived releases of the current Jetty project ( http://archive.eclipse.org/jetty/index.html ) nor is it tracked at all in their source repository ( http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git ).

I ended up finding a purported copy of the source in the Fedora archive, as well as a tag in a source mirror maintained by a user on github (who happens to be an ASF Member). In HBase's case I accepted these two sources (and that they matched) as sufficient verification. I used the NOTICE information present in them and left pointers to each in the part of our project that creates the relevant NOTICE file.

I'd say the HBase project got lucky in this case, but it does demonstrate how time can make it easier to lose access to the source of a non-ASF dependency. I'm sure there are projects on github that don't publish source artifacts in central, with individual maintainers that may choose to close up shop at any point in time. Can we use those? Should we be republishing a copy of their source when we do so?

> Can an Apache Project depend upon a binary-only dependencies available under a permissible license
> --------------------------------------------------------------------------------------------------
>
>                 Key: LEGAL-251
>                 URL: https://issues.apache.org/jira/browse/LEGAL-251
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Aditya Kishore
>
> While researching this, I ran into many related queries and their answers but could not find one which addresses this specifically.
> In one place, LEGAL-230, it appears it is okay to depend on a binary whose source code is not published but is available under a permissible license.
> To ask it specifically, let's say there is a binary version of a library, 'foo', available under one of the permissible licenses but no source is available.
> In such a case, can an Apache project
> # Have a compile time dependency on such a binary?
> # Include this binary in its distribution?
> Thanks for your help!
