Posted to dev@edgent.apache.org by Dale LaBossiere <dm...@gmail.com> on 2016/10/07 20:36:26 UTC

binary release license info - some cause for concern?

Particularly those savvy on this topic (e.g., Justin, Kathey, Dan)…

The license and notice info for the external components bundled in the binary release has been compiled [1] and is included in a binary release image and referenced by the binary release LICENSE [2] and NOTICE [3] files.  Please review.

Are the following (or anything else you see there) cause for concern?

- javax.servlet-api-3.1.0.jar is CDDL-2 and GPL.  
  See [4] and https://glassfish.java.net/nonav/public/CDDL+GPL.html

- javax.websocket-api-1.0.jar is CDDL-1.1 and GPL-2
  See [5] and https://glassfish.java.net/public/CDDL+GPL_1_1.html

- pi4j-core-1.0.jar is LGPL-3.0
  See [6] and http://www.gnu.org/licenses/lgpl.txt

Please advise.
— Dale

[1] https://github.com/apache/incubator-edgent/blob/master/legal/binary-release-bundled-dependencies
[2] https://github.com/apache/incubator-edgent/blob/master/legal/binary-release-license
[3] https://github.com/apache/incubator-edgent/blob/master/legal/binary-release-notice
[4] https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api/3.1.0
[5] https://mvnrepository.com/artifact/javax.websocket/javax.websocket-api/1.0
[6] https://mvnrepository.com/artifact/com.pi4j/pi4j-core/1.0

Re: binary release license info - some cause for concern?

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

The info looks good, but it’s not really in line with what is recommended to do [1]. If it is put up for an incubator vote, IMO it is likely to pass (given everything else is good) but is likely to get a few “please fix in next release” comments.

My minor concerns are:
- LICENSE doesn’t include the text of 3rd party licenses but points to another file.
- Some licenses are referred to by URL; information at that URL can change over time. It’s best to download and include a copy of that license.
- Pointing to content inside a jar requires the user to unpack that jar to see the information. IMO better to copy all license files into a separate directory where they can be clearly seen.
- May not be complying with some 3rd party license terms. While the licenses are permissive, most licenses state you need to include the full text of the license in anything you distribute.
- NOTICE refers to the same external file as LICENSE. NOTICE and LICENSE are for different purposes and in general NOTICE doesn't include licensing information.
- NOTICE may be missing information from bundled ASLv2 software NOTICE files. [2]

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html
2. http://www.apache.org/dev/licensing-howto.html#mod-notice

Re: binary release license info - some cause for concern?

Posted by Dale LaBossiere <dm...@gmail.com>.
Got it.  It’s (optional) sample code that was written to require pi4J to compile and run.
So we’ll have to adjust things so the sample is neither built nor pi4J included in the binary release.
— Dale

> On Oct 8, 2016, at 6:10 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
>> Is it allowable to compile against the pi4j jar? 
> 
> LGPL/GPL is not allowed as a dependency in most cases, so it is not allowed whether we bundle it or not.
> 
> Category X [1] can be used in a few cases, if it is an optional dependency [2] or a build tool [3], but I think in this case it wouldn’t be allowed. If a user wants to use this on Pi, then that library would be required, right?
> 
> Thanks,
> Justin
> 
> 1. https://www.apache.org/legal/resolved.html#category-x
> 2. https://www.apache.org/legal/resolved.html#optional
> 3. https://www.apache.org/legal/resolved.html#prohibited


Re: binary release license info - some cause for concern?

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Is it allowable to compile against the pi4j jar? 

LGPL/GPL is not allowed as a dependency in most cases, so it is not allowed whether we bundle it or not.

Category X [1] can be used in a few cases, if it is an optional dependency [2] or a build tool [3], but I think in this case it wouldn’t be allowed. If a user wants to use this on Pi, then that library would be required, right?

Thanks,
Justin

1. https://www.apache.org/legal/resolved.html#category-x
2. https://www.apache.org/legal/resolved.html#optional
3. https://www.apache.org/legal/resolved.html#prohibited

Re: binary release license info - some cause for concern?

Posted by Dale LaBossiere <dm...@gmail.com>.
Is it allowable to compile against the pi4j jar? 
If so, it seems that simply omitting it from the binary release will suffice.

— Dale

> On Oct 7, 2016, at 7:35 PM, Justin Mclean <ju...@classsoftware.com> wrote:
>> …

>> - pi4j-core-1.0.jar is LGPL-3.0
>> See [6] and http://www.gnu.org/licenses/lgpl.txt
> 
> This would not be allowed. You could ask VP legal to get permission to make a release if it is going to be removed in the next incubating release.


Re: binary release license info - some cause for concern?

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> - javax.servlet-api-3.1.0.jar is CDDL-2 and GPL.  
>  See [4] and https://glassfish.java.net/nonav/public/CDDL+GPL.html
> 
> - javax.websocket-api-1.0.jar is CDDL-1.1 and GPL-2
>  See [5] and https://glassfish.java.net/public/CDDL+GPL_1_1.html
> 

The above is fine as you can select the license to use from any dual licensed software and CDDL is category B and is allowed to be used in a convenience binary.

> - pi4j-core-1.0.jar is LGPL-3.0
>  See [6] and http://www.gnu.org/licenses/lgpl.txt

This would not be allowed. You could ask VP legal to get permission to make a release if it is going to be removed in the next incubating release.

Thanks,
Justin