Posted to legal-discuss@apache.org by Henri Yandell <ba...@apache.org> on 2008/05/29 10:06:54 UTC

Maven repository issues [Was: Creative Commons Attribution License]

On Thu, May 29, 2008 at 12:58 AM, Stefano Bagnara <ap...@bago.org> wrote:
> Craig L Russell wrote:
>>
>> I don't have any problem with depending on a CC licensed artifact, but I'm
>> troubled by the notion that an artifact would be installed into a Maven
>> repository by "not the author".
>
> I had big issues with the fact that pom.xml in maven repository have no
> license headers. Our PMC voted down redistributing some of them because of
> this.
>
> It should be enforced that any uploaded pom.xml include a license header to
> specify the license for the pom itself.
>
> Unfortunately most pom.xml in the current repository do not have the license
> header and we don't even know who hold the copyright for that files, AFAIK.

Apart from the description of the project, which is usually copied
from the project website if it's even there, I wonder how much
copyright there is in a pom.xml. All of the xml tags and attributes
are a standard enforced by the Maven tool, so that leaves the data in
between the xml - namely urls, people's names, project name/versions
and some small level of configuration (ie: numbers and file paths).

A different world than even a build.xml where basic building blocks
are used as a set of instructions.

Hen

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Craig L Russell <Cr...@Sun.COM>.
On May 29, 2008, at 1:06 AM, Henri Yandell wrote:

> On Thu, May 29, 2008 at 12:58 AM, Stefano Bagnara <ap...@bago.org>  
> wrote:
>> Craig L Russell wrote:
>>>
>>> I don't have any problem with depending on a CC licensed artifact,  
>>> but I'm
>>> troubled by the notion that an artifact would be installed into a  
>>> Maven
>>> repository by "not the author".
>>
>> I had big issues with the fact that pom.xml in maven repository  
>> have no
>> license headers. Our PMC voted down redistributing some of them  
>> because of
>> this.
>>
>> It should be enforced that any uploaded pom.xml include a license  
>> header to
>> specify the license for the pom itself.
>>
>> Unfortunately most pom.xml in the current repository do not have  
>> the license
>> header and we don't even know who hold the copyright for that  
>> files, AFAIK.
>
> Apart from the description of the project, which is usually copied
> from the project website if it's even there, I wonder how much
> copyright there is in a pom.xml. All of the xml tags and attributes
> are a standard enforced by the Maven tool, so that leaves the data in
> between the xml - namely urls, people's names, project name/versions
> and some small level of configuration (ie: numbers and file paths).
>
> A different world than even a build.xml where basic building blocks
> are used as a set of instructions.

If a project ProjectA creates a pom for a different project ProjectB  
in order to publish it in a Maven repository, ProjectA can license the  
pom in any way it wants to (presumably the Apache license if one of  
our own projects does it) and the contents of the pom tell the user  
what the license is for the artifact from ProjectB.

Plus, the artifact will often contain LICENSE and NOTICE files. If  
there is a license for the pom itself, it's under the control of  
whoever published the artifact.

This area is one reason I think it's best for the author of an  
artifact to explicitly publish it to a Maven repository, so we don't  
get "dueling publishers" with their own versions of poms etc.

Craig
>
>
> Hen
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Assaf Arkin <ar...@intalio.com>.
On Fri, May 30, 2008 at 3:34 AM, Stefano Bagnara <ap...@bago.org> wrote:
> I agree. Can't we identify a set of "tags" that do not imply creativity
> so to be able to paint a line?
>
> IMHO (IANAL) the simplest pom having only a groupId/artifactId/version
> (so the one automatically generated by maven is not a creative work:
> does anyone disagree on this?
>
> The name, url, issueManagement, inceptionYear, organization and license
> tags are "facts" about the described artifact, IMHO there is nothing
> creative there, do you agree?

Caveat.  For all you know, the issueManagement element might contain
the next great American novel.  I don't think you can make that blank
statement on every element in the POM just because the intent is for
that element to contain trivial facts.

Assaf

> Like the "description" also the "dependency" tag is sometimes (*some
> times*) simple to guess, but this involve a creative process to choose
> the right versions. (Choosing the scope is not a creative work, IMHO).
>
> About practical examples (some artifact I use):
>
> dnsjava pom, IMHO, is *not* the result of a creative work:
> http://repo1.maven.org/maven2/dnsjava/dnsjava/2.0.1/dnsjava-2.0.1.pom
>
> javamail can be found in 2 repositories:
> https://maven-repository.dev.java.net/nonav/repository/javax.mail/poms/mail-1.4.pom
> http://repo1.maven.org/maven2/javax/mail/mail/1.4/mail-1.4.pom
> both of them includes the javax.activation dependency, so it is
> questionable. What do you think?
>
> what about junit.pom? Is that descriptor the result of something creative?
> http://repo1.maven.org/maven2/junit/junit/3.8.1/junit-3.8.1.pom
>
> My main issue is that junit is used by almost any project around, this
> pom does not include a license header and we cannot guess it is
> redistributed under the same license of the junit itself (because it is
> not part of the junit redistributable). So someone wrote it or copied it
> somewhere and uploaded to central. For what we know it could be
> something written by someone else and having all right reserved to the
> original author (that we don't know). For what we know we don't even
> have the right to automatically let maven download it to build a single
> project, right? "Central" is used by default by maven. Maven should warn
> the user that simply running "mvn" against any project could make him
> violate the copyright for some file automatically downloaded without his
> consensus?
>
> Stefano
>
>
>


Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Stefano Bagnara <ap...@bago.org>.
Gilles Scokart wrote:
> 2008/5/29 Assaf Arkin <ar...@intalio.com>:
>> Except, not everything is copyrightable, it has to have some creativity in it.
>>
>> This particular case is not copyrightable, and slapping a copyright
>> statement on it won't change that.
> 
> I can't disagree more.  Writing a pom requires a lot of creativity.
> You have to carefully choose the libraries with sometimes multiple
> possibilities, you need to choose the right versions, you have to put
> a scope on each one, you have to choose which one you want to inherit
> transitively and which one you want to specify at first level
> dependencies, you will have to choose if you want to use a
> dependencyManagement block or not, if you want to use a parent pom or
> not, and I didn't talk about the profiles...
> 
> Why do you think that there is so many bad designed pom on the maven
> repositories ?  It simply because to write a good pom you must be an
> artist ;-) !
> 
> Anyway, it requires creativity.  For quite a lot of projects, 2 persons
> would probably produce 2 different pom.

I agree. Can't we identify a set of "tags" that do not imply creativity
so to be able to paint a line?

IMHO (IANAL) the simplest pom having only a groupId/artifactId/version
(so the one automatically generated by maven is not a creative work:
does anyone disagree on this?

The name, url, issueManagement, inceptionYear, organization and license
tags are "facts" about the described artifact, IMHO there is nothing
creative there, do you agree?

I agree that dependencyManagement/build/reporting are the result of a
creative process, but we have to notice that most poms do not include
this tags, so it would be fine for me to say "this is on the other side
of the line".

What about "description" ? Often it is a copy&paste from the project
webpage, but this is probably a creative work, sadly.

Like the "description" also the "dependency" tag is sometimes (*some
times*) simple to guess, but this involve a creative process to choose
the right versions. (Choosing the scope is not a creative work, IMHO).

About practical examples (some artifact I use):

dnsjava pom, IMHO, is *not* the result of a creative work:
http://repo1.maven.org/maven2/dnsjava/dnsjava/2.0.1/dnsjava-2.0.1.pom

javamail can be found in 2 repositories:
https://maven-repository.dev.java.net/nonav/repository/javax.mail/poms/mail-1.4.pom
http://repo1.maven.org/maven2/javax/mail/mail/1.4/mail-1.4.pom
both of them includes the javax.activation dependency, so it is
questionable. What do you think?

what about junit.pom? Is that descriptor the result of something creative?
http://repo1.maven.org/maven2/junit/junit/3.8.1/junit-3.8.1.pom

My main issue is that junit is used by almost any project around, this
pom does not include a license header and we cannot guess it is
redistributed under the same license of the junit itself (because it is
not part of the junit redistributable). So someone wrote it or copied it
somewhere and uploaded to central. For what we know it could be
something written by someone else and having all right reserved to the
original author (that we don't know). For what we know we don't even
have the right to automatically let maven download it to build a single
project, right? "Central" is used by default by maven. Maven should warn
the user that simply running "mvn" against any project could make him
violate the copyright for some file automatically downloaded without his
consensus?

Stefano





Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Assaf Arkin <ar...@intalio.com>.
On Fri, May 30, 2008 at 1:04 AM, Gilles Scokart <gs...@gmail.com> wrote:
> 2008/5/29 Assaf Arkin <ar...@intalio.com>:
>> Except, not everything is copyrightable, it has to have some creativity in it.
>>
>> This particular case is not copyrightable, and slapping a copyright
>> statement on it won't change that.
>>
>
> I can't disagree more.  Writing a pom requires a lot of creativity.
> You have to carefully choose the libraries with sometimes multiple
> possibilities, you need to choose the right versions, you have to put
> a scope on each one, you have to choose which one you want to inherit
> transitively and which one you want to specify at first level
> dependencies, you will have to choose if you want to use a
> dependencyManagement block or not, if you want to use a parent pom or
> not, and I didn't talk about the profiles...

The case presented by Stefano, which I was referring to:

"that even the most simple pom automatically generated by
maven when installing an artifact with no pom (so that it only contains
the artifactId, groupId and version) is copyrightable."

> Why do you think that there is so many bad designed pom on the maven
> repositories ?  It simply because to write a good pom you must be an
> artist ;-) !
>
> Anyway, it requires creativity.  For quite a lot of projects, 2 persons
> would probably produce 2 different pom.

When it comes to trademarks and patents, first to make a successful
claims owns it, anyone else has to obtain a license.

Copyright doesn't have that form of exclusivity.  If you and I both
create identical files, then both of us own copyright to identical
content, doesn't matter who did it first.  It's infringing when I copy
your work copyrightable, not when I create the same thing.

You are right that there are POMs out there that definitely constitute
original work and I wouldn't be able to recreate those in a million
years (not enough monkeys).  But the distinction would boil down to
things like description, which mailing lists you put there, how you
use properties, etc.

When it comes to a dummy POM, or one that lists the right incantation
of magic dependencies (which I believe falls under discovery, itself
not copyrightable), nothing original about it.

Assaf

>
> --
> Gilles Scokart



Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by sebb <se...@gmail.com>.
On 30/05/2008, Gilles Scokart <gs...@gmail.com> wrote:
> 2008/5/29 Assaf Arkin <ar...@intalio.com>:
>
> > Except, not everything is copyrightable, it has to have some creativity in it.
>  >
>  > This particular case is not copyrightable, and slapping a copyright
>  > statement on it won't change that.
>  >
>
>
> I can't disagree more.  Writing a pom requires a lot of creativity.

That really depends on the jar that is being uploaded. A number of the
.pom files have only a few lines in them which merely describe the
jar, and perhaps point to the licence and svn etc.

IMO, these don't need a license.

This is the sort of pom that generally accompanies 3rd party libraries
such as JUnit.

>  You have to carefully choose the libraries with sometimes multiple
>  possibilities, you need to choose the right versions, you have to put
>  a scope on each one, you have to choose which one you want to inherit
>  transitively and which one you want to specify at first level
>  dependencies, you will have to choose if you want to use a
>  dependencyManagement block or not, if you want to use a parent pom or
>  not, and I didn't talk about the profiles...
>
>  Why do you think that there is so many bad designed pom on the maven
>  repositories ?  It simply because to write a good pom you must be an
>  artist ;-) !
>
>  Anyway, it requires creativity.  For quite a lot of projects, 2 persons
>  would probably produce 2 different pom.
>
>  --
>
> Gilles Scokart
>
>


Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Gilles Scokart <gs...@gmail.com>.
2008/5/30 Stefano Bagnara <ap...@bago.org>:

> IMHO (IANAL) the simplest pom having only a groupId/artifactId/version (so
> the one automatically generated by maven is not a creative work: does anyone
> disagree on this?
>

Maybe... maybe not.  Even this doesn't seem to be always so trivial.

As an example, look at the pom of jaxb.  Different people made
different choices for the name [1].
Also I have already read quite a lot of discussion about which name to
choose (sorry, I don't have time to search for a link).

In both cases, that means there are choices.

I don't know if that implies creativity.  A lawyer should answer that.
But I guess that it is safer to consider that it does.



[1] http://markmail.org/message/v5522sndfcnx47sh

-- 
Gilles Scokart



Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Gilles Scokart <gs...@gmail.com>.
2008/5/29 Assaf Arkin <ar...@intalio.com>:
> Except, not everything is copyrightable, it has to have some creativity in it.
>
> This particular case is not copyrightable, and slapping a copyright
> statement on it won't change that.
>

I can't disagree more.  Writing a pom requires a lot of creativity.
You have to carefully choose the libraries with sometimes multiple
possibilities, you need to choose the right versions, you have to put
a scope on each one, you have to choose which one you want to inherit
transitively and which one you want to specify at first level
dependencies, you will have to choose if you want to use a
dependencyManagement block or not, if you want to use a parent pom or
not, and I didn't talk about the profiles...

Why do you think that there is so many bad designed pom on the maven
repositories ?  It simply because to write a good pom you must be an
artist ;-) !

Anyway, it requires creativity.  For quite a lot of projects, 2 persons
would probably produce 2 different pom.

-- 
Gilles Scokart



Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Stefano Bagnara <ap...@bago.org>.
David Jencks wrote:
> On May 29, 2008, at 12:35 PM, Stefano Bagnara wrote:
>> The problem is that 99% of poms descriptor in maven central do not 
>> provide a license header and so we have to take them as "all right 
>> reserved" and ASF does not allow us to redistribute similar files.
> 
> so...
> 1. maybe we could encourage maven to include a "generated" comment in  
> the poms it generates.  These are surely not copyrightable, they are 
> machine generated.  

Until recent versions maven was removing the license header from the pom 
published (release plugin). Now it seems this issue is fixed, but this 
was a big problem with a late solution.

> For non-generated poms presumably the pom is under 
> the same license as the rest of the project, and the license should be 
> mentioned in the pom licenses element.

The problem with licensing is that "Presumably" is not an appropriate 
word to use in a court ;-)

We should encourage maven central administrators to stop uploading poms 
with no license header or too restrictive licenses. Otherwise maven 
central is useless (not only for our case of redistribution, but also 
for the "standard" automatic *use* of the file).

IMHO what we can do is first of all evangelize and explain people that 
this *is* an issue.

A statement about this from the ASF legal team / board would be much 
more credible than me writing messages to the maven/repository lists (I 
already unsuccessfully tried).

> 2. I think what you are doing is somewhat questionable practice as far 
> as maven goes.  Would mvn dependency:go-offline provide sufficient 
> offline build support?

I know that the "local stage repository" is a questionable practice, but 
this was a requirement from my PMC and maven did not offer a solution to 
this. The only alternative to this was stick to ant :-(
We need to redistribute a single package that allow a maven user with no 
internet access to build the project with a single command.
So dependency:go-offline is not a solution.

Stefano




Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by David Jencks <da...@yahoo.com>.
On May 29, 2008, at 12:35 PM, Stefano Bagnara wrote:

> Henri Yandell wrote:
>> The issue, I think, is the next step in that - if it is  
>> copyrightable,
>> then we need to license that. At least I'm reading this as the JAMES
>> PMC having discussion about publishing their own poms, not whether
>> they will depend on 3rd party jars without a license on the top.  
>> Maybe
>> I'm wrong though :)
>
> No, we include the standard ASF header in our poms.
> The problem is that we use a technique that I call "local stage  
> repository". This is a maven repository (legacy structure) having a  
> relative path to the project root itself. This way we can  
> redistribute a package that can be built with maven with no internet  
> access because we also provide any dependency in our "local stage  
> repository". This is like the "old" lib folder for ant based
> projects, simply structured by groupId/artifactId.
> If we only put there jars then maven will automatically create  
> simple poms when installing them and this is not good because the  
> new poms would differ from the "official" pom and this would break  
> transitive dependencies for other projects built in the same machine  
> (sharing the same local repository, this time it is the .m2 folder  
> in the user home and not our "stage repository").
> So we have to also put the original poms in this stage folder to  
> make everything work fine.
> The problem is that 99% of poms descriptor in maven central do not  
> provide a license header and so we have to take them as "all right  
> reserved" and ASF does not allow us to redistribute similar files.

so...
1. maybe we could encourage maven to include a "generated" comment in   
the poms it generates.  These are surely not copyrightable, they are  
machine generated.   For non-generated poms presumably the pom is  
under the same license as the rest of the project, and the license  
should be mentioned in the pom licenses element.
2. I think what you are doing is somewhat questionable practice as far  
as maven goes.  Would mvn dependency:go-offline provide sufficient  
offline build support?

thanks
david jencks

>
>
>> That's a general problem for any user - how to determine the license
>> of their 3rd party works. There are solutions out there - commercial
>> and open source.
>> With the Maven repository, the jar files often contain LICENSE and
>> NOTICE files now - I always check the META-INF of an unknown jar for
>> its licensing nowadays (to the point of having a script for it :) ).
>
> As you say the JAR includes the LICENSE/NOTICE, but my problem is  
> that the pom is not inside the JAR and more often than not it has  
> not been created by the JAR author. So there is no way to know the  
> license for the pom itself unless it has an header (and 99% of poms  
> in central do not have a license header).
>
> This could even mean that people has no right to use the poms as  
> part of an automated process (a maven/ivy build) because I didn't  
> find any documentation in central about what usage rights I have for  
> the poms they redistribute.
>
> Stefano
>
>


Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Stefano Bagnara <ap...@bago.org>.
Henri Yandell wrote:
> The issue, I think, is the next step in that - if it is copyrightable,
> then we need to license that. At least I'm reading this as the JAMES
> PMC having discussion about publishing their own poms, not whether
> they will depend on 3rd party jars without a license on the top. Maybe
> I'm wrong though :)

No, we include the standard ASF header in our poms.
The problem is that we use a technique that I call "local stage 
repository". This is a maven repository (legacy structure) having a 
relative path to the project root itself. This way we can redistribute a 
package that can be built with maven with no internet access because we 
also provide any dependency in our "local stage repository". This is like
the "old" lib folder for ant based projects, simply structured by 
groupId/artifactId.
If we only put there jars then maven will automatically create simple 
poms when installing them and this is not good because the new poms 
would differ from the "official" pom and this would break transitive 
dependencies for other projects built in the same machine (sharing the 
same local repository, this time it is the .m2 folder in the user home 
and not our "stage repository").
So we have to also put the original poms in this stage folder to make 
everything work fine.
The problem is that 99% of poms descriptor in maven central do not 
provide a license header and so we have to take them as "all right 
reserved" and ASF does not allow us to redistribute similar files.

> That's a general problem for any user - how to determine the license
> of their 3rd party works. There are solutions out there - commercial
> and open source.
> 
> With the Maven repository, the jar files often contain LICENSE and
> NOTICE files now - I always check the META-INF of an unknown jar for
> its licensing nowadays (to the point of having a script for it :) ).

As you say the JAR includes the LICENSE/NOTICE, but my problem is that 
the pom is not inside the JAR and more often than not it has not been 
created by the JAR author. So there is no way to know the license for 
the pom itself unless it has an header (and 99% of poms in central do 
not have a license header).

This could even mean that people has no right to use the poms as part of 
an automated process (a maven/ivy build) because I didn't find any 
documentation in central about what usage rights I have for the poms 
they redistribute.

Stefano




Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Henri Yandell <ba...@apache.org>.
On Thu, May 29, 2008 at 10:53 AM, Assaf Arkin <ar...@intalio.com> wrote:
> On Thu, May 29, 2008 at 1:18 AM, Stefano Bagnara <ap...@bago.org> wrote:

>> An official statement from the ASF that says that we can safely include
>> pom.xml with no license headers (from the maven central repository or
>> even any repository) in our redistributable would really help our next
>> releases (Apache JAMES PMC).
>> Some of our PMC members are convinced (and I don't have knowledge to say
>> they are wrong) that even the most simple pom automatically generated by
>> maven when installing an artifact with no pom (so that it only contains
>> the artifactId, groupId and version) is copyrightable.
>
> A lot of people trip on that.  You don't have to file for copyright on
> a work, you get it by merely creating the work, which almost sounds
> like everything you create would be protected by copyright.

The issue, I think, is the next step in that - if it is copyrightable,
then we need to license that. At least I'm reading this as the JAMES
PMC having a discussion about publishing their own poms, not whether
they will depend on 3rd party jars without a license on the top. Maybe
I'm wrong though :)

> Except, not everything is copyrightable, it has to have some creativity in it.
>
> This particular case is not copyrightable, and slapping a copyright
> statement on it won't change that.

I'm hesitant to say "it's not copyrightable" as I don't think I'm
qualified to determine that. It doesn't seem like there's a lot of
creativity in the normal pom file (I'm not sure if you can embed any
kind of scripting in it... maybe Ant scripts?).

> But there's a separate issue to consider.  If I'm serving you a large
> collection of files, how would you know all the files there are either
> under an agreeable license or not copyrighted to begin with?  Manually
> checking every file is tedious, and automated tools don't have good
> judgment call as to what is or is not copyrighted.
>
> So the issue is not just legal but also technical.

That's a general problem for any user - how to determine the license
of their 3rd party works. There are solutions out there - commercial
and open source.

With the Maven repository, the jar files often contain LICENSE and
NOTICE files now - I always check the META-INF of an unknown jar for
its licensing nowadays (to the point of having a script for it :) ).

Hen
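
Added example (not Hen's script and not part of the thread): a Python version of the two checks discussed here, LICENSE/NOTICE entries under META-INF in a jar and a license comment placed ahead of the <project> root of a pom. The sample jars and poms are constructed in memory, and the file-name patterns and header keywords are assumptions.

```python
import io
import re
import zipfile

# Assumptions: META-INF/LICENSE|NOTICE naming; header = comment with these words.
LICENSE_RE = re.compile(r"^META-INF/(LICENSE|NOTICE)(\.[A-Za-z]+)?$", re.I)
HEADER_RE = re.compile(r"licen[sc]e|copyright", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

def jar_license_files(jar_bytes):
    """Sorted META-INF LICENSE/NOTICE entries present in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist() if LICENSE_RE.match(n))

def pom_has_license_header(pom_text):
    """True if a comment placed before the <project> root mentions a license."""
    root = re.search(r"<project[\s>]", pom_text)
    prolog = pom_text[:root.start()] if root else pom_text
    return any(HEADER_RE.search(c) for c in COMMENT_RE.findall(prolog))

def audit(artifacts):
    """Map {name: (jar_bytes, pom_text)} to {name: [findings]}."""
    report = {}
    for name, (jar_bytes, pom_text) in artifacts.items():
        kinds = {LICENSE_RE.match(n).group(1).upper()
                 for n in jar_license_files(jar_bytes)}
        findings = [f"jar: no META-INF/{k}"
                    for k in ("LICENSE", "NOTICE") if k not in kinds]
        if not pom_has_license_header(pom_text):
            findings.append("pom: no license header")
        report[name] = findings
    return report

def make_jar(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for n in names:
            jar.writestr(n, "constructed sample\n")
    return buf.getvalue()

# Constructed in-memory samples: one with notices, one like a generated pom.
SAMPLES = {
    "with-header": (make_jar(["META-INF/LICENSE", "META-INF/NOTICE.txt"]),
                    "<!-- Apache License 2.0 -->\n<project></project>"),
    "generated": (make_jar(["META-INF/MANIFEST.MF", "a/B.class"]),
                  "<project><artifactId>a</artifactId></project>"),
}

print(audit(SAMPLES))
```

A pom's <licenses> element, or a comment inside the root element, is deliberately not counted: the check is for a header on the pom file itself, which is the gap Stefano describes.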



Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Assaf Arkin <ar...@intalio.com>.
On Thu, May 29, 2008 at 1:18 AM, Stefano Bagnara <ap...@bago.org> wrote:
> Henri Yandell wrote:
>>
>> On Thu, May 29, 2008 at 12:58 AM, Stefano Bagnara <ap...@bago.org> wrote:
>>>
>>> Craig L Russell wrote:
>>>>
>>>> I don't have any problem with depending on a CC licensed artifact, but
>>>> I'm
>>>> troubled by the notion that an artifact would be installed into a Maven
>>>> repository by "not the author".
>>>
>>> I had big issues with the fact that pom.xml in maven repository have no
>>> license headers. Our PMC voted down redistributing some of them because
>>> of
>>> this.
>>>
>>> It should be enforced that any uploaded pom.xml include a license header
>>> to
>>> specify the license for the pom itself.
>>>
>>> Unfortunately most pom.xml in the current repository do not have the
>>> license
>>> header and we don't even know who holds the copyright for those files,
>>> AFAIK.
>>
>> Apart from the description of the project, which is usually copied
>> from the project website if it's even there, I wonder how much
>> copyright there is in a pom.xml. All of the xml tags and attributes
>> are a standard enforced by the Maven tool, so that leaves the data in
>> between the xml - namely urls, people's names, project name/versions
>> and some small level of configuration (ie: numbers and file paths).
>>
>> A different world than even a build.xml where basic building blocks
>> are used as a set of instructions.
>>
>> Hen
>
> An official statement from the ASF that says that we can safely include
> pom.xml with no license headers (from the maven central repository or
> even any repository) in our redistributable would really help our next
> releases (Apache JAMES PMC).
> Some of our PMC members are convinced (and I don't have knowledge to say
> they are wrong) that even the most simple pom automatically generated by
> maven when installing an artifact with no pom (so that it only contains
> the artifactId, groupId and version) is copyrightable.

A lot of people trip on that.  You don't have to file for copyright on
a work, you get it by merely creating the work, which almost sounds
like everything you create would be protected by copyright.

Except, not everything is copyrightable, it has to have some creativity in it.

This particular case is not copyrightable, and slapping a copyright
statement on it won't change that.

But there's a separate issue to consider.  If I'm serving you a large
collection of files, how would you know all the files there are either
under an agreeable license or not copyrighted to begin with?  Manually
checking every file is tedious, and automated tools don't have good
judgment call as to what is or is not copyrighted.

So the issue is not just legal but also technical.

Assaf


>
> Stefano



Re: Maven repository issues [Was: Creative Commons Attribution License]

Posted by Stefano Bagnara <ap...@bago.org>.
Henri Yandell wrote:
> On Thu, May 29, 2008 at 12:58 AM, Stefano Bagnara <ap...@bago.org> wrote:
>> Craig L Russell wrote:
>>> I don't have any problem with depending on a CC licensed artifact, but I'm
>>> troubled by the notion that an artifact would be installed into a Maven
>>> repository by "not the author".
>> I had big issues with the fact that pom.xml in maven repository have no
>> license headers. Our PMC voted down redistributing some of them because of
>> this.
>>
>> It should be enforced that any uploaded pom.xml include a license header to
>> specify the license for the pom itself.
>>
>> Unfortunately most pom.xml in the current repository do not have the license
>> header and we don't even know who holds the copyright for those files, AFAIK.
> 
> Apart from the description of the project, which is usually copied
> from the project website if it's even there, I wonder how much
> copyright there is in a pom.xml. All of the xml tags and attributes
> are a standard enforced by the Maven tool, so that leaves the data in
> between the xml - namely urls, people's names, project name/versions
> and some small level of configuration (ie: numbers and file paths).
> 
> A different world than even a build.xml where basic building blocks
> are used as a set of instructions.
> 
> Hen

An official statement from the ASF that says that we can safely include
pom.xml with no license headers (from the maven central repository or
even any repository) in our redistributable would really help our next
releases (Apache JAMES PMC).
Some of our PMC members are convinced (and I don't have knowledge to say
they are wrong) that even the most simple pom automatically generated by
maven when installing an artifact with no pom (so that it only contains
the artifactId, groupId and version) is copyrightable.

Stefano


