Posted to dev@openoffice.apache.org by Pedro Giffuni <pf...@apache.org> on 2013/01/22 08:33:57 UTC

RAT scans: Re: What rights are given in an SGA

Somewhat off-topic, ma non troppo ...

It would be good to run a RAT scan over the website. We have not done anything to clean the content licensewise and we probably carry copyleft content, including code, there!

Pedro.

Re: RAT scans: Re: What rights are given in an SGA

Posted by Dave Fisher <da...@comcast.net>.
On Jan 22, 2013, at 10:13 AM, Andrea Pescetti wrote:

> Pedro Giffuni wrote:
>> It would be good to run a RAT scan over the website. We have not done
>> anything to clean the content licensewise and we probably carry
>> copyleft content, including code, there!
> 
> The website contains gigabytes of materials for which we are probably unable to trace detailed history and licensing, since they come from multiple CVS repositories, then lost and migrated to multiple SVN repositories, then lost and migrated to the current tree.
> 
> So a RAT scan wouldn't probably yield anything actionable.
> 
> The only thing we know for sure is that all those materials were contributed to be put on the openoffice.org website and that we are continuing to keep them online. Even if there is copyleft content or code I believe it will be fine so long as we don't put it in a release (and it won't happen that some site contents go into a release without a thorough check).

Very well written. This is my understanding as well.

It is an opposite problem from the IBM Symphony SGA where we know these will be fine but we just haven't done the relicensing and copyright adjustment to the files as of yet.

Regards,
Dave


> 
> Regards,
>  Andrea.


Re: RAT scans: Re: What rights are given in an SGA

Posted by Pedro Giffuni <pf...@apache.org>.



----- Original message -----
> From: Dave Fisher
...
> 
> On Jan 23, 2013, at 7:12 AM, Pedro Giffuni wrote:
> 
>>  Hello;
>> 
>> 
>>  ----- Original message -----
>>>  From: Jürgen Schmidt
>> 
>>>> 
>>>>  If we are distributing code there it is our responsibility. 
>>>> 
>>>> 
>>>>  I am afraid there are also tarballs that deserve special consideration.
>>>>  I recall we were carrying a GPL'd Slovenian dictionary (not sure if I finally
>>>>  got rid of it). Some content like the SDK should be verified for licensing
>>>>  content and updated.
>>> 
>>>  what do you mean with SDK? Our OpenOffice SDK is part of the normal
>>>  source tree and doesn't contain anything critical.
>>>   
>> 
>>  I just looked and it appears we are pointing to the latest source indeed.
>> 
>>  I was afraid that there might be pages pointing to older releases
>> 
>>  http://www.openoffice.org/dev_docs/source/sdk/
>> 
>> 
>>  I cleaned out older versions of dmake and a GPL'd dictionary that we were
>>  carrying but without an audit we have no certainty about what may be left.
>> 
>>  And no, I don't have time to hunt for specific cases so that's the reason why
>>  I am suggesting a rat scan. There's no hurry though, just something to
>>  consider for a TODO list.
> 
> I think that rather than a RAT scan, a checkout of the web tree plus find/greps 
> would uncover issues.
> 
> Do you have search strings (other than GPL) to suggest?
>

I would focus around binary files (.zip, .tar.*, .jar and .oxt).

Pedro.
  
> Regards,
> Dave
> 
>> 
>>  Pedro.
> 
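A sketch of the "checkout plus find/greps" audit discussed above, focused on the binary files named in the reply; it is an added example, not code from the thread or the project. The search pattern, the extension lists and the sample tree are constructed assumptions (the thread only names "GPL" as a search string).

```python
import re, tarfile, tempfile, zipfile
from pathlib import Path
# Assumed search strings: the thread itself only names "GPL".
COPYLEFT = re.compile(rb"GNU (LESSER |AFFERO )?GENERAL PUBLIC LICENSE|\bL?GPL\b", re.I)
ZIP_LIKE = (".zip", ".jar", ".oxt")  # .jar and .oxt are zip containers
TAR_LIKE = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")
MAX_MEMBER = 1 << 20  # read at most 1 MiB of each member

def members(path):
    """Yield (member name, leading bytes) for every file inside an archive."""
    name = path.name.lower()
    if name.endswith(ZIP_LIKE):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        yield info.filename, fh.read(MAX_MEMBER)
    elif name.endswith(TAR_LIKE):
        with tarfile.open(path) as tf:  # default mode detects gz/bz2/xz
            for info in tf:
                if info.isfile():
                    yield info.name, tf.extractfile(info).read(MAX_MEMBER)

def scan_tree(root):
    """Return sorted (archive, member) pairs whose content matches COPYLEFT."""
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        try:
            hits += [(rel, m) for m, data in members(path) if COPYLEFT.search(data)]
        except (zipfile.BadZipFile, tarfile.TarError, OSError, RuntimeError):
            hits.append((rel, "<unreadable>"))  # flag for manual review
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree standing in for a website checkout."""
    with zipfile.ZipFile(Path(root, "dict-xx.oxt"), "w", zipfile.ZIP_DEFLATED) as zf:
        # Compressed on disk, so a plain grep of the .oxt would not see this text.
        zf.writestr("COPYING", "GNU GENERAL PUBLIC LICENSE\nVersion 2\n" * 20)
    Path(root, "LICENSE").write_text("Apache License, Version 2.0\n")
    with tarfile.open(Path(root, "tool.tar.gz"), "w:gz") as tf:
        tf.add(Path(root, "LICENSE"), arcname="tool/LICENSE")
    Path(root, "broken.zip").write_bytes(b"not a zip")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for archive, member in scan_tree(build_sample(tmp)):
            print(f"{archive}: {member}")
```

Archives that cannot be opened are reported rather than skipped, since those are the ones that still need a manual look.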

Re: RAT scans: Re: What rights are given in an SGA

Posted by Dave Fisher <da...@comcast.net>.
On Jan 23, 2013, at 7:12 AM, Pedro Giffuni wrote:

> Hello;
> 
> 
> ----- Original message -----
>> From: Jürgen Schmidt
> 
>>> 
>>> If we are distributing code there it is our responsibility. 
>>> 
>>> 
>>> I am afraid there are also tarballs that deserve special consideration.
>>> I recall we were carrying a GPL'd Slovenian dictionary (not sure if I finally
>>> got rid of it). Some content like the SDK should be verified for licensing
>>> content and updated.
>> 
>> what do you mean with SDK? Our OpenOffice SDK is part of the normal
>> source tree and doesn't contain anything critical.
>>  
> 
> I just looked and it appears we are pointing to the latest source indeed.
> 
> I was afraid that there might be pages pointing to older releases
> 
> http://www.openoffice.org/dev_docs/source/sdk/
> 
> 
> I cleaned out older versions of dmake and a GPL'd dictionary that we were
> carrying but without an audit we have no certainty about what may be left.
> 
> And no, I don't have time to hunt for specific cases so that's the reason why
> I am suggesting a rat scan. There's no hurry though, just something to
> consider for a TODO list.

I think that rather than a RAT scan, a checkout of the web tree plus find/greps would uncover issues.

Do you have search strings (other than GPL) to suggest?

Regards,
Dave

> 
> Pedro.


Re: RAT scans: Re: What rights are given in an SGA

Posted by Pedro Giffuni <pf...@apache.org>.
Hello;


----- Original message -----
> From: Jürgen Schmidt

>> 
>>  If we are distributing code there it is our responsibility. 
>> 
>> 
>>  I am afraid there are also tarballs that deserve special consideration.
>>  I recall we were carrying a GPL'd Slovenian dictionary (not sure if I finally
>>  got rid of it). Some content like the SDK should be verified for licensing
>>  content and updated.
> 
> what do you mean with SDK? Our OpenOffice SDK is part of the normal
> source tree and doesn't contain anything critical.
> 

I just looked and it appears we are pointing to the latest source indeed.

I was afraid that there might be pages pointing to older releases

http://www.openoffice.org/dev_docs/source/sdk/


I cleaned out older versions of dmake and a GPL'd dictionary that we were
carrying but without an audit we have no certainty about what may be left.

And no, I don't have time to hunt for specific cases so that's the reason why
I am suggesting a rat scan. There's no hurry though, just something to
consider for a TODO list.

Pedro.

Re: RAT scans: Re: What rights are given in an SGA

Posted by Jürgen Schmidt <jo...@gmail.com>.
On 1/22/13 11:58 PM, Pedro Giffuni wrote:
> ----- Original message -----
> 
>> From: Andrea Pescetti
> 
>>
>> Pedro Giffuni wrote:
>>>  It would be good to run a RAT scan over the website. We have not done
>>>  anything to clean the content licensewise and we probably carry
>>>  copyleft content, including code, there!
>>
>> The website contains gigabytes of materials for which we are probably unable to 
>> trace detailed history and licensing, since they come from multiple CVS 
>> repositories, then lost and migrated to multiple SVN repositories, then lost and 
>> migrated to the current tree.
>>
>> So a RAT scan wouldn't probably yield anything actionable.
>>
>> The only thing we know for sure is that all those materials were contributed to 
>> be put on the openoffice.org website and that we are continuing to keep them 
>> online. Even if there is copyleft content or code I believe it will be fine so 
>> long as we don't put it in a release (and it won't happen that some site 
>> contents go into a release without a thorough check).
>>  
> 
> If we are distributing code there it is our responsibility. 
> 
> 
> I am afraid there are also tarballs that deserve special consideration.
> I recall we were carrying a GPL'd Slovenian dictionary (not sure if I finally
> got rid of it). Some content like the SDK should be verified for licensing
> content and updated.

what do you mean with SDK? Our OpenOffice SDK is part of the normal
source tree and doesn't contain anything critical.

Juergen

> 
> The fact that information was transferred through CVS and SVN or whatever
> is irrelevant we should know what we have and ultimately after any cleanup
> SVN will remember what we had in there.
> 
> I understand we are underpowered to fix all that but the biggest problem is
> that we don't have any accounting over the content there, so it's a can of
> worms waiting to be opened.
> 
> Pedro.
> 


Re: RAT scans: Re: What rights are given in an SGA

Posted by Rob Weir <ro...@apache.org>.
On Tue, Jan 22, 2013 at 5:58 PM, Pedro Giffuni <pf...@apache.org> wrote:
> ----- Original message -----
>
>> From: Andrea Pescetti
>
>>
>> Pedro Giffuni wrote:
>>>  It would be good to run a RAT scan over the website. We have not done
>>>  anything to clean the content licensewise and we probably carry
>>>  copyleft content, including code, there!
>>
>> The website contains gigabytes of materials for which we are probably unable to
>> trace detailed history and licensing, since they come from multiple CVS
>> repositories, then lost and migrated to multiple SVN repositories, then lost and
>> migrated to the current tree.
>>
>> So a RAT scan wouldn't probably yield anything actionable.
>>
>> The only thing we know for sure is that all those materials were contributed to
>> be put on the openoffice.org website and that we are continuing to keep them
>> online. Even if there is copyleft content or code I believe it will be fine so
>> long as we don't put it in a release (and it won't happen that some site
>> contents go into a release without a thorough check).
>>
>
> If we are distributing code there it is our responsibility.
>
>
> I am afraid there are also tarballs that deserve special consideration.
> I recall we were carrying a GPL'd Slovenian dictionary (not sure if I finally
> got rid of it). Some content like the SDK should be verified for licensing
> content and updated.
>

If you have specific examples, that would be great.  I think a RAT scan
on the website would be too noisy, and it only gets the static pages,
not the content on the wiki.

> The fact that information was transferred through CVS and SVN or whatever
> is irrelevant we should know what we have and ultimately after any cleanup
> SVN will remember what we had in there.
>
> I understand we are underpowered to fix all that but the biggest problem is
> that we don't have any accounting over the content there, so it's a can of
> worms waiting to be opened.
>

There are a range of potential issues, of varying severity:

1) Something hosted where we have no legal permission to host it.
That would be bad.

2) Something hosted where there is suggestion that it is an
Apache-approved release but it isn't.  That is a policy issue, not a
legal one.  We could decide to add a disclaimer, or remove the
content.  I'd take this on a case-by-case basis.  There are parts of
the website, such as the forums and the wiki, where user content has
traditionally been hosted, under a variety of licences.

3) Distribution of significant files directly from the website, with
resulting bandwidth impact.  This is an Infrastructure policy
violation, and the content would need to be moved.

Perhaps other potential issues, but we'd really need to talk
specifics. In any case, I'd hope that all committers feel empowered
to fix such issues when they arise.

-Rob

> Pedro.
>

Re: RAT scans: Re: What rights are given in an SGA

Posted by Pedro Giffuni <pf...@apache.org>.
----- Original message -----

> From: Andrea Pescetti

> 
> Pedro Giffuni wrote:
>>  It would be good to run a RAT scan over the website. We have not done
>>  anything to clean the content licensewise and we probably carry
>>  copyleft content, including code, there!
> 
> The website contains gigabytes of materials for which we are probably unable to 
> trace detailed history and licensing, since they come from multiple CVS 
> repositories, then lost and migrated to multiple SVN repositories, then lost and 
> migrated to the current tree.
> 
> So a RAT scan wouldn't probably yield anything actionable.
> 
> The only thing we know for sure is that all those materials were contributed to 
> be put on the openoffice.org website and that we are continuing to keep them 
> online. Even if there is copyleft content or code I believe it will be fine so 
> long as we don't put it in a release (and it won't happen that some site 
> contents go into a release without a thorough check).
> 

If we are distributing code there it is our responsibility. 


I am afraid there are also tarballs that deserve special consideration.
I recall we were carrying a GPL'd Slovenian dictionary (not sure if I finally
got rid of it). Some content like the SDK should be verified for licensing
content and updated.

The fact that information was transferred through CVS and SVN or whatever
is irrelevant we should know what we have and ultimately after any cleanup
SVN will remember what we had in there.

I understand we are underpowered to fix all that but the biggest problem is
that we don't have any accounting over the content there, so it's a can of
worms waiting to be opened.

Pedro.


Re: RAT scans: Re: What rights are given in an SGA

Posted by Andrea Pescetti <pe...@apache.org>.
Pedro Giffuni wrote:
> It would be good to run a RAT scan over the website. We have not done
> anything to clean the content licensewise and we probably carry
> copyleft content, including code, there!

The website contains gigabytes of materials for which we are probably 
unable to trace detailed history and licensing, since they come from 
multiple CVS repositories, then lost and migrated to multiple SVN 
repositories, then lost and migrated to the current tree.

So a RAT scan wouldn't probably yield anything actionable.

The only thing we know for sure is that all those materials were 
contributed to be put on the openoffice.org website and that we are 
continuing to keep them online. Even if there is copyleft content or 
code I believe it will be fine so long as we don't put it in a release 
(and it won't happen that some site contents go into a release without a 
thorough check).

Regards,
   Andrea.