Posted to legal-discuss@apache.org by Christopher <ct...@apache.org> on 2018/08/08 18:24:13 UTC

Maven Central terms of service

Hi Legal-Discuss,

(NOTE: This is about Maven Central terms of service. I realize that Maven
Central is serviced by Sonatype, but since it is using a trademark of the
ASF, and because it is so closely associated with the Apache Maven PMC and
software, I'm wondering if this might be something of concern to ASF Legal
Affairs.)

It has recently come to my attention that the Maven Central general terms
of service[1] and the producer terms of service[2] are not [U.S.]
"government-compatible". This is in contrast to the Apache License, which
is very friendly to government and business. This is important, because
users of Apache Maven may not realize that it is configured by default to
utilize a website which is provided under different terms than one might
expect when using an Apache licensed product. I can see parallels between
this and the ASF policy regarding incompatible project dependencies: the
expectation is that when you are using an Apache product, you generally
don't need to agree to terms and conditions any more restrictive than the
Apache License, Version 2. However, this is not the case when using Apache
Maven out-of-the-box, configured by default to use Maven Central.

I know it's not exactly the same (website terms of service are not the same
as software licenses), but I think there's a similar expectation from users
of Apache Maven as there is with dependencies in other Apache software;
that is to say, users aren't expecting to have agreed to terms beyond ALv2
in order to use Apache software.

Specifically, I'm told that the government cannot agree to the
indemnification clauses, because that would violate the Antideficiency Act.
I found a decent explanation of this here[3]. Further, I'm told that the
government cannot agree to be bound by the laws of Maryland and
jurisdiction clause or the 1-year limitation for lawsuits in the general
terms.

Question 1: What is the ASF's position regarding Maven Central's terms of
service, and its relationship to the Apache Maven's software license terms
and user expectations? Is the ASF okay with Sonatype providing Maven
Central service under these additional terms, which one might argue are
less "friendly" than the ALv2?

Question 2: Is anybody aware of Maven Central "government-compatible" terms
of service already in existence?

Thanks.

(CC'd private@ Maven as FYI so as not to spam their dev@, but this message
should not be considered private)

[1]: https://repo1.maven.org/terms.html
[2]: https://central.sonatype.org/pages/central-repository-producer-terms.html
[3]: https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship

Re: Maven Central terms of service

Posted by Christopher <ct...@apache.org>.
Yes, that JIRA issue is related (it's basically a rewording of the same
info leading to "Question 2"). However, I think the questions I've raised
have wider applicability than that one specific request.

On Wed, Aug 8, 2018 at 2:39 PM Brian Fox <br...@infinity.nu> wrote:

> Related: https://issues.sonatype.org/browse/OSSRH-35945
>
> On Wed, Aug 8, 2018 at 2:30 PM, Jim Wright <ji...@oracle.com> wrote:
> > I’m happy to forward to their General Counsel for comment once anyone weighs
> > in on the ASF position/questions here.
> >
> >  Best,
> >   Jim
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
>

Re: Maven Central terms of service

Posted by Brian Fox <br...@infinity.nu>.
This is an interesting parallel. https://openoffice.apache.org/terms.html I
can't find TOS for other Apache.org properties, but the general structure
here is very similar. Specifically 4a

> THINGS YOU SUBMIT TO THE SITE. This Site offers many opportunities for You
> to contribute Materials to the on this site. In addition to the other terms
> found here, the following terms apply to any Submissions made by You ("Your
> Submissions").
>
> a. You Take Responsibility for Your Submissions. You warrant that You have
> all rights needed to provide Your Submissions to the Host for posting to
> the Site in accordance with the Terms and to grant the licenses set forth
> in sections 4.b and 4.c. You agree that You will make all reasonable
> efforts to ensure that Your Submissions: do not infringe, misappropriate or
> violate the intellectual property rights or privacy interests of others;
> (ii) are not confidential or trade secret information, or subject to
> anyone's privacy interests; (iii) are not inaccurate, harmful, obscene,
> pornographic, defamatory, racist, or otherwise objectionable to a
> reasonable User; and (iv) do not violate any law, ordinance, or regulation
> of any country, state or locality. YOU AGREE THAT YOU, AND NOT THE HOST,
> ARE FULLY RESPONSIBLE FOR YOUR SUBMISSIONS AND THAT YOU, AND NOT THE HOST,
> ARE LIABLE FOR ANY AND ALL CLAIMS ARISING OUT OF THEM.
>

and
5f

> f. Governing Law. These Terms of Use are governed by the substantive and
> procedural laws of Delaware.



In this light, the Maven Central TOS are structurally the same challenge as
e.g. OpenOffice.

The terms to use a hosted service are by definition different from a
software license. While the ASL license is mostly do what you want... even
Apache doesn't let users do what they want with our services. We for
example ban abusers, don't take responsibility for submissions etc.

On Wed, Aug 8, 2018 at 2:39 PM, Brian Fox <br...@infinity.nu> wrote:

> Related: https://issues.sonatype.org/browse/OSSRH-35945
>
> On Wed, Aug 8, 2018 at 2:30 PM, Jim Wright <ji...@oracle.com> wrote:
> > I’m happy to forward to their General Counsel for comment once anyone weighs
> > in on the ASF position/questions here.
> >
> >  Best,
> >   Jim
> >
>

Re: Maven Central terms of service

Posted by Brian Fox <br...@infinity.nu>.
Related: https://issues.sonatype.org/browse/OSSRH-35945

On Wed, Aug 8, 2018 at 2:30 PM, Jim Wright <ji...@oracle.com> wrote:
> I’m happy to forward to their General Counsel for comment once anyone weighs
> in on the ASF position/questions here.
>
>  Best,
>   Jim
>


Re: Maven Central terms of service

Posted by Jim Wright <ji...@oracle.com>.
I’m happy to forward to their General Counsel for comment once anyone weighs in on the ASF position/questions here.

 Best,
  Jim




Re: Maven Central terms of service

Posted by Hen <ba...@apache.org>.
I've not seen this documented, but I would assume there is a strong
position that it (trademark use and default Maven repository in Apache
Maven software) is contingent on the behaviour of Maven Central.

I would expect our position is that Sonatype is providing Maven Central for
the public good, and is working diligently with its users whenever there
are issues. The more users who cannot use Maven Central, the less
attractive Maven Central is to Apache Maven.

I think some of the government's complaints are 'meh'. Jurisdiction in
Maryland - meh. Indemnity (for the items listed) - probably-meh.

Others seem valid. For example I think this is not in the public good:

"YOU AGREE THAT IF YOU WANT TO SUE US, YOU MUST FILE YOUR LAWSUIT WITHIN
ONE YEAR AFTER THE EVENT THAT GAVE RISE TO YOUR LAWSUIT. OTHERWISE, YOUR
LAWSUIT WILL BE PERMANENTLY BARRED."
That clause concerns me and I don't think any of our users would think that
is good.

Hen

On Wed, Aug 8, 2018 at 12:50 PM, Brian Fox <br...@infinity.nu> wrote:

>
>
> On Wed, Aug 8, 2018 at 3:46 PM, Christopher <ct...@apache.org> wrote:
>
>> Hi Brian,
>>
>> The problematic conditions (for example, indemnification clauses) exist
>> in both.
>>
>> My first question about ASF's position could apply to either terms,
>> because ASF may have a position on the use of their trademark in
>> association with either.
>>
>
> The association, specifically the usage of the maven.org domain has long
> been settled.
>

>
>> However, the break in user expectations for what they are agreeing to
>> primarily affects the general terms, for consuming artifacts from Maven
>> Central.
>>
>
> The ASLv2 defines what people can do with the software. (remember only
> source is a release at Apache). How it's used when running seems fairly out
> of scope, which seems to be the connection you're making here.
>

>
>>
>> My second question does not relate to any specific request for the
>> government to distribute via Maven Central (or consume from it), and
>> certainly not to any specific request for Sonatype to take on any specific
>> risks. It's just a general question about whether government-compatible
>> terms of service already exist (for both consuming and for producing), in
>> case anybody knows if such a thing exists.
>>
>
> There are no alternate TOS, no. There are plenty of organizations that
> choose to run their own repositories (Atlassian, java.net, jboss, etc)
> that presumably may have their own TOS. Certainly that's an avenue for the
> government to use to distribute artifacts.
>


>
>
>>
>> These are really two separate questions. They are only related in the
>> broad sense that the Maven Central terms I've found are slightly less
>> government "friendly" (and possibly less commercially friendly) than what
>> I've seen in the Apache license terms, and ASF might have a position on
>> that.
>>
>
> It seems like the terms are at least generally consistent with other
> existing ASF terms so that seems like a stretch to me.
>
>
>>
>>
>> On Wed, Aug 8, 2018 at 2:29 PM Brian Fox <br...@infinity.nu> wrote:
>>
>>> Hi Christopher,
>>>
>>> I think it's help clarifying that the terms you refer to that the
>>> government can't accept are related to -publishing- content to
>>> Central, not consuming from Central. Is that a correct interpretation?
>>> From what I know, the government is asking for the right to distribute
>>> things via Central and that Sonatype take on the full risk for
>>> distributing that content. I don't think the terms related to the use
>>> of Central for -publishing- is something that directly affects the
>>> default usage for -consumption-.
>>>
>>> --Brian
>

Re: Maven Central terms of service

Posted by Brian Fox <br...@infinity.nu>.
On Wed, Aug 8, 2018 at 3:46 PM, Christopher <ct...@apache.org> wrote:

> Hi Brian,
>
> The problematic conditions (for example, indemnification clauses) exist in
> both.
>
> My first question about ASF's position could apply to either terms,
> because ASF may have a position on the use of their trademark in
> association with either.
>

The association, specifically the usage of the maven.org domain has long
been settled.


> However, the break in user expectations for what they are agreeing to
> primarily affects the general terms, for consuming artifacts from Maven
> Central.
>

The ASLv2 defines what people can do with the software. (remember only
source is a release at Apache). How it's used when running seems fairly out
of scope, which seems to be the connection you're making here.


>
> My second question does not relate to any specific request for the
> government to distribute via Maven Central (or consume from it), and
> certainly not to any specific request for Sonatype to take on any specific
> risks. It's just a general question about whether government-compatible
> terms of service already exist (for both consuming and for producing), in
> case anybody knows if such a thing exists.
>

There are no alternate TOS, no. There are plenty of organizations that
choose to run their own repositories (Atlassian, java.net, jboss, etc) that
presumably may have their own TOS. Certainly that's an avenue for the
government to use to distribute artifacts.


>
> These are really two separate questions. They are only related in the
> broad sense that the Maven Central terms I've found are slightly less
> government "friendly" (and possibly less commercially friendly) than what
> I've seen in the Apache license terms, and ASF might have a position on
> that.
>

It seems like the terms are at least generally consistent with other
existing ASF terms so that seems like a stretch to me.


>
>
> On Wed, Aug 8, 2018 at 2:29 PM Brian Fox <br...@infinity.nu> wrote:
>
>> Hi Christopher,
>>
>> I think it's help clarifying that the terms you refer to that the
>> government can't accept are related to -publishing- content to
>> Central, not consuming from Central. Is that a correct interpretation?
>> From what I know, the government is asking for the right to distribute
>> things via Central and that Sonatype take on the full risk for
>> distributing that content. I don't think the terms related to the use
>> of Central for -publishing- is something that directly affects the
>> default usage for -consumption-.
>>
>> --Brian

Re: Maven Central terms of service

Posted by Christopher <ct...@apache.org>.
Hi Brian,

The problematic conditions (for example, indemnification clauses) exist in
both.

My first question about ASF's position could apply to either terms, because
ASF may have a position on the use of their trademark in association with
either. However, the break in user expectations for what they are agreeing
to primarily affects the general terms, for consuming artifacts from Maven
Central.

My second question does not relate to any specific request for the
government to distribute via Maven Central (or consume from it), and
certainly not to any specific request for Sonatype to take on any specific
risks. It's just a general question about whether government-compatible
terms of service already exist (for both consuming and for producing), in
case anybody knows if such a thing exists.

These are really two separate questions. They are only related in the broad
sense that the Maven Central terms I've found are slightly less government
"friendly" (and possibly less commercially friendly) than what I've seen in
the Apache license terms, and ASF might have a position on that.


On Wed, Aug 8, 2018 at 2:29 PM Brian Fox <br...@infinity.nu> wrote:

> Hi Christopher,
>
> I think it's helpful to clarify that the terms you refer to that the
> government can't accept are related to -publishing- content to
> Central, not consuming from Central. Is that a correct interpretation?
> From what I know, the government is asking for the right to distribute
> things via Central and that Sonatype take on the full risk for
> distributing that content. I don't think the terms related to the use
> of Central for -publishing- is something that directly affects the
> default usage for -consumption-.
>
> --Brian
>
> On Wed, Aug 8, 2018 at 2:24 PM, Christopher <ct...@apache.org> wrote:
> > Hi Legal-Discuss,
> >
> > (NOTE: This is about Maven Central terms of service. I realize that Maven
> > Central is serviced by Sonatype, but since it is using a trademark of the
> > ASF, and because it is so closely associated with the Apache Maven PMC and
> > software, I'm wondering if this might be something of concern to ASF Legal
> > Affairs.)
> >
> > It has recently come to my attention that the Maven Central general terms of
> > service[1] and the producer terms of service[2] are not [U.S.]
> > "government-compatible". This is in contrast to the Apache License, which is
> > very friendly to government and business. This is important, because users
> > of Apache Maven may not realize that it is configured by default to utilize
> > a website which is provided under different terms than one might expect when
> > using an Apache licensed product. I can see parallels between this and the
> > ASF policy regarding incompatible project dependencies: the expectation is
> > that when you are using an Apache product, you generally don't need to agree
> > to terms and conditions any more restrictive than the Apache License,
> > Version 2. However, this is not the case when using Apache Maven
> > out-of-the-box, configured by default to use Maven Central.
> >
> > I know it's not exactly the same (website terms of service are not the same
> > as software licenses), but I think there's a similar expectation from users
> > of Apache Maven as there is with dependencies in other Apache software; that
> > is to say, users aren't expecting to have agreed to terms beyond ALv2 in
> > order to use Apache software.
> >
> > Specifically, I'm told that the government cannot agree to the
> > indemnification clauses, because that would violate the Antideficiency Act.
> > I found a decent explanation of this here[3]. Further, I'm told that the
> > government cannot agree to be bound by the laws of Maryland and jurisdiction
> > clause or the 1-year limitation for lawsuits in the general terms.
> >
> > Question 1: What is the ASF's position regarding Maven Central's terms of
> > service, and its relationship to the Apache Maven's software license terms
> > and user expectations? Is the ASF okay with Sonatype providing Maven Central
> > service under these additional terms, which one might argue are less
> > "friendly" than the ALv2?
> >
> > Question 2: Is anybody aware of Maven Central "government-compatible" terms
> > of service already in existence?
> >
> > Thanks.
> >
> > (CC'd private@ Maven as FYI so as not to spam their dev@, but this message
> > should not be considered private)
> >
> > [1]: https://repo1.maven.org/terms.html
> > [2]:
> > https://central.sonatype.org/pages/central-repository-producer-terms.html
> > [3]:
> > https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship
> >
>

Re: Maven Central terms of service

Posted by Brian Fox <br...@infinity.nu>.
Hi Christopher,

I think it's helpful to clarify that the terms you refer to that the
government can't accept are related to -publishing- content to
Central, not consuming from Central. Is that a correct interpretation?
From what I know, the government is asking for the right to distribute
things via Central and that Sonatype take on the full risk for
distributing that content. I don't think the terms related to the use
of Central for -publishing- is something that directly affects the
default usage for -consumption-.

--Brian

On Wed, Aug 8, 2018 at 2:24 PM, Christopher <ct...@apache.org> wrote:
> Hi Legal-Discuss,
>
> (NOTE: This is about Maven Central terms of service. I realize that Maven
> Central is serviced by Sonatype, but since it is using a trademark of the
> ASF, and because it is so closely associated with the Apache Maven PMC and
> software, I'm wondering if this might be something of concern to ASF Legal
> Affairs.)
>
> It has recently come to my attention that the Maven Central general terms of
> service[1] and the producer terms of service[2] are not [U.S.]
> "government-compatible". This is in contrast to the Apache License, which is
> very friendly to government and business. This is important, because users
> of Apache Maven may not realize that it is configured by default to utilize
> a website which is provided under different terms than one might expect when
> using an Apache licensed product. I can see parallels between this and the
> ASF policy regarding incompatible project dependencies: the expectation is
> that when you are using an Apache product, you generally don't need to agree
> to terms and conditions any more restrictive than the Apache License,
> Version 2. However, this is not the case when using Apache Maven
> out-of-the-box, configured by default to use Maven Central.
>
> I know it's not exactly the same (website terms of service are not the same
> as software licenses), but I think there's a similar expectation from users
> of Apache Maven as there is with dependencies in other Apache software; that
> is to say, users aren't expecting to have agreed to terms beyond ALv2 in
> order to use Apache software.
>
> Specifically, I'm told that the government cannot agree to the
> indemnification clauses, because that would violate the Antideficiency Act.
> I found a decent explanation of this here[3]. Further, I'm told that the
> government cannot agree to be bound by the laws of Maryland and jurisdiction
> clause or the 1-year limitation for lawsuits in the general terms.
>
> Question 1: What is the ASF's position regarding Maven Central's terms of
> service, and its relationship to the Apache Maven's software license terms
> and user expectations? Is the ASF okay with Sonatype providing Maven Central
> service under these additional terms, which one might argue are less
> "friendly" than the ALv2?
>
> Question 2: Is anybody aware of Maven Central "government-compatible" terms
> of service already in existence?
>
> Thanks.
>
> (CC'd private@ Maven as FYI so as not to spam their dev@, but this message
> should not be considered private)
>
> [1]: https://repo1.maven.org/terms.html
> [2]:
> https://central.sonatype.org/pages/central-repository-producer-terms.html
> [3]:
> https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship
>



Re: Maven Central terms of service

Posted by Christopher <ct...@apache.org>.
On Thu, Aug 9, 2018 at 11:31 AM Hen <ba...@apache.org> wrote:

>
> I'm bemused that folk are more worried about federal/states opinions on
> jurisdiction and a de-facto standard indemnity clause than Sonatype
> declaring a 1 year window on litigation. I understand the US government may
> have created rules stopping them from operating as a normal user but that's
> something for them to fix.
>
>
I'm a little puzzled by that, too. Perhaps people just find that
interesting. As long as ASF doesn't have a problem with Maven Central's
terms and users are properly informed about the additional terms, I'm
satisfied. Once made aware of the additional terms, I don't think it's
unreasonable for them to reach out directly to Sonatype if they don't like
the existing terms, but there's nothing further for the ASF to do.


> If it's not a concern, maybe we should add that 1 year window to the
> Apache site :)
>
>
I'm not a lawyer, and don't really understand the full implications of any
particular clause in the terms. So, I'm not sure if this part is of concern
to the ASF or not...

Assuming it is of concern to the ASF, do you think an update to the README
to warn users of the additional terms of Maven Central is sufficient to
alleviate this concern as well, or do you think some action from the ASF in
addition is needed to address it?



> Hen
>
>
> On Thu, Aug 9, 2018 at 8:11 AM, Ted Dunning <te...@gmail.com> wrote:
>
>> The right thing to do is for the government to build their own version of
>> Maven central and take on any liability themselves. Or contract Sonatype to
>> do this.
>>
>> Dang near every web site in the world has a term like this.
>>
>> On Thu, Aug 9, 2018, 07:43 Wheeler, David A <dw...@ida.org> wrote:
>>
>>> Hen:
>>> > I agree on the README. Apache Maven should indicate to users that
>>> > using default Apache Maven is signing them up for terms of service that
>>> > Apache did not write (extremely likely as Maven is partly distributed from
>>> > Maven Central iirc). Assuming we're happy with said terms. The last line of
>>> > terms.html feels like an issue to me.
>>>
>>> I agree, it's *important* for the Apache Foundation to warn people about
>>> this, because the distinction will NOT be obvious to most people.  In
>>> general, people accept the default.
>>>
>>> I'm *not* a lawyer nor a US government lawyer, but I think there are
>>> good reasons to believe that the Apache License's indemnification clause is
>>> *not* a problem for the US government. For details, see my 2012 post
>>> "Antideficiency Act and the Apache License" <
>>> https://www.dwheeler.com/blog/2012/06/27/>.  Basically, the Apache
>>> license indemnification clause only triggers on an *additional* action,
>>> which the US government simply wouldn't do.
>>>
>>> HOWEVER: The Maven central indemnity clause is quite different from the
>>> Apache license; it says: <https://repo1.maven.org/terms.html>
>>> > "You agree to indemnify and hold harmless Sonatype and its affiliates,
>>> > suppliers, partners, officers, agents, and employees from and against any
>>> > claim, demand, losses, damages or expenses (including reasonable attorney's
>>> > fees) arising from your use of Central, your connection to Central, your
>>> > violation of these Terms of Service or your violation of any rights of any
>>> > third-party. Your indemnification obligation will survive the termination
>>> > of these Terms of Service and your use of Central."
>>>
>>> I think that almost certainly will *not* be acceptable to the US federal
>>> government as-is.  That obligates the US federal government to spend money
>>> in situations outside its control, and the Antideficiency act forbids
>>> "making or authorizing an expenditure from, or creating or authorizing an
>>> obligation under, any appropriation or fund in excess of the amount
>>> available in the appropriation or fund unless authorized by law." 31 U.S.C.
>>> § 1341(a)(1)(A).  Basically, only *Congress* can authorize obligations that
>>> involve spending money - the executive and judicial branch cannot
>>> "indemnify" in most cases because that creates a financial obligation.  For
>>> more: https://www.gao.gov/legal/appropriations-law-decisions/resources
>>> .  That law also permits "gratis" (no fee) contributions, but not
>>> "voluntary" contributions that commit the government to later unapproved
>>> financial compensation.  Lots more details are here if you want it:
>>> https://www.gao.gov/products/GAO-06-382SP
>>>
>>> The jurisdictional issue can be a problem too.  There may be other
>>> organizations that this affects as well.
>>>
>>> I wouldn't be surprised if Sonatype can work something out with the US
>>> federal government, but that's a different matter.  For now, a warning from
>>> Apache that there may be additional terms in such cases seems like the
>>> right thing to do.
>>>
>>> --- David A. Wheeler
>>>
>>
>

Re: Maven Central terms of service

Posted by Hen <ba...@apache.org>.
On Thu, Aug 9, 2018 at 12:42 PM, Wheeler, David A <dw...@ida.org> wrote:

> Ralph Goers [mailto:ralph.goers@dslextreme.com]
> > Given that the ASF and PMC are OK with the current arrangement your only
> > real recourse is to have a conversation with Sonatype. We cannot change
> > their terms of service.
>
> Oh, absolutely!  I just think it's wise for ASF to clarify that there
> *are* different terms, because I think this separation is *not* obvious to
> many people.
>
> I believe that's all that is being proposed.  As you noted, Sonatype is
> the only one who can change its terms of service.
>


I think there are three options wrt the ToS:

1) Do nothing.
2) Warn users of additional ToS applying.
3) Stop defaulting to the Sonatype instance of the Central Repository.

I think we should do at least #2. The Maven situation is generally
different to one of our projects linking to GitHub, CPAN, NPM etc because
it's 'magic' and the user isn't exercising a choice beforehand to use it.
For example an Ant GitHub tag would first require the user to want to use
GitHub. An instruction to 'npm install apache-foo' first needs the user to
research installing npm. Doing #2 means that we agree in principle that the
ToS being offered are in line with the public good.

We should do #3 if there is something broadly objectionable in the terms,
or in Sonatype's business process around the terms.

* If there are unusual terms that we expect are objectionable to a
significant slice of users, then that is a concern.
* If Sonatype are refusing to do 'normal' things like negotiate a separate
agreement with the US government, then that is a concern. (Where normal is
other entities in the same situation generally doing so)

In this case the two items identified would be:

# Is the 1 year change an unusual term? I don't see it in GitHub, NuGet's
or NPM's terms. I do see it in SourceForge's.

I think it's an unusual term for this area (presumably it's normal legalese
for contracts/35 page EULAs). I think this should be a concern for the ASF.

# Is Sonatype willing to do the normal thing of negotiating separate terms
with the US Government.

If they're not then I think this is also a concern.

Hen

RE: Maven Central terms of service

Posted by "Wheeler, David A" <dw...@ida.org>.
Ralph Goers [mailto:ralph.goers@dslextreme.com]
> Given that the ASF and PMC are OK with the current arrangement your only
> real recourse is to have a conversation with Sonatype. We cannot change
> their terms of service.

Oh, absolutely!  I just think it's wise for ASF to clarify that there *are* different terms, because I think this separation is *not* obvious to many people.

I believe that's all that is being proposed.  As you noted, Sonatype is the only one who can change its terms of service.

--- David A. Wheeler


Re: Maven Central terms of service

Posted by Ralph Goers <ra...@dslextreme.com>.
A little bit of history. When Maven first created the concept of the repository many moons ago, it approached the ASF about hosting it. The answer was no. That was before my association with Maven, and probably the ASF as well, but as I recall the reasons were around the effort to support it and that it would contain non-ASF artifacts. Given that, one of the originators of Maven spent his own money for a number of years to host the repo with the blessing of the PMC. When he started Sonatype he had them take it over. This resulted in the PMC negotiating with Sonatype to act as the caretaker of the repo. 

At any time the PMC could decide to host the central repo, although that would cause quite a bit of community confusion, but as things stand the PMC hasn’t seen any need to even discuss such a change.

Given that the ASF and PMC are OK with the current arrangement your only real recourse is to have a conversation with Sonatype. We cannot change their terms of service.

Ralph

> On Aug 9, 2018, at 10:24 AM, Wheeler, David A <dw...@ida.org> wrote:
> 
> Hen:
> 
>> I'm bemused that folk are more worried about federal/states opinions on jurisdiction and a de-facto standard indemnity clause than Sonatype declaring a 1 year window on litigation. I understand the US government may have created rules stopping them from operating as a normal user but that's something for them to fix. 
> 
> The US government is not going to change it, because it's not a "rule".  The antideficiency act is a US law dating from 1884, and is a key part of the US government's legal mechanism for implementing the US Constitution ("No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law").  In other words, this law enforces Congress' "power of the purse".  Exceptions are rare and heavily proscribed, because you're asking Congress to give up the power that is expressly given to it by the Constitution. The chances of this law being significantly changed in the next 100 years is basically 0%.
> 
> The US federal government is a big organization that uses a lot of software, and its choices influence others as well.  I think it's reasonable to avoid unnecessarily causing problems.
> 
>> If it's not a concern, maybe we should add that 1 year window to the Apache site :)
> 
> Well, I wouldn't say *that* :-).
> 
> --- David A. Wheeler
> 





RE: [Non-DoD Source] RE: Maven Central terms of service

Posted by "Karan, Cem F CIV USARMY RDECOM ARL (US)" <ce...@mail.mil>.
>Wheeler, David A:
>
>For more discussion about the *Apache* license and the US federal government's
>antideficiency act, see my post: "Antideficiency Act and the Apache License"
>at https://www.dwheeler.com/blog/2012/06/27/
>
>Phil Odence:
>> After much wrangling (as I
>> understand it) they got comfortable based on the indemnification only
>> applying to redistributed software; the Army had no plans to redistribute
>> whatever this was....
>> (I remember the question crossing my mind as to
>> whether firing a missile counted as distribution of the embedded software.)
>
>The issue isn't redistribution per se.  What the Army should have realized
>(and I suspect eventually did) is that the Army was not required to indemnify
>without further action, so the Apache license indemnification clause would
>never be triggered.
>
>The US government's executive branch is *quite* allergic to indemnification
>clauses.  Since they're all over the place, they cause endless headaches.
>Think of indemnification clauses as a full employment act for US government
>lawyers :-(.  There are special separate negotiated agreements with GitHub,
>SourceForge, Twitter, Facebook, Google, and so on to deal with this.  For more
>info, see:
>https://help.github.com/articles/amendment-to-github-terms-of-service-applicable-to-u-s-federal-government-users/
>https://ben.balter.com/2015/01/26/the-fine-print-nobody-reads/
>
>Karan, Cem F CIV USARMY RDECOM ARL (US):
>> So... if the source code was on the missile at the time, would that satisfy
>> the terms of the license?
>> Morbidly curious...
>
>I don't think firing a missile at someone counts as a "delivery" to them in
>the software development sense :-).
>
>--- David A. Wheeler

Are you sure?  It might just be an updated version of RFC 1149 
(https://tools.ietf.org/html/rfc1149) ;-)

Thanks,
Cem Karan


Re: Maven Central terms of service

Posted by Hen <ba...@apache.org>.
On Fri, Aug 10, 2018 at 5:48 AM, Wheeler, David A <dw...@ida.org> wrote:

> For more discussion about the *Apache* license and the US federal
> government's antideficiency act, see my post:
> "Antideficiency Act and the Apache License" at
> https://www.dwheeler.com/blog/2012/06/27/
>
> Phil Odence:
> > After much wrangling (as I
> > understand it) they got comfortable based on the indemnification only
> > applying to redistributed software; the Army had no plans to redistribute
> > whatever this was....
> > (I remember the question crossing my mind as to
> > whether firing a missile counted as distribution of the embedded software.)
>
> The issue isn't redistribution per se.  What the Army should have realized
> (and I suspect eventually did) is that the Army was not required to
> indemnify without further action, so the Apache license indemnification
> clause would never be triggered.
>
> The US government's executive branch is *quite* allergic to
> indemnification clauses.  Since they're all over the place, they cause
> endless headaches.  Think of indemnification clauses as a full employment
> act for US government lawyers :-(.  There are special separate negotiated
> agreements with GitHub, SourceForge, Twitter, Facebook, Google, and so on
> to deal with this.  For more info, see:
> https://help.github.com/articles/amendment-to-github-terms-of-service-applicable-to-u-s-federal-government-users/
> https://ben.balter.com/2015/01/26/the-fine-print-nobody-reads/
>
>
Thanks for this and your earlier blog links :)


Hen

RE: Maven Central terms of service

Posted by "Wheeler, David A" <dw...@ida.org>.
For more discussion about the *Apache* license and the US federal government's antideficiency act, see my post:
"Antideficiency Act and the Apache License" at https://www.dwheeler.com/blog/2012/06/27/

Phil Odence:
> After much wrangling (as I
> understand it) they got comfortable based on the indemnification only
> applying to redistributed software; the Army had no plans to redistribute
> whatever this was....
> (I remember the question crossing my mind as to
> whether firing a missile counted as distribution of the embedded software.)

The issue isn't redistribution per se.  What the Army should have realized (and I suspect eventually did) is that the Army was not required to indemnify without further action, so the Apache license indemnification clause would never be triggered. 

The US government's executive branch is *quite* allergic to indemnification clauses.  Since they're all over the place, they cause endless headaches.  Think of indemnification clauses as a full employment act for US government lawyers :-(.  There are special separate negotiated agreements with GitHub, SourceForge, Twitter, Facebook, Google, and so on to deal with this.  For more info, see:
https://help.github.com/articles/amendment-to-github-terms-of-service-applicable-to-u-s-federal-government-users/
https://ben.balter.com/2015/01/26/the-fine-print-nobody-reads/


Karan, Cem F CIV USARMY RDECOM ARL (US):
> So... if the source code was on the missile at the time, would that satisfy
> the terms of the license?
> Morbidly curious...

I don't think firing a missile at someone counts as a "delivery" to them in the software development sense :-). 

--- David A. Wheeler

RE: Maven Central terms of service

Posted by "Karan, Cem F CIV USARMY RDECOM ARL (US)" <ce...@mail.mil>.
So... if the source code was on the missile at the time, would that satisfy the terms of the license?

Morbidly curious,
Cem Karan

Legal disclaimer: nothing I say in this thread is approved by the US Government, nor is it a position of the US Government.  I'm acting on my own behalf when asking these questions.

________________________________________
From: Phil Odence [Phil.Odence@synopsys.com]
Sent: Thursday, August 09, 2018 2:42 PM
To: legal-discuss@apache.org
Subject: [Non-DoD Source] Re: Maven Central terms of service

Interestingly (maybe) the ADA was a discussion point on this list six years ago. An issue arose when a large defense contractor delivered a system to the Army that included some Apache 2.0 licensed code. The concern was with the indemnification language in Clause 9 of the license. The Army lawyers are goosey about any sort of indemnification as they interpret it as potentially taking on an unfunded obligation. After much wrangling (as I understand it) they got comfortable based on the indemnification only applying to redistributed software; the Army had no plans to redistribute whatever this was. (I remember the question crossing my mind as to whether firing a missile counted as distribution of the embedded software.)

Phil Odence



On 8/9/18, 1:24 PM, "Wheeler, David A" <dw...@ida.org> wrote:

    Hen:

    > I'm bemused that folk are more worried about federal/states opinions on jurisdiction and a de-facto standard indemnity clause than Sonatype declaring a 1 year window on litigation. I understand the US government may have created rules stopping them from operating as a normal user but that's something for them to fix.

    The US government is not going to change it, because it's not a "rule".  The antideficiency act is a US law dating from 1884, and is a key part of the US government's legal mechanism for implementing the US Constitution ("No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law").  In other words, this law enforces Congress' "power of the purse".  Exceptions are rare and heavily proscribed, because you're asking Congress to give up the power that is expressly given to it by the Constitution. The chances of this law being significantly changed in the next 100 years is basically 0%.

    The US federal government is a big organization that uses a lot of software, and its choices influence others as well.  I think it's reasonable to avoid unnecessarily causing problems.

    > If it's not a concern, maybe we should add that 1 year window to the Apache site :)

    Well, I wouldn't say *that* :-).

    --- David A. Wheeler




Re: Maven Central terms of service

Posted by Phil Odence <Ph...@synopsys.com>.
Interestingly (maybe) the ADA was a discussion point on this list six years ago. An issue arose when a large defense contractor delivered a system to the Army that included some Apache 2.0 licensed code. The concern was with the indemnification language in Clause 9 of the license. The Army lawyers are goosey about any sort of indemnification as they interpret it as potentially taking on an unfunded obligation. After much wrangling (as I understand it) they got comfortable based on the indemnification only applying to redistributed software; the Army had no plans to redistribute whatever this was. (I remember the question crossing my mind as to whether firing a missile counted as distribution of the embedded software.)

Phil Odence



On 8/9/18, 1:24 PM, "Wheeler, David A" <dw...@ida.org> wrote:

    Hen:
    
    > I'm bemused that folk are more worried about federal/states opinions on jurisdiction and a de-facto standard indemnity clause than Sonatype declaring a 1 year window on litigation. I understand the US government may have created rules stopping them from operating as a normal user but that's something for them to fix. 
    
    The US government is not going to change it, because it's not a "rule".  The antideficiency act is a US law dating from 1884, and is a key part of the US government's legal mechanism for implementing the US Constitution ("No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law").  In other words, this law enforces Congress' "power of the purse".  Exceptions are rare and heavily proscribed, because you're asking Congress to give up the power that is expressly given to it by the Constitution. The chances of this law being significantly changed in the next 100 years is basically 0%.
    
    The US federal government is a big organization that uses a lot of software, and its choices influence others as well.  I think it's reasonable to avoid unnecessarily causing problems.
    
    > If it's not a concern, maybe we should add that 1 year window to the Apache site :)
    
    Well, I wouldn't say *that* :-).
    
    --- David A. Wheeler
    


RE: Maven Central terms of service

Posted by "Wheeler, David A" <dw...@ida.org>.
Hen:

> I'm bemused that folk are more worried about federal/states opinions on jurisdiction and a de-facto standard indemnity clause than Sonatype declaring a 1 year window on litigation. I understand the US government may have created rules stopping them from operating as a normal user but that's something for them to fix. 

The US government is not going to change it, because it's not a "rule".  The antideficiency act is a US law dating from 1884, and is a key part of the US government's legal mechanism for implementing the US Constitution ("No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law").  In other words, this law enforces Congress' "power of the purse".  Exceptions are rare and heavily proscribed, because you're asking Congress to give up the power that is expressly given to it by the Constitution. The chances of this law being significantly changed in the next 100 years is basically 0%.

The US federal government is a big organization that uses a lot of software, and its choices influence others as well.  I think it's reasonable to avoid unnecessarily causing problems.

> If it's not a concern, maybe we should add that 1 year window to the Apache site :)

Well, I wouldn't say *that* :-).

--- David A. Wheeler

Re: Maven Central terms of service

Posted by Hen <ba...@apache.org>.
I'm bemused that folk are more worried about federal/states opinions on
jurisdiction and a de-facto standard indemnity clause than Sonatype
declaring a 1 year window on litigation. I understand the US government may
have created rules stopping them from operating as a normal user but that's
something for them to fix.

If it's not a concern, maybe we should add that 1 year window to the Apache
site :)

Hen


On Thu, Aug 9, 2018 at 8:11 AM, Ted Dunning <te...@gmail.com> wrote:

> The right thing to do is for the government to build their own version of
> Maven central and take on any liability themselves. Or contract Sonatype to
> do this.
>
> Dang near every web site in the world has a term like this.
>
> On Thu, Aug 9, 2018, 07:43 Wheeler, David A <dw...@ida.org> wrote:
>
>> Hen:
>> > I agree on the README. Apache Maven should indicate to users that using
>> > default Apache Maven is signing them up for terms of service that Apache
>> > did not write (extremely likely as Maven is partly distributed from Maven
>> > Central iirc). Assuming we're happy with said terms. The last line of
>> > terms.html feels like an issue to me.
>>
>> I agree, it's *important* for the Apache Foundation to warn people about
>> this, because the distinction will NOT be obvious to most people.  In
>> general, people accept the default.
>>
>> I'm *not* a lawyer nor a US government lawyer, but I think there are good
>> reasons to believe that the Apache License's indemnification clause is
>> *not* a problem for the US government. For details, see my 2012 post
>> "Antideficiency Act and the Apache License"
>> <https://www.dwheeler.com/blog/2012/06/27/>.  Basically, the Apache license indemnification clause
>> only triggers on an *additional* action, which the US government simply
>> wouldn't do.
>>
>> HOWEVER: The Maven central indemnity clause is quite different from the
>> Apache license; it says: <https://repo1.maven.org/terms.html>
>> > "You agree to indemnify and hold harmless Sonatype and its affiliates,
>> suppliers, partners, officers, agents, and employees from and against any
>> claim, demand, losses, damages or expenses (including reasonable attorney's
>> fees) arising from your use of Central, your connection to Central, your
>> violation of these Terms of Service or your violation of any rights of any
>> third-party. Your indemnification obligation will survive the termination
>> of these Terms of Service and your use of Central."
>>
>> I think that almost certainly will *not* be acceptable to the US federal
>> government as-is.  That obligates the US federal government to spend money
>> in situations outside its control, and the Antideficiency act forbids
>> "making or authorizing an expenditure from, or creating or authorizing an
>> obligation under, any appropriation or fund in excess of the amount
>> available in the appropriation or fund unless authorized by law." 31 U.S.C.
>> § 1341(a)(1)(A).  Basically, only *Congress* can authorize obligations that
>> involve spending money - the executive and judicial branch cannot
>> "indemnify" in most cases because that creates a financial obligation.  For
>> more: https://www.gao.gov/legal/appropriations-law-decisions/resources
>> .  That law also permits "gratis" (no fee) contributions, but not
>> "voluntary" contributions that commit the government to later unapproved
>> financial compensation.  Lots more details are here if you want it:
>> https://www.gao.gov/products/GAO-06-382SP
>>
>> The jurisdictional issue can be a problem too.  There may be other
>> organizations that this affects as well.
>>
>> I wouldn't be surprised if Sonatype can work something out with the US
>> federal government, but that's a different matter.  For now, a warning from
>> Apache that there may be additional terms in such cases seems like the
>> right thing to do.
>>
>> --- David A. Wheeler
>>
>

Re: Maven Central terms of service

Posted by Ted Dunning <te...@gmail.com>.
The right thing to do is for the government to build their own version of
Maven Central and take on any liability themselves. Or contract Sonatype to
do this.

Dang near every web site in the world has a term like this.

On Thu, Aug 9, 2018, 07:43 Wheeler, David A <dw...@ida.org> wrote:

> Hen:
> > I agree on the README. Apache Maven should indicate to users that using
> default Apache Maven is signing them up for terms of service that Apache
> did not write (extremely likely as Maven is partly distributed from Maven
> Central iirc). Assuming we're happy with said terms. The last line of
> terms.html feels like an issue to me.
>
> I agree, it's *important* for the Apache Foundation to warn people about
> this, because the distinction will NOT be obvious to most people.  In
> general, people accept the default.
>
> I'm *not* a lawyer nor a US government lawyer, but I think there are good
> reasons to believe that the Apache License's indemnification clause is
> *not* a problem for the US government. For details, see my 2012 post
> "Antideficiency Act and the Apache License" <
> https://www.dwheeler.com/blog/2012/06/27/>.  Basically, the Apache
> license indemnification clause only triggers on an *additional* action,
> which the US government simply wouldn't do.
>
> HOWEVER: The Maven central indemnity clause is quite different from the
> Apache license; it says: <https://repo1.maven.org/terms.html>
> > "You agree to indemnify and hold harmless Sonatype and its affiliates,
> suppliers, partners, officers, agents, and employees from and against any
> claim, demand, losses, damages or expenses (including reasonable attorney's
> fees) arising from your use of Central, your connection to Central, your
> violation of these Terms of Service or your violation of any rights of any
> third-party. Your indemnification obligation will survive the termination
> of these Terms of Service and your use of Central."
>
> I think that almost certainly will *not* be acceptable to the US federal
> government as-is.  That obligates the US federal government to spend money
> in situations outside its control, and the Antideficiency act forbids
> "making or authorizing an expenditure from, or creating or authorizing an
> obligation under, any appropriation or fund in excess of the amount
> available in the appropriation or fund unless authorized by law." 31 U.S.C.
> § 1341(a)(1)(A).  Basically, only *Congress* can authorize obligations that
> involve spending money - the executive and judicial branch cannot
> "indemnify" in most cases because that creates a financial obligation.  For
> more: https://www.gao.gov/legal/appropriations-law-decisions/resources .
> That law also permits "gratis" (no fee) contributions, but not "voluntary"
> contributions that commit the government to later unapproved financial
> compensation.  Lots more details are here if you want it:
> https://www.gao.gov/products/GAO-06-382SP
>
> The jurisdictional issue can be a problem too.  There may be other
> organizations that this affects as well.
>
> I wouldn't be surprised if Sonatype can work something out with the US
> federal government, but that's a different matter.  For now, a warning from
> Apache that there may be additional terms in such cases seems like the
> right thing to do.
>
> --- David A. Wheeler
>

RE: Maven Central terms of service

Posted by "Wheeler, David A" <dw...@ida.org>.
Hen:
> I agree on the README. Apache Maven should indicate to users that using default Apache Maven is signing them up for terms of service that Apache did not write (extremely likely as Maven is partly distributed from Maven Central iirc). Assuming we're happy with said terms. The last line of terms.html feels like an issue to me.

I agree, it's *important* for the Apache Foundation to warn people about this, because the distinction will NOT be obvious to most people.  In general, people accept the default.

I'm *not* a lawyer nor a US government lawyer, but I think there are good reasons to believe that the Apache License's indemnification clause is *not* a problem for the US government. For details, see my 2012 post "Antideficiency Act and the Apache License" <https://www.dwheeler.com/blog/2012/06/27/>.  Basically, the Apache license indemnification clause only triggers on an *additional* action, which the US government simply wouldn't do.

HOWEVER: The Maven central indemnity clause is quite different from the Apache license; it says: <https://repo1.maven.org/terms.html>
> "You agree to indemnify and hold harmless Sonatype and its affiliates, suppliers, partners, officers, agents, and employees from and against any claim, demand, losses, damages or expenses (including reasonable attorney's fees) arising from your use of Central, your connection to Central, your violation of these Terms of Service or your violation of any rights of any third-party. Your indemnification obligation will survive the termination of these Terms of Service and your use of Central."

I think that almost certainly will *not* be acceptable to the US federal government as-is.  That obligates the US federal government to spend money in situations outside its control, and the Antideficiency act forbids "making or authorizing an expenditure from, or creating or authorizing an obligation under, any appropriation or fund in excess of the amount available in the appropriation or fund unless authorized by law." 31 U.S.C. § 1341(a)(1)(A).  Basically, only *Congress* can authorize obligations that involve spending money - the executive and judicial branch cannot "indemnify" in most cases because that creates a financial obligation.  For more: https://www.gao.gov/legal/appropriations-law-decisions/resources .  That law also permits "gratis" (no fee) contributions, but not "voluntary" contributions that commit the government to later unapproved financial compensation.  Lots more details are here if you want it: https://www.gao.gov/products/GAO-06-382SP

The jurisdictional issue can be a problem too.  There may be other organizations that this affects as well.

I wouldn't be surprised if Sonatype can work something out with the US federal government, but that's a different matter.  For now, a warning from Apache that there may be additional terms in such cases seems like the right thing to do.

--- David A. Wheeler

Re: Maven Central terms of service

Posted by Hen <ba...@apache.org>.
With regards to LEGAL-333,  that seems to mostly be focused on the 2015
https://central.sonatype.org/pages/central-repository-producer-terms.html
and not the 2017 https://repo1.maven.org/terms.html it links to (bar
Ralph's penultimate link).

I agree on the README. Apache Maven should indicate to users that using
default Apache Maven is signing them up for terms of service that Apache
did not write (extremely likely as Maven is partly distributed from Maven
Central iirc). Assuming we're happy with said terms. The last line of
terms.html feels like an issue to me.

Hen

On Wed, Aug 8, 2018 at 10:02 PM, Christopher <ct...@apache.org> wrote:

> Thanks for that! I hadn't seen that before, and you're right about the
> overlap! That's very close to my concern, which is less about
> "compatibility" (a resolved question) and more about users being
> unintentionally bound to additional terms which may significantly differ
> from Apache Maven's own terms.
>
> Previously, I was focused on the "additional terms" part of that and
> thinking Central's terms should probably be altered to be more similar to
> Apache Maven's terms (if Sonatype was willing to do so). However, taking
> some inspiration from https://www.apache.org/legal/resolved.html#category-b ,
> I now realize the important part is the
> "unintentionally" part: Apache Maven can mitigate the "unintentional"
> binding of users to additional terms of Maven Central with some info in
> their README (if they are willing) to highlight the additional terms for
> the default config, similar to what is described for Category B.
>
> The main difference I can see between this scenario and that of Category B
> is that in the Cat-B scenario, users must take explicit action to create a
> derivative work which binds them to additional terms, whereas using Apache
> Maven, users are bound to Maven Central's terms *unless* they take action
> to change the default. Either way, the *least* that could be done to
> address this is update the README so users are made aware of the additional
> terms for using Central.
>
>
>
> On Wed, Aug 8, 2018 at 10:46 PM Ralph Goers <ra...@dslextreme.com>
> wrote:
>
>> FWIW, I think this discussion has a lot of overlap with
>> https://issues.apache.org/jira/browse/LEGAL-333
>>
>> Ralph
>>
>>
>> On Aug 8, 2018, at 12:41 PM, Ralph Goers <ra...@dslextreme.com>
>> wrote:
>>
>> With regards to the ASF being OK with the agreement with Sonatype, I
>> could swear this has been asked and answered before. Although it may not
>> have been specifically targeted at a question raised by the U.S. government
>> I specifically recall discussing this same issue previously. Do we really
>> need to rehash it again?
>>
>> Ralph
>>
>> On Aug 8, 2018, at 11:24 AM, Christopher <ct...@apache.org> wrote:
>>
>> Hi Legal-Discuss,
>>
>> (NOTE: This is about Maven Central terms of service. I realize that Maven
>> Central is serviced by Sonatype, but since it is using a trademark of the
>> ASF, and because it is so closely associated with the Apache Maven PMC and
>> software, I'm wondering if this might be something of concern to ASF Legal
>> Affairs.)
>>
>> It has recently come to my attention that the Maven Central general terms
>> of service[1] and the producer terms of service[2] are not [U.S.]
>> "government-compatible". This is in contrast to the Apache License, which
>> is very friendly to government and business. This is important, because
>> users of Apache Maven may not realize that it is configured by default to
>> utilize a website which is provided under different terms than one might
>> expect when using an Apache licensed product. I can see parallels between
>> this and the ASF policy regarding incompatible project dependencies: the
>> expectation is that when you are using an Apache product, you generally
>> don't need to agree to terms and conditions any more restrictive than the
>> Apache License, Version 2. However, this is not the case when using Apache
>> Maven out-of-the-box, configured by default to use Maven Central.
>>
>> I know it's not exactly the same (website terms of service are not the
>> same as software licenses), but I think there's a similar expectation from
>> users of Apache Maven as there is with dependencies in other Apache
>> software; that is to say, users aren't expecting to have agreed to terms
>> beyond ALv2 in order to use Apache software.
>>
>> Specifically, I'm told that the government cannot agree to the
>> indemnification clauses, because that would violate the Antideficiency Act.
>> I found a decent explanation of this here[3]. Further, I'm told that the
>> government cannot agree to be bound by the laws of Maryland and
>> jurisdiction clause or the 1-year limitation for lawsuits in the general
>> terms.
>>
>> Question 1: What is the ASF's position regarding Maven Central's terms of
>> service, and its relationship to the Apache Maven's software license terms
>> and user expectations? Is the ASF okay with Sonatype providing Maven
>> Central service under these additional terms, which one might argue are
>> less "friendly" than the ALv2?
>>
>> Question 2: Is anybody aware of Maven Central "government-compatible"
>> terms of service already in existence?
>>
>> Thanks.
>>
>> (CC'd private@ Maven as FYI so as not to spam their dev@, but this
>> message should not be considered private)
>>
>> [1]: https://repo1.maven.org/terms.html
>> [2]: https://central.sonatype.org/pages/central-repository-producer-terms.html
>> [3]: https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship
>>
>>
>>
>>

Re: Maven Central terms of service

Posted by Christopher <ct...@apache.org>.
Thanks for that! I hadn't seen that before, and you're right about the
overlap! That's very close to my concern, which is less about
"compatibility" (a resolved question) and more about users being
unintentionally bound to additional terms which may significantly differ
from Apache Maven's own terms.

Previously, I was focused on the "additional terms" part of that and
thinking Central's terms should probably be altered to be more similar to
Apache Maven's terms (if Sonatype was willing to do so). However, taking
some inspiration from https://www.apache.org/legal/resolved.html#category-b ,
I now realize the important part is the "unintentionally" part: Apache
Maven can mitigate the "unintentional" binding of users to additional terms
of Maven Central with some info in their README (if they are willing) to
highlight the additional terms for the default config, similar to what is
described for Category B.

The main difference I can see between this scenario and that of Category B
is that in the Cat-B scenario, users must take explicit action to create a
derivative work which binds them to additional terms, whereas using Apache
Maven, users are bound to Maven Central's terms *unless* they take action
to change the default. Either way, the *least* that could be done to
address this is update the README so users are made aware of the additional
terms for using Central.


On Wed, Aug 8, 2018 at 10:46 PM Ralph Goers <ra...@dslextreme.com>
wrote:

> FWIW, I think this discussion has a lot of overlap with
> https://issues.apache.org/jira/browse/LEGAL-333
>
> Ralph
>
>
> On Aug 8, 2018, at 12:41 PM, Ralph Goers <ra...@dslextreme.com>
> wrote:
>
> With regards to the ASF being OK with the agreement with Sonatype, I could
> swear this has been asked and answered before. Although it may not have
> been specifically targeted at a question raised by the U.S. government I
> specifically recall discussing this same issue previously. Do we really
> need to rehash it again?
>
> Ralph
>
> On Aug 8, 2018, at 11:24 AM, Christopher <ct...@apache.org> wrote:
>
> Hi Legal-Discuss,
>
> (NOTE: This is about Maven Central terms of service. I realize that Maven
> Central is serviced by Sonatype, but since it is using a trademark of the
> ASF, and because it is so closely associated with the Apache Maven PMC and
> software, I'm wondering if this might be something of concern to ASF Legal
> Affairs.)
>
> It has recently come to my attention that the Maven Central general terms
> of service[1] and the producer terms of service[2] are not [U.S.]
> "government-compatible". This is in contrast to the Apache License, which
> is very friendly to government and business. This is important, because
> users of Apache Maven may not realize that it is configured by default to
> utilize a website which is provided under different terms than one might
> expect when using an Apache licensed product. I can see parallels between
> this and the ASF policy regarding incompatible project dependencies: the
> expectation is that when you are using an Apache product, you generally
> don't need to agree to terms and conditions any more restrictive than the
> Apache License, Version 2. However, this is not the case when using Apache
> Maven out-of-the-box, configured by default to use Maven Central.
>
> I know it's not exactly the same (website terms of service are not the
> same as software licenses), but I think there's a similar expectation from
> users of Apache Maven as there is with dependencies in other Apache
> software; that is to say, users aren't expecting to have agreed to terms
> beyond ALv2 in order to use Apache software.
>
> Specifically, I'm told that the government cannot agree to the
> indemnification clauses, because that would violate the Antideficiency Act.
> I found a decent explanation of this here[3]. Further, I'm told that the
> government cannot agree to be bound by the laws of Maryland and
> jurisdiction clause or the 1-year limitation for lawsuits in the general
> terms.
>
> Question 1: What is the ASF's position regarding Maven Central's terms of
> service, and its relationship to the Apache Maven's software license terms
> and user expectations? Is the ASF okay with Sonatype providing Maven
> Central service under these additional terms, which one might argue are
> less "friendly" than the ALv2?
>
> Question 2: Is anybody aware of Maven Central "government-compatible"
> terms of service already in existence?
>
> Thanks.
>
> (CC'd private@ Maven as FYI so as not to spam their dev@, but this
> message should not be considered private)
>
> [1]: https://repo1.maven.org/terms.html
> [2]:
> https://central.sonatype.org/pages/central-repository-producer-terms.html
> [3]:
> https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship
>
>
>
>

Re: Maven Central terms of service

Posted by Ralph Goers <ra...@dslextreme.com>.
FWIW, I think this discussion has a lot of overlap with https://issues.apache.org/jira/browse/LEGAL-333

Ralph

> On Aug 8, 2018, at 12:41 PM, Ralph Goers <ra...@dslextreme.com> wrote:
> 
> With regards to the ASF being OK with the agreement with Sonatype, I could swear this has been asked and answered before. Although it may not have been specifically targeted at a question raised by the U.S. government I specifically recall discussing this same issue previously. Do we really need to rehash it again?
> 
> Ralph
> 
>> On Aug 8, 2018, at 11:24 AM, Christopher <ctubbsii@apache.org> wrote:
>> 
>> Hi Legal-Discuss,
>> 
>> (NOTE: This is about Maven Central terms of service. I realize that Maven Central is serviced by Sonatype, but since it is using a trademark of the ASF, and because it is so closely associated with the Apache Maven PMC and software, I'm wondering if this might be something of concern to ASF Legal Affairs.)
>> 
>> It has recently come to my attention that the Maven Central general terms of service[1] and the producer terms of service[2] are not [U.S.] "government-compatible". This is in contrast to the Apache License, which is very friendly to government and business. This is important, because users of Apache Maven may not realize that it is configured by default to utilize a website which is provided under different terms than one might expect when using an Apache licensed product. I can see parallels between this and the ASF policy regarding incompatible project dependencies: the expectation is that when you are using an Apache product, you generally don't need to agree to terms and conditions any more restrictive than the Apache License, Version 2. However, this is not the case when using Apache Maven out-of-the-box, configured by default to use Maven Central.
>> 
>> I know it's not exactly the same (website terms of service are not the same as software licenses), but I think there's a similar expectation from users of Apache Maven as there is with dependencies in other Apache software; that is to say, users aren't expecting to have agreed to terms beyond ALv2 in order to use Apache software.
>> 
>> Specifically, I'm told that the government cannot agree to the indemnification clauses, because that would violate the Antideficiency Act. I found a decent explanation of this here[3]. Further, I'm told that the government cannot agree to be bound by the laws of Maryland and jurisdiction clause or the 1-year limitation for lawsuits in the general terms.
>> 
>> Question 1: What is the ASF's position regarding Maven Central's terms of service, and its relationship to the Apache Maven's software license terms and user expectations? Is the ASF okay with Sonatype providing Maven Central service under these additional terms, which one might argue are less "friendly" than the ALv2?
>> 
>> Question 2: Is anybody aware of Maven Central "government-compatible" terms of service already in existence?
>> 
>> Thanks.
>> 
>> (CC'd private@ Maven as FYI so as not to spam their dev@, but this message should not be considered private)
>> 
>> [1]: https://repo1.maven.org/terms.html
>> [2]: https://central.sonatype.org/pages/central-repository-producer-terms.html
>> [3]: https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship
>> 
> 


Re: Maven Central terms of service

Posted by Ralph Goers <ra...@dslextreme.com>.
With regards to the ASF being OK with the agreement with Sonatype, I could swear this has been asked and answered before. Although it may not have been specifically targeted at a question raised by the U.S. government I specifically recall discussing this same issue previously. Do we really need to rehash it again?

Ralph

> On Aug 8, 2018, at 11:24 AM, Christopher <ct...@apache.org> wrote:
> 
> Hi Legal-Discuss,
> 
> (NOTE: This is about Maven Central terms of service. I realize that Maven Central is serviced by Sonatype, but since it is using a trademark of the ASF, and because it is so closely associated with the Apache Maven PMC and software, I'm wondering if this might be something of concern to ASF Legal Affairs.)
> 
> It has recently come to my attention that the Maven Central general terms of service[1] and the producer terms of service[2] are not [U.S.] "government-compatible". This is in contrast to the Apache License, which is very friendly to government and business. This is important, because users of Apache Maven may not realize that it is configured by default to utilize a website which is provided under different terms than one might expect when using an Apache licensed product. I can see parallels between this and the ASF policy regarding incompatible project dependencies: the expectation is that when you are using an Apache product, you generally don't need to agree to terms and conditions any more restrictive than the Apache License, Version 2. However, this is not the case when using Apache Maven out-of-the-box, configured by default to use Maven Central.
> 
> I know it's not exactly the same (website terms of service are not the same as software licenses), but I think there's a similar expectation from users of Apache Maven as there is with dependencies in other Apache software; that is to say, users aren't expecting to have agreed to terms beyond ALv2 in order to use Apache software.
> 
> Specifically, I'm told that the government cannot agree to the indemnification clauses, because that would violate the Antideficiency Act. I found a decent explanation of this here[3]. Further, I'm told that the government cannot agree to be bound by the laws of Maryland and jurisdiction clause or the 1-year limitation for lawsuits in the general terms.
> 
> Question 1: What is the ASF's position regarding Maven Central's terms of service, and its relationship to the Apache Maven's software license terms and user expectations? Is the ASF okay with Sonatype providing Maven Central service under these additional terms, which one might argue are less "friendly" than the ALv2?
> 
> Question 2: Is anybody aware of Maven Central "government-compatible" terms of service already in existence?
> 
> Thanks.
> 
> (CC'd private@ Maven as FYI so as not to spam their dev@, but this message should not be considered private)
> 
> [1]: https://repo1.maven.org/terms.html
> [2]: https://central.sonatype.org/pages/central-repository-producer-terms.html
> [3]: https://scholarship.shu.edu/cgi/viewcontent.cgi?httpsredir=1&article=1279&context=student_scholarship
>