You are viewing a plain text version of this content. The canonical link for it is here.
Posted to legal-discuss@apache.org by Davanum Srinivas <da...@gmail.com> on 2005/06/24 03:58:33 UTC
Fwd: IBM's license for WS-Security
Jeff,
Here's the feedback on the IBM License (Sorry the U.S. Export clause
was only in the MSFT license and i wrongly copied it in the email i
sent to you).
thanks,
dims
===============================================================
Some brief comments on the IBM license for WS-Security:
1. The license would allow ASF to make, sell etc. only Licensed Products
that are compliant with "all relevant portions of the Specification." What
are relevant portions? Is ASF willing to guarantee full compliance? (Section
1.1 and 6.2.)
2. The license is nontransferrable. Under this license, ASF can't allow
third parties to make Licensed Products, which is contrary to ASF's license.
While the license purports to be sublicenseable, that sublicense extends
only to "Subsidiaries," which is irrelevant to ASF's model or open source in
general. (Section 1.3.)
3. ASF can't experiment with this patented technology unless it in fact
afterwards executes this agreement. Prior infringment isn't excused
otherwise. So be careful until you decide to execute the agreement. (Section
1.4)
4. The patent termination provision (section 2.2) is very broad and applies
to any claim for patent infringement. Such provisions have been denounced by
several companies, and ASF changed its Apache 2.0 license in response to
such criticism. Now IBM is resurrecting it here.
5. For some reason, IBM has the right to publicise the agreement but the
other party doesn't. (Section 5.2.). This lack of balance of rights in IBM's
licenses always troubles me. Furthermore, why that restriction?
6. The license requires formal execution. (Section 5.6.) That kind of
licensing friction doesn't work for open source downstream licensees who
intend to make, use, sell, etc., Licensed Products or derivative works.
7. This license doesn't include a copyright license to "implementation
examples." So be careful not to copy those examples when implementing the
Specification. (Section 6.1, final sentence.)
===============================================================
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Davanum Srinivas <da...@gmail.com> wrote on 06/27/2005 11:56:30 AM:
> Thanks Jeff. I do understand the "there isn't much interest in
> redrafting the details of a patent license that was published 3 years
> ago when there would be no practical effect to making changes.". BUT
> the problem is a few ASF members (including a Board member) have told
> us that we can't push out a release for WSS4J (OR) get code from
> Verisign for TSIK incubation if we don't get licenses from MSFT/IBM.
> So i have no idea what to do....Please advise.
Once I get back from vacation (7/12) I'd be happy to have a call or an irc
chat with interested members if that would help.
>
> Let's look at it from another angle, do *you* think there are any
> problems with Apache signing the IBM License for WS-Security as-is?
*I* don't see any problem with Apache signing the license. It might want
to wait until we identify a patent though.
>
> thanks,
> dims
>
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
Re: IBM's license for WS-Security - Take #2
Posted by Davanum Srinivas <da...@gmail.com>.
Thanks Jeff. I do understand the "there isn't much interest in
redrafting the details of a patent license that was published 3 years
ago when there would be no practical effect to making changes.". BUT
the problem is a few ASF members (including a Board member) have told
us that we can't push out a release for WSS4J (OR) get code from
Verisign for TSIK incubation if we don't get licenses from MSFT/IBM.
So i have no idea what to do....Please advise.
Let's look at it from another angle, do *you* think there are any
problems with Apache signing the IBM License for WS-Security as-is?
thanks,
dims
On 6/27/05, Jeffrey Thompson <jt...@us.ibm.com> wrote:
>
> Davanum Srinivas <da...@gmail.com> wrote on 06/26/2005 08:28:08 AM:
>
> > Jeff,
> >
> > Did you miss replying to this email? (or did i lose it in my spam
> bucket?)
> >
> > thanks,
> > dims
>
> Dims
> You didn't miss the reply. I didn't reply as we were already exploring
> the basic issues on the other thread.
>
> For completeness, I'll include comments below, however, as you might be
> able to imagine, there isn't much interest in redrafting the details of a
> patent license that was published 3 years ago when there would be no
> practical effect to making changes. Purely theoretical discussions are
> interesting, but when people's plates are already full, asking them to redo
> an agreement without a real reason isn't likely to be received well.
>
> >
> > On 6/23/05, Davanum Srinivas <da...@gmail.com> wrote:
> > > Jeff,
> > >
> > > Here's the feedback on the IBM License (Sorry the U.S. Export clause
> > > was only in the MSFT license and i wrongly copied it in the email i
> > > sent to you).
> > >
> > > thanks,
> > > dims
> > >
> > >
> ===============================================================
> > > Some brief comments on the IBM license for WS-Security:
> > >
> > > 1. The license would allow ASF to make, sell etc. only Licensed
> Products
> > > that are compliant with "all relevant portions of the Specification."
> What
> > > are relevant portions? Is ASF willing to guarantee full compliance?
> (Section
> > > 1.1 and 6.2.)
>
> Yes, the code needs to be compliant with the Spec otherwise its not a
> licensed implementation of the spec.
>
> > >
> > > 2. The license is nontransferrable. Under this license, ASF can't allow
> > > third parties to make Licensed Products, which is contrary to ASF's
> license.
> > > While the license purports to be sublicenseable, that sublicense
> extends
> > > only to "Subsidiaries," which is irrelevant to ASF's model or
> opensource in
> > > general. (Section 1.3.)
>
> ASF can't transfer the license or sublicense it to customers. See our other
> discussion as to why that doesn't prevent Apache from creating and
> distributing implementations and why Apache's licensees are already covered
> for their use.
>
> > >
> > > 3. ASF can't experiment with this patented technology unless it in fact
> > > afterwards executes this agreement. Prior infringment isn't excused
> > > otherwise. So be careful until you decide to execute the agreement.
> (Section
> > > 1.4)
>
> If we had identified specific patents, I guess this could be an issue, but
> I'm not sure that it would have any practical effect. If a patent holder
> sues someone for past patent infringement when there is a patent license
> available, the court is fairly limited on what it can award as damages. The
> royalty rate on the license (potentially trebled) is for all practical
> purposes the cap. Since the license being offered is for $0, there would be
> no damages available to the patent holder for the past infringment. So
> there is no reason for the patent holder to pursue anyone for past
> infringment. In any event, its a valid observation about the license, which
> I don't think will have a practical impact on Apache, but I'll pass it on
> for the next time.
>
> > >
> > > 4. The patent termination provision (section 2.2) is very broad and
> applies
> > > to any claim for patent infringement. Such provisions have been
> denounced by
> > > several companies, and ASF changed its Apache 2.0 license in response
> to
> > > such criticism. Now IBM is resurrecting it here.
>
> IBM wants to discourage patent litigation. I understand that different
> people have different opinions on how to best do that, but there is no
> requirement that Apache and IBM take exactly the same approach. Remember,
> this patent license is orthogonal to the Apache license.
>
> > >
> > > 5. For some reason, IBM has the right to publicise the agreement but
> the
> > > other party doesn't. (Section 5.2.). This lack of balance of rights in
> IBM's
> > > licenses always troubles me. Furthermore, why that restriction?
>
> Interesting observation. I don't know the reason behind that, but I'll pass
> the issue on for the next time.
>
> > >
> > > 6. The license requires formal execution. (Section 5.6.) That kind of
> > > licensing friction doesn't work for open source downstream licensees
> who
> > > intend to make, use, sell, etc., Licensed Products or derivative works.
>
> We've discussed this one. Apache's licensees don't need to execute a
> license for their use of Apache's implementation. Actual signatures by the
> few companies that are creating implementations isn't the lowest friction
> approach, but it isn't onerous either. And as I mentioned before, covenants
> not to assert are being considered for future standards.
>
> > >
> > > 7. This license doesn't include a copyright license to "implementation
> > > examples." So be careful not to copy those examples when implementing
> the
> > > Specification. (Section 6.1, final sentence.)
>
> To pick a nit, the patent license doesn't include a copyright license at
> all, let alone a copyright license to the examples. The purpose of that
> sentence is to make it clear that the specification really means the
> normative sections of the document, not examples, and not other stuff that
> doesn't describe what has to be done to comply with the spec.
> Theoretically, a example could include lots of stuff that isn't WS-Security
> and we want no confusion as to what is being licensed.
>
> However, I don't disagree with your conclusion. From a lawyer's
> perspective, its better not to copy example code. Read it. Understand it.
> Write your own code.
>
> > >
> ===============================================================
>
> Jeff
>
> Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
> (notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
> (web) http://www.beff.net/
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 10:27 AM 6/27/2005, Jeffrey Thompson wrote:
>However, I don't disagree with your conclusion. From a lawyer's perspective, its better not to copy example code. Read it. Understand it. Write your own code.
<nods>
Anyone coming from the Microsoft world understands this; read the
licenses to the various MS dev products, and you get the sense that
they believe their example snippets have more value than their
Office Suite product.
This holds equally true for fragments you might google, not knowing
their true propriety or ownership. Read, learn; then implement
on your own.
If we were shipping a 'language' product where we wished to ship
examples, this would be a barrier (not insurmountable). For those
libraries and tools we simply bind to, it's a non-issue.
Bill
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Niclas Hedhman <ni...@apache.org>.
On Monday 04 July 2005 20:09, Simon Kitching wrote:
> I think you've misunderstood Robert's statement.
Who misunderstood who is irrelevant. I thought it was clear that I was talking
of "the" patent(s), and Robert took it as "any" patent. However, Jeffrey's
post is saying something else.
Maybe I am totally off here, but to me it seems he is saying;
If you do derivative work, you need to execute an agreement with IBM.
That I don't find acceptable, and I hope many in ASF feel the same way ;o)
> Nevertheless, such code published by Apache under the APL is free. What
> is not free is the ability for derivative projects to use a certain
> brand-name, but I don't think that's ever been part of the open-source
> movement.
Well... "brand name" is somewhat loose. For instance, one could argue that
CSS, HTML and so on are also brand names that one would like to be able to
'stamp on' one's product. How about "Our editor allows you to edit popular
bracket marked up text..." instead of "XML Editor". If "brand name" was not
part of the OSS movement, there would not have been licensing restrictions of
the use of Apache names in derivative works for instance.
So, whether "brand name" is part of OSS movement or not is probably highly
debatable.
I do agree with you that Sun has "their ways" and that it is a matter of "play
with their rules, or no play".
And it is my opinion that this practice slowly erodes our "principles" of
freedom. (Maybe I am just becoming a Stallman lakey at older age ;o) )
Cheers
Niclas
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Simon Kitching <sk...@apache.org>.
On Mon, 2005-07-04 at 19:06 +0800, Niclas Hedhman wrote:
> On Monday 04 July 2005 17:49, Ben Laurie wrote:
> > > FWIW, I think Apache is starting to selling out its principles to get
> > > hold of IP rights.
> >
> > What principles are being sold out?
>
> The freedom aspect for the downstream folks. I agree that it often seems like
> reasonable terms from donators at each indivdual case, but if aggregated we
> will end up in a scenario where; "Project A is available under terms
> described at X, Project B is similar but..., and Project C is for use only.",
> and I hope this won't happen.
I think you've misunderstood Robert's statement.
Robert's original statement was simply pointing out that Apache can't
promise that any project deriving code from an ASF project is
patent-safe, because that project could *add* extra code that violates
patents.
It wasn't saying that it is acceptable for the ASF to promote projects
which use patents that are not freely available to downstream users.
Section 3 of the APL 2.0 license clearly rules this out; it just isn't
allowed (IANAL).
>
> > > The recent use of NDAs between ASF and corporate entities seems to
> > > indicate that as well.
> > What NDAs?
>
> Perhaps I have misunderstood something, but I got the impression that the J2EE
> TCK from Sun is provided under an NDA, and I get the impression that similar
> "talks" keep popping up more frequently lately (possibly as a result of
> increased the rate of project creations at ASF), like in this thread (below);
>
> <quote source="Jeffrey Thompson" date="26 June 2005" >
> Apache's licensees don't need to execute a license for their use of Apache's
> implementation. Actual signatures by the few companies that are creating
> implementations isn't the lowest friction approach, but it isn't onerous
> either.
> </quote>
>
> I personally think that IBM (in this case) is not totally aware, or consider
> the scenario, that many of us don't "use" the "output" (binaries) of ASF
> projects, but "tweak" them to specific needs, and that is why we love
> OpenSource, esp the Apache-style, so much. Whether that "tweak" is a single
> line or a 5 man-year implementation of something else, is fairly academic.
Under this approach anyone who modifies Apache code that passes the Sun
TCK would certainly lose the ability to claim that it complies with the
Sun TCK.
And they can't demonstrate compliance because the Sun TCK is only
available under restricted conditions.
That's mildly unfortunate. I would certainly like to see the TCK freely
available, and a certification brand available to anyone who can show
their code passes the TCK.
Nevertheless, such code published by Apache under the APL is free. What
is not free is the ability for derivative projects to use a certain
brand-name, but I don't think that's ever been part of the open-source
movement.
Regards,
Simon
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Niclas Hedhman <ni...@apache.org>.
On Monday 04 July 2005 17:49, Ben Laurie wrote:
> > FWIW, I think Apache is starting to selling out its principles to get
> > hold of IP rights.
>
> What principles are being sold out?
The freedom aspect for the downstream folks. I agree that it often seems like
reasonable terms from donators at each indivdual case, but if aggregated we
will end up in a scenario where; "Project A is available under terms
described at X, Project B is similar but..., and Project C is for use only.",
and I hope this won't happen.
> > The recent use of NDAs between ASF and corporate entities seems to
> > indicate that as well.
> What NDAs?
Perhaps I have misunderstood something, but I got the impression that the J2EE
TCK from Sun is provided under an NDA, and I get the impression that similar
"talks" keep popping up more frequently lately (possibly as a result of
increased the rate of project creations at ASF), like in this thread (below);
<quote source="Jeffrey Thompson" date="26 June 2005" >
Apache's licensees don't need to execute a license for their use of Apache's
implementation. Actual signatures by the few companies that are creating
implementations isn't the lowest friction approach, but it isn't onerous
either.
</quote>
I personally think that IBM (in this case) is not totally aware, or consider
the scenario, that many of us don't "use" the "output" (binaries) of ASF
projects, but "tweak" them to specific needs, and that is why we love
OpenSource, esp the Apache-style, so much. Whether that "tweak" is a single
line or a 5 man-year implementation of something else, is fairly academic.
Cheers
Niclas
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Ben Laurie <be...@algroup.co.uk>.
Niclas Hedhman wrote:
> On Monday 04 July 2005 00:26, robert burrell donkin wrote:
>
>>i cannot see how the ASF could possibly offer a patent guarantee for
>>derivative works. there is no limit on the patents which a derivative
>>work may infringe. the best that could be offered is a promise that all
>>derivative works would be entitled to use any patents owned by
>>contributors that necessarily infringe the original library.
>
>
> Ok, sorry. I was of course referring to the same patent(s) being infringed in
> the Apache code and the derivative work.
>
> If I understand Jeffrey and you correctly, you think it is Ok that if I take
> WS-Security and for instance add a new management interface, that they
> derived product is "fair game" for patent litigation?
> Perhaps I understand you guys wrongly, but I have read Jeffrey's posts over
> and over again, and that is what I see, both in respect to the patent issues
> as well as the 'compliance issue'.
>
> FWIW, I think Apache is starting to selling out its principles to get hold of
> IP rights.
What principles are being sold out?
> The recent use of NDAs between ASF and corporate entities seems to
> indicate that as well.
What NDAs?
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Niclas Hedhman <ni...@apache.org>.
On Monday 04 July 2005 00:26, robert burrell donkin wrote:
> i cannot see how the ASF could possibly offer a patent guarantee for
> derivative works. there is no limit on the patents which a derivative
> work may infringe. the best that could be offered is a promise that all
> derivative works would be entitled to use any patents owned by
> contributors that necessarily infringe the original library.
Ok, sorry. I was of course referring to the same patent(s) being infringed in
the Apache code and the derivative work.
If I understand Jeffrey and you correctly, you think it is Ok that if I take
WS-Security and for instance add a new management interface, that they
derived product is "fair game" for patent litigation?
Perhaps I understand you guys wrongly, but I have read Jeffrey's posts over
and over again, and that is what I see, both in respect to the patent issues
as well as the 'compliance issue'.
FWIW, I think Apache is starting to selling out its principles to get hold of
IP rights. The recent use of NDAs between ASF and corporate entities seems to
indicate that as well.
But OTOH, may I don't get it.
Cheers
Niclas
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Davanum Srinivas <da...@gmail.com>.
Jeff,
As you said, patents are not going away in a few weeks and we have to
learn to co-exist. That does not mean we should willingly infringe. we
need to do the best efforts to talk to parties responsible. For
example, we needed "coverage" for doing an implementation of J2EE in
Geronimo and we talked to SUN and got it squared away. Am sure Geir is
haggling right now for Harmony with the JCP/SUN gods. We are doing the
same here with WS-Security. We are talking to vendors who specifically
offered licenses and are telling them that we can't/won't sign it
as-is. IBM/MSFT licenses are public (though Verisign is not). But all
3 of them have specifically told OASIS that they *MAY* have patents.
We can't ignore that. I've checked MSFT legal page for licenses and i
don't see them listing any others that at least ws pmc uses. I had to
beg Tony Nadalin for the pointer to the IBM page as it was not
google-able. I had to ask Hemma at Verisign for a copy of the license.
If we can't negotiate with folks and reach a reasonable solution, i'd
rather not implement WS-Security. No, i definitely don't want a
"blanket ok" from apache board for implementing anything has potential
known problems.
-- dims
> At the end of the day, Apache needs to be able to create useful software.
> Going thru this angst for each individual project isn't helping.
>
> And, btw, if WS-Security is a problem, all of the WS* specs will have the
> same problem and so will the XML related projects and Java and .Net ones.
> If Apache is planning on cancelling all of these other projects, I'd like to
> know.
>
>
> Jeff
>
> Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
> (notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
> (web) http://www.beff.net/
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Simon Kitching <sk...@apache.org> wrote on 07/06/2005 04:56:26 AM:
> [NB: I haven't read the conditions of the IBM patent, but I assume that
> if it is necessary to apply for it then IBM have some kind of right to
> refuse to grant it under certain conditions]
Nope. IBM has made a public commitment to make all necessary patent
claims available RF for WS-Security with the knowledge that people will
rely on it. If someone wants a license and is willing to agree to the
nominal conditions in the IBM patent license (basically, don't sue us),
then it's merely an administrative function to execute the license. No
discretion is involved.
>
> So the issue hinges on the definition of what is a "NEW" work?
Right, and that's not an IBM-only issue. Every patent license that
permits someone to "make" products that use a patented invention is
limited in this way. There has been a long line of patent cases on what
it means to make a work and when is something made "by" or "for" the
licensee, versus "by" or "for" a third party, etc. IBM is a licensee as
well as a licensor so we face this issue as well.
>
> And it is your opinion that anything other than "a few bugfixes"
> qualifies as a NEW work?
As I said before, everything in the middle is fact specific and the Apache
customer would be wise to get competent legal advice from its lawyers on
that point. However, it seems VERY clear to me that Apache users that
aren't making substantive modifications are still using Apache's licensed
software. I know that some people have expressed worry about this point,
but it seems to be just that, worry.
>
> Code that is not derived from the original work is obviously not covered
> by the original patent grant, even when combined with code that *is*
> derived from the original work - fair enough. But code I would expect
> that the bits that are derivative to retain their patent grant even when
> unrelated parts of the original work have been rewritten or replaced.
>
> If code can't be modified without the permission of some company then
> that code isn't open source by my definition.
I have to disagree with an unstated premise here. Whether or not you can
"modify" software is purely a copyright issue, patents are not involved.
If I wrote a program, the law says that I have a monopoly on creating
derivative works of that program. I can license others to do so or not at
my whim (theoretically). So, I agree with your statement that the program
is not "open" if I have reserved that copyright right.
However, you are implying that the existence of a patent which reads on
the resulting derivative work makes the work "non-open". Your beef is
with the existence of patents that read on software, not on the details of
any particular patent or copyright license. Every single free or open
source program is subject to this. I have the ability to take ANY piece
of software, modify it in such a way as to infringe a third party patent
to which I am unlicensed. If I create a product from that software and
market it, I would be subject to possible royalties and even an
injunction. Does that make the software non-open? If it does, then
you've just make the entire FOSS universe non-open.
This is a threshold issue that Apache needs to get comfortable with. If
you want to lobby to eliminate software patents, great. Personally, I
think that the software industry would be much better off without them.
However, assuming that we don't eliminate software patents in the next few
weeks, Apache needs to understand how to operate in an environment where
software patents exist.
My recommendation: Get a small group together to create a policy on
patents, patent commitments, patent licenses, etc. It would need to
ensure that (1) any software Apache distributes is covered by a patent
license, patent commitment, or covenant not to assert for any known
patents; (2) Apache's licensees are covered for their use of the Apache
software; and (3) to the extent that Apache's licensees create their own
derivative implementations those same commitments, licenses, covenants,
etc. would be available to them without undue restrictions. I assume that
Robyn would want to be involved (and I think that she should be) and I'm
willing to help as well.
At the end of the day, Apache needs to be able to create useful software.
Going thru this angst for each individual project isn't helping.
And, btw, if WS-Security is a problem, all of the WS* specs will have the
same problem and so will the XML related projects and Java and .Net ones.
If Apache is planning on cancelling all of these other projects, I'd like
to know.
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
Re: IBM's license for WS-Security - Take #2
Posted by Simon Kitching <sk...@apache.org>.
On Wed, 2005-07-06 at 02:02 -0400, Jeffrey Thompson wrote:
> >
> > However, I read it that the text in Jeffrey's mail talks about
> derivative
> > works has to execute an agreement with IBM, for the same patent
> license (i.e.
> > a) in your scenario).
> >
> > And so far, I have not seen someone with authority step up and say;
> > "Unacceptable" ;o)
> >
>
> I certainly can't dictate Apache's policy on this point, however, I do
> feel compelled to point out that if Apache's policy is as stated, then
> Apache won't be able to implement pretty much any internet standard at
> all. I don't set IBM's policy on this point either, but it is the
> same as almost every other patent holder that is trying to promote a
> standard. If you commit to grant a patent license for implementations
> of the standard, you grant a license to each "NEW" implementation
> separately and you specifically limit them to correct implementations.
> Otherwise the patent holder doesn't get the "benefit" of promoting the
> standard.
[snip]
> The law isn't necessarily as clear cut as programmers would want. If
> it is still Apache's implementation with a few tweaks, then its still
> licensed. If someone has completely rewritten it, then it is not
> licensed. Everything in between is fact specific. Conservative legal
> advice to a business planning on marketing the Apache code after
> making more than just bug fixes would be to get a license. But, that
> would be conservative. There are businesses that would just ignore
> the license, knowing that the license is there, for free, any time
> they want it. That approach wouldn't be wrong either.
[NB: I haven't read the conditions of the IBM patent, but I assume that
if it is necessary to apply for it then IBM have some kind of right to
refuse to grant it under certain conditions]
So the issue hinges on the definition of what is a "NEW" work?
And it is your opinion that anything other than "a few bugfixes"
qualifies as a NEW work?
Code that is not derived from the original work is obviously not covered
by the original patent grant, even when combined with code that *is*
derived from the original work - fair enough. But code I would expect
that the bits that are derivative to retain their patent grant even when
unrelated parts of the original work have been rewritten or replaced.
If code can't be modified without the permission of some company then
that code isn't open source by my definition. So I checked the APL. And
much to my surprise, this appears to be acceptable according to the APL;
Section 2 specifies that Copyright must be granted for Derivative Works
but Section 3 does not mention Derivative works at all; it says that
contributors are required to grant patents for their contribution to the
Work but doesn't mention derivatives.
I find this deeply disturbing. If I have understood this correctly then
I would indeed urge the ASF to walk away from such projects. The
open-source world is quite capable of defining its own standards, and
this is certainly healthier than building code that is advertised as
"open" when derivatives cannot in fact be created without the permission
of a company. It would be better if open and commercial entities could
cooperate - but promoting encumbered works as "open" is not honest.
I wonder how the GPL works in this regard. Section 2 requires that
"works based on" the program be freely redistributable. And section 7
requires that if you can't abide by the terms of section 2 then you
can't distribute the Program at all. So that would *seem* to forbid the
distribution of any work under the GPL for which "works based on" the
work need a separate patent license. So it seems to me (IANAL) that the
GPL doesn't suffer the serious flaw, as long as "based on" is
interpreted liberally.
Aargh - why on earth has this ****** patent system got us arguing about
"NEW" vs "works based on" - vague terms with no scientific definition of
any sort. This is enough to turn anyone Anarchist..or even Nihilist.
And of course just a reminder - this discussion (currently) applies only
within the USA and a few other unfortunate countries. The rest of the
world doesn't have to give such patent claims any respect at all.
Regards,
Simon
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Sorry for being silent for a while. I'm not ignoring the list. Well. . .
. actually, I am. I've been traveling. Sitting right now in an internet
cafe in Delphi, Greece. Going to consult the Oracle on how to resolve
this issue . . . .
Niclas Hedhman <ni...@hedhman.org> wrote on 07/05/2005 11:18:18 PM:
> On Wednesday 06 July 2005 01:35, robert burrell donkin wrote:
> > (i suspect that we're all in consensus here but fumbling around to
> > understand the language...)
>
> Yes, I agree with your conclusions of a), b) and c).
>
> However, I read it that the text in Jeffrey's mail talks about
derivative
> works has to execute an agreement with IBM, for the same patent license
(i.e.
> a) in your scenario).
>
> And so far, I have not seen someone with authority step up and say;
> "Unacceptable" ;o)
>
I certainly can't dictate Apache's policy on this point, however, I do
feel compelled to point out that if Apache's policy is as stated, then
Apache won't be able to implement pretty much any internet standard at
all. I don't set IBM's policy on this point either, but it is the same as
almost every other patent holder that is trying to promote a standard. If
you commit to grant a patent license for implementations of the standard,
you grant a license to each "NEW" implementation separately and you
specifically limit them to correct implementations. Otherwise the patent
holder doesn't get the "benefit" of promoting the standard.
It would seem to me that nothing in that approach would conflict with
Apache's goal as long as the process by which new implementations are
licensed is not onorous. (As I mentioned, many patent holders, including
IBM, are looking at covenants not to assert which have virtually no
process at all, so that would be great from Apache's perspective). Until
that happens, though, Apache really needs to make sure that the Apache
licensees either are covered, or can easily get covered, by licenses for
any known necessary patents. Insisting that they get covered
automatically isn't going to work (at least in the near term). There are
patent holders that aren't yet ready for that.
>
> Every mail I have risen about this, always turn over to "other patents".
BenL
> mention that "we don't want patent grant to evaporate". A nice
assurance, but
> fairly non-assertive and non-authorative, don't you think? :o)
>
> As I see it (taken from Jeffrey's posts);
>
> 1. "there isn't much interest in redrafting the details of a patent
license
> that was published 3 years ago when there would be no practical effect
to
> making changes" --> meaning IBM will not change the patent grant policy
for
> ASF in this case.
>
>
> 2. "ASF can't transfer the license or sublicense it to customers. See
our
> other discussion as to why that doesn't prevent Apache from creating and
> distributing implementations and why Apache's licensees are already
covered
> for their use." --> To me this is very vague. Can I or can I not make
the
> one-line modification, 5 man-year re-shuffle, or not? Is the "license"
in the
> text above a license to any patent, a license to implement a spec, or
license
> to use patents?
>
The law isn't necessarily as clear cut as programmers would want. If it
is still Apache's implementation with a few tweaks, then its still
licensed. If someone has completely rewritten it, then it is not
licensed. Everything in between is fact specific. Conservative legal
advice to a business planning on marketing the Apache code after making
more than just bug fixes would be to get a license. But, that would be
conservative. There are businesses that would just ignore the license,
knowing that the license is there, for free, any time they want it. That
approach wouldn't be wrong either.
>
> IMHO, Dims haven't really got an answer to it all yet.
>
>
> Cheers
> Niclas
>
>
I apologize for the rambling, but I have to run. I didn't have time to
make it shorter.
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
Re: IBM's license for WS-Security - Take #2
Posted by Niclas Hedhman <ni...@hedhman.org>.
On Wednesday 06 July 2005 01:35, robert burrell donkin wrote:
> (i suspect that we're all in consensus here but fumbling around to
> understand the language...)
Yes, I agree with your conclusions of a), b) and c).
However, I read it that the text in Jeffrey's mail talks about derivative
works has to execute an agreement with IBM, for the same patent license (i.e.
a) in your scenario).
And so far, I have not seen someone with authority step up and say;
"Unacceptable" ;o)
Every mail I have risen about this, always turn over to "other patents". BenL
mention that "we don't want patent grant to evaporate". A nice assurance, but
fairly non-assertive and non-authorative, don't you think? :o)
As I see it (taken from Jeffrey's posts);
1. "there isn't much interest in redrafting the details of a patent license
that was published 3 years ago when there would be no practical effect to
making changes" --> meaning IBM will not change the patent grant policy for
ASF in this case.
2. "ASF can't transfer the license or sublicense it to customers. See our
other discussion as to why that doesn't prevent Apache from creating and
distributing implementations and why Apache's licensees are already covered
for their use." --> To me this is very vague. Can I or can I not make the
one-line modification, 5 man-year re-shuffle, or not? Is the "license" in the
text above a license to any patent, a license to implement a spec, or license
to use patents?
IMHO, Dims haven't really got an answer to it all yet.
Cheers
Niclas
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Ben Laurie <be...@algroup.co.uk>.
robert burrell donkin wrote:
> IANAL!
>
> On Mon, 2005-07-04 at 10:48 +0100, Ben Laurie wrote:
>
>>robert burrell donkin wrote:
>>
>>>>>If your goal is to ensure that your licensees have all necessary patent
>>>>>and copyright rights to create whatever derivative works they want
>>>>
>>>>>from Apache's source code, you are bound to fail. That is an
>>>>
>>>>>impossible task.
>>>>
>>>>Yes, I think that has been the goal, and if it is not, then I think a
>>>>clarification is needed from the Board of how the patent issues are supposed
>>>>to be dealt with both for the relevant projects as well as for all the users
>>>>out there, who think that ASF code base has no known patent issues attached
>>>>to it.
>>>
>>>i cannot see how the ASF could possibly offer a patent guarantee for
>>>derivative works. there is no limit on the patents which a derivative
>>>work may infringe. the best that could be offered is a promise that all
>>>derivative works would be entitled to use any patents owned by
>>>contributors that necessarily infringe the original library.
>>
>>You mean that the library necessarily infringes
>
>
> yes
>
>
>>(not sure I understand
>>the use of this word "necessarily", btw. though I've noticed it is popular).
>
>
> it's so popular that it's even in the ASL 2.0 :)
>
> IANAL but i think the word describes a distinction between those patents
> which are infringed by the nature of the code and those which are
> infringed only when it is combined into a derivative work.
>
>
>>>i don't quite grasp the necessity of the connection between derivative
>>>works and the issue of code with known patent encumbrances. IMHO what
>>>most users think of as 'having no known patent issues attached' is that
>>>the ASF has licenses for any patents know to be necessary to use the
>>>software.
>>
>>The point is that we are trying to produce code that is useful to people
>>downstream, including those that modify or add to it. We don't want
>>patent grants to evaporate simply because they changed a line of code
>>somewhere.
>
>
> +1
>
> IMHO it is not unreasonable (though) for a contributor to ask that
> derivative works that infringe patents that the original did not must
> obtain licenses for those but that licenses granted for the original are
> not lost just because it is combined into some large work.
Absolutely agreed.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by robert burrell donkin <rd...@apache.org>.
IANAL!
On Mon, 2005-07-04 at 10:48 +0100, Ben Laurie wrote:
> robert burrell donkin wrote:
> >>>If your goal is to ensure that your licensees have all necessary patent
> >>>and copyright rights to create whatever derivative works they want
> >>>from Apache's source code, you are bound to fail. That is an
> >>>impossible task.
> >>
> >>Yes, I think that has been the goal, and if it is not, then I think a
> >>clarification is needed from the Board of how the patent issues are supposed
> >>to be dealt with both for the relevant projects as well as for all the users
> >>out there, who think that ASF code base has no known patent issues attached
> >>to it.
> >
> > i cannot see how the ASF could possibly offer a patent guarantee for
> > derivative works. there is no limit on the patents which a derivative
> > work may infringe. the best that could be offered is a promise that all
> > derivative works would be entitled to use any patents owned by
> > contributors that necessarily infringe the original library.
>
> You mean that the library necessarily infringes
yes
> (not sure I understand
> the use of this word "necessarily", btw. though I've noticed it is popular).
it's so popular that it's even in the ASL 2.0 :)
IANAL but i think the word describes a distinction between those patents
which are infringed by the nature of the code and those which are
infringed only when it is combined into a derivative work.
> > i don't quite grasp the necessity of the connection between derivative
> > works and the issue of code with known patent encumbrances. IMHO what
> > most users think of as 'having no known patent issues attached' is that
> > the ASF has licenses for any patents know to be necessary to use the
> > software.
>
> The point is that we are trying to produce code that is useful to people
> downstream, including those that modify or add to it. We don't want
> patent grants to evaporate simply because they changed a line of code
> somewhere.
+1
IMHO it is not unreasonable (though) for a contributor to ask that
derivative works that infringe patents that the original did not must
obtain licenses for those but that licenses granted for the original are
not lost just because it is combined into some large work.
say i owned three patents:
(a) a general software patent (boo hiss evil) about logging (say);
(b) a whizzy bit of electronics hooked up to smart control program used
to log information about aircraft;
(c) a unrelated patent about boats.
i contribute code to the ASF which embodies (a) in project foobar. i do
not think it unreasonable that derivative works of foobar that infringe
patents (b) and (c) are unprotected by the license granted for the use
of (a) in foobar. the necessarily bit comes in with (b): though foobar
may be used as part of the control code, (b) is not necessarily
infringed by foobar and use of foobar in the control code would not
allow (b) to be automatically granted by the foobar license. i would
hope that any derivative works of foobar would inherit the same license
granted for (a) to foobar.
(i suspect that we're all in consensus here but fumbling around to
understand the language...)
- robert
Re: IBM's license for WS-Security - Take #2
Posted by Ben Laurie <be...@algroup.co.uk>.
robert burrell donkin wrote:
>>>If your goal is to ensure that your licensees have all necessary patent
>>>and copyright rights to create whatever derivative works they want
>>>from Apache's source code, you are bound to fail. That is an
>>>impossible task.
>>
>>Yes, I think that has been the goal, and if it is not, then I think a
>>clarification is needed from the Board of how the patent issues are supposed
>>to be dealt with both for the relevant projects as well as for all the users
>>out there, who think that ASF code base has no known patent issues attached
>>to it.
>
> i cannot see how the ASF could possibly offer a patent guarantee for
> derivative works. there is no limit on the patents which a derivative
> work may infringe. the best that could be offered is a promise that all
> derivative works would be entitled to use any patents owned by
> contributors that necessarily infringe the original library.
You mean that the library necessarily infringes (not sure I understand
the use of this word "necessarily", btw. though I've noticed it is popular).
> i don't quite grasp the necessity of the connection between derivative
> works and the issue of code with known patent encumbrances. IMHO what
> most users think of as 'having no known patent issues attached' is that
> the ASF has licenses for any patents know to be necessary to use the
> software.
The point is that we are trying to produce code that is useful to people
downstream, including those that modify or add to it. We don't want
patent grants to evaporate simply because they changed a line of code
somewhere.
Cheers,
Ben.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by robert burrell donkin <rd...@apache.org>.
On Wed, 2005-06-29 at 11:25 +0800, Mohammad Isac Niclas bin Abdullah
wrote:
> On Wednesday 29 June 2005 03:32, Jeffrey Thompson wrote:
> > If there is a necessary patent, all Apache can do is make sure that it is
> > licensed so that those that use Apache's implementation are covered.
>
> AFAIK, this is not in the spirit of the "Apache Way". "use" is not defined to
> binary copies, but usage of source code in any way what so ever.
>
> I thought that ALv2 clause 2,3 and 4 (backed by clause 2 and 3 in the CLA) is
> fairly clear, that I can take and do whatever I want with the codebase, and
> know that the original contributor(s) will not come after me for patent
> infringements. And
>
> (Infringements of 'unknown' patents is of course a different story, as it is
> for any software development, open source or commercial, and not of
> discussion here.)
i don't believe that this is a accurate summary of the clause 3 in
ASL2.0. the contributors only grant a license to any patents which are
necessarily infringed. if you take the code base and create a derivative
work then you are responsible for any infringement in this work of any
patents which are not infringed by the original apache library. you can
be sued for these new infringements.
(hopefully someone with more legal knowledge will jump in here and
confirm or rebut my assertion...)
ASL2.0 seems like quite a reasonable compromise to me. granting licenses
for all patents held by contributors (not just infringing ones) would
(in effect) allows third parties a loophole (by claiming that the
software is a derivative of an apache work) which would effectively
allow them to bypass all patents held by the company. it is unlikely
that many patent holders who agree to terms that which effectively
prevent them from enforcing the patents they hold.
> > If your goal is to ensure that your licensees have all necessary patent
> > and copyright rights to create whatever derivative works they want
> > from Apache's source code, you are bound to fail. That is an
> > impossible task.
>
> Yes, I think that has been the goal, and if it is not, then I think a
> clarification is needed from the Board of how the patent issues are supposed
> to be dealt with both for the relevant projects as well as for all the users
> out there, who think that ASF code base has no known patent issues attached
> to it.
i cannot see how the ASF could possibly offer a patent guarantee for
derivative works. there is no limit on the patents which a derivative
work may infringe. the best that could be offered is a promise that all
derivative works would be entitled to use any patents owned by
contributors that necessarily infringe the original library.
i don't quite grasp the necessity of the connection between derivative
works and the issue of code with known patent encumbrances. IMHO what
most users think of as 'having no known patent issues attached' is that
the ASF has licenses for any patents know to be necessary to use the
software.
- robert
Re: IBM's license for WS-Security - Take #2
Posted by Mohammad Isac Niclas bin Abdullah <ni...@apache.org>.
On Wednesday 29 June 2005 03:32, Jeffrey Thompson wrote:
> If there is a necessary patent, all Apache can do is make sure that it is
> licensed so that those that use Apache's implementation are covered.
AFAIK, this is not in the spirit of the "Apache Way". "use" is not defined to
binary copies, but usage of source code in any way what so ever.
I thought that ALv2 clause 2,3 and 4 (backed by clause 2 and 3 in the CLA) is
fairly clear, that I can take and do whatever I want with the codebase, and
know that the original contributor(s) will not come after me for patent
infringements. And
(Infringements of 'unknown' patents is of course a different story, as it is
for any software development, open source or commercial, and not of
discussion here.)
> If your goal is to ensure that your licensees have all necessary patent
> and copyright rights to create whatever derivative works they want
> from Apache's source code, you are bound to fail. That is an
> impossible task.
Yes, I think that has been the goal, and if it is not, then I think a
clarification is needed from the Board of how the patent issues are supposed
to be dealt with both for the relevant projects as well as for all the users
out there, who think that ASF code base has no known patent issues attached
to it.
Jeffrey, I really appreciate that you are taking time to answer "this layman".
Thanks
Niclas
--
+---------//-------------------+
| http://www.bali.ac |
| http://niclas.hedhman.org |
+------//----------------------+
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Niclas Hedhman <ni...@apache.org> wrote on 06/28/2005 03:50:42 AM:
> On Monday 27 June 2005 23:27, Jeffrey Thompson wrote:
> > ASF can't transfer the license or sublicense it to customers. See our
> > other discussion as to why that doesn't prevent Apache from creating
and
> > distributing implementations and why Apache's licensees are already
covered
> > for their use.
>
> Sorry for being very dense and a total idiot at times...
>
> I think the question to ask is;
>
> At the end of the day, can anyone take WS-Security and do an arbitrarily
set
> of changes (compliant or not) to the codebase and distribute it to
anyone
> else, for-free or for-profit, in accordance with the ALv2 license
attached to
> WS-Security, without executing any agreement with ASF, IBM or other
party??
The way that you asked that question, the answer will have to be "of
course not". Apache cannot ensure that its licensees will never need any
additional IP rights, some of which may require executed agreements.
Apache's then current WS-Security implementation might initially infringe
some patent by some currently unknown patent holder. If he shows up next
year and asks for a license agreement, Apache can't do anything about that
(at least right now).
Also, your licensee might make changes that cause the code to infringe
other patents or copyrights. Apache isn't responsible for those rights
either.
If your goal is to ensure that your licensees have all necessary patent
and copyright rights to create whatever derivative works they want from
Apache's source code, you are bound to fail. That is an impossible task.
As I mentioned before, Apache cannot force all patent licenses to be
exactly congruent to the Apache license. Patents and copyright focus on
different aspects of IP, so their licenses necessary focus on different
things. Its best to think of the patent commitments that are being made
to specifications, standards, and the like as being orthognal to the
Apache source license. The patent commitment applies to all
implementations, not just Apache's, and is limited to actual
implementations of the spec/standard/whatever. If there is a necessary
patent, all Apache can do is make sure that it is licensed so that those
that use Apache's implementation are covered.
>
> If the answer is not "Yes, of course.", then I think there is a problem
for
> ASF to proceed on this track. If the issue is only that the
modifiedcodebase
> can not claim "compliance", then I think it is less of a concern.
As far as I know, no one is debating the rules under which implementations
are permitted to claim "compliance" with WS-Security. OASIS doesn't do
that. They publish the specs, they don't police implementations.
In the end, Apache should be very careful not to set a standard that
cannot be met. If Apache will not implement a specification unless all
owners of all copyrights and patents which could be infringed by all
possible derivative works provide licenses which are unrestricted, then
the list of specifications that Apache would be able to implement would be
quite short. All WS* specs would be off the list, as well as all specs
published by W3C, OASIS, ECMA, and ANSI and don't even think about
implementing anything related to Java or .NET.
>
>
> Cheers
> Niclas
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
Re: IBM's license for WS-Security - Take #2
Posted by Niclas Hedhman <ni...@apache.org>.
On Monday 27 June 2005 23:27, Jeffrey Thompson wrote:
> > > 2. The license is nontransferrable. Under this license, ASF can't allow
> > >
> > > third parties to make Licensed Products, which is contrary to ASF's
> > > license. While the license purports to be sublicenseable, that
> > > sublicense extends only to "Subsidiaries," which is irrelevant to
> > > ASF's model or opensource in general. (Section 1.3.)
>
> ASF can't transfer the license or sublicense it to customers. See our
> other discussion as to why that doesn't prevent Apache from creating and
> distributing implementations and why Apache's licensees are already covered
> for their use.
Sorry for being very dense and a total idiot at times...
I think the question to ask is;
At the end of the day, can anyone take WS-Security and do an arbitrarily set
of changes (compliant or not) to the codebase and distribute it to anyone
else, for-free or for-profit, in accordance with the ALv2 license attached to
WS-Security, without executing any agreement with ASF, IBM or other party??
If the answer is not "Yes, of course.", then I think there is a problem for
ASF to proceed on this track. If the issue is only that the modified codebase
can not claim "compliance", then I think it is less of a concern.
Cheers
Niclas
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: IBM's license for WS-Security - Take #2
Posted by Jeffrey Thompson <jt...@us.ibm.com>.
Davanum Srinivas <da...@gmail.com> wrote on 06/26/2005 08:28:08 AM:
> Jeff,
>
> Did you miss replying to this email? (or did i lose it in my spam
bucket?)
>
> thanks,
> dims
Dims
You didn't miss the reply. I didn't reply as we were already
exploring the basic issues on the other thread.
For completeness, I'll include comments below, however, as you might
be able to imagine, there isn't much interest in redrafting the details of
a patent license that was published 3 years ago when there would be no
practical effect to making changes. Purely theoretical discussions are
interesting, but when people's plates are already full, asking them to
redo an agreement without a real reason isn't likely to be received well.
>
> On 6/23/05, Davanum Srinivas <da...@gmail.com> wrote:
> > Jeff,
> >
> > Here's the feedback on the IBM License (Sorry the U.S. Export clause
> > was only in the MSFT license and i wrongly copied it in the email i
> > sent to you).
> >
> > thanks,
> > dims
> >
> > ===============================================================
> > Some brief comments on the IBM license for WS-Security:
> >
> > 1. The license would allow ASF to make, sell etc. only Licensed
Products
> > that are compliant with "all relevant portions of the Specification."
What
> > are relevant portions? Is ASF willing to guarantee full compliance?
(Section
> > 1.1 and 6.2.)
Yes, the code needs to be compliant with the Spec otherwise its not a
licensed implementation of the spec.
> >
> > 2. The license is nontransferrable. Under this license, ASF can't
allow
> > third parties to make Licensed Products, which is contrary to ASF's
license.
> > While the license purports to be sublicenseable, that sublicense
extends
> > only to "Subsidiaries," which is irrelevant to ASF's model or
opensource in
> > general. (Section 1.3.)
ASF can't transfer the license or sublicense it to customers. See our
other discussion as to why that doesn't prevent Apache from creating and
distributing implementations and why Apache's licensees are already
covered for their use.
> >
> > 3. ASF can't experiment with this patented technology unless it in
fact
> > afterwards executes this agreement. Prior infringment isn't excused
> > otherwise. So be careful until you decide to execute the agreement.
(Section
> > 1.4)
If we had identified specific patents, I guess this could be an issue, but
I'm not sure that it would have any practical effect. If a patent holder
sues someone for past patent infringement when there is a patent license
available, the court is fairly limited on what it can award as damages.
The royalty rate on the license (potentially trebled) is for all practical
purposes the cap. Since the license being offered is for $0, there would
be no damages available to the patent holder for the past infringment. So
there is no reason for the patent holder to pursue anyone for past
infringment. In any event, its a valid observation about the license,
which I don't think will have a practical impact on Apache, but I'll pass
it on for the next time.
> >
> > 4. The patent termination provision (section 2.2) is very broad and
applies
> > to any claim for patent infringement. Such provisions have been
denounced by
> > several companies, and ASF changed its Apache 2.0 license in response
to
> > such criticism. Now IBM is resurrecting it here.
IBM wants to discourage patent litigation. I understand that different
people have different opinions on how to best do that, but there is no
requirement that Apache and IBM take exactly the same approach. Remember,
this patent license is orthogonal to the Apache license.
> >
> > 5. For some reason, IBM has the right to publicise the agreement but
the
> > other party doesn't. (Section 5.2.). This lack of balance of rights in
IBM's
> > licenses always troubles me. Furthermore, why that restriction?
Interesting observation. I don't know the reason behind that, but I'll
pass the issue on for the next time.
> >
> > 6. The license requires formal execution. (Section 5.6.) That kind of
> > licensing friction doesn't work for open source downstream licensees
who
> > intend to make, use, sell, etc., Licensed Products or derivative
works.
We've discussed this one. Apache's licensees don't need to execute a
license for their use of Apache's implementation. Actual signatures by
the few companies that are creating implementations isn't the lowest
friction approach, but it isn't onerous either. And as I mentioned
before, covenants not to assert are being considered for future standards.
> >
> > 7. This license doesn't include a copyright license to "implementation
> > examples." So be careful not to copy those examples when implementing
the
> > Specification. (Section 6.1, final sentence.)
To pick a nit, the patent license doesn't include a copyright license at
all, let alone a copyright license to the examples. The purpose of that
sentence is to make it clear that the specification really means the
normative sections of the document, not examples, and not other stuff that
doesn't describe what has to be done to comply with the spec.
Theoretically, a example could include lots of stuff that isn't
WS-Security and we want no confusion as to what is being licensed.
However, I don't disagree with your conclusion. From a lawyer's
perspective, its better not to copy example code. Read it. Understand
it. Write your own code.
> > ===============================================================
Jeff
Staff Counsel, IBM Corporation (914)766-1757 (tie)8-826 (fax) -8160
(notes) jthom@ibmus (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/
IBM's license for WS-Security - Take #2
Posted by Davanum Srinivas <da...@gmail.com>.
Jeff,
Did you miss replying to this email? (or did i lose it in my spam bucket?)
thanks,
dims
On 6/23/05, Davanum Srinivas <da...@gmail.com> wrote:
> Jeff,
>
> Here's the feedback on the IBM License (Sorry the U.S. Export clause
> was only in the MSFT license and i wrongly copied it in the email i
> sent to you).
>
> thanks,
> dims
>
> ===============================================================
> Some brief comments on the IBM license for WS-Security:
>
> 1. The license would allow ASF to make, sell etc. only Licensed Products
> that are compliant with "all relevant portions of the Specification." What
> are relevant portions? Is ASF willing to guarantee full compliance? (Section
> 1.1 and 6.2.)
>
> 2. The license is nontransferrable. Under this license, ASF can't allow
> third parties to make Licensed Products, which is contrary to ASF's license.
> While the license purports to be sublicenseable, that sublicense extends
> only to "Subsidiaries," which is irrelevant to ASF's model or open source in
> general. (Section 1.3.)
>
> 3. ASF can't experiment with this patented technology unless it in fact
> afterwards executes this agreement. Prior infringment isn't excused
> otherwise. So be careful until you decide to execute the agreement. (Section
> 1.4)
>
> 4. The patent termination provision (section 2.2) is very broad and applies
> to any claim for patent infringement. Such provisions have been denounced by
> several companies, and ASF changed its Apache 2.0 license in response to
> such criticism. Now IBM is resurrecting it here.
>
> 5. For some reason, IBM has the right to publicise the agreement but the
> other party doesn't. (Section 5.2.). This lack of balance of rights in IBM's
> licenses always troubles me. Furthermore, why that restriction?
>
> 6. The license requires formal execution. (Section 5.6.) That kind of
> licensing friction doesn't work for open source downstream licensees who
> intend to make, use, sell, etc., Licensed Products or derivative works.
>
> 7. This license doesn't include a copyright license to "implementation
> examples." So be careful not to copy those examples when implementing the
> Specification. (Section 6.1, final sentence.)
> ===============================================================
>
--
Davanum Srinivas -http://blogs.cocoondev.org/dims/
---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only, are not privileged and do not constitute legal advice.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org