Re: Status of Apache NetBeans code donation

[Jaroslav Tulach <ja...@oracle.com>]

Hello NetBeans fans!
Here is a few more details on top of Geertjan's  report:

On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
> Hi all,
> 
> We've identified the following repos as being the repos we want to donate
> to Apache:
> 
> community-ruby (2376 files)
> community-soa (11770 files files)
> community-uml (6365 files)
> community-visualweb (6339 files)
> community-xml (2326 files)
> html4j (280 files)
> jackpot30 (964 files)
> (main)contrib
> (main)misc (5076 files)
> plsql-support (2341 files)
> releases (100548 files)
> releases-l10n (33348 files)

If you look at repositories listed at http://hg.netbeans.org you may find 
"donation_review" branches in some of them. 

> However, we can't contribute something we haven't reviewed. We can only
> give to Apache what is ours to give. We can't make licensing decisions for
> someone else's code. E.g., we can't donate Oracle logos, for example. And
> there are several other logos too. We can't donate all kinds of things if
> they're not actually ours to donate.

The idea is to cleanup the code and put the fixes into the donation_review 
branch that should then contain files officially donate-able by Oracle to Apache 
(insert all the legal warnings describing everything that can go wrong here).

> Starting from the smallest repo, i.e., 'html4j', the repos are being
> reviewed. That particular repo took less than a day to review, yes, someone
> is going through the repo paintakingly looking at files for licensing
> concerns and anything else that could be odd for whatever reason. And then
> the concerns discovered need to be discussed and handled.

Good news is that in case of html4j repository I received the review comments 
and addressed them as well as I could. Today I've merged the fixes into the 
donation_review branch: https://hg.netbeans.org/html4j/rev/929563230c07

I have good feelings about the review process. The review identified things 
that really cannot be donated (knockout.js or safari_logo.png files being two 
examples). I have managed to address these issues and still keep the code 
buildable and functional. 

> Yes, this is taking time -- still, once done we'll know for sure that
> things are good and ready.

The html4j repository is just a single step, but it seems to indicate that we 
are moving in the right direction.

-jt

> Yes, this is taking time -- still, once done we'll know for sure that
> things are good and ready. We're doing something right now that I had
> thought we'd be doing throughout incubation in the Apache Git repo. Instead
> of that, we're doing it before getting it into the Apache Git repo. This is
> something that Oracle wants and must do, itself, i.e., no one else, outside
> Oracle, should be involved in this since it is Oracle that is donating the
> code and not anyone else. 
> 
> Hard to give a time estimate for the above, though I imagine some weeks at
> least are involved.
> 
> We're moving along and there is progress and the end is clear. In the end
> this will have been a good process for its thoroughness and for having
> avoided situations with unknown unknowns, since everything will ultimately
> come to light as this investigation continues.
> 
> Gj

Re: Cannot donate MIT code was: Status of Apache NetBeans code donation

[Geertjan Wielenga <ge...@googlemail.com>]

That's a great point. Just because Oracle can't donate, for example,
Knockout.js, does not mean that we cannot use, for example, Knockout.js,
once we're in Apache.

I think we should take this route in the work we're doing at the moment in
Oracle to prepare the donation:

When we encounter something we can't donate, e.g., images or Knockout.js or
whatever, in one of the repos we're planning to donate:

Plan A: Remove it, if possible.

Plan B: If not possible to remove, put a placeholder file in the place
where the file should be, e.g., Knockout.js, as a marker, so that when we
have donated the repo, we can easily find that location again. The
advantage of this approach is that we'll still be able to do a clean
donation, i.e., without exclusions. Disadvantage is, of course, that the
repo will not be buildable. Not a big problem, since we'll know why.

Plan C: If Plan B is not desirable for some reason in some specific case,
explicitly exclude the problematic file, i.e., in the code donation
document, state "we donate everything in the repos at location XYZ, except
for file A, B, and C".

Of course, this info is not relevant for Apache, just for those in Oracle
working on preparing the code donation. However, it's good, I think, for
those interested in progress to see the kinds of thinking being done and
processes being followed.

Gj

On Tue, Jan 3, 2017 at 3:49 PM, Mark Struberg <st...@yahoo.de.invalid>
wrote:

> I share your conclusio. Nemo plus iuris transferre potest quam ipse habet.
> Oracle cannot grant us anythong which they don't own.
>
> Apart from that there is a separate question where any ASF project can add
> MIT based code. And the answer is yes, we can [1].
> Of course we have to add it to our NOTICE file and we also have to add the
> MIT license as MIT requires attribution.
>
> So while Oracle cannot grant it to us we can still use it.
> Probably it's easier to have a list of grant-exclusions and keep it in GIT
> than removing it (leaving a disfunctional project) and then re-adding it
> again?
>
> LieGrue,
> strub
>
> [1] https://www.apache.org/legal/resolved
>
>
>
> > Am 03.01.2017 um 14:49 schrieb Jaroslav Tulach <
> jaroslav.tulach@oracle.com>:
> >
> > Hello Emilian,
> > great question. Possibly something for Apache mentors to help us explain.
> >
> > On úterý 3. ledna 2017 11:54:37 CET Emilian Bold wrote:
> >> Why did you remove 2 compatible dependencies which were MIT licensed?
> >
> > Originally this puzzled me as well. However it seems logical to me now.
> Oracle
> > cannot donate knockout.js (even if licensed under compatible MIT
> license) to
> > Apache as Oracle doesn't own any rights to knockout.js.
> >
> >> Downloading the JS from the URL just obfuscates the dependency.
> >
> > The dependency is of course still there, but by not having the actual
> code
> > under the version control system, Oracle could now say:
> >
> > --- begin ---
> > All the files that are result of
> >
> > $ hg clone https://hg.netbeans.org/html4j/
> > $ cd html4j
> > $ hg update -C 929563230c07
> >
> > are being donated to Apache.
> > --- end ---
> >
> > Such simple and exact statement was not possible before.
> >
> > It is sort of similar to 3rd party JAR dependencies where the version
> control
> > system contains only SHA reference to the binary and the actual binary is
> > downloaded during the build.
> >
> > -jt
> >
> > Btw. wouldn't you be so kind to convert the html4j repository to git?
> >
> >> În mar., 3 ian. 2017 la 12:57 Jaroslav Tulach <
> jaroslav.tulach@oracle.com>
> >>
> >> a scris:
> >>> Hello NetBeans fans!
> >>>
> >>> Here is a few more details on top of Geertjan's  report:
> >>>
> >>> On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
> >>>> Hi all,
> >>>>
> >>>>
> >>>>
> >>>> We've identified the following repos as being the repos we want to
> >>>> donate
> >>>>
> >>>> to Apache:
> >>>>
> >>>>
> >>>>
> >>>> community-ruby (2376 files)
> >>>>
> >>>> community-soa (11770 files files)
> >>>>
> >>>> community-uml (6365 files)
> >>>>
> >>>> community-visualweb (6339 files)
> >>>>
> >>>> community-xml (2326 files)
> >>>>
> >>>> html4j (280 files)
> >>>>
> >>>> jackpot30 (964 files)
> >>>>
> >>>> (main)contrib
> >>>>
> >>>> (main)misc (5076 files)
> >>>>
> >>>> plsql-support (2341 files)
> >>>>
> >>>> releases (100548 files)
> >>>>
> >>>> releases-l10n (33348 files)
> >>>
> >>> If you look at repositories listed at http://hg.netbeans.org you may
> find
> >>>
> >>> "donation_review" branches in some of them.
> >>>
> >>>> However, we can't contribute something we haven't reviewed. We can
> only
> >>>>
> >>>> give to Apache what is ours to give. We can't make licensing decisions
> >>>
> >>> for
> >>>
> >>>> someone else's code. E.g., we can't donate Oracle logos, for example.
> >>>> And
> >>>>
> >>>> there are several other logos too. We can't donate all kinds of things
> >>>> if
> >>>>
> >>>> they're not actually ours to donate.
> >>>
> >>> The idea is to cleanup the code and put the fixes into the
> donation_review
> >>>
> >>> branch that should then contain files officially donate-able by Oracle
> to
> >>> Apache
> >>>
> >>> (insert all the legal warnings describing everything that can go wrong
> >>> here).
> >>>
> >>>> Starting from the smallest repo, i.e., 'html4j', the repos are being
> >>>>
> >>>> reviewed. That particular repo took less than a day to review, yes,
> >>>
> >>> someone
> >>>
> >>>> is going through the repo paintakingly looking at files for licensing
> >>>>
> >>>> concerns and anything else that could be odd for whatever reason. And
> >>>
> >>> then
> >>>
> >>>> the concerns discovered need to be discussed and handled.
> >>>
> >>> Good news is that in case of html4j repository I received the review
> >>> comments
> >>>
> >>> and addressed them as well as I could. Today I've merged the fixes into
> >>> the
> >>>
> >>> donation_review branch: https://hg.netbeans.org/
> html4j/rev/929563230c07
> >>>
> >>>
> >>>
> >>> I have good feelings about the review process. The review identified
> >>> things
> >>>
> >>> that really cannot be donated (knockout.js or safari_logo.png files
> being
> >>> two
> >>>
> >>> examples). I have managed to address these issues and still keep the
> code
> >>>
> >>> buildable and functional.
> >>>
> >>>> Yes, this is taking time -- still, once done we'll know for sure that
> >>>>
> >>>> things are good and ready.
> >>>
> >>> The html4j repository is just a single step, but it seems to indicate
> that
> >>> we
> >>>
> >>> are moving in the right direction.
> >>>
> >>>
> >>>
> >>> -jt
> >>>
> >>>> Yes, this is taking time -- still, once done we'll know for sure that
> >>>>
> >>>> things are good and ready. We're doing something right now that I had
> >>>>
> >>>> thought we'd be doing throughout incubation in the Apache Git repo.
> >>>
> >>> Instead
> >>>
> >>>> of that, we're doing it before getting it into the Apache Git repo.
> This
> >>>
> >>> is
> >>>
> >>>> something that Oracle wants and must do, itself, i.e., no one else,
> >>>
> >>> outside
> >>>
> >>>> Oracle, should be involved in this since it is Oracle that is donating
> >>>
> >>> the
> >>>
> >>>> code and not anyone else.
> >>>>
> >>>>
> >>>>
> >>>> Hard to give a time estimate for the above, though I imagine some
> weeks
> >>>
> >>> at
> >>>
> >>>> least are involved.
> >>>>
> >>>>
> >>>>
> >>>> We're moving along and there is progress and the end is clear. In the
> >>>> end
> >>>>
> >>>> this will have been a good process for its thoroughness and for having
> >>>>
> >>>> avoided situations with unknown unknowns, since everything will
> >>>
> >>> ultimately
> >>>
> >>>> come to light as this investigation continues.
> >>>>
> >>>>
> >>>>
> >>>> Gj
> >
> >
>
>

Re: Cannot donate MIT code was: Status of Apache NetBeans code donation

[Geertjan Wielenga <ge...@googlemail.com>]

On  Tue, Jan 3, 2017 at 5:20 PM, Emilian Bold wrote:

Looking forward to the code grant. Perhaps we should throw a party or
> something!


Definitely. :-)

Gj

On Tue, Jan 3, 2017 at 5:20 PM, Emilian Bold <em...@gmail.com> wrote:

> About technical dependencies:
>
> You seem to have included knockout-3.4.0.js for no reason. Deleting the
> file doesn't seem to need any other reference change so it was just a code
> cleanup?
>
> For env.nashorn.1.2-debug.js though you should add the file on
> bits.netbeans.org or somewhere better. It's only a test though but having
> the test dependency like this is not good:
>
> +        URL envNashorn = new URL("
> https://bugs.openjdk.java.net/secure/attachment/11894/env.
> nashorn.1.2-debug.js
> ");
>
> About technical dependencies from a legal angle:
>
> I can't force a given interpretation on Oracle Legal but dependencies are
> dependencies and we know how to handle that. Not too long ago all
> dependencies were traditionally stored in the same project tree under a
> lib/ folder or some such. Of course donating such a project would not imply
> donating the dependencies under lib/ too!
>
> Logos are different since there is no copyright header on them. It might be
> a good idea to do this 3rd party logo cleanup.
>
> Anyhow, good to know you have a system in place. Looking forward to the
> code grant. Perhaps we should throw a party or something!
>
>
>
> --emi
>
> On Tue, Jan 3, 2017 at 4:49 PM, Mark Struberg <st...@yahoo.de.invalid>
> wrote:
>
> > I share your conclusio. Nemo plus iuris transferre potest quam ipse
> habet.
> > Oracle cannot grant us anythong which they don't own.
> >
> > Apart from that there is a separate question where any ASF project can
> add
> > MIT based code. And the answer is yes, we can [1].
> > Of course we have to add it to our NOTICE file and we also have to add
> the
> > MIT license as MIT requires attribution.
> >
> > So while Oracle cannot grant it to us we can still use it.
> > Probably it's easier to have a list of grant-exclusions and keep it in
> GIT
> > than removing it (leaving a disfunctional project) and then re-adding it
> > again?
> >
> > LieGrue,
> > strub
> >
> > [1] https://www.apache.org/legal/resolved
> >
> >
> >
> > > Am 03.01.2017 um 14:49 schrieb Jaroslav Tulach <
> > jaroslav.tulach@oracle.com>:
> > >
> > > Hello Emilian,
> > > great question. Possibly something for Apache mentors to help us
> explain.
> > >
> > > On úterý 3. ledna 2017 11:54:37 CET Emilian Bold wrote:
> > >> Why did you remove 2 compatible dependencies which were MIT licensed?
> > >
> > > Originally this puzzled me as well. However it seems logical to me now.
> > Oracle
> > > cannot donate knockout.js (even if licensed under compatible MIT
> > license) to
> > > Apache as Oracle doesn't own any rights to knockout.js.
> > >
> > >> Downloading the JS from the URL just obfuscates the dependency.
> > >
> > > The dependency is of course still there, but by not having the actual
> > code
> > > under the version control system, Oracle could now say:
> > >
> > > --- begin ---
> > > All the files that are result of
> > >
> > > $ hg clone https://hg.netbeans.org/html4j/
> > > $ cd html4j
> > > $ hg update -C 929563230c07
> > >
> > > are being donated to Apache.
> > > --- end ---
> > >
> > > Such simple and exact statement was not possible before.
> > >
> > > It is sort of similar to 3rd party JAR dependencies where the version
> > control
> > > system contains only SHA reference to the binary and the actual binary
> is
> > > downloaded during the build.
> > >
> > > -jt
> > >
> > > Btw. wouldn't you be so kind to convert the html4j repository to git?
> > >
> > >> În mar., 3 ian. 2017 la 12:57 Jaroslav Tulach <
> > jaroslav.tulach@oracle.com>
> > >>
> > >> a scris:
> > >>> Hello NetBeans fans!
> > >>>
> > >>> Here is a few more details on top of Geertjan's  report:
> > >>>
> > >>> On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
> > >>>> Hi all,
> > >>>>
> > >>>>
> > >>>>
> > >>>> We've identified the following repos as being the repos we want to
> > >>>> donate
> > >>>>
> > >>>> to Apache:
> > >>>>
> > >>>>
> > >>>>
> > >>>> community-ruby (2376 files)
> > >>>>
> > >>>> community-soa (11770 files files)
> > >>>>
> > >>>> community-uml (6365 files)
> > >>>>
> > >>>> community-visualweb (6339 files)
> > >>>>
> > >>>> community-xml (2326 files)
> > >>>>
> > >>>> html4j (280 files)
> > >>>>
> > >>>> jackpot30 (964 files)
> > >>>>
> > >>>> (main)contrib
> > >>>>
> > >>>> (main)misc (5076 files)
> > >>>>
> > >>>> plsql-support (2341 files)
> > >>>>
> > >>>> releases (100548 files)
> > >>>>
> > >>>> releases-l10n (33348 files)
> > >>>
> > >>> If you look at repositories listed at http://hg.netbeans.org you may
> > find
> > >>>
> > >>> "donation_review" branches in some of them.
> > >>>
> > >>>> However, we can't contribute something we haven't reviewed. We can
> > only
> > >>>>
> > >>>> give to Apache what is ours to give. We can't make licensing
> decisions
> > >>>
> > >>> for
> > >>>
> > >>>> someone else's code. E.g., we can't donate Oracle logos, for
> example.
> > >>>> And
> > >>>>
> > >>>> there are several other logos too. We can't donate all kinds of
> things
> > >>>> if
> > >>>>
> > >>>> they're not actually ours to donate.
> > >>>
> > >>> The idea is to cleanup the code and put the fixes into the
> > donation_review
> > >>>
> > >>> branch that should then contain files officially donate-able by
> Oracle
> > to
> > >>> Apache
> > >>>
> > >>> (insert all the legal warnings describing everything that can go
> wrong
> > >>> here).
> > >>>
> > >>>> Starting from the smallest repo, i.e., 'html4j', the repos are being
> > >>>>
> > >>>> reviewed. That particular repo took less than a day to review, yes,
> > >>>
> > >>> someone
> > >>>
> > >>>> is going through the repo paintakingly looking at files for
> licensing
> > >>>>
> > >>>> concerns and anything else that could be odd for whatever reason.
> And
> > >>>
> > >>> then
> > >>>
> > >>>> the concerns discovered need to be discussed and handled.
> > >>>
> > >>> Good news is that in case of html4j repository I received the review
> > >>> comments
> > >>>
> > >>> and addressed them as well as I could. Today I've merged the fixes
> into
> > >>> the
> > >>>
> > >>> donation_review branch: https://hg.netbeans.org/
> > html4j/rev/929563230c07
> > >>>
> > >>>
> > >>>
> > >>> I have good feelings about the review process. The review identified
> > >>> things
> > >>>
> > >>> that really cannot be donated (knockout.js or safari_logo.png files
> > being
> > >>> two
> > >>>
> > >>> examples). I have managed to address these issues and still keep the
> > code
> > >>>
> > >>> buildable and functional.
> > >>>
> > >>>> Yes, this is taking time -- still, once done we'll know for sure
> that
> > >>>>
> > >>>> things are good and ready.
> > >>>
> > >>> The html4j repository is just a single step, but it seems to indicate
> > that
> > >>> we
> > >>>
> > >>> are moving in the right direction.
> > >>>
> > >>>
> > >>>
> > >>> -jt
> > >>>
> > >>>> Yes, this is taking time -- still, once done we'll know for sure
> that
> > >>>>
> > >>>> things are good and ready. We're doing something right now that I
> had
> > >>>>
> > >>>> thought we'd be doing throughout incubation in the Apache Git repo.
> > >>>
> > >>> Instead
> > >>>
> > >>>> of that, we're doing it before getting it into the Apache Git repo.
> > This
> > >>>
> > >>> is
> > >>>
> > >>>> something that Oracle wants and must do, itself, i.e., no one else,
> > >>>
> > >>> outside
> > >>>
> > >>>> Oracle, should be involved in this since it is Oracle that is
> donating
> > >>>
> > >>> the
> > >>>
> > >>>> code and not anyone else.
> > >>>>
> > >>>>
> > >>>>
> > >>>> Hard to give a time estimate for the above, though I imagine some
> > weeks
> > >>>
> > >>> at
> > >>>
> > >>>> least are involved.
> > >>>>
> > >>>>
> > >>>>
> > >>>> We're moving along and there is progress and the end is clear. In
> the
> > >>>> end
> > >>>>
> > >>>> this will have been a good process for its thoroughness and for
> having
> > >>>>
> > >>>> avoided situations with unknown unknowns, since everything will
> > >>>
> > >>> ultimately
> > >>>
> > >>>> come to light as this investigation continues.
> > >>>>
> > >>>>
> > >>>>
> > >>>> Gj
> > >
> > >
> >
> >
>

Re: Cannot donate MIT code was: Status of Apache NetBeans code donation

[Emilian Bold <em...@gmail.com>]

About technical dependencies:

You seem to have included knockout-3.4.0.js for no reason. Deleting the
file doesn't seem to need any other reference change so it was just a code
cleanup?

For env.nashorn.1.2-debug.js though you should add the file on
bits.netbeans.org or somewhere better. It's only a test though but having
the test dependency like this is not good:

+        URL envNashorn = new URL("
https://bugs.openjdk.java.net/secure/attachment/11894/env.nashorn.1.2-debug.js
");

About technical dependencies from a legal angle:

I can't force a given interpretation on Oracle Legal but dependencies are
dependencies and we know how to handle that. Not too long ago all
dependencies were traditionally stored in the same project tree under a
lib/ folder or some such. Of course donating such a project would not imply
donating the dependencies under lib/ too!

Logos are different since there is no copyright header on them. It might be
a good idea to do this 3rd party logo cleanup.

Anyhow, good to know you have a system in place. Looking forward to the
code grant. Perhaps we should throw a party or something!



--emi

On Tue, Jan 3, 2017 at 4:49 PM, Mark Struberg <st...@yahoo.de.invalid>
wrote:

> I share your conclusio. Nemo plus iuris transferre potest quam ipse habet.
> Oracle cannot grant us anythong which they don't own.
>
> Apart from that there is a separate question where any ASF project can add
> MIT based code. And the answer is yes, we can [1].
> Of course we have to add it to our NOTICE file and we also have to add the
> MIT license as MIT requires attribution.
>
> So while Oracle cannot grant it to us we can still use it.
> Probably it's easier to have a list of grant-exclusions and keep it in GIT
> than removing it (leaving a disfunctional project) and then re-adding it
> again?
>
> LieGrue,
> strub
>
> [1] https://www.apache.org/legal/resolved
>
>
>
> > Am 03.01.2017 um 14:49 schrieb Jaroslav Tulach <
> jaroslav.tulach@oracle.com>:
> >
> > Hello Emilian,
> > great question. Possibly something for Apache mentors to help us explain.
> >
> > On úterý 3. ledna 2017 11:54:37 CET Emilian Bold wrote:
> >> Why did you remove 2 compatible dependencies which were MIT licensed?
> >
> > Originally this puzzled me as well. However it seems logical to me now.
> Oracle
> > cannot donate knockout.js (even if licensed under compatible MIT
> license) to
> > Apache as Oracle doesn't own any rights to knockout.js.
> >
> >> Downloading the JS from the URL just obfuscates the dependency.
> >
> > The dependency is of course still there, but by not having the actual
> code
> > under the version control system, Oracle could now say:
> >
> > --- begin ---
> > All the files that are result of
> >
> > $ hg clone https://hg.netbeans.org/html4j/
> > $ cd html4j
> > $ hg update -C 929563230c07
> >
> > are being donated to Apache.
> > --- end ---
> >
> > Such simple and exact statement was not possible before.
> >
> > It is sort of similar to 3rd party JAR dependencies where the version
> control
> > system contains only SHA reference to the binary and the actual binary is
> > downloaded during the build.
> >
> > -jt
> >
> > Btw. wouldn't you be so kind to convert the html4j repository to git?
> >
> >> În mar., 3 ian. 2017 la 12:57 Jaroslav Tulach <
> jaroslav.tulach@oracle.com>
> >>
> >> a scris:
> >>> Hello NetBeans fans!
> >>>
> >>> Here is a few more details on top of Geertjan's  report:
> >>>
> >>> On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
> >>>> Hi all,
> >>>>
> >>>>
> >>>>
> >>>> We've identified the following repos as being the repos we want to
> >>>> donate
> >>>>
> >>>> to Apache:
> >>>>
> >>>>
> >>>>
> >>>> community-ruby (2376 files)
> >>>>
> >>>> community-soa (11770 files files)
> >>>>
> >>>> community-uml (6365 files)
> >>>>
> >>>> community-visualweb (6339 files)
> >>>>
> >>>> community-xml (2326 files)
> >>>>
> >>>> html4j (280 files)
> >>>>
> >>>> jackpot30 (964 files)
> >>>>
> >>>> (main)contrib
> >>>>
> >>>> (main)misc (5076 files)
> >>>>
> >>>> plsql-support (2341 files)
> >>>>
> >>>> releases (100548 files)
> >>>>
> >>>> releases-l10n (33348 files)
> >>>
> >>> If you look at repositories listed at http://hg.netbeans.org you may
> find
> >>>
> >>> "donation_review" branches in some of them.
> >>>
> >>>> However, we can't contribute something we haven't reviewed. We can
> only
> >>>>
> >>>> give to Apache what is ours to give. We can't make licensing decisions
> >>>
> >>> for
> >>>
> >>>> someone else's code. E.g., we can't donate Oracle logos, for example.
> >>>> And
> >>>>
> >>>> there are several other logos too. We can't donate all kinds of things
> >>>> if
> >>>>
> >>>> they're not actually ours to donate.
> >>>
> >>> The idea is to cleanup the code and put the fixes into the
> donation_review
> >>>
> >>> branch that should then contain files officially donate-able by Oracle
> to
> >>> Apache
> >>>
> >>> (insert all the legal warnings describing everything that can go wrong
> >>> here).
> >>>
> >>>> Starting from the smallest repo, i.e., 'html4j', the repos are being
> >>>>
> >>>> reviewed. That particular repo took less than a day to review, yes,
> >>>
> >>> someone
> >>>
> >>>> is going through the repo paintakingly looking at files for licensing
> >>>>
> >>>> concerns and anything else that could be odd for whatever reason. And
> >>>
> >>> then
> >>>
> >>>> the concerns discovered need to be discussed and handled.
> >>>
> >>> Good news is that in case of html4j repository I received the review
> >>> comments
> >>>
> >>> and addressed them as well as I could. Today I've merged the fixes into
> >>> the
> >>>
> >>> donation_review branch: https://hg.netbeans.org/
> html4j/rev/929563230c07
> >>>
> >>>
> >>>
> >>> I have good feelings about the review process. The review identified
> >>> things
> >>>
> >>> that really cannot be donated (knockout.js or safari_logo.png files
> being
> >>> two
> >>>
> >>> examples). I have managed to address these issues and still keep the
> code
> >>>
> >>> buildable and functional.
> >>>
> >>>> Yes, this is taking time -- still, once done we'll know for sure that
> >>>>
> >>>> things are good and ready.
> >>>
> >>> The html4j repository is just a single step, but it seems to indicate
> that
> >>> we
> >>>
> >>> are moving in the right direction.
> >>>
> >>>
> >>>
> >>> -jt
> >>>
> >>>> Yes, this is taking time -- still, once done we'll know for sure that
> >>>>
> >>>> things are good and ready. We're doing something right now that I had
> >>>>
> >>>> thought we'd be doing throughout incubation in the Apache Git repo.
> >>>
> >>> Instead
> >>>
> >>>> of that, we're doing it before getting it into the Apache Git repo.
> This
> >>>
> >>> is
> >>>
> >>>> something that Oracle wants and must do, itself, i.e., no one else,
> >>>
> >>> outside
> >>>
> >>>> Oracle, should be involved in this since it is Oracle that is donating
> >>>
> >>> the
> >>>
> >>>> code and not anyone else.
> >>>>
> >>>>
> >>>>
> >>>> Hard to give a time estimate for the above, though I imagine some
> weeks
> >>>
> >>> at
> >>>
> >>>> least are involved.
> >>>>
> >>>>
> >>>>
> >>>> We're moving along and there is progress and the end is clear. In the
> >>>> end
> >>>>
> >>>> this will have been a good process for its thoroughness and for having
> >>>>
> >>>> avoided situations with unknown unknowns, since everything will
> >>>
> >>> ultimately
> >>>
> >>>> come to light as this investigation continues.
> >>>>
> >>>>
> >>>>
> >>>> Gj
> >
> >
>
>

Re: Cannot donate MIT code was: Status of Apache NetBeans code donation

[Mark Struberg <st...@yahoo.de.INVALID>]

I share your conclusio. Nemo plus iuris transferre potest quam ipse habet. Oracle cannot grant us anythong which they don't own.

Apart from that there is a separate question where any ASF project can add MIT based code. And the answer is yes, we can [1].
Of course we have to add it to our NOTICE file and we also have to add the MIT license as MIT requires attribution.

So while Oracle cannot grant it to us we can still use it. 
Probably it's easier to have a list of grant-exclusions and keep it in GIT than removing it (leaving a disfunctional project) and then re-adding it again?

LieGrue,
strub

[1] https://www.apache.org/legal/resolved



> Am 03.01.2017 um 14:49 schrieb Jaroslav Tulach <ja...@oracle.com>:
> 
> Hello Emilian,
> great question. Possibly something for Apache mentors to help us explain.
> 
> On úterý 3. ledna 2017 11:54:37 CET Emilian Bold wrote:
>> Why did you remove 2 compatible dependencies which were MIT licensed?
> 
> Originally this puzzled me as well. However it seems logical to me now. Oracle 
> cannot donate knockout.js (even if licensed under compatible MIT license) to 
> Apache as Oracle doesn't own any rights to knockout.js.
> 
>> Downloading the JS from the URL just obfuscates the dependency.
> 
> The dependency is of course still there, but by not having the actual code 
> under the version control system, Oracle could now say: 
> 
> --- begin ---
> All the files that are result of
> 
> $ hg clone https://hg.netbeans.org/html4j/
> $ cd html4j
> $ hg update -C 929563230c07
> 
> are being donated to Apache. 
> --- end ---
> 
> Such simple and exact statement was not possible before.
> 
> It is sort of similar to 3rd party JAR dependencies where the version control 
> system contains only SHA reference to the binary and the actual binary is 
> downloaded during the build.
> 
> -jt
> 
> Btw. wouldn't you be so kind to convert the html4j repository to git?
> 
>> În mar., 3 ian. 2017 la 12:57 Jaroslav Tulach <ja...@oracle.com>
>> 
>> a scris:
>>> Hello NetBeans fans!
>>> 
>>> Here is a few more details on top of Geertjan's  report:
>>> 
>>> On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
>>>> Hi all,
>>>> 
>>>> 
>>>> 
>>>> We've identified the following repos as being the repos we want to
>>>> donate
>>>> 
>>>> to Apache:
>>>> 
>>>> 
>>>> 
>>>> community-ruby (2376 files)
>>>> 
>>>> community-soa (11770 files files)
>>>> 
>>>> community-uml (6365 files)
>>>> 
>>>> community-visualweb (6339 files)
>>>> 
>>>> community-xml (2326 files)
>>>> 
>>>> html4j (280 files)
>>>> 
>>>> jackpot30 (964 files)
>>>> 
>>>> (main)contrib
>>>> 
>>>> (main)misc (5076 files)
>>>> 
>>>> plsql-support (2341 files)
>>>> 
>>>> releases (100548 files)
>>>> 
>>>> releases-l10n (33348 files)
>>> 
>>> If you look at repositories listed at http://hg.netbeans.org you may find
>>> 
>>> "donation_review" branches in some of them.
>>> 
>>>> However, we can't contribute something we haven't reviewed. We can only
>>>> 
>>>> give to Apache what is ours to give. We can't make licensing decisions
>>> 
>>> for
>>> 
>>>> someone else's code. E.g., we can't donate Oracle logos, for example.
>>>> And
>>>> 
>>>> there are several other logos too. We can't donate all kinds of things
>>>> if
>>>> 
>>>> they're not actually ours to donate.
>>> 
>>> The idea is to cleanup the code and put the fixes into the donation_review
>>> 
>>> branch that should then contain files officially donate-able by Oracle to
>>> Apache
>>> 
>>> (insert all the legal warnings describing everything that can go wrong
>>> here).
>>> 
>>>> Starting from the smallest repo, i.e., 'html4j', the repos are being
>>>> 
>>>> reviewed. That particular repo took less than a day to review, yes,
>>> 
>>> someone
>>> 
>>>> is going through the repo paintakingly looking at files for licensing
>>>> 
>>>> concerns and anything else that could be odd for whatever reason. And
>>> 
>>> then
>>> 
>>>> the concerns discovered need to be discussed and handled.
>>> 
>>> Good news is that in case of html4j repository I received the review
>>> comments
>>> 
>>> and addressed them as well as I could. Today I've merged the fixes into
>>> the
>>> 
>>> donation_review branch: https://hg.netbeans.org/html4j/rev/929563230c07
>>> 
>>> 
>>> 
>>> I have good feelings about the review process. The review identified
>>> things
>>> 
>>> that really cannot be donated (knockout.js or safari_logo.png files being
>>> two
>>> 
>>> examples). I have managed to address these issues and still keep the code
>>> 
>>> buildable and functional.
>>> 
>>>> Yes, this is taking time -- still, once done we'll know for sure that
>>>> 
>>>> things are good and ready.
>>> 
>>> The html4j repository is just a single step, but it seems to indicate that
>>> we
>>> 
>>> are moving in the right direction.
>>> 
>>> 
>>> 
>>> -jt
>>> 
>>>> Yes, this is taking time -- still, once done we'll know for sure that
>>>> 
>>>> things are good and ready. We're doing something right now that I had
>>>> 
>>>> thought we'd be doing throughout incubation in the Apache Git repo.
>>> 
>>> Instead
>>> 
>>>> of that, we're doing it before getting it into the Apache Git repo. This
>>> 
>>> is
>>> 
>>>> something that Oracle wants and must do, itself, i.e., no one else,
>>> 
>>> outside
>>> 
>>>> Oracle, should be involved in this since it is Oracle that is donating
>>> 
>>> the
>>> 
>>>> code and not anyone else.
>>>> 
>>>> 
>>>> 
>>>> Hard to give a time estimate for the above, though I imagine some weeks
>>> 
>>> at
>>> 
>>>> least are involved.
>>>> 
>>>> 
>>>> 
>>>> We're moving along and there is progress and the end is clear. In the
>>>> end
>>>> 
>>>> this will have been a good process for its thoroughness and for having
>>>> 
>>>> avoided situations with unknown unknowns, since everything will
>>> 
>>> ultimately
>>> 
>>>> come to light as this investigation continues.
>>>> 
>>>> 
>>>> 
>>>> Gj
> 
> 

Cannot donate MIT code was: Status of Apache NetBeans code donation

[Jaroslav Tulach <ja...@oracle.com>]

Hello Emilian,
great question. Possibly something for Apache mentors to help us explain.

On úterý 3. ledna 2017 11:54:37 CET Emilian Bold wrote:
> Why did you remove 2 compatible dependencies which were MIT licensed?

Originally this puzzled me as well. However it seems logical to me now. Oracle 
cannot donate knockout.js (even if licensed under compatible MIT license) to 
Apache as Oracle doesn't own any rights to knockout.js.

> Downloading the JS from the URL just obfuscates the dependency.

The dependency is of course still there, but by not having the actual code 
under the version control system, Oracle could now say: 

--- begin ---
All the files that are result of

$ hg clone https://hg.netbeans.org/html4j/
$ cd html4j
$ hg update -C 929563230c07

are being donated to Apache. 
--- end ---
 
Such simple and exact statement was not possible before.

It is sort of similar to 3rd party JAR dependencies where the version control 
system contains only SHA reference to the binary and the actual binary is 
downloaded during the build.

-jt

Btw. wouldn't you be so kind to convert the html4j repository to git?

> În mar., 3 ian. 2017 la 12:57 Jaroslav Tulach <ja...@oracle.com>
> 
> a scris:
> > Hello NetBeans fans!
> > 
> > Here is a few more details on top of Geertjan's  report:
> > 
> > On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
> > > Hi all,
> > > 
> > > 
> > > 
> > > We've identified the following repos as being the repos we want to
> > > donate
> > > 
> > > to Apache:
> > > 
> > > 
> > > 
> > > community-ruby (2376 files)
> > > 
> > > community-soa (11770 files files)
> > > 
> > > community-uml (6365 files)
> > > 
> > > community-visualweb (6339 files)
> > > 
> > > community-xml (2326 files)
> > > 
> > > html4j (280 files)
> > > 
> > > jackpot30 (964 files)
> > > 
> > > (main)contrib
> > > 
> > > (main)misc (5076 files)
> > > 
> > > plsql-support (2341 files)
> > > 
> > > releases (100548 files)
> > > 
> > > releases-l10n (33348 files)
> > 
> > If you look at repositories listed at http://hg.netbeans.org you may find
> > 
> > "donation_review" branches in some of them.
> > 
> > > However, we can't contribute something we haven't reviewed. We can only
> > > 
> > > give to Apache what is ours to give. We can't make licensing decisions
> > 
> > for
> > 
> > > someone else's code. E.g., we can't donate Oracle logos, for example.
> > > And
> > > 
> > > there are several other logos too. We can't donate all kinds of things
> > > if
> > > 
> > > they're not actually ours to donate.
> > 
> > The idea is to cleanup the code and put the fixes into the donation_review
> > 
> > branch that should then contain files officially donate-able by Oracle to
> > Apache
> > 
> > (insert all the legal warnings describing everything that can go wrong
> > here).
> > 
> > > Starting from the smallest repo, i.e., 'html4j', the repos are being
> > > 
> > > reviewed. That particular repo took less than a day to review, yes,
> > 
> > someone
> > 
> > > is going through the repo paintakingly looking at files for licensing
> > > 
> > > concerns and anything else that could be odd for whatever reason. And
> > 
> > then
> > 
> > > the concerns discovered need to be discussed and handled.
> > 
> > Good news is that in case of html4j repository I received the review
> > comments
> > 
> > and addressed them as well as I could. Today I've merged the fixes into
> > the
> > 
> > donation_review branch: https://hg.netbeans.org/html4j/rev/929563230c07
> > 
> > 
> > 
> > I have good feelings about the review process. The review identified
> > things
> > 
> > that really cannot be donated (knockout.js or safari_logo.png files being
> > two
> > 
> > examples). I have managed to address these issues and still keep the code
> > 
> > buildable and functional.
> > 
> > > Yes, this is taking time -- still, once done we'll know for sure that
> > > 
> > > things are good and ready.
> > 
> > The html4j repository is just a single step, but it seems to indicate that
> > we
> > 
> > are moving in the right direction.
> > 
> > 
> > 
> > -jt
> > 
> > > Yes, this is taking time -- still, once done we'll know for sure that
> > > 
> > > things are good and ready. We're doing something right now that I had
> > > 
> > > thought we'd be doing throughout incubation in the Apache Git repo.
> > 
> > Instead
> > 
> > > of that, we're doing it before getting it into the Apache Git repo. This
> > 
> > is
> > 
> > > something that Oracle wants and must do, itself, i.e., no one else,
> > 
> > outside
> > 
> > > Oracle, should be involved in this since it is Oracle that is donating
> > 
> > the
> > 
> > > code and not anyone else.
> > > 
> > > 
> > > 
> > > Hard to give a time estimate for the above, though I imagine some weeks
> > 
> > at
> > 
> > > least are involved.
> > > 
> > > 
> > > 
> > > We're moving along and there is progress and the end is clear. In the
> > > end
> > > 
> > > this will have been a good process for its thoroughness and for having
> > > 
> > > avoided situations with unknown unknowns, since everything will
> > 
> > ultimately
> > 
> > > come to light as this investigation continues.
> > > 
> > > 
> > > 
> > > Gj

Re: Status of Apache NetBeans code donation

[Emilian Bold <em...@gmail.com>]

Why did you remove 2 compatible dependencies which were MIT licensed?

Downloading the JS from the URL just obfuscates the dependency.

În mar., 3 ian. 2017 la 12:57 Jaroslav Tulach <ja...@oracle.com>
a scris:

> Hello NetBeans fans!
>
> Here is a few more details on top of Geertjan's  report:
>
>
>
> On pátek 23. prosince 2016 15:27:37 CET Geertjan Wielenga wrote:
>
> > Hi all,
>
> >
>
> > We've identified the following repos as being the repos we want to donate
>
> > to Apache:
>
> >
>
> > community-ruby (2376 files)
>
> > community-soa (11770 files files)
>
> > community-uml (6365 files)
>
> > community-visualweb (6339 files)
>
> > community-xml (2326 files)
>
> > html4j (280 files)
>
> > jackpot30 (964 files)
>
> > (main)contrib
>
> > (main)misc (5076 files)
>
> > plsql-support (2341 files)
>
> > releases (100548 files)
>
> > releases-l10n (33348 files)
>
>
>
> If you look at repositories listed at http://hg.netbeans.org you may find
>
> "donation_review" branches in some of them.
>
>
>
> > However, we can't contribute something we haven't reviewed. We can only
>
> > give to Apache what is ours to give. We can't make licensing decisions
> for
>
> > someone else's code. E.g., we can't donate Oracle logos, for example. And
>
> > there are several other logos too. We can't donate all kinds of things if
>
> > they're not actually ours to donate.
>
>
>
> The idea is to cleanup the code and put the fixes into the donation_review
>
> branch that should then contain files officially donate-able by Oracle to
> Apache
>
> (insert all the legal warnings describing everything that can go wrong
> here).
>
>
>
> > Starting from the smallest repo, i.e., 'html4j', the repos are being
>
> > reviewed. That particular repo took less than a day to review, yes,
> someone
>
> > is going through the repo paintakingly looking at files for licensing
>
> > concerns and anything else that could be odd for whatever reason. And
> then
>
> > the concerns discovered need to be discussed and handled.
>
>
>
> Good news is that in case of html4j repository I received the review
> comments
>
> and addressed them as well as I could. Today I've merged the fixes into the
>
> donation_review branch: https://hg.netbeans.org/html4j/rev/929563230c07
>
>
>
> I have good feelings about the review process. The review identified things
>
> that really cannot be donated (knockout.js or safari_logo.png files being
> two
>
> examples). I have managed to address these issues and still keep the code
>
> buildable and functional.
>
>
>
> > Yes, this is taking time -- still, once done we'll know for sure that
>
> > things are good and ready.
>
>
>
> The html4j repository is just a single step, but it seems to indicate that
> we
>
> are moving in the right direction.
>
>
>
> -jt
>
>
>
> > Yes, this is taking time -- still, once done we'll know for sure that
>
> > things are good and ready. We're doing something right now that I had
>
> > thought we'd be doing throughout incubation in the Apache Git repo.
> Instead
>
> > of that, we're doing it before getting it into the Apache Git repo. This
> is
>
> > something that Oracle wants and must do, itself, i.e., no one else,
> outside
>
> > Oracle, should be involved in this since it is Oracle that is donating
> the
>
> > code and not anyone else.
>
> >
>
> > Hard to give a time estimate for the above, though I imagine some weeks
> at
>
> > least are involved.
>
> >
>
> > We're moving along and there is progress and the end is clear. In the end
>
> > this will have been a good process for its thoroughness and for having
>
> > avoided situations with unknown unknowns, since everything will
> ultimately
>
> > come to light as this investigation continues.
>
> >
>
> > Gj
>
>
>
>
>
>