Posted to legal-discuss@apache.org by Mike Jumper <mj...@apache.org> on 2021/12/23 01:50:50 UTC

Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Hello,

I am currently working on finalizing vault support for Apache
Guacamole, which initially includes support for Azure KeyVault. While
the various libraries involved from Microsoft are all open source, one
library ("azure-annotations") is missing a public copy of its license
file.

The "azure-annotations" library is publicly declared as MIT-licensed
within Maven Central and its pom.xml, and its source is available
within a source .jar on Maven Central, but the actual GitHub
repository for the library is marked private. Since the source .jar
only contains the Java source and no other files, there is no current
way to obtain the "License.txt" referenced within the source.

See: https://github.com/apache/guacamole-client/pull/336#issuecomment-997156397

Any idea how to best proceed? Or are we blocked from moving forward
until we have access to a copy of the "License.txt" file?

Thanks,

- Mike

---------- Forwarded message ---------
From: Mike Jumper <mj...@apache.org>
Date: Fri, Dec 17, 2021 at 1:39 PM
Subject: Re: Git repository for "azure-annotations" library is
missing/private/incorrect
To: Jeff Wilcox <je...@microsoft.com>
Cc: Open Source at Microsoft <op...@microsoft.com>


Thanks for the quick response, Jeff.

Assuming that the repository won't be able to be switched over to
public anytime soon due to the holidays, and assuming that you or
others have access internally, would it be possible for you to send
the relevant "License.txt" file my way?

That would allow me to move forward with Azure Keyvault support for
the time being, as we otherwise have processes in place that would
prevent including that support absent 100% of the licensing and
copyright information. The "License.txt" file is (unfortunately) not
part of the source .jar that is publicly available via Maven Central,
though it is referenced by source comments within that .jar.

- Mike

On Fri, Dec 17, 2021, 09:02 Jeff Wilcox <Je...@microsoft.com> wrote:
>
> Mike,
>
> Thanks for your message. I can confirm that is a private repository right now, and am going to reach out offline to the owners of the repo to share your note.
>
> Given the holidays, I’m not sure we’ll have an answer too quickly.
>
> Jeff
>
> From: Mike Jumper <mj...@apache.org>
> Date: Friday, December 17, 2021 at 3:35 AM
> To: Open Source at Microsoft <op...@microsoft.com>
> Subject: Git repository for "azure-annotations" library is missing/private/incorrect
>
> Hello,
>
> I've been trying to track down the open source license information for the various transitive dependencies of the "azure-keyvault" library, but this information is not fully available. One of the transitive dependencies, "azure-annotations", points to a GitHub repository that either does not exist or is private, producing a 404 when visited:
>
> https://github.com/Microsoft/java-api-annotations
>
> The above repository is declared within the pom.xml for "azure-annotations" as found at Maven Central:
>
> https://search.maven.org/artifact/com.microsoft.azure/azure-annotations/1.10.0/jar
>
> Is there a correct public repository where the full sources, including license information, can be found? Has the relevant repository simply been inadvertently marked as private?
>
> Thanks,
>
> - Mike
>

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
Is there any particular rush in not allowing it to work its way through
MSFT?

Thanks,
Roman.

On Wed, Dec 22, 2021 at 5:51 PM Mike Jumper <mj...@apache.org> wrote:

> Hello,
>
> I am currently working on finalizing vault support for Apache
> Guacamole, which initially includes support for Azure KeyVault. While
> the various libraries involved from Microsoft are all open source, one
> library ("azure-annotations") is missing a public copy of its license
> file.
>
> The "azure-annotations" library is publicly declared as MIT-licensed
> within Maven Central and its pom.xml, and its source is available
> within a source .jar on Maven Central, but the actual GitHub
> repository for the library is marked private. Since the source .jar
> only contains the Java source and no other files, there is no current
> way to obtain the "License.txt" referenced within the source.
>
> See:
> https://github.com/apache/guacamole-client/pull/336#issuecomment-997156397
>
> Any idea how to best proceed? Or are we blocked from moving forward
> until we have access to a copy of the "License.txt" file?
>
> Thanks,
>
> - Mike
>
> ---------- Forwarded message ---------
> From: Mike Jumper <mj...@apache.org>
> Date: Fri, Dec 17, 2021 at 1:39 PM
> Subject: Re: Git repository for "azure-annotations" library is
> missing/private/incorrect
> To: Jeff Wilcox <je...@microsoft.com>
> Cc: Open Source at Microsoft <op...@microsoft.com>
>
>
> Thanks for the quick response, Jeff.
>
> Assuming that the repository won't be able to be switched over to
> public anytime soon due to the holidays, and assuming that you or
> others have access internally, would it be possible for you to send
> the relevant "License.txt" file my way?
>
> That would allow me to move forward with Azure Keyvault support for
> the time being, as we otherwise have processes in place that would
> prevent including that support absent 100% of the licensing and
> copyright information. The "License.txt" file is (unfortunately) not
> part of the source .jar that is publicly available via Maven Central,
> though it is referenced by source comments within that .jar.
>
> - Mike
>
> On Fri, Dec 17, 2021, 09:02 Jeff Wilcox <Je...@microsoft.com> wrote:
> >
> > Mike,
> >
> > Thanks for your message. I can confirm that is a private repository
> > right now, and am going to reach out offline to the owners of the repo to
> > share your note.
> >
> > Given the holidays, I’m not sure we’ll have an answer too quickly.
> >
> > Jeff
> >
> > From: Mike Jumper <mj...@apache.org>
> > Date: Friday, December 17, 2021 at 3:35 AM
> > To: Open Source at Microsoft <op...@microsoft.com>
> > Subject: Git repository for "azure-annotations" library is
> > missing/private/incorrect
> >
> > Hello,
> >
> > I've been trying to track down the open source license information for
> > the various transitive dependencies of the "azure-keyvault" library, but
> > this information is not fully available. One of the transitive
> > dependencies, "azure-annotations", points to a GitHub repository that
> > either does not exist or is private, producing a 404 when visited:
> >
> > https://github.com/Microsoft/java-api-annotations
> >
> > The above repository is declared within the pom.xml for
> > "azure-annotations" as found at Maven Central:
> >
> > https://search.maven.org/artifact/com.microsoft.azure/azure-annotations/1.10.0/jar
> >
> > Is there a correct public repository where the full sources, including
> > license information, can be found? Has the relevant repository simply been
> > inadvertently marked as private?
> >
> > Thanks,
> >
> > - Mike
> >

Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> and its source is available within a source .jar on Maven Central


Sorry I missed that bit, so I guess it does meet the minimum requirements.

Currently how would you make a PR to this project? Do we know roughly when the repo will be made public?

Kind Regards,
Justin


Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by Gary Gregory <ga...@gmail.com>.
A "-source" jar on Maven central will rarely build indeed, since it won't
normally contain build files like a POM or Ant build file. It is only used
as a view on the classes. A "src" or "bin" zip file can sometimes but
rarely be found on Central. Those might sometimes be helpful depending on
what you are trying to do.

The only way to build is from git or from an "src" zip or gz file. The zip
files you get from an Apache project's download page or a mirror.

Gary

On Thu, Jan 6, 2022, 10:04 Ralph Goers <ra...@dslextreme.com> wrote:

> A source jar on Maven central is not necessarily a buildable version of
> the source. Typically, it is enough to let you view the source in your IDE
> but may not have all the other stuff required to perform a build.
>
> Ralph
>
> > On Dec 26, 2021, at 1:59 PM, David Jencks <da...@gmail.com> wrote:
> >
> > ? To quote,
> >
> > and its source is available
> > within a source .jar on Maven Central
> >
> > My understanding of how Apache works is that only the source in released
> > artifacts is supported by any legal protection by the Foundation and that
> > the VCS serves as an internal way of helping PMC members track whether they
> > are willing to vote yes on a proposed release artifact.  I don’t think the
> > open source status of our products would be affected by making all the
> > Apache VCS repositories unavailable to the public.  Anyone can take the
> > released source, put it into a VCS of their choice, work on it, and submit
> > a patch via email. Probably no one would, but this is a thought experiment.
> >
> > David Jencks
> >
> >> On Dec 26, 2021, at 12:15 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> >>
> >> Hi,
> >>
> >> I’m concerned that this software is not open source. It may have a
> >> permissive OS license but if the source code is not publicly available how
> >> can it be open source?
> >>
> >> Kind Regards,
> >> Justin

Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by Ralph Goers <ra...@dslextreme.com>.
A source jar on Maven central is not necessarily a buildable version of the source. Typically, it is enough to let you view the source in your IDE but may not have all the other stuff required to perform a build.

Ralph

> On Dec 26, 2021, at 1:59 PM, David Jencks <da...@gmail.com> wrote:
> 
> ? To quote,
> 
> and its source is available
> within a source .jar on Maven Central
> 
> My understanding of how Apache works is that only the source in released artifacts is supported by any legal protection by the Foundation and that the VCS serves as an internal way of helping PMC members track whether they are willing to vote yes on a proposed release artifact.  I don’t think the open source status of our products would be affected by making all the Apache VCS repositories unavailable to the public.  Anyone can take the released source, put it into a VCS of their choice, work on it, and submit a patch via email. Probably no one would, but this is a thought experiment.
> 
> David Jencks
> 
>> On Dec 26, 2021, at 12:15 PM, Justin Mclean <ju...@classsoftware.com> wrote:
>> 
>> Hi,
>> 
>> I’m concerned that this software is not open source. It may have a permissive OS license but if the source code is not publicly available how can it be open source?
>> 
>> Kind Regards,
>> Justin


Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by David Jencks <da...@gmail.com>.
? To quote,

and its source is available
within a source .jar on Maven Central

My understanding of how Apache works is that only the source in released artifacts is supported by any legal protection by the Foundation and that the VCS serves as an internal way of helping PMC members track whether they are willing to vote yes on a proposed release artifact.  I don’t think the open source status of our products would be affected by making all the Apache VCS repositories unavailable to the public.  Anyone can take the released source, put it into a VCS of their choice, work on it, and submit a patch via email. Probably no one would, but this is a thought experiment.

David Jencks

> On Dec 26, 2021, at 12:15 PM, Justin Mclean <ju...@classsoftware.com> wrote:
> 
> Hi,
> 
> I’m concerned that this software is not open source. It may have a permissive OS license but if the source code is not publicly available how can it be open source?
> 
> Kind Regards,
> Justin


Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

I’m concerned that this software is not open source. It may have a permissive OS license but if the source code is not publicly available how can it be open source?

Kind Regards,
Justin


Re: Handling lack of access to upstream license files (Was: Fwd: Git repository for "azure-annotations" library is missing/private/incorrect)

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
A public copy of its license file is not necessary if the copyright owner
declares that it has been licensed under known public terms. MIT is certainly
a well known set of license terms. However, only the copyright owner can
make such a declaration.

Think of it this way: Only the copyright owner has standing to sue for
infringement. We can rely on anything the copyright owner writes, to us
or to the public, regarding its license (permission to do what copyright
otherwise reserves to the owner). If the copyright owner is vague
about the terms, they are responsible for that vagueness because
they chose the terms. However, an owner can change their terms
at a later time and give people reasonable time to adhere or cease
redistribution.

OTOH, if there are multiple copyright owners, it is far safer to have a
written set of license terms that all contributors have agreed to. One
way to prove that such terms exist is to be able to point to a file containing
them in the distribution.

....Roy

> On Dec 22, 2021, at 5:50 PM, Mike Jumper <mj...@apache.org> wrote:
> 
> Hello,
> 
> I am currently working on finalizing vault support for Apache
> Guacamole, which initially includes support for Azure KeyVault. While
> the various libraries involved from Microsoft are all open source, one
> library ("azure-annotations") is missing a public copy of its license
> file.
> 
> The "azure-annotations" library is publicly declared as MIT-licensed
> within Maven Central and its pom.xml, and its source is available
> within a source .jar on Maven Central, but the actual GitHub
> repository for the library is marked private. Since the source .jar
> only contains the Java source and no other files, there is no current
> way to obtain the "License.txt" referenced within the source.
> 
> See: https://github.com/apache/guacamole-client/pull/336#issuecomment-997156397
> 
> Any idea how to best proceed? Or are we blocked from moving forward
> until we have access to a copy of the "License.txt" file?
> 
> Thanks,
> 
> - Mike
> 
> ---------- Forwarded message ---------
> From: Mike Jumper <mj...@apache.org>
> Date: Fri, Dec 17, 2021 at 1:39 PM
> Subject: Re: Git repository for "azure-annotations" library is
> missing/private/incorrect
> To: Jeff Wilcox <je...@microsoft.com>
> Cc: Open Source at Microsoft <op...@microsoft.com>
> 
> 
> Thanks for the quick response, Jeff.
> 
> Assuming that the repository won't be able to be switched over to
> public anytime soon due to the holidays, and assuming that you or
> others have access internally, would it be possible for you to send
> the relevant "License.txt" file my way?
> 
> That would allow me to move forward with Azure Keyvault support for
> the time being, as we otherwise have processes in place that would
> prevent including that support absent 100% of the licensing and
> copyright information. The "License.txt" file is (unfortunately) not
> part of the source .jar that is publicly available via Maven Central,
> though it is referenced by source comments within that .jar.
> 
> - Mike
> 
> On Fri, Dec 17, 2021, 09:02 Jeff Wilcox <Je...@microsoft.com> wrote:
>> 
>> Mike,
>> 
>> Thanks for your message. I can confirm that is a private repository right now, and am going to reach out offline to the owners of the repo to share your note.
>> 
>> Given the holidays, I’m not sure we’ll have an answer too quickly.
>> 
>> Jeff
>> 
>> From: Mike Jumper <mj...@apache.org>
>> Date: Friday, December 17, 2021 at 3:35 AM
>> To: Open Source at Microsoft <op...@microsoft.com>
>> Subject: Git repository for "azure-annotations" library is missing/private/incorrect
>> 
>> Hello,
>> 
>> I've been trying to track down the open source license information for the various transitive dependencies of the "azure-keyvault" library, but this information is not fully available. One of the transitive dependencies, "azure-annotations", points to a GitHub repository that either does not exist or is private, producing a 404 when visited:
>> 
>> https://github.com/Microsoft/java-api-annotations
>> 
>> The above repository is declared within the pom.xml for "azure-annotations" as found at Maven Central:
>> 
>> https://search.maven.org/artifact/com.microsoft.azure/azure-annotations/1.10.0/jar
>> 
>> Is there a correct public repository where the full sources, including license information, can be found? Has the relevant repository simply been inadvertently marked as private?
>> 
>> Thanks,
>> 
>> - Mike
>> 