Hi peeps,
talks about this have been on the infrastructure, the community, the
jakarta-general and the cocoon-dev list recently (and possibly other
places as well I'm not tracking).
first of: IANAL and I hate having to worry about licensing issues. I'll
be contacting Sun to complain about the rediculous complexity of their
licensing.
---
recent board decree (saw it first on the infrastructure list)
(paraphrasing): the ASF must not distribute software packages (in any
form) licensed under LGPL, GPL or Sun Binary Code License in any way.
Licenses which have been specifically identified as okay include IBM
Public License and MPL. I assume ASL-style and BSD-style are also okay
(relevant for our inclusion and redistribution of qdox, mx4j). Two
public domain packages, namely DougLea's threadutils and antlr have also
been marked as acceptable. But all this has not been stated as strongly
just yet. An attempt is now underway to get this sorted.
---
What is more or less clear at this point is that the current setup I
just put in place for avalon-framework where some Sun BCL code is
downloaded from ibiblio is in breach of license (it won't work anymore
either, as the problematic jars have been removed, so I guess it is
already no longer in breach), whereas the setup we use in logkit (where
the user must actively agree to the BCL license and download the code
themselves) /seems/ to be acceptable.
I've identified the following jars in avalon CVS repositories which seem
like they should be removed based on the information above:
- checkstyle (jakarta-avalon-apps/tools/checkstyle-all.jar and
other places) (LGPL)
- hsqldb (jakarta-avalon-apps/hsql/lib/hsqldb.jar)
(custom license)
- jsch (jakarta-avalon-excalibur/altrmi/jsch-0-0-11.jar) (LGPL)
There are lots of jars all over the avalon CVS repositories for which
the license is perfectly acceptable but not specified, for example of
jars which are ASL-licensed, like xerces.
I am not done checking yet, but I believe none of the avalon
distributions provide any of these potentially problematic jars.
I've found more than a few jars under "non-standard" BSD-style or
ASL-style licenses, like jdom, mx4j, qdox, jing and isorelax which I am
relatively sure are okay but IANAL.
---
I think we should remove the checkstyle, hsqldb and jsch jars. We should
also make sure all "autofetch" functionality is only provided after the
user has agreed to the applicable license. For the Sun BCL, the user
must download and install the files themselves. For the "non-standard"
BSD-style and ASL-style licenses we must take part in the effort to get
this thing sorted and receive a green light from the board.
---
The board has asked that all apache contributors act proactively on this
matter, performing an audit of ASF distributions, and taking part in
clarifying and removing any licensing issues. I believe the goal is to
get things clarified and settled within two weeks, in time for the next
board meeting. Please follow-up on [EMAIL PROTECTED]
---
cheers & g'night,
- Leo
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
