[ https://issues.apache.org/jira/browse/INCUBATOR-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17149872#comment-17149872 ]
Leonard Lausen edited comment on INCUBATOR-253 at 7/2/20, 5:08 AM:
-------------------------------------------------------------------

I'm including below an excerpt from the MXNet report to the Incubator:

{code}
#### Issues with releases and distributions

##### Background

In May 2020 the MXNet PPMC proactively initiated an ASF policy compliance review [1] and a license review [2] with the Apache Legal team.

The license review uncovered that:

- Building unmodified MXNet release source code with the optional NVidia GPU support enabled results in a binary subject to the restrictions of the NVidia EULA.
- PPMC members and committers uploaded convenience releases to repository.apache.org which contain Category-X components. Both GPL and NVidia EULA components were found.

The policy review uncovered that:

- Prior ASF guidance to the PPMC (December 2018 legal review [3]) was incomplete and did not include a reference to the "unwritten" rule that convenience binary distributions created by third-parties using ASF Trademarks must not include Category-X components. Based on this discovery, the Draft Downstream Distribution Branding Policy was updated in June 2020 to include the "unwritten" requirement. Based on the updated guidance, the PPMC discovered various third-party trademark infringements.

The policy review did not yet conclude on the question whether:

- The PPMC may create nightly development builds (audience restricted to dev list subscribers as per the Release policy [4]) for the purpose of testing and developing MXNet.

##### List of issues and their status

Justin classified the issues into 14 items.

1. Source and convenience binary releases containing Category X licensed code.
   See summary from license review in Background section. Source code releases do not contain Category X code; takedown of binary releases on repository.apache.org is pending on Apache Infra. (Trademark infringements of 3rd-parties such as on PyPI are discussed separately.)

2. Website giving access to downloads of non released/unapproved code.
   Website contained links to nightly development builds which have been removed [5]. Going forward the PPMC intends to begin periodical voting on Alpha and Beta Releases which will then be linked from the website.

3. Website giving access to releases containing Category X licensed code.
   Website contained links to third-party distributions incorporating Category-X components (see summary from license review above). Disclaimers were added to the website clarifying the third-party status of the releases and their licenses. [5]

4. Web site doesn't give enough warning to users of the issues with non (P)PMC releases or making it clear that these are not ASF releases.
   Website contained links to third-party distributions incorporating Category-X components (see summary from license review above). Disclaimers were added to the website clarifying the third-party status of the releases and their licenses. [5]

5. Maven releases containing Category X licensed code.
   See summary from license review in Background section. Source code releases do not contain Category X code; takedown of binary releases on repository.apache.org is pending on Apache Infra. [6] (Trademark infringements of 3rd-parties are discussed separately.)

6. PyPI releases containing Category X licensed code.
   There are no PyPI releases by the PPMC. Please refer to the trademark infringement section of the report.

7. Docker releases containing Category X licensed code.
   There are no Docker releases by the PPMC. Please refer to the trademark infringement section of the report.

8. Docker releases containing unreleased/unapproved code.
   There are no Docker releases by the PPMC. The existence of third-party releases containing unreleased code was approved in [3] and is also in line with the current Downstream Distribution Branding Draft Policy ("using any particular revision from the development branch is OK" [3]).

9. Trademark and branding issues with PyPI and Docker releases.
   There are no PyPI releases by the PPMC. Please refer to the trademark infringement section of the report.

10. Trademark and brand issues with naming of releases.
    There are no binary releases by the PPMC besides the repository.apache.org releases discussed above, which are being removed. Please refer to the trademark infringement section of the report.

11. Developer releases available to users and publicly searchable: https://repo.mxnet.io / https://dist.mxnet.io
    Links to the nightly development builds were removed from the MXNet website and a robots.txt file was added to prevent indexing of the sites. These websites have been removed from the Google search index.

12. Releases and other nightly builds on https://repo.mxnet.io / https://dist.mxnet.io containing Category X licensed code.
    Neither of the two sites contains releases. It is an open question of the policy review (see Background section above) whether nightly development builds may or may not contain Category X components.

13. Lack of clarity on all platforms for what is an ASF release and what is not.
    https://github.com/apache/incubator-mxnet/releases?after=1.2.0 previously did not distinguish MXNet releases made prior to MXNet joining the Incubator. Disclaimers were added. Other PPMC platforms do not contain references to non-ASF releases (MXNet releases made prior to MXNet joining the ASF). The PPMC is aware of old third-party releases created prior to MXNet joining the ASF which are still available, but they can be clearly separated from the ASF MXNet releases due to the lack of reference to the Apache foundation. The PPMC was able to find an example of such a release at [7]. If there are concerns from the Incubator, the PPMC can request the third-parties to take down these releases, as editing their description to include references to events (MXNet joining Apache) is not supported due to immutability constraints. [8]

14. Branding and release of 3rd parties containing unreleased code (e.g. https://docs.nvidia.com/deeplearning/frameworks/mxnet-release-notes/rel_20-03.html).
    Please refer to the trademark infringement section of the report.

[1]: https://issues.apache.org/jira/browse/LEGAL-515
[2]: https://issues.apache.org/jira/browse/LEGAL-516
[3]: https://s.apache.org/flvug
[4]: http://www.apache.org/legal/release-policy.html#publication
[5]: https://github.com/apache/incubator-mxnet/commit/b6b40878f0aba2ba5509f3f3a4cd517a654847ce#diff-19bc831c1dab6d92d2efc3b87ec5c740
[6]: https://issues.apache.org/jira/browse/INFRA-20442
[7]: https://pypi.org/project/mxnet/0.9.5/
[8]: https://mail.python.org/pipermail/distutils-sig/2017-December/031826.html

#### Is the PPMC managing the podling's brand / trademarks? Are 3rd parties respecting and correctly using the podling's name and brand? If not what actions has the PPMC taken to correct this? Has the VP, Brand approved the project name?

The PPMC notes that there are multiple trademark infringements based on both the redistribution of MXNet with addition of unreleased code and the redistribution of MXNet with Category-X GPL and Category-X NVidia components. The PPMC intends to handle both issues separately:

##### Unauthorized redistribution of unreleased code by third-parties

PPMC members have reached out to the offending third parties (Nvidia Corporation and Amazon Web Services) via unofficial channels and notified them of the problem. If the problem is not resolved by the end of July 2020, the PPMC will request guidance from the Brand Management Team on how to formally notify the offenders of their trademark infringement.

##### Unauthorized redistribution of Category-X GPL and NVidia CUDA EULA components by third-parties

PPMC members note that the issue of "NVidia CUDA EULA infecting any application built with CUDA support" is an industry-wide problem. The PPMC is not aware of any individual or corporation correctly labeling their binary distributions subject to the NVidia CUDA EULA. Instead, the PPMC found that, for example, Facebook claims distribution of PyTorch under the BSD License (BSD-3) and Google claims distribution of Tensorflow under the Apache 2.0 License, despite both being subject to the CUDA EULA. Thus, the PPMC has contacted NVidia Corporation and requested NVidia Corporation to add clarifying language that applications based on the CUDA SDK with material additional functionality may be licensed under a license of the application owner's choice, consistent with existing industry "practice". The issue was also discussed with NVidia and other Deep Learning Framework implementers during the Nvidia Deep Learning Framework Developer Council meeting, during which NVidia promised to conclude their internal review and follow up with the PPMC.

The PPMC thus recommends giving NVidia the chance to clarify and improve their license. As NVidia employs a team working on MXNet, the PPMC is optimistic about receiving a detailed clarification and resolution from NVidia. If NVidia fails to clarify their license or the resolution is unsatisfactory within Q3 2020, the PPMC will notify any third-parties about their license infringement and ask them to take down or rename their redistributions containing Category-X pieces. Due to the substantial overhead of trademark-infringement takedown notices for any involved party, the PPMC is further awaiting NVidia's clarification prior to contacting third-parties about trademark infringement due to inclusion of GPL components. This is to avoid sending two separate takedown notices in case of an unsatisfactory response by NVidia.

The following downstream software distributors are known to the PPMC to be using the name MXNet while redistributing Category-X components:

- pypi.org
- hub.docker.com
- ngc.nvidia.com
- aws.amazon.com
{code}

> Issues with MXNet releases and their distribution
> -------------------------------------------------
>
>                 Key: INCUBATOR-253
>                 URL: https://issues.apache.org/jira/browse/INCUBATOR-253
>             Project: Incubator
>          Issue Type: Improvement
>            Reporter: Justin Mclean
>            Assignee: Justin Mclean
>            Priority: Major
>
> The main issues are:
> 1. Source and convenience binary releases containing Category X licensed code.
> 2. Website giving access to downloads of non released/unapproved code.
> 3. Website giving access to releases containing Category X licensed code.
> 4. Web site doesn't give enough warning to users of the issues with non (P)PMC releases or making it clear that these are not ASF releases.
> 5. Maven releases containing Category X licensed code.
> 6. PyPI releases containing Category X licensed code.
> 7. Docker releases containing Category X licensed code.
> 8. Docker releases containing unreleased/unapproved code.
> 9. Trademark and branding issues with PyPI and Docker releases.
> 10. Trademark and brand issues with naming of releases.
> 11. Developer releases available to users and publicly searchable: https://repo.mxnet.io / https://dist.mxnet.io
> 12. Releases and other nightly builds on https://repo.mxnet.io / https://dist.mxnet.io containing Category X licensed code.
> 13. Lack of clarity on all platforms for what is an ASF release and what is not.
> 14. Branding and release of 3rd parties containing unreleased code. (e.g. https://docs.nvidia.com/deeplearning/frameworks/mxnet-release-notes/rel_20-03.html)
>
> For PyPI see:
> https://pypi.org/project/mxnet/
>
> For Docker see:
> https://hub.docker.com/u/mxnet
>
> For web site pages see:
> https://mxnet.apache.org/get_started?
> https://mxnet.apache.org/get_started/download
>
> I may have missed something, if so please add it.

--
This message was sent by Atlassian Jira (v8.3.4#803005)