Re: Central repository, bundle-create and distribution of licenses

2010-05-19 Thread Mark H. Wood
On Tue, May 18, 2010 at 07:52:48PM +0100, Bruno Harbulot wrote:
 I'm not saying that the central repo should investigate each and every 
 case to check that it's indeed true, but it should make it mandatory to 
 have a licence at least so as to avoid putting software that is 
 mistakenly unattributed (and thus often in breach of the licence).

What is the URL for the license to software which is placed in the
public domain?  If you can answer that, then yes, I'd agree that it
would be reasonable for a repo to check that the POM lists a license
and even that the link is not broken.  What is *in* that target
document is probably beyond the scope of the present software.  If
it's a copy of Jabberwocky or Lorem Ipsum, that's the submitter's
problem.

 As a publisher of a piece of software, I did put the LICENSE.txt file in 
 my bundle linked from http://jira.codehaus.org/browse/MAVENUPLOAD-2293 
 (via the default settings of maven-repository-plugin 2.0 at the time), 
 having the expectation that it would be distributed along with the 
 artifacts in the bundle.

What led you to believe that this would happen?  If you put it into a
src/main/resources directory then it should have been packed up into
the archive, but I don't see anything which says that anything else
shall be done with it.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a 
little more than 2 percent of world population has broadband.
-- Ledford and Tyler, _Google Analytics 2.0_




Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot

Hi,

I've just submitted this issue: http://jira.codehaus.org/browse/MNG-4680

However, I'm told this wasn't the right place to submit. I'm not sure.
To me, one of the key features of Apache Maven (if not the main feature) 
is its repository mechanism. This makes the redistribution of software 
via those repositories a core function of Maven.
In addition, Maven's success is largely based on its central repository 
I think (would anyone disagree?), which distributes mostly open-source 
software, which in turn has licences that apply to its redistribution in 
most cases.


It appears that the distribution model hasn't fully taken into 
consideration the problem of licences. Considering that the central 
repository is in breach of a number of such OSS licences, I'd say 
there's something wrong with the model in that respect (hence filing the 
issue with the core framework MNG).



On 16/05/10 02:00, Brian Fox wrote:

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included.


Indeed, some projects have it in the META-INF directory, even with the 
binary distribution. (It's not bad, but it's not an obvious place. 
Putting them along with the POM would make it a bit clearer.)


There is definitely something wrong with the convention over 
configuration aspect. Whether that's strictly MNG domain or not is 
debatable indeed. However, if you follow the guidelines in the guides 
(e.g. licence placed as described in [1]), the licence doesn't end up 
either in META-INF or anywhere in the repository.


Is it just a documentation shortcoming, or is it a flaw in the 
architecture of Maven? There definitely is a flaw in the central 
repository, since it's clearly redistributing some software without the 
adequate licence.



I think these things are definitely fixable, and I'm not after an 
immediate fix, but I think the issue needs more consideration w.r.t. 
documentation or design of Maven, rather than saying it's the packager's 
or the repository's problem.



Best wishes,

Bruno.


[1] 
http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html



-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org



Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Justin Edelson
I thought it was well-established that you should include the license
inside binary and source artifacts. What exactly is your reason for
thinking this isn't a good idea? Saying that it isn't obvious doesn't
really count IMHO as this is highly subjective.

Justin

On 5/18/10 1:09 PM, Bruno Harbulot wrote:
 Hi,
 
 I've just submitted this issue: http://jira.codehaus.org/browse/MNG-4680
 
 However, I'm told this wasn't the right place to submit. I'm not sure.
 To me, one of the key features of Apache Maven (if not the main feature)
 is its repository mechanism. This makes the redistribution of software
 via those repositories a core function of Maven.
 In addition, Maven's success is largely based on its central repository
 I think (would anyone disagree?), which distributes mostly open-source
 software, which in turn has licences that apply to its redistribution in
 most cases.
 
 It appears that the distribution model hasn't fully taken into
 consideration the problem of licences. Considering that the central
 repository is in breach of a number of such OSS licences, I'd say
 there's something wrong with the model in that respect (hence filing the
 issue with the core framework MNG).
 
 
 On 16/05/10 02:00, Brian Fox wrote:
 What I meant by usually was that if someone wants to include the
 license text, it's done inside the archives. Take a look at any recent
 apache jar for example and you'll find LICENSE and NOTICE prominently
 included.
 
 Indeed, some projects have it in the META-INF directory, even with the
 binary distribution. (It's not bad, but it's not an obvious place.
 Putting them along with the POM would make it a bit clearer.)
 
 There is definitely something wrong with the convention over
 configuration aspect. Whether that's strictly MNG domain or not is
 debatable indeed. However, if you follow the guidelines in the guides
 (e.g. licence placed as described in [1]), the licence doesn't end up
 either in META-INF or anywhere in the repository.
 
 Is it just a documentation shortcoming, or is it a flaw in the
 architecture of Maven? There definitely is a flaw in the central
 repository, since it's clearly redistributing some software without the
 adequate licence.
 
 
 I think these things are definitely fixable, and I'm not after an
 immediate fix, but I think the issue needs more consideration w.r.t.
 documentation or design of Maven, rather than saying it's the packager's
 or the repository's problem.
 
 
 Best wishes,
 
 Bruno.
 
 
 [1]
 http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html
 
 
 
 





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Ron Wheeler

On 18/05/2010 1:09 PM, Bruno Harbulot wrote:

Hi,

I've just submitted this issue: http://jira.codehaus.org/browse/MNG-4680

However, I'm told this wasn't the right place to submit. I'm not sure.
To me, one of the key features of Apache Maven (if not the main 
feature) is its repository mechanism. This makes the redistribution of 
software via those repositories a core function of Maven.
In addition, Maven's success is largely based on its central 
repository I think (would anyone disagree?), which distributes mostly 
open-source software, which in turn has licences that apply to its 
redistribution in most cases.


It appears that the distribution model hasn't fully taken into 
consideration the problem of licences. Considering that the central 
repository is in breach of a number of such OSS licences, I'd say 
there's something wrong with the model in that respect (hence filing 
the issue with the core framework MNG).



On 16/05/10 02:00, Brian Fox wrote:

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included.


Indeed, some projects have it in the META-INF directory, even with the 
binary distribution. (It's not bad, but it's not an obvious place. 
Putting them along with the POM would make it a bit clearer.)


There is definitely something wrong with the convention over 
configuration aspect. Whether that's strictly MNG domain or not is 
debatable indeed. However, if you follow the guidelines in the guides 
(e.g. licence placed as described in [1]), the licence doesn't end up 
either in META-INF or anywhere in the repository.


Is it just a documentation shortcoming, or is it a flaw in the 
architecture of Maven? There definitely is a flaw in the central 
repository, since it's clearly redistributing some software without 
the adequate licence.



I think these things are definitely fixable, and I'm not after an 
immediate fix, but I think the issue needs more consideration w.r.t. 
documentation or design of Maven, rather than saying it's the 
packager's or the repository's problem.


1) If people are distributing their own software in violation of their 
own licensing, it is their problem.
2) If people are distributing other people's software in violation of 
the licencing, they should stop.


Hard to see how this is a Maven problem or how Maven could fix it. Case 
#1 is clearly the prerogative of the owner of the software.
Case #2 would be hard to detect without having a big investigation for 
every package being uploaded to be sure that it is a violation before 
rejecting it. Very difficult to automate.
Lots of projects have lots of committers and who owns an open source 
project would be more a question of ego than law in many cases.


More trouble than it is worth and more likely to do more damage than good.

Ron



Best wishes,

Bruno.


[1] 
http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html 












Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 18/05/2010 18:25, Justin Edelson wrote:

I thought it was well-established that you should include the license
inside binary and source artifacts.
What exactly is your reason for
thinking this isn't a good idea? Saying that it isn't obvious doesn't
really count IMHO as this is highly subjective.


I'm not sure if that's well-established. There are a number of artifacts 
in the central repository that clearly don't, so that's subjective too.
You're right, the only reason I think it's better outside the jar itself 
is to make it a bit more visible. Whether the licence is within the 
jar's META-INF or next to the jar is a minute detail indeed. Having it 
within the jar would make it distributed with the jar of course (which 
is a good thing).


Clarification of the documentation and/or mechanisms on how to 
redistribute the licences properly with the software is what I'm 
suggesting. In terms of core Maven mechanism, that could consist of an 
improvement with respect to the convention over configuration principle 
that Maven follows.


Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 18/05/2010 18:33, Ron Wheeler wrote:

1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licencing, they should stop.

Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.


True.



Case #2 would be hard to detect without having a big investigation for
every package being uploaded to be sure that it is a violation before
rejecting it. Very difficult to automate.


I'm not saying that the central repo should investigate each and every 
case to check that it's indeed true, but it should make it mandatory to 
have a licence at least so as to avoid putting software that is 
mistakenly unattributed (and thus often in breach of the licence).


There's a shortcoming in terms of mechanism in place. It is the 
responsibility of whoever's hosting a Maven repository (in particular 
the central repository) to check that they redistribute software under 
the suitable licence. The central repository clearly fails in that 
respect. Once again, I don't see why people don't seem to realise that 
the central repository is redistributing software. Isn't that obvious?


I would like Maven (documentation or design) to have more guidance or an 
in-built mechanism to help publishers and more often distributors not to 
break those licences. (Some convention over configuration would be good 
here.)



As a publisher of a piece of software, I did put the LICENSE.txt file in 
my bundle linked from http://jira.codehaus.org/browse/MAVENUPLOAD-2293 
(via the default settings of maven-repository-plugin 2.0 at the time), 
having the expectation that it would be distributed along with the 
artifacts in the bundle.
While I'm not expecting the central repository to do a big investigation to 
find that licence, I would expect the bare minimum of using what was 
automatically bundled when following the official guidelines, more so 
considering that including that LICENSE.txt file was mandatory with the 
maven-repository-plugin version at the time.
The content of the bundle did end up in the central repository, except 
the licence.
Subsequently, when people put this artifact's ID in their POM and 
Maven downloads it from the central repository, the central repository 
redistributes those files without the licence: that's a breach of the 
licence.


The point here is that I'm not really arguing there should be a better 
system to protect our interests, I'm arguing there should be a better 
system to protect Maven repositories, especially the central one: 
they're the ones redistributing software and they're the ones at fault.




Lots of projects have lots of committers and who owns an open source
project would be more a question of ego than law in many cases.


(True, but that's what contributor licence agreements are for.)



Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Justin Edelson
On 5/18/10 2:50 PM, Bruno Harbulot wrote:
 
 
 On 18/05/2010 18:25, Justin Edelson wrote:
 I thought it was well-established that you should include the license
 inside binary and source artifacts.
 What exactly is your reason for
 thinking this isn't a good idea? Saying that it isn't obvious doesn't
 really count IMHO as this is highly subjective.
 
 I'm not sure if that's well-established. There are a number of artifacts
 in the central repository that clearly don't, so that's subjective too.
We can't change the past. But I think (almost) every Apache project is
now doing the right thing.

 You're right, the only reason I think it's better outside the jar itself
 is to make it a bit more visible. Whether the licence is within the
 jar's META-INF or next to the jar is a minute detail indeed. Having it
 within the jar would make it distributed with the jar of course (which
 is a good thing).
 
 Clarification of the documentation and/or mechanisms on how to
 redistribute the licences properly with the software is what I'm
 suggesting. In terms of core Maven mechanism, that could consist of an
 improvement with respect to the convention over configuration principle
 that Maven follows.
I agree that the documentation can be improved with respect to this. You
can certainly submit some documentation patches on this point. I'm not
sure what core changes would be involved. There's probably some
possible enforcer plugin, but ultimately it's not Maven's job to
interpret the semantics of a license - that's something developers need
to be responsible for.

Justin

 
 Best wishes,
 
 Bruno.
 
 
 





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Ron Wheeler

On 18/05/2010 2:52 PM, Bruno Harbulot wrote:



On 18/05/2010 18:33, Ron Wheeler wrote:

1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licencing, they should stop.

Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.


True.



Case #2 would be hard to detect without having a big investigation for
every package being uploaded to be sure that it is a violation before
rejecting it. Very difficult to automate.


I'm not saying that the central repo should investigate each and every 
case to check that it's indeed true, but it should make it mandatory 
to have a licence at least so as to avoid putting software that is 
mistakenly unattributed (and thus often in breach of the licence).


There's a shortcoming in terms of mechanism in place. It is the 
responsibility of whoever's hosting a Maven repository (in particular 
the central repository) to check that they redistribute software under 
the suitable licence. The central repository clearly fails in that 
respect. Once again, I don't see why people don't seem to realise that 
the central repository is redistributing software. Isn't that obvious?


I would like Maven (documentation or design) to have more guidance or 
an in-built mechanism to help publishers and more often distributors 
not to break those licences. (Some convention over configuration would 
be good here.)



As a publisher of a piece of software, I did put the LICENSE.txt file 
in my bundle linked from 
http://jira.codehaus.org/browse/MAVENUPLOAD-2293 (via the default 
settings of maven-repository-plugin 2.0 at the time), having the 
expectation that it would be distributed along with the artifacts in 
the bundle.
While I'm not expecting the central repository to do a big investigation to 
find that licence, I would expect the bare minimum of using what was 
automatically bundled when following the official guidelines, more so 
considering that including that LICENSE.txt file was mandatory with 
the maven-repository-plugin version at the time.
The content of the bundle did end up in the central repository, except 
the licence.
Subsequently, when people put this artifact's ID in their POM and 
Maven downloads it from the central repository, the central repository 
redistributes those files without the licence: that's a breach of the 
licence.
That makes sense. Modifying an uploaded package to remove licenses 
cannot be a good thing.




The point here is that I'm not really arguing there should be a better 
system to protect our interests, I'm arguing there should be a better 
system to protect Maven repositories, especially the central one: 
they're the ones redistributing software and they're the ones at fault.




Lots of projects have lots of committers and who owns an open source
project would be more a question of ego than law in many cases.


(True, but that's what contributor licence agreements are for.)



But how is a repository to know
1) Who is allowed to upload?
2) What, if any, license scheme the person uses. I can make up my own 
license and I don't think that copyright or any law depends on a copy of 
the license being included.
3) Does the committer have all the contributor licenses for the stuff 
that they are uploading that they did not write personally?






Best wishes,

Bruno.










Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 18/05/2010 20:45, Ron Wheeler wrote:

On 18/05/2010 2:52 PM, Bruno Harbulot wrote:
But how is a repository to know
1) Who is allowed to upload?
2) What, if any, license scheme the person uses. I can make up my own
license and I don't think that copyright or any law depends on a copy of
the license being included.
3) Does the committer have all the contributor licenses for the stuff
that they are uploading that they did not write personally?


Sure, that can be tricky. I'm not suggesting there will be a perfect 
solution. Cases where there's foul play will always be a problem.
It's for cases where everyone's trying to play fairly that I think the 
default mechanism should make things go more smoothly.


I reckon that Maven's success is based on the fact that it's a model for 
distributing software (that's at least a key element of the mechanism) 
and that most of the software is open-source and falls broadly into 
Apache, GPL, LGPL, MIT, BSD licences. Considering that all these have in 
common some terms regarding the distribution of the software 
(redistribution, conveying, distributing, I'm not a lawyer, but 
the ideas seem fairly clear), it just seems surprising that having a 
mechanism that enables all parties involved (in particular software 
publishers and repositories) to respect those licences seems to have 
come as an after-thought.



On 18/05/2010 19:52, Bruno Harbulot wrote:

On 18/05/2010 18:33, Ron Wheeler wrote:

1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licencing, they should stop.

Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.


True.


Actually, I think I got that bit wrong, sorry. If the copyright holder 
of some software publishes it without a licence or copyright notice, 
they can. However, I don't think this grants any right to whoever gets 
it, maybe using it, but almost definitely not redistributing it.



On 18/05/2010 20:33, Justin Edelson wrote:

Clarification of the documentation and/or mechanisms on how to
 redistribute the licences properly with the software is what I'm
 suggesting. In terms of core Maven mechanism, that could consist of an
 improvement with respect to the convention over configuration principle
 that Maven follows.

I agree that the documentation can be improved with respect to this. You
can certainly submit some documentation patches on this point. I'm not
sure what core changes would be involved. There's probably some
possible enforcer plugin, but ultimately it's not Maven's job to
interpret the semantics of a license - that's something developers need
to be responsible for.


That's exactly the point: saying it's someone else's problem is just 
denial of the problem. A publisher's omission to include a licence 
doesn't grant whoever gets hold of that software a licence to 
redistribute unconditionally.
The problem with most OSS licences (as I was saying above), is that a 
developer's mistake ends up putting the burden on the distributors.
Since the Maven system overall relies on the tool, the repository and 
owners (or people allowed to distribute) to publish their software, this 
is a problem that has to be considered as a whole, I think.


I'm not arguing for perfection, just convenience in what I think are the 
common cases. Assuming that developers might be a little bit lazy 
sometimes and that most OSS software does have at least a requirement of 
quoting their licence with their copies, if a developer/publisher 
follows the default layout (that is, LICENSE.txt next to pom.xml according 
to the documentation), this licence should end up automatically in 
what's going to be fetched by the tool when a user puts it as a 
dependency in their own software, unlike what happens at the moment.
(I guess including some licence text could easily apply to 
closed/proprietary software too.)


I think that would be a more sensible default behaviour for the whole 
workflow, and that's what makes it a problem for the core Maven.



Best wishes,

Bruno.








Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Justin Edelson
On Tue, May 18, 2010 at 5:48 PM, Bruno Harbulot 
bruno.harbu...@manchester.ac.uk wrote:


 On 18/05/2010 20:33, Justin Edelson wrote:

 Clarification of the documentation and/or mechanisms on how to
  redistribute the licences properly with the software is what I'm
  suggesting. In terms of core Maven mechanism, that could consist of an
  improvement with respect to the convention over configuration principle
  that Maven follows.

 I agree that the documentation can be improved with respect to this. You
 can certainly submit some documentation patches on this point. I'm not
 sure what core changes would be involved. There's probably some
 possible enforcer plugin, but ultimately it's not Maven's job to
 interpret the semantics of a license - that's something developers need
 to be responsible for.


 That's exactly the point: saying it's someone else's problem is just denial
 of the problem.

You have this backwards... saying it is Maven's problem is denying that
developers need to be cognizant of the requirement of the license they have
chosen for their project. Maven cannot give legal advice, which is
essentially what you are asking it to do.


 A publisher's omission to include a licence doesn't grant whoever gets hold
 of that software a licence to redistribute unconditionally.

This is your interpretation of a legal document.


 The problem with most OSS licences (as I was saying above), is that a
 developer's mistake ends up putting the burden on the distributors.

And if the operators of Central were concerned about this burden, I suppose
they would have done something about it.


 Since the Maven system overall relies on the tool, the repository and
 owners (or people allowed to distribute) to publish their software, this is
 a problem that has to be considered as a whole, I think.

This is a misunderstanding. Maven is not dependent upon the existence of
Central.


 I'm not arguing for perfection, just convenience in what I think are the
 common cases. Assuming that developers might be a little bit lazy sometimes
 and that most OSS software does have at least a requirement of quoting their
 licence with their copies, if a developer/publisher follows the default
 layout (that is, LICENSE.txt next to pom.xml according to the documentation),
 this licence should end up automatically in what's going to be fetched by
 the tool when a user puts it as a dependency in their own software, unlike
 what happens at the moment.
 (I guess including some licence text could easily apply to
 closed/proprietary software too.)

I don't disagree with any of this. By default, the resources plugin probably
should copy /LICENSE.txt to target/classes/META-INF/LICENSE.txt if
src/main/resources/META-INF/LICENSE.txt doesn't exist.


 I think that would be a more sensible default behaviour for the whole
 workflow, and that's what makes it a problem for the core Maven.

As Benjamin said, this isn't what core Maven does. You are describing a
plugin feature.

Justin




 Best wishes,

 Bruno.









Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Brian Fox
The MAVENUPLOAD issue you refer to was processed by hand. This is
something we've worked to stop and automate, so it's not really
relevant what happened; it was 2 years ago.

That said, I don't know if LICENSE.txt inside the new bundle format
would be handled any differently because LICENSE.txt is not a proper
maven artifact. foo-1.0-licence.txt is another story. Put that inside
a bundle and it will be preserved. Any solution that includes the
license as a file inside the m2 namespace will have to follow the m2
namespace conventions.

Maven Central gets all of its artifacts via rsync connections to
various repos. If developers put stuff without the license in their
sync source, well then it won't have it when we sync it. The rsyncs, as
I mentioned before, are something we are actively working on winding
down, but we can't just flip the switch overnight; projects need time
to update to a forge and to update their process.

This is an iterative process, I'd love to flip a switch tomorrow and
have all artifacts subject to a new standard but it's not practical.
It's been an ongoing battle just getting basic validation and gpg
signatures.

All that said, I don't know how beneficial the addition of a license
as a file in the repo really is. Instead the license inside the pom
should be validated, and if appropriate included inside the jars. We
_do not_ modify artifacts that are uploaded, and I'll make sure our
automated approach rejects jars that have files with non-conforming
files in them. Unfortunately this means a bundle with LICENSE inside
it will be rejected, but then you would at least know to use
foo-xx-license.txt instead if you want it to be included with your
artifacts.




Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 19/05/2010 00:41, Brian Fox wrote:

The MAVENUPLOAD issue you refer to was processed by hand. This is
something we've worked to stop and automate, so it's not really
relevant what happened; it was 2 years ago.

That said, I don't know if LICENSE.txt inside the new bundle format
would be handled any differently because LICENSE.txt is not a proper
maven artifact. foo-1.0-licence.txt is another story. Put that inside
a bundle and it will be preserved. Any solution that includes the
license as a file inside the m2 namespace will have to follow the m2
namespace conventions.

Maven Central gets all of its artifacts via rsync connections to
various repos. If developers put stuff without the license in their
sync source, well then it won't have it when we sync it. The rsyncs, as
I mentioned before, are something we are actively working on winding
down, but we can't just flip the switch overnight; projects need time
to update to a forge and to update their process.

This is an iterative process, I'd love to flip a switch tomorrow and
have all artifacts subject to a new standard but it's not practical.


I understand it's not easy. That's great work and I appreciate the effort.



It's been an ongoing battle just getting basic validation and gpg
signatures.


Indeed, trust management and validation are always problematic.



All that said, I don't know how beneficial the addition of a license
as a file in the repo really is. Instead the license inside the pom
should be validated, and if appropriate included inside the jars. We
_do not_ modify artifacts that are uploaded, and I'll make sure our
automated approach rejects jars that have files with non-conforming
files in them. Unfortunately this means a bundle with LICENSE inside
it will be rejected, but then you would at least know to use
foo-xx-license.txt instead if you want it to be included with your
artifacts.


Ah great, so sorry, that's what I didn't really understand and was
asking for clarification about in the first place.
I guess that's mainly a documentation issue then, considering the blog
entry you sent wasn't clearly linked from the maven.apache.org site (as
far as I could tell) and that I couldn't work out how Sonatype [would]
"perform some due diligence to make sure that the artifact has a license
compatible with unrestricted distribution".


For my next release which I'm planning to bundle over the next few days,
I've put the licence within the <comments> element:

http://jsslutils.googlecode.com/svn/trunk/jsslutils/pom.xml

Does that follow more or less the new guidelines? Are you saying that I 
should have jsslutils-1.0-licence.txt next to the other jars in the 
bundle instead (sorry, I can't see licence files in the screenshots on 
that blog entry).



Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Brian Fox
 Does that follow more or less the new guidelines? Are you saying that I
 should have jsslutils-1.0-licence.txt next to the other jars in the bundle
 instead (sorry, I can't see licence files in the screenshots on that blog
 entry).


No, I'm saying if you wanted the license sitting in the folder next to
your jar, it would need to be jsslutils-1.0-license.txt. Otherwise,
you should have the name and url in the pom for your license.


 Best wishes,

 Bruno.








Re: Central repository, bundle-create and distribution of licenses

2010-05-16 Thread Bruno Harbulot



On 15/05/2010 21:56, Benson Margulies wrote:

I think that perhaps there's an important distinction being missed
here. Central doesn't vacuum up artifacts from unsuspecting authors.
Other people put them there. If the authors of code choose to deposit
jar files on central, then it's not central who is 'distributing' them
-- it's the authors. In this case, it's people who download from
central and then repackage on their own who are responsible for
worrying about tracking down and including licenses.

The tricky case here is the non-author publishers, as with the
recently-announced mechanism. If I take a jar of OSS from its author's
distro, and push it to central without a license file, I am probably
violating the license. It's not clear to me that Sonatype is.

Thus, what I take from this thread is that it would be a kindness for
Sonatype to add a feature to the new publication mechanism to upload
the actual license. It could then be added to META-INF or just
published as an accompanying artifact, either way, and then no one
would have anything to complain about.


I don't think I would have made the publisher/distributor distinction in 
that order. If a publisher publishes a book, bookshops are the ones 
distributing it. You are certainly right there's a grey area there, 
though. To some extent, the central repository situation may be similar 
to other services that host content (and practically, they can't always 
check everything indeed, in my opinion).
This being said, I'm not sure it makes sense to argue that the central 
repository does not distribute software; to me it clearly does.



I also think that it's not sufficient to say that because the authors 
are the ones asking for it to be distributed, it's OK. It's not always 
all the authors or all the copyright holders. Pieces of OSS often 
include other pieces of OSS, from other projects, that may have been 
included under the same or other licences. The full list of copyright
holders may extend beyond the list of people involved in a
particular project.



Coming back to a case I know well:
http://jira.codehaus.org/browse/MAVENUPLOAD-2293
Admittedly, it's a small drop in the ocean of open-source software. 
Nevertheless, the bundle linked from the JIRA entry 
(jsslutils-0.5.1-bundle.jar), which was produced with 
maven-repository-plugin-2.0 did include a LICENSE.txt file (made 
mandatory by that version of the plugin).

 (a) This licence file never made it to the central repository.
 (b) This feature was removed from maven-repository-plugin-2.1 and
following versions: LICENSE.txt files are no longer included in the
bundles as far as I can tell.



I'm allowed by my management to release this software under a BSD-style 
licence, but the copyright holder still is my institution: the 
institution is licensing users to do what the licence says they can do,
not me as an individual. One of the reasons I'm allowed to publish this 
code and ask to have it placed in the Maven repository, is that there's 
an expectation that the licence will be respected. The problem is that, 
when copyright holders (individual or institution) realise that the OSS 
licence they've granted isn't respected, they might be less keen to 
publish OSS again.




It might be worth doing this just to avoid those voices in the wide
world who like to write alarmist postings about Maven distribution
(e.g. Saxon's author).


(Sorry, I'm not aware of the postings you're referring to.)

Don't get me wrong, I'm very happy to have the software I write 
distributed on the central repository, and I'm happy to use the content 
of the repository too. Maven isn't perfect, but it's very useful.
One of the main reasons it's useful is the amount of software available 
in the central repository. It's a system that's good for authors (it 
makes it easy to encourage usage of their work), good for whoever 
promotes Maven (presumably Sonatype) and of course good for its users.
What I'd like to see is a bit more action towards the respect of the 
licence, which is what makes OSS work in the end.
I'd therefore like Sonatype to improve the publication of licenses as 
they were bundled and to put that feature (or something similar) back in 
the following versions of the plugin.




Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-16 Thread Bruno Harbulot



On 16/05/2010 02:00, Brian Fox wrote:

On Sat, May 15, 2010 at 4:56 PM, Benson Margulies <bimargul...@gmail.com> wrote:
Yes, these are good ideas.


Well, I'm not sure this is just about good ideas, it sounds more like 
a legal requirement. This being said, I'm not a lawyer, it's just the 
way I interpret the BSD licence (for example) when I read it.




We currently require that the license be
specified in the pom but aren't validating that it is correct
automatically.


As far as I know, only the licence name is required, for example
<name>BSD</name>. I've been saying this in this thread before, but
that's just a *type* of licence, not an actual licence.
What would be the point of the BSD licence otherwise? Self-propagation 
of its own terms? The important part is the acknowledgement of the 
copyright holder.



Anyway, pending further development of the plugin and repository
management, for my next release, I'll put the full text of the
licence in the <comments/> element within the POM file (it's only about
30 lines). It seems reasonable.



Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-15 Thread Bruno Harbulot

Usually? I'm not sure really.

NOTICE and LICENSE files are fine in source bundles, but they don't seem 
to be put into the source jars with the current bundling process. They 
probably don't belong to the binary jars anyway (unless perhaps in the 
META-INF directory, somewhere?).


Anyway, I don't really have to look far for counter-examples, where this 
notice isn't present. Just taking the first one in alphabetical order 
http://repo2.maven.org/maven2/abbot/abbot/0.13.0/:

- No mention of licence
- No reference to the original project
- No licence file in the jar file itself

After looking it up on Google, it looks like this project's licence is
this: http://abbot.sourceforge.net/doc/CPL.html. I'll draw your
attention to section 3, which maven.org seems to infringe on: no
disclaimers or information on how to get the source are present, as
required.

I haven't looked through all of them, but it's not an isolated case.


I think the bundling process should make sure the licences are there, 
but it currently isn't. Even when the licence is referenced, as I was 
saying, putting the licence type isn't enough. For example, BSD really 
means BSD-style; not all software released under a BSD-style licence 
has the Regents of the University of California as copyright holders. 
What you find here http://www.opensource.org/licenses/bsd-license.php 
for example is a template, not the actual licence.



I don't think it's realistic to expect Sonatype to go through all the 
jars to make sure there's a licence file somewhere. The practicality of 
Maven is something that I really enjoy, and I wouldn't like to see this 
practicality affected.
However, what could be done to make things clearer is to enable (and 
perhaps force) the inclusion of a LICENSE file (or similar) during the 
bundling process, so as to make sure it's published in Maven 
repositories. Otherwise, people who redistribute software by providing 
the central Maven repository (and mirrors) are in breach of those licences.


Again, the blog post you mentioned talks about "unrestricted
distribution". No OSS is strictly compatible with unrestricted
distribution except when it's in the public domain. All have
restrictions stating that distribution must at least comply with their
licence (which most of the time requires quoting the licence itself).


All I'm suggesting is to have a mechanism to improve that in Maven. I 
have no doubt that what's being done now is done in good faith with the 
reasonable expectations that people can Google to find the actual 
project page, but this situation could be made right, I think.



Best wishes,

Bruno.


On 15/05/2010 03:17, Brian Fox wrote:

Usually this is handled by inserting NOTICE and LICENSE into the jar
files themselves. In theory you could attach the license file to the
main artifact using the license classifier but normally this isn't
done.

On Fri, May 14, 2010 at 7:20 PM, Bruno Harbulot
<bruno.harbu...@manchester.ac.uk> wrote:

Thanks for the link. Perhaps someone could put it on this page:
http://maven.apache.org/guides/mini/guide-central-repository-upload.html


Nevertheless, this doesn't really answer my question. The point I was making
was that, with the current model, licences are missing in most projects as
far as I can tell. There's often at best a URL to a licence file hosted
elsewhere than the repository.
Most OSS licences are fairly clear: the licence must be distributed along
with the software, whether in binary or source form (depending on the
content of the licence).
The fact that "Sonatype will perform some due diligence to make sure that
the artifact has a license compatible with unrestricted distribution, and we
will then promote the uploaded artifacts to the Central Maven repository."
[from your link] doesn't make the text of those licences appear from thin
air, and the bundling process doesn't seem to bundle those files.

'<license><name>BSD</name></license>' often doesn't refer to the actual same
licence for example. The copyright holder will be different from one project
to another, and redistributing software released under such a licence, but
without it, is effectively in breach of this licence (and there are plenty
of those in the central repository). One of the main points of OSS licences
is to acknowledge the copyright holders, at the very least.

I suppose one way to solve it would be to put the actual text within the
<description/> element of the <license/> element in the POM file that's with
the jars in the repository.

I'm just suggesting there should be, along with the POM file and the jars, a
place for a LICENSE.txt (and perhaps NOTICE.txt as some licences use) to
make this clearer. (Downloading them along with the artifacts would be a
plus, again, for the sake of abiding by these licences.)
Does this mechanism already exist? How is it done?


Best wishes,

Bruno.


On 14/05/2010 22:39, Brian Fox wrote:




Re: Central repository, bundle-create and distribution of licenses

2010-05-15 Thread Benson Margulies
I think that perhaps there's an important distinction being missed
here. Central doesn't vacuum up artifacts from unsuspecting authors.
Other people put them there. If the authors of code choose to deposit
jar files on central, then it's not central who is 'distributing' them
-- it's the authors. In this case, it's people who download from
central and then repackage on their own who are responsible for
worrying about tracking down and including licenses.

The tricky case here is the non-author publishers, as with the
recently-announced mechanism. If I take a jar of OSS from its author's
distro, and push it to central without a license file, I am probably
violating the license. It's not clear to me that Sonatype is.

Thus, what I take from this thread is that it would be a kindness for
Sonatype to add a feature to the new publication mechanism to upload
the actual license. It could then be added to META-INF or just
published as an accompanying artifact, either way, and then no one
would have anything to complain about.

It might be worth doing this just to avoid those voices in the wide
world who like to write alarmist postings about Maven distribution
(e.g. Saxon's author).




Re: Central repository, bundle-create and distribution of licenses

2010-05-15 Thread Brian Fox
On Sat, May 15, 2010 at 4:56 PM, Benson Margulies <bimargul...@gmail.com> wrote:
 I think that perhaps there's an important distinction being missed
 here. Central doesn't vacuum up artifacts from unsuspecting authors.
 Other people put them there. If the authors of code choose to deposit
 jar files on central, then it's not central who is 'distributing' them
 -- it's the authors. In this case, it's people who download from
 central and then repackage on their own who are responsible for
 worrying about tracking down and including licenses.

 The tricky case here is the non-author publishers, as with the
 recently-announced mechanism. If I take a jar of OSS from its author's
 distro, and push it to central without a license file, I am probably
 violating the license. It's not clear to me that Sonatype is.

 Thus, what I take from this thread is that it would be a kindness for
 Sonatype to add a feature to the new publication mechanism to upload
 the actual license. It could then be added to META-INF or just
 published as an accompanying artifact, either way, and then no one
 would have anything to complain about.


Yes, these are good ideas. We currently require that the license be
specified in the pom but aren't validating that it is correct
automatically. The vast majority of artifacts in Central come in over
wide open rsyncs so garbage in the source repo = garbage in central.
This gaping hole is slowly being closed by requiring projects to go
through forges that have the proper validation procedures before
getting into Central.

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included.

Requiring this of all artifacts is probably a good idea.

 It might be worth doing this just to avoid those voices in the wide
 world who like to write alarmist postings about Maven distribution
 (e.g. Saxon's author).







Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Bruno Harbulot

Hello,

Is there a way to prepare a bundle to be uploaded to the central 
repository so that it also contains the licence file?


Ideally, I'd like a licence file along these files, for example:
http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/

My POM contains this:
<licenses>
  <license>
    <name>BSD</name>
    <url>LICENSE.txt</url>
    <distribution>repo</distribution>
  </license>
</licenses>

The licence file is next to the POM in the source tree, but it's never 
included in the bundle or any of its inner jar files. I guess it could 
be an absolute URL that points to it, but it would be good to have a 
licence file bundled and uploaded with the other files, at least to 
respect the terms of the licence itself.



Best wishes,

Bruno.
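An added example, not code from the thread, from Maven or from Sonatype: a checker for the two conventions this thread converges on, the <licenses> block shown in the POM above (a <name> alone is only a licence type, and a relative <url>LICENSE.txt</url> resolves to nothing once the POM sits in a repository) and Brian Fox's rule that a licence file next to the jar must be named <artifactId>-<version>-license.txt, with LICENSE/NOTICE otherwise living inside the jar under META-INF. It assumes the bundle keeps the pom and jars at its root; the in-memory sample bundles, the example.invalid URL and the placeholder licence text are constructed.

```python
"""Check the licence metadata of a Maven Central upload bundle.

Added example, not code from the thread, Maven or Sonatype. It checks the two
conventions the thread settles on: the POM's <license> must carry a <name> and a
resolvable <url> (a relative <url>LICENSE.txt</url> points nowhere once the POM
is in a repo), and licence text must ship either inside the jar as
META-INF/LICENSE or beside it as <artifactId>-<version>-license.txt. Assumed:
pom and jars sit at the bundle root; the sample bundles below are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Names that are not m2 artifacts and so would be rejected at the bundle root.
REJECTED_ROOT_NAMES = {"license", "license.txt", "licence.txt", "notice", "notice.txt"}


def check_pom_licenses(root):
    """Return the problems found in the <licenses> section of a parsed POM."""
    problems = []
    licenses = root.findall("{*}licenses/{*}license")  # {*}: any namespace
    if not licenses:
        return ["POM declares no <licenses>/<license> element"]
    for lic in licenses:
        name = (lic.findtext("{*}name") or "").strip()
        url = (lic.findtext("{*}url") or "").strip()
        if not name:
            problems.append("<license> element without a <name>")
        if not url:
            problems.append(f"licence {name!r} has no <url>")
        elif not url.startswith(("http://", "https://")):
            problems.append(f"licence {name!r}: <url>{url}</url> is a relative path, not a URL")
    return problems


def check_bundle(bundle_bytes):
    """Return the problems found in a bundle jar (pom plus jars at the root)."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as bundle:
        names = bundle.namelist()
        poms = [n for n in names if n.endswith(".pom")]
        if len(poms) != 1:
            return [f"expected exactly one .pom at the bundle root, found {poms}"]
        root = ET.fromstring(bundle.read(poms[0]))
        artifact = root.findtext("{*}artifactId")
        version = root.findtext("{*}version") or root.findtext("{*}parent/{*}version")
        problems = check_pom_licenses(root)
        sidecar = f"{artifact}-{version}-license.txt"  # the m2 naming convention
        for n in names:
            if n.lower() in REJECTED_ROOT_NAMES:
                problems.append(f"{n}: not an m2 artifact name; rename it to {sidecar}")
            elif n == f"{artifact}-{version}-licence.txt":
                problems.append(f"{n}: spelling; the classifier must be 'license' ({sidecar})")
        main_jar = f"{artifact}-{version}.jar"
        license_in_jar = False
        if main_jar in names:  # LICENSE/NOTICE inside the jar also satisfies the check
            with zipfile.ZipFile(io.BytesIO(bundle.read(main_jar))) as jar:
                license_in_jar = any(e.upper().startswith("META-INF/LICENSE") for e in jar.namelist())
        if not (sidecar in names or license_in_jar):
            problems.append(f"no licence text shipped: add META-INF/LICENSE to {main_jar} or {sidecar}")
    return problems


def build_bundle(pom_xml, root_files, jar_entries):
    """Build a sample bundle in memory (constructed test data, not a real upload)."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, data in jar_entries.items():
            jar.writestr(name, data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("jsslutils-1.0.pom", pom_xml)
        bundle.writestr("jsslutils-1.0.jar", jar_buf.getvalue())
        for name, data in root_files.items():
            bundle.writestr(name, data)
    return buf.getvalue()


# Constructed POMs: the first mirrors the thread's original (relative url),
# the second the form Brian Fox describes (name plus a resolvable url).
POM_HEAD = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0</modelVersion>'
            '<groupId>org.jsslutils</groupId><artifactId>jsslutils</artifactId><version>1.0</version>')
RELATIVE_URL_POM = POM_HEAD + "<licenses><license><name>BSD</name><url>LICENSE.txt</url></license></licenses></project>"
ABSOLUTE_URL_POM = POM_HEAD + ("<licenses><license><name>BSD</name>"
                               "<url>http://example.invalid/jsslutils/LICENSE.txt</url></license></licenses></project>")
LICENSE_TEXT = b"Copyright (c) EXAMPLE HOLDER (constructed placeholder licence text)"

if __name__ == "__main__":  # three problems for the first bundle, "ok" for the second
    print(check_bundle(build_bundle(RELATIVE_URL_POM, {"LICENSE.txt": LICENSE_TEXT}, {})))
    print(check_bundle(build_bundle(ABSOLUTE_URL_POM, {"jsslutils-1.0-license.txt": LICENSE_TEXT}, {})) or "ok")
```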





Re: Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Brian Fox
http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/

On Fri, May 14, 2010 at 11:46 AM, Bruno Harbulot
<bruno.harbu...@manchester.ac.uk> wrote:
 Hello,

 Is there a way to prepare a bundle to be uploaded to the central repository
 so that it also contains the licence file?

 Ideally, I'd like a licence file along these files, for example:
 http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/

 My POM contains this:
 <licenses>
   <license>
     <name>BSD</name>
     <url>LICENSE.txt</url>
     <distribution>repo</distribution>
   </license>
 </licenses>

 The licence file is next to the POM in the source tree, but it's never
 included in the bundle or any of its inner jar files. I guess it could be an
 absolute URL that points to it, but it would be good to have a licence file
 bundled and uploaded with the other files, at least to respect the terms of
 the licence itself.


 Best wishes,

 Bruno.








Re: Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Bruno Harbulot
Thanks for the link. Perhaps someone could put it on this page: 
http://maven.apache.org/guides/mini/guide-central-repository-upload.html



Nevertheless, this doesn't really answer my question. The point I was 
making was that, with the current model, licences are missing in most 
projects as far as I can tell. There's often at best a URL to a licence 
file hosted elsewhere than the repository.
Most OSS licences are fairly clear: the licence must be distributed 
along with the software, whether in binary or source form (depending on 
the content of the licence).
The fact that "Sonatype will perform some due diligence to make sure
that the artifact has a license compatible with unrestricted
distribution, and we will then promote the uploaded artifacts to the
Central Maven repository." [from your link] doesn't make the text of
those licences appear from thin air, and the bundling process doesn't
seem to bundle those files.


'<license><name>BSD</name></license>' often doesn't refer to the actual
same licence for example. The copyright holder will be different from
one project to another, and redistributing software released under such
a licence, but without it, is effectively in breach of this licence (and
there are plenty of those in the central repository). One of the main
points of OSS licences is to acknowledge the copyright holders, at the
very least.


I suppose one way to solve it would be to put the actual text within the
<description/> element of the <license/> element in the POM file that's
with the jars in the repository.


I'm just suggesting there should be, along with the POM file and the 
jars, a place for a LICENSE.txt (and perhaps NOTICE.txt as some licences 
use) to make this clearer. (Downloading them along with the artifacts 
would be a plus, again, for the sake of abiding by these licences.)

Does this mechanism already exist? How is it done?


Best wishes,

Bruno.


On 14/05/2010 22:39, Brian Fox wrote:

http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/

On Fri, May 14, 2010 at 11:46 AM, Bruno Harbulot
<bruno.harbu...@manchester.ac.uk> wrote:

Hello,

Is there a way to prepare a bundle to be uploaded to the central repository
so that it also contains the licence file?

Ideally, I'd like a licence file along these files, for example:
http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/

My POM contains this:
<licenses>
  <license>
    <name>BSD</name>
    <url>LICENSE.txt</url>
    <distribution>repo</distribution>
  </license>
</licenses>

The licence file is next to the POM in the source tree, but it's never
included in the bundle or any of its inner jar files. I guess it could be an
absolute URL that points to it, but it would be good to have a licence file
bundled and uploaded with the other files, at least to respect the terms of
the licence itself.


Best wishes,

Bruno.










Re: Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Brian Fox
Usually this is handled by inserting NOTICE and LICENSE into the jar
files themselves. In theory you could attach the license file to the
main artifact using the license classifier but normally this isn't
done.

On Fri, May 14, 2010 at 7:20 PM, Bruno Harbulot
<bruno.harbu...@manchester.ac.uk> wrote:
 Thanks for the link. Perhaps someone could put it on this page:
 http://maven.apache.org/guides/mini/guide-central-repository-upload.html


 Nevertheless, this doesn't really answer my question. The point I was making
 was that, with the current model, licences are missing in most projects as
 far as I can tell. There's often at best a URL to a licence file hosted
 elsewhere than the repository.
 Most OSS licences are fairly clear: the licence must be distributed along
 with the software, whether in binary or source form (depending on the
 content of the licence).
 The fact that "Sonatype will perform some due diligence to make sure that
 the artifact has a license compatible with unrestricted distribution, and we
 will then promote the uploaded artifacts to the Central Maven repository."
 [from your link] doesn't make the text of those licences appear from thin
 air, and the bundling process doesn't seem to bundle those files.

 '<license><name>BSD</name></license>' often doesn't refer to the actual same
 licence for example. The copyright holder will be different from one project
 to another, and redistributing software released under such a licence, but
 without it, is effectively in breach of this licence (and there are plenty
 of those in the central repository). One of the main points of OSS licences
 is to acknowledge the copyright holders, at the very least.

 I suppose one way to solve it would be to put the actual text within the
 <description/> element of the <license/> element in the POM file that's with
 the jars in the repository.

 I'm just suggesting there should be, along with the POM file and the jars, a
 place for a LICENSE.txt (and perhaps NOTICE.txt as some licences use) to
 make this clearer. (Downloading them along with the artifacts would be a
 plus, again, for the sake of abiding by these licences.)
 Does this mechanism already exist? How is it done?


 Best wishes,

 Bruno.


 On 14/05/2010 22:39, Brian Fox wrote:


 http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/

 On Fri, May 14, 2010 at 11:46 AM, Bruno Harbulot
 <bruno.harbu...@manchester.ac.uk> wrote:

 Hello,

 Is there a way to prepare a bundle to be uploaded to the central
 repository
 so that it also contains the licence file?

 Ideally, I'd like a licence file along these files, for example:
 http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/

 My POM contains this:
 <licenses>
   <license>
     <name>BSD</name>
     <url>LICENSE.txt</url>
     <distribution>repo</distribution>
   </license>
 </licenses>

 The licence file is next to the POM in the source tree, but it's never
 included in the bundle or any of its inner jar files. I guess it could be
 an
 absolute URL that points to it, but it would be good to have a licence
 file
 bundled and uploaded with the other files, at least to respect the terms
 of
 the licence itself.


 Best wishes,

 Bruno.








