I don't believe that points 4 and 5 are violated by "package org.apache.xmlform" any more than the statement "import org.apache.xmlform"; the license precludes neither one of these things.
There is a huge difference between
package org.apache.xmlform;
and
import org.apache.xmlform.*;
and the reason is that the first is a describer, the second is a reference.
If you describe your stuff with a name or trademark or sign that is owned by somebody else and it can be shown that you do *harm* to the trademark owner when you do, you can get sued for damages.
If you reference an entity with its name, this is fair use and cannot cause any harm if properly placed in context.
The reason why 'package org.apache...' can harm the foundation is, for example, name clashing. A package name is a unique identifier for a class, if there is a package name collision in the classloader, it is impossible to reference one class from another.
So, if apache decides to use the org.apache.whatever package and somebody else used it already, there is potential harm.
The policy of protecting the package name is to avoid further problems down the road.
But defining an package and import it (or extend it) are two entirely different things because they can't do any harm.
Stefano.
