Dan Diephouse wrote:
People should have a resonable expectation that building an ASF
project should not involve the download of materials in violation of
their licenses or the incurring of any additional obligations.
Enforcement of this policy via Maven or simply by peer review of POMs
are acceptable way of achieving this goal.
Now I am honestly confused. Everyone (not just on the list, but those
on irc that I have talked to also) seems confused. I just want to
clarify if we are debating the following points and what are the
answers. I'll put what I think are the answers down and people can
correct as needed.
For brevity, I'll omit the points I agree with, and address the ones
that I have concerns with. IANAL, but I am answering the following to
the best of my knowledge with respect to the guidance and policy that
have been stated by the likes of Roy and Ken. In short, this means that
I might later be corrected, but for what it is worth:
2. Can ASF Projects use GPL/LGPL Projects?
Yes. But, they cannot distribute them.
ASF projects can use GPL/LGPL code during the build process so long as
there is no runtime dependency in the code produced. Programs like
checkstyle are OK. Imports of classes covered by GPL/LGPL are not.
This last statement needs to be interpreted as a transitive closure.
Moving graph from jakarta commons sandbox to werken would not make it OK
for Maven to use graph.
5. Can ibiblio put Sun licensed jars on their repository?
Yes, but see the answer to the next question.
It is my belief that placing jars such as jsse.jar on ibibilio is in
violation of the license for that jar. There appear to be a number of
of suspect packages on
http://www.ibiblio.org/maven/. dIon is trying to
do a review of them all, but as in many cases the jars were put there
without documentation, he is having difficulty. If those who placed the
jars there could help out, it would be most appreciated.
7. Can maven pull down GPL/LGPL jars from the repository when a user is
using it to build their project? Or, is maven responsible to make sure
that users use the it to only pull down licenses which they agree to
when building their project?
No. It is ultimately the user's responsiblity. But, it would be a very
nice feature if it did that.
Agreed, however it is the responsibility of ASF projects to ensure that
none of their POMs involve such a download.
8. Can maven as part of its own build system pull down GPL/LGPL jars
when building itself?
Sam you said, "People should have a resonable expectation that building
an ASF project should not involve the download of materials in violation
of their licenses or the incurring of any additional obligations." Is
this what situation you meant to apply it to?
I would believe that Maven can depend on LGPL/GPL jars and pull them
down when needed to build itself. Can you clarify?
I hope that the previous answers clarify why this is a No.
- Sam Ruby
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
