I’ve been meaning to ask this for a while: why is this process in place given that the legal status of both licenses and their inclusion is well understood?
Apache certainly doesn’t do this. They just have a pretty clear page (https://www.apache.org/legal/resolved.html) of what can and cannot be done. Only if something is not on that page does it require a review (after which, it’s added to that page). For common licenses, this sort of thing is even listed on Wikipedia: https://en.wikipedia.org/wiki/License_compatibility

I’m trying to be critical, just trying to understand what I’m (legally) missing here.

Thanks
Moh

From: [email protected] [mailto:[email protected]] On Behalf Of Wayne Beaton
Sent: Tuesday, September 26, 2017 10:30 PM
To: Discussions for new Eclipse projects
Subject: Re: [incubation] IP policy for transitive dependencies

All content must be taken through the Eclipse IP Due Diligence Process. This includes all dependencies, dependencies of dependencies, etc. [recursive].

FWIW, the operating system and virtual machine are technically dependencies, but we classify them "exempt pre-reqs" per the Guidelines for the Review of Third Party Dependencies <https://eclipse.org/org/documents/Eclipse_Policy_and_Procedure_for_3rd_Party_Dependencies_Final.pdf> (implied, because we don't bother with actual CQs).

This is easy to think about in the context of a monolithic packaged deliverable. Basically anything that's in that hypothetical monolithic package must be taken through the Eclipse IP Due Diligence Process.

It's a little harder to think about when you distribute, say, a Maven JAR. Strictly speaking, you are only distributing that one JAR. But in the process of resolving that JAR, the consumer will need all sorts of other third party content; this content is all "pre-req dependencies" that we need the Eclipse IP Team to review.

Perhaps the most general way of thinking about it is that you need a CQ for all third party content related to your project code that will end up in a product built using your project's technology. It's on this basis that we can, for example, categorize build and test dependencies <https://wiki.eclipse.org/Development_Resources/IP/Test_and_Build_Dependencies> as "works with".

I suspect, however, that I'm venturing off topic...

HTH,

Wayne

On Tue, Sep 26, 2017 at 8:07 AM, Hudalla Kai (INST/ECS4) <[email protected]> wrote:

Hi,

in the IoT PMC we often review CQs by projects for components which the project relies on during runtime (not optionally but as a full pre-req). Some of these components themselves rely on many other components. We are often asked whether the project needs to create CQs for all of these transitive dependencies as well (given that they are not optional but required during runtime).

The project handbook [1] states that "All third-party libraries required by project code will have to be checked and approved by the IP Team." Following is a list of cases which constitute a "library required by the project". That list is described as "non-exhaustive" and in fact does not explicitly mention transitive dependencies.

My understanding is that transitive deps definitely need to be checked/approved, but I would like to get some feedback, e.g. from Wayne, whether this is actually the case.

--
Best regards

Kai Hudalla
Chief Software Architect

Bosch Software Innovations GmbH
Ullsteinstraße 128
12109 Berlin
GERMANY
www.bosch-si.com

Registered Office: Berlin, Registration Court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn

_______________________________________________
incubation mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/incubation

--
Wayne Beaton
Director of Open Source Projects
The Eclipse Foundation
