https://bz.apache.org/bugzilla/show_bug.cgi?id=65345

--- Comment #5 from J.M. (Martijn) Kruithof <j...@apache.org> ---
The URL is not part of the license; the URL in the notice tells where to find
the license. Strictly speaking there is not even a license at the
http://www.apache.org/licenses/LICENSE-2.0 URL anymore.

Using https solves a security issue, not a legal issue and there was/is no
legal issue with referring to the location where the user can find the license
using https.

Reading the comments in both other issues provided in the initial report and in
https://issues.apache.org/jira/browse/LEGAL-457, the concern is there might be
automated license checkers that might not recognize the Apache license in case
of https, but most likely would recognize those anyway. No concern has been
expressed regarding legal / license issues if changed (it was even explicitly
stated that this change would not affect the license / legal meaning, see also
the discussion in LEGAL-457).

Reading the discussion in LEGAL-457, no strong benefit is seen in changing from
http to https and a weak drawback is seen that there might be a license checker
that might not correctly recognize it, but most likely this wouldn't be a problem.

Given I have been confronted with MiTM attacks on http connections, where this
is abused from relatively benign ad-insertion to banking session manipulation
and attempts to install malware, I probably am biased towards the security
aspect over an argument that there might be a license checker that might not
recognize it due to this change.
