Re: iText 4.2.0 - Could a software licence be changed from MPL/LGPL to AGPL by simply redistributing the pom.xml?

2016-01-21 Thread Mirko Friedenhagen
Hello Siegfried,

I do not think this was an accident, see
https://issues.sonatype.org/plugins/servlet/mobile#issue/MVNCENTRAL-760.

The relocation does break builds as the package is different as well. I am
not a lawyer but I think it is not a nice move to cause breaking builds
and licensing issues two years after something is published.
Regards
Mirko
-- 
Sent from my mobile
On 19.01.2016 23:58, "Siegfried Goeschl" wrote:

> Hi folks,
>
> I have a simple question - is it possible/legal to change the
> software licence by simply re-distributing a POM a couple of years later?
>
> During a code review I came across a project using itext-4.2.0-jar.
>
> AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved
> to AGPL V3 - I suggested to remove the library but the developer insisted
> that the library was indeed under MPL :-O
>
> * He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml
> clearly displaying an MPL/LGPL licence
> * I pointed him to
> http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom
> clearly displaying an AGPL V3 licence
>
> But the
> http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
> actually contains a "relocation" section
>
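> <licenses>
>   <license>
>     <name>GNU Affero General Public License v3</name>
>     <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
>   </license>
> </licenses>
> <distributionManagement>
>   <relocation>
>     <groupId>com.itextpdf</groupId>
>     <artifactId>itextpdf</artifactId>
>     <version>5.5.6</version>
>     <message>After release 2.1.7, iText moved from the MPLicense to
>     the AGPLicense.
>     The groupId changed from com.lowagie to com.itextpdf and the
>     artifactId from itext to itextpdf.
>     See http://itextpdf.com/functionalitycomparison for more
>     information.</message>
>   </relocation>
> </distributionManagement>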
>
> Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie"
> package name so I started digging through Maven Central
>
>
> 1) What Maven Central Says
> ===
>
> http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/
>
> itext-4.2.0-bundle.jar.asc        20-Sep-2012 16:34      490
> itext-4.2.0-bundle.jar.asc.md5    20-Sep-2012 16:34       32
> itext-4.2.0-bundle.jar.asc.sha1   20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar           20-Sep-2012 16:34  4498819
> itext-4.2.0-javadoc.jar.asc       20-Sep-2012 16:34      490
> itext-4.2.0-javadoc.jar.asc.md5   20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.asc.sha1  20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar.md5       20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.sha1      20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar           20-Sep-2012 16:34  4061295
> itext-4.2.0-sources.jar.asc       20-Sep-2012 16:34      490
> itext-4.2.0-sources.jar.asc.md5   20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.asc.sha1  20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar.md5       20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.sha1      20-Sep-2012 16:34       40
> itext-4.2.0.jar                   20-Sep-2012 16:34  2243043
> itext-4.2.0.jar.asc               20-Sep-2012 16:34      490
> itext-4.2.0.jar.asc.md5           20-Sep-2012 16:34       32
> itext-4.2.0.jar.asc.sha1          20-Sep-2012 16:34       40
> itext-4.2.0.jar.md5               20-Sep-2012 16:34       32
> itext-4.2.0.jar.sha1              20-Sep-2012 16:34       40
> itext-4.2.0.pom                   10-Jul-2015 08:16     2156
> itext-4.2.0.pom.asc               10-Jul-2015 08:16      821
> itext-4.2.0.pom.asc.md5           09-Jul-2015 12:33       32
> itext-4.2.0.pom.asc.sha1          09-Jul-2015 12:33       40
> itext-4.2.0.pom.md5               10-Jul-2015 08:16       32
> itext-4.2.0.pom.sha1              10-Jul-2015 08:16       40
>
> Interesting - the pom.xml was re-distributed a couple of months ago while
> the iText library is still from 2012. I guess the redistribution was caused
> by the additional "relocation" section of the pom.xml
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
> > gpg --verify itext-4.2.0.jar.asc
>
> itext> gpg --verify itext-4.2.0.jar.asc
> gpg: assuming signed data in `itext-4.2.0.jar'
> gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using 

Re: iText 4.2.0 - Could a software licence be changed from MPL/LGPL to AGPL by simply redistributing the pom.xml?

2016-01-19 Thread Dan Tran
For my case, my Legal folks asked my team to remove it

Best to consult with your IP attorney

-Dan

On Tue, Jan 19, 2016 at 2:58 PM, Siegfried Goeschl wrote:

> Hi folks,
>
> I have a simple question - is it possible/legal to change the
> software licence by simply re-distributing a POM a couple of years later?
>
> During a code review I came across a project using itext-4.2.0-jar.
>
> AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved
> to AGPL V3 - I suggested to remove the library but the developer insisted
> that the library was indeed under MPL :-O
>
> * He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml
> clearly displaying an MPL/LGPL licence
> * I pointed him to
> http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom
> clearly displaying an AGPL V3 licence
>
> But the
> http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
> actually contains a "relocation" section
>
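> <licenses>
>   <license>
>     <name>GNU Affero General Public License v3</name>
>     <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
>   </license>
> </licenses>
> <distributionManagement>
>   <relocation>
>     <groupId>com.itextpdf</groupId>
>     <artifactId>itextpdf</artifactId>
>     <version>5.5.6</version>
>     <message>After release 2.1.7, iText moved from the MPLicense to
>     the AGPLicense.
>     The groupId changed from com.lowagie to com.itextpdf and the
>     artifactId from itext to itextpdf.
>     See http://itextpdf.com/functionalitycomparison for more
>     information.</message>
>   </relocation>
> </distributionManagement>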
>
> Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie"
> package name so I started digging through Maven Central
>
>
> 1) What Maven Central Says
> ===
>
> http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/
>
> itext-4.2.0-bundle.jar.asc        20-Sep-2012 16:34      490
> itext-4.2.0-bundle.jar.asc.md5    20-Sep-2012 16:34       32
> itext-4.2.0-bundle.jar.asc.sha1   20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar           20-Sep-2012 16:34  4498819
> itext-4.2.0-javadoc.jar.asc       20-Sep-2012 16:34      490
> itext-4.2.0-javadoc.jar.asc.md5   20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.asc.sha1  20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar.md5       20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.sha1      20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar           20-Sep-2012 16:34  4061295
> itext-4.2.0-sources.jar.asc       20-Sep-2012 16:34      490
> itext-4.2.0-sources.jar.asc.md5   20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.asc.sha1  20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar.md5       20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.sha1      20-Sep-2012 16:34       40
> itext-4.2.0.jar                   20-Sep-2012 16:34  2243043
> itext-4.2.0.jar.asc               20-Sep-2012 16:34      490
> itext-4.2.0.jar.asc.md5           20-Sep-2012 16:34       32
> itext-4.2.0.jar.asc.sha1          20-Sep-2012 16:34       40
> itext-4.2.0.jar.md5               20-Sep-2012 16:34       32
> itext-4.2.0.jar.sha1              20-Sep-2012 16:34       40
> itext-4.2.0.pom                   10-Jul-2015 08:16     2156
> itext-4.2.0.pom.asc               10-Jul-2015 08:16      821
> itext-4.2.0.pom.asc.md5           09-Jul-2015 12:33       32
> itext-4.2.0.pom.asc.sha1          09-Jul-2015 12:33       40
> itext-4.2.0.pom.md5               10-Jul-2015 08:16       32
> itext-4.2.0.pom.sha1              10-Jul-2015 08:16       40
>
> Interesting - the pom.xml was re-distributed a couple of months ago while
> the iText library is still from 2012. I guess the redistribution was caused
> by the additional "relocation" section of the pom.xml
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
> > gpg --verify itext-4.2.0.jar.asc
>
> itext> gpg --verify itext-4.2.0.jar.asc
> gpg: assuming signed data in `itext-4.2.0.jar'
> gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using RSA key ID 5FC3427B
> gpg: Can't check signature: public key not found
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom.asc
> > gpg --verify 

Re: iText 4.2.0 - Could a software licence be changed from MPL/LGPL to AGPL by simply redistributing the pom.xml?

2016-01-19 Thread Anton Tanasenko
This is weird indeed.
iText changed license/package starting from 5 and onwards.
4.2.0 wasn't officially released but sources are there and they are still
under MPL/LGPL and anyone can always build the jar himself [1] and I guess
nothing disallows one to distribute such jar, right?
Someone must've built and uploaded 4.2.0 unofficially to central in 2012.

The relocation in the recent pom, however, means that when you try to depend
on 4.2.0 version, Maven will actually download the AGPLed 5.5.6 version
which would be a serious problem.
I think the pom for 4.2.0 in central must be restored to its original state
[2].

[1]
http://sourceforge.net/p/itext/code/6803/log/?path=/tags/iText_4_2_0/src/ant/pom.xml
[2]
http://sourceforge.net/p/itext/code/4107/tree/tags/iText_4_2_0/src/ant/pom.xml


2016-01-20 2:38 GMT+02:00 Dan Tran:

> For my case, my Legal folks asked my team to remove it
>
> Best to consult with your IP attorney
>
> -Dan
>
> On Tue, Jan 19, 2016 at 2:58 PM, Siegfried Goeschl wrote:
>
> > Hi folks,
> >
> > I have a simple question - is it possible/legal to change the
> > software licence by simply re-distributing a POM a couple of years later?
> >
> > During a code review I came across a project using itext-4.2.0-jar.
> >
> > AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved
> > to AGPL V3 - I suggested to remove the library but the developer insisted
> > that the library was indeed under MPL :-O
> >
> > * He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml
> > clearly displaying an MPL/LGPL licence
> > * I pointed him to
> > http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom
> > clearly displaying an AGPL V3 licence
> >
> > But the
> > http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
> > actually contains a "relocation" section
> >
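> > <licenses>
> >   <license>
> >     <name>GNU Affero General Public License v3</name>
> >     <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
> >   </license>
> > </licenses>
> > <distributionManagement>
> >   <relocation>
> >     <groupId>com.itextpdf</groupId>
> >     <artifactId>itextpdf</artifactId>
> >     <version>5.5.6</version>
> >     <message>After release 2.1.7, iText moved from the MPLicense to
> >     the AGPLicense.
> >     The groupId changed from com.lowagie to com.itextpdf and the
> >     artifactId from itext to itextpdf.
> >     See http://itextpdf.com/functionalitycomparison for more
> >     information.</message>
> >   </relocation>
> > </distributionManagement>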
> >
> > Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie"
> > package name so I started digging through Maven Central
> >
> >
> > 1) What Maven Central Says
> > ===
> >
> > http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/
> >
> > itext-4.2.0-bundle.jar.asc        20-Sep-2012 16:34      490
> > itext-4.2.0-bundle.jar.asc.md5    20-Sep-2012 16:34       32
> > itext-4.2.0-bundle.jar.asc.sha1   20-Sep-2012 16:34       40
> > itext-4.2.0-javadoc.jar           20-Sep-2012 16:34  4498819
> > itext-4.2.0-javadoc.jar.asc       20-Sep-2012 16:34      490
> > itext-4.2.0-javadoc.jar.asc.md5   20-Sep-2012 16:34       32
> > itext-4.2.0-javadoc.jar.asc.sha1  20-Sep-2012 16:34       40
> > itext-4.2.0-javadoc.jar.md5       20-Sep-2012 16:34       32
> > itext-4.2.0-javadoc.jar.sha1      20-Sep-2012 16:34       40
> > itext-4.2.0-sources.jar           20-Sep-2012 16:34  4061295
> > itext-4.2.0-sources.jar.asc       20-Sep-2012 16:34      490
> > itext-4.2.0-sources.jar.asc.md5   20-Sep-2012 16:34       32
> > itext-4.2.0-sources.jar.asc.sha1  20-Sep-2012 16:34       40
> > itext-4.2.0-sources.jar.md5       20-Sep-2012 16:34       32
> > itext-4.2.0-sources.jar.sha1      20-Sep-2012 16:34       40
> > itext-4.2.0.jar                   20-Sep-2012 16:34  2243043
> > itext-4.2.0.jar.asc               20-Sep-2012 16:34      490
> > itext-4.2.0.jar.asc.md5           20-Sep-2012 16:34       32
> > itext-4.2.0.jar.asc.sha1          20-Sep-2012 16:34       40
> > itext-4.2.0.jar.md5               20-Sep-2012 16:34       32
> > itext-4.2.0.jar.sha1              20-Sep-2012 16:34       40
> > itext-4.2.0.pom                   10-Jul-2015 08:16     2156
> > itext-4.2.0.pom.asc               10-Jul-2015 08:16      821
> > itext-4.2.0.pom.asc.md5           09-Jul-2015 12:33       32
> > itext-4.2.0.pom.asc.sha1
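
A check for the situation discussed in this thread, as an added example that is not part of any poster's message or of Maven itself: it compares the POM embedded in a jar (under META-INF/maven/) with the POM the repository serves for the same coordinates and reports a licence mismatch or a relocation. The two sample POMs are constructed from the values quoted in the thread; the MPL/LGPL licence names and the function names `pom_facts` and `compare` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the jar's embedded POM and the POM served by the repository.
EMBEDDED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.lowagie</groupId><artifactId>itext</artifactId><version>4.2.0</version>
  <licenses>
    <license><name>Mozilla Public License</name></license>
    <license><name>GNU Lesser General Public License</name></license>
  </licenses>
</project>"""
REPO_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.lowagie</groupId><artifactId>itext</artifactId><version>4.2.0</version>
  <licenses><license><name>GNU Affero General Public License v3</name></license></licenses>
  <distributionManagement><relocation>
    <groupId>com.itextpdf</groupId><artifactId>itextpdf</artifactId><version>5.5.6</version>
  </relocation></distributionManagement>
</project>"""

def pom_facts(pom_xml):
    """Return coordinates, licence names and relocation target of one POM."""
    # Stdlib parser; for POMs from untrusted sources use a hardened one (e.g. defusedxml).
    root = ET.fromstring(pom_xml)
    for el in root.iter():                      # drop the Maven XML namespace
        el.tag = el.tag.split("}", 1)[-1]
    text = lambda path, node=root: (node.findtext(path) or "").strip()
    coords = (text("groupId"), text("artifactId"), text("version"))
    licenses = sorted(text("name", lic) for lic in root.findall("licenses/license"))
    reloc = root.find("distributionManagement/relocation")
    target = None
    if reloc is not None:
        # Fields omitted in <relocation> default to the relocating POM's own values.
        target = tuple(text(key, reloc) or own for key, own in
                       zip(("groupId", "artifactId", "version"), coords))
    return {"coords": coords, "licenses": licenses, "relocation": target}

def compare(embedded_xml, repo_xml):
    """List the differences that matter for a dependency review."""
    emb, repo = pom_facts(embedded_xml), pom_facts(repo_xml)
    findings = []
    if emb["licenses"] != repo["licenses"]:
        findings.append("license-mismatch: jar=%s repo=%s" % (emb["licenses"], repo["licenses"]))
    if repo["relocation"] and repo["relocation"] != repo["coords"]:
        findings.append("relocated: %s -> %s" % (":".join(repo["coords"]), ":".join(repo["relocation"])))
    return findings

if __name__ == "__main__":
    for line in compare(EMBEDDED_POM, REPO_POM):
        print(line)
```

Run against a real artifact, the first argument would be the pom.xml extracted from the jar and the second the .pom file downloaded from the repository directory listed above.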