On Fri, Mar 28, 2008 at 11:07 AM, Stefano Bagnara <[EMAIL PROTECTED]> wrote:
> Robert Burrell Donkin wrote:
>
> > the substantial issue is not dependency but distribution. maven may
> > download documents of unknown provenance at runtime but this is very
> > different from distributing such a document.
> >
> > AIUI the download is likely to be covered by fair use and if an
> > infringement occurs then it is the original uploader who is at fault.
> > by distributing such an artifact, US law makes apache responsible for
> > ensuring that we have the required license. we know that we lack the
> > license. this is risky from a copyright perspective.
>
> I understand that there is a difference between downloading and
> distributing, but this difference IMHO exists when the license is known
> and the license itself makes a difference (most licenses do). I don't
> agree that by downloading and *using* files under an unknown license you
> make "fair use" and it is ok

copyright law distinguishes between these two cases (downloading and distributing). copying works is often only arguably illegal. distributing a copy without a license to do so is clearly illegal.

for example, in order to view a web page, a local copy must be made. few web pages explicitly license this copying. however, in most jurisdictions this act would be covered by the fair use of the implied license. this is very different from distributing the same page for example by hosting a complete copy on your website.

> (and you told me once that we can't do
> *anything* with a file with an unknown license, don't you remember?

this is apache policy not a general legal requirement. it's a good policy since it reduces friction by ensuring that our users are supplied with the license automatically and allows public auditing.

> we
> were talking about NOTICE/LICENSE file in our repository and what people
> can do with files downloaded from a website if they don't find the
> license/copyright statements: you told me they have no rights unless
> they find a file giving them some right).

that paraphrasing isn't right: your rights depend on the jurisdiction. in the USA (for example) the constitution contains guarantees about your right to copy. some jurisdictions may grant you an implied license based on the actions of the other party. however, by default now all documents are covered by copyright (whether it's stated or not) and have all rights reserved. it's no longer necessary for the document to contain a license and copyright notice for the author to be able to enforce copyright.

> Otherwise everyone would sell proprietary projects that simply download
> their GPL dependencies at the first run.

this might be lawful (but unethical). the GPL contains clever legal arguments intended to prevent this but these remain untested in court.

> If someone uploads a non redistributable, non usable copyrighted file to
> MAVENUPLOAD, someone else puts it in central and you use it via remote
> downloading during your build *my* *opinion* is that every of the 3
> actors involved are wrong and cannot do what they do because they all
> distribute or use a file for which they don't have rights.

i can't speak for those involved with the maven external repository.

just because the document does not contain an embedded license does not mean that a license does not exist for that document. at apache, we ask for embedded licenses since this makes it much easier to understand. it may well be that the process is sound but just hard to audit.

it's reasonable to act in good faith. if someone claims to have the required copyright and grants an appropriate license (for example by filling in a JIRA) then the rest are acting perfectly reasonably.

> BTW, my opinion doesn't matter as I'm not a lawyer.

lawyers are unlikely to give public opinions on anything as general as this

> BUT, our specific issue is the pom.xml for junit, so I prefer to solve
> this very specific issue now, and then try to solve the more generic
> issue just after as everyone of our maven based projects include the
> stage folder and redistribute poms downloaded from central or even
> java.net repository. Every other problematic pom has been tracked down
> now (I also updated the license headers for the files I wrote myself).
>
> I guess that the pom.xml for junit has been uploaded to central by some
> ASF committer either directly or uploaded via JIRA: how can we track
> down this?
>
> I checked MAVENUPLOAD and the first reference about junit is:
> http://jira.codehaus.org/browse/MAVENUPLOAD-1168
> And it is about junit 4.1: the submitter says he took the pom from 4.0
> and updated it.. so this doesn't help for now.
> IF the original junit pom
> was under the CPL then probably that user was not entitled in altering
> the content and submit it to the ASF and the ASF should not have
> uploaded it to central (is this right?).

codehaus is not apache. any source use from codehaus needs to come in via the incubator IP clearance.

- robert
