On Mon, Mar 31, 2008 at 2:05 PM, Stefano Bagnara <[EMAIL PROTECTED]> wrote:
> Robert Burrell Donkin wrote:
> > On Mon, Mar 31, 2008 at 12:43 AM, Stefano Bagnara <[EMAIL PROTECTED]> wrote:

<snip>

> >> I clearly understand that downloading an artifact from a website as part
> >> of an automated process is DIFFERENT (for the US law, for many other
> >> jurisdictions, for the ASF policies, and for everything else) from
> >> redistributing the same artifact as part of another product.
> >>
> >> My point is that if you don't know what the license is I don't see why
> >> downloading automatically is *THE* right choice. I understand that the
> >> legal complications of redistributing are bigger than the ones of
> >> automatic download, but the fact is that we don't know the license,
> >> so there are even minimal possibilities that also the automatic download
> >> is not allowed by the license we don't know.
> >
> > ok
> >
> > i'm going to assume that we're talking about the automatic download
> > which happens when maven builds the project.
> >
> > i am not concerned by the automatic download because i trust the maven
> > team to act responsibly enough to allow me to use their application in
> > good faith. though the public audit trail is not clear and so i cannot
> > independently verify this faith, i am in a similar position with most
> > of the software i use.
> >
> > maven is not tied to a single repository. if the people running the
> > central repository end up having a problem with the IP of the
> > documents they distribute then this is a problem for them and not me.
> > apache does not run the repository and so i don't believe that this is
> > an issue that needs to concern the members. i trust that the people who do
> > run the central repository understand enough US law to ensure that
> > they are not taking too many risks. IMHO this is not an unreasonable
> > assumption.
>
> This is clear.
>
> If I understand it correctly you say that we didn't add central in our
> redistributable because central is something "hardcoded" in maven, so
> what it automatically downloads is a concern of the maven project and the
> maven users and not a problem for us. In fact we simply declare a
> dependency in our pom.xml and do not declare a way to retrieve that
> dependency.

yes

> Would you think the same if we had to declare the central repository url
> in our pom?

i'm not sure but i think that it would come down to ethics. i have no
reason to believe that the central repository distributes artifacts
without rights, i just have no ability to audit that claim.

> If I understand your statement you also say that "*they* are not taking
> too many risks" (by redistributing that pom via central) but you
> wouldn't take the same risks by redistributing the pom as part of our
> release, right?

were i to act for myself alone, then i think that this risk is
reasonable. under current US law, there is very little realistic chance
of prosecution providing that you respond in a timely fashion to
requests to remove material.

> >> The funny thing is that all of this thread is about a "stupid" pom that
> >> even my father could write as is if I explain to him the pom
> >> semantics+syntax and I tell him to describe junit-3.8.1.jar. This is what
> >> scares me: the fact that we don't have a clear way to rewrite this
> >> f***ing xml from scratch and release jSPF-0.9.7.

under US copyright law, only the expression and not the facts would have
been copyrightable. if it were me, i would have simply created a clean
room implementation and been done with it. or just deleted the pom
altogether

> >> For the record the other funny thing is that I don't need a jSPF release
> >> and I don't use jSPF in any of my projects. My involvement in jSPF
> >> started mainly because I had problems releasing JAMES Server and needed a
> >> way to work together with Norman to better understand his skills and try to
> >> help him join the JAMES project.
> >
> > note that i didn't -1 the release: if i thought that it posed a
> > significant danger then i would have done so
> >
> > i audit a lot of releases and have my own policies. i will not +1 a
> > release unless i am convinced that the IP is known and fully audited.
> > this is different from -1ing a release that i consider to be actively
> > dangerous. other people judge things differently.
>
> You may have noticed that we only got 2 +1 ;-)
> So I'd like to know what exactly we have to do to get the 3rd +1, either
> by you or by someone of the other PMC members!

i count +1s from yourself, danny and norman: that should be sufficient

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
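For readers unfamiliar with the distinction the thread turns on, the following constructed pom.xml (an added illustration, not the jSPF project's own pom and not part of the thread) shows the two forms being contrasted. The groupId `org.example` and artifactId `example-project` are placeholders; the `junit:junit:3.8.1` coordinates correspond to the junit-3.8.1.jar mentioned in the thread, and the repository URL is the one the Maven 2 super POM itself defines for central.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example pom.xml; coordinates below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-project</artifactId>
  <version>0.1-SNAPSHOT</version>
  <packaging>jar</packaging>

  <!-- Form 1: the project only *names* the artifact it needs.
       Nothing here says where to fetch it from; Maven falls back to the
       central repository that is built into its own super POM, which is the
       "hardcoded in maven" situation described in the thread. -->
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <!-- Form 2: the project additionally declares a retrieval location.
       Uncommenting this block makes the download source an explicit part of
       what the project ships, which is the alternative Stefano asks about.
       Any third-party repository listed here becomes something a release
       reviewer has to vet, because the POM now directs users to it.
  <repositories>
    <repository>
      <id>central</id>
      <url>http://repo1.maven.org/maven2</url>
    </repository>
  </repositories>
  -->
</project>
```

Whichever form is used, the license of the artifact actually pulled in is unchanged; what differs is only whether the project's own release carries the instruction to go and fetch it, which is why the two cases are treated separately in the thread.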
