Hello Siegfried,

I do not think this was an accident, see
https://issues.sonatype.org/plugins/servlet/mobile#issue/MVNCENTRAL-760.

The relocation does break builds as the package is different as well. I am
not a lawyer but I think it is not a nice move to cause breaking builds
and licensing issues two years after something is published.
Regards
Mirko
-- 
Sent from my mobile
On 19.01.2016 23:58, "Siegfried Goeschl" <sgoes...@gmx.at> wrote:

> Hi folks,
>
> I have a simple question - is it possible/legal to change the
> software licence by simply re-distributing a POM a couple of years later?
>
> During a code review I came across a project using itext-4.2.0-jar.
>
> AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved
> to AGPL V3 - I suggested to remove the library but the developer insisted
> that the library was indeed under MPL :-O
>
> * He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml
> clearly displaying a MPL/LGPL licence
> * I pointed him to
> http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom
> clearly displaying a AGPL V3 licence
>
> But the
> http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
> actually contains a "relocation" section
>
> <licenses>
>     <license>
>         <name>GNU Affero General Public License v3</name>
>         <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
>     </license>
> </licenses>
> <distributionManagement>
>     <relocation>
>         <groupId>com.itextpdf</groupId>
>         <artifactId>itextpdf</artifactId>
>         <version>5.5.6</version>
>         <message>After release 2.1.7, iText moved from the MPLicense to the AGPLicense.
>         The groupId changed from com.lowagie to com.itextpdf and the artifactId from itext to itextpdf.
>         See http://itextpdf.com/functionalitycomparison for more information.</message>
>     </relocation>
> </distributionManagement>
>
> Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie"
> package name so I started digging through Maven Central
>
>
> 1) What Maven Central Says
> ===============================================================
>
> http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/
>
> itext-4.2.0-bundle.jar.asc          20-Sep-2012 16:34      490
> itext-4.2.0-bundle.jar.asc.md5      20-Sep-2012 16:34       32
> itext-4.2.0-bundle.jar.asc.sha1     20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar             20-Sep-2012 16:34  4498819
> itext-4.2.0-javadoc.jar.asc         20-Sep-2012 16:34      490
> itext-4.2.0-javadoc.jar.asc.md5     20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.asc.sha1    20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar.md5         20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.sha1        20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar             20-Sep-2012 16:34  4061295
> itext-4.2.0-sources.jar.asc         20-Sep-2012 16:34      490
> itext-4.2.0-sources.jar.asc.md5     20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.asc.sha1    20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar.md5         20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.sha1        20-Sep-2012 16:34       40
> itext-4.2.0.jar                     20-Sep-2012 16:34  2243043
> itext-4.2.0.jar.asc                 20-Sep-2012 16:34      490
> itext-4.2.0.jar.asc.md5             20-Sep-2012 16:34       32
> itext-4.2.0.jar.asc.sha1            20-Sep-2012 16:34       40
> itext-4.2.0.jar.md5                 20-Sep-2012 16:34       32
> itext-4.2.0.jar.sha1                20-Sep-2012 16:34       40
> itext-4.2.0.pom                     10-Jul-2015 08:16     2156
> itext-4.2.0.pom.asc                 10-Jul-2015 08:16      821
> itext-4.2.0.pom.asc.md5             09-Jul-2015 12:33       32
> itext-4.2.0.pom.asc.sha1            09-Jul-2015 12:33       40
> itext-4.2.0.pom.md5                 10-Jul-2015 08:16       32
> itext-4.2.0.pom.sha1                10-Jul-2015 08:16       40
>
> Interesting - the pom.xml was re-distributed a couple of months ago while
> the iText library is still from 2012. I guess the redistribution was caused
> by the additional "relocation" section of the pom.xml
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
> > gpg --verify itext-4.2.0.jar.asc
>
> itext> gpg --verify itext-4.2.0.jar.asc
> gpg: assuming signed data in `itext-4.2.0.jar'
> gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using RSA key ID 5FC3427B
> gpg: Can't check signature: public key not found
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom.asc
> > gpg --verify itext-4.2.0.pom.asc
> gpg: assuming signed data in `itext-4.2.0.pom'
> gpg: Signature made Fri Jul 10 10:15:36 2015 CEST using RSA key ID D401AB61
> gpg: Can't check signature: public key not found
>
>
> 2) Checking the itext-4.2.0.jar metadata
> ===============================================================
>
> A closer look at the itext-4.2.0.jar shows the following pom.xml
>
> <project>
>     <licenses>
>         <license>
>             <name>GNU General Lesser Public License (LGPL) version 3.0</name>
>             <url>http://www.gnu.org/licenses/lgpl.html</url>
>             <distribution>repo</distribution>
>         </license>
>         <license>
>             <name>Mozilla Public License Version 2.0</name>
>             <url>http://www.mozilla.org/MPL/2.0/</url>
>             <distribution>repo</distribution>
>         </license>
>     </licenses>
>
>     <name>iText-4.2.0</name>
>     <url>https://github.com/weiyeh/iText-4.2.0</url>
>     <description>This is a build of the last MPL version of iText.</description>
>     <scm>
>         <url>scm:git:https://github.com/weiyeh/iText-4.2.0.git</url>
>         <connection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</connection>
>         <developerConnection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</developerConnection>
>     </scm>
>
> </project>
>
> Looking at https://github.com/weiyeh/iText-4.2.0 shows that this is a
> fork of static mirror of the original iText project
>
> So this is actually not an official build from the iText developers so I
> checked the "official" SourceForge SVN repo
>
>
> 3) What SourceForge Says
> ===============================================================
>
> I dug through the SourceForge SVN repo and there is indeed a tag
> "Unofficial release: iText 4.2.0"
>
> * http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/www/lowagie/
> * http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/src/core/com/lowagie/text/Anchor.java
>
> clearly states that the project at that time was under MPL/LGPL
>
>
> 4) Open Questions
> ===============================================================
>
> Could anyone clarify the issue
>
> * Is this only an accident and we just need to upload the old pom.xml?
> * Is the current itext-4.2.0.jar legally dangerous and should be removed
> from Maven Central?
> * Could a re-distribution of pom.xml indeed change the licence terms
> many years later?
> * What are the legal implications in this case if a LGPL library suddenly
> turns into viral GPL? Legal hell? Cease and desist letters?
>
>
> Thanks in advance
>
> Siegfried Goeschl
>
>
>
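
The manual comparison in the quoted message (the POM bundled under META-INF/maven inside the JAR versus the POM served by the repository) can be automated. The following Python is an added example, not part of the original thread; the function names are hypothetical and the two sample POMs are constructed, reduced from the fragments quoted above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def pom_facts(pom_xml):
    """Return (sorted licence names, relocation target or None) for one POM."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # real POMs carry the Maven xmlns; drop it for lookups
        el.tag = el.tag.rsplit("}", 1)[-1]
    names = sorted(" ".join((n.text or "").split())
                   for n in root.findall("./licenses/license/name"))
    rel = root.find("./distributionManagement/relocation")
    target = None if rel is None else ":".join(
        (rel.findtext(k) or "?").strip() for k in ("groupId", "artifactId", "version"))
    return names, target

def pom_drift(jar_bytes, repo_pom_xml, group_id, artifact_id):
    """List differences between the POM inside the JAR and the repository POM."""
    path = f"META-INF/maven/{group_id}/{artifact_id}/pom.xml"  # where Maven embeds it
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        jar_lic, jar_rel = pom_facts(jar.read(path))
    repo_lic, repo_rel = pom_facts(repo_pom_xml)
    findings = []
    if jar_lic != repo_lic:
        findings.append(f"licence mismatch: jar={jar_lic} repo={repo_lic}")
    if jar_rel != repo_rel:
        findings.append(f"relocation differs: jar={jar_rel} repo={repo_rel}")
    return findings

# Constructed sample data, reduced from the two POM fragments quoted in the thread.
JAR_POM = b"""<project><licenses>
  <license><name>GNU General Lesser Public License (LGPL) version 3.0</name></license>
  <license><name>Mozilla Public License Version 2.0</name></license>
</licenses></project>"""
REPO_POM = b"""<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses>
  <license><name>GNU Affero General Public License v3</name></license></licenses>
  <distributionManagement><relocation><groupId>com.itextpdf</groupId>
  <artifactId>itextpdf</artifactId><version>5.5.6</version></relocation>
</distributionManagement></project>"""

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:  # stand-in for itext-4.2.0.jar
        jar.writestr("META-INF/maven/com.lowagie/itext/pom.xml", JAR_POM)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(pom_drift(sample_jar(), REPO_POM, "com.lowagie", "itext")))
```

POMs fetched from a repository you do not control should be parsed with a hardened XML parser such as defusedxml rather than the standard library's.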
