It all depends on how the corporate legal brains interpret these things.

Advocate #1: jar files are just dynamic link libraries... most of the open source licenses (including AFAIR the GPL) say dynamic linking is ok, static linking is less so... there is no problem here!

Advocate #2: What about if you build a war or ear and have the jar in the lib folder? Now your code is statically linked to that jar. There is a problem here!

Advocate #1: Ahh but the war and ear specs allow and expect for deployers to repackage, it's just a zip file after all, so they can replace a jar with a non-restrictive license, therefore it is dynamic linking. Are you saying that if I zip up a GPL product and a non-GPL product in the same zip file that my non-GPL is now GPL'ed? There is no problem here!

Advocate #2: [More legal speak]...

I've worked for companies where they take #1's side and others where it's #2 who wins.

Additionally, there are issues with patents.

In reality, an ethical developer should ensure that each shipped dependency is OK'ed by legal before you ship. OK'ed that the license is compatible with the company, OK'ed that the license terms have been met with, OK'ed that the dependency does not knowingly infringe any patents to which the company does not have a license (in the economic areas that the company intends to ship).

What I think you need, therefore, is a maven-prerelease-legal-check-plugin that checks all dependencies against a "dependency is ok" legal database held by the company. The "dependency is ok" would just be a simple list of artifacts with version ranges.

-Stephen

On Nov 23, 2007 8:18 AM, maarten roosendaal <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I was wondering that if you make an application for a large corporate firm
> using Maven 2, what problems can you expect regarding licenses of
> (transitive) dependencies. Some licenses force you to make the application
> you made, based on their open source product, open source and make it
> available to the community. The corporate firm probably will not be amused by
> this but it could lead to legal issues. I'm not too familiar with all
> licenses but this point was made by someone who does know a lot.
>
> Is there a way to enforce this with Maven (probably not) or should you do
> something with the blacklist of say Archiva.
>
> Your thoughts on this?
>
> Maarten
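The "dependency is ok" list with version ranges proposed in the reply above can be sketched as a pre-release gate. This is an added example, not code from the thread or from any Maven plugin; the allowlist entries, the sample listing and the function names are constructed, and it assumes plain dotted numeric versions and input shaped like `mvn dependency:list` output.

```python
import re

# Constructed allowlist: "groupId:artifactId" -> version ranges legal has OK'ed.
APPROVED = {
    "commons-lang:commons-lang": ["[2.1,2.4)"],
    "org.example:widgets": ["[1.0]", "[2.0,)"],
}
# Constructed sample shaped like `mvn dependency:list` output.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    commons-lang:commons-lang:jar:2.3:compile
[INFO]    org.example:widgets:jar:1.5:compile
[INFO]    org.example:gpl-thing:jar:0.9-beta:runtime
"""

def vkey(version):
    # Assumption: plain dotted numeric versions; anything else is refused.
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError("unsupported version format")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # treat 2.0 and 2 as equal
    return tuple(parts)

def in_range(version, rng):
    # Maven range syntax: [a,b] inclusive, (a,b) exclusive, open ends, [a] exact.
    m = re.fullmatch(r"([\[(])([^,\])]*)(?:(,)([^,\])]*))?([\])])", rng.strip())
    if not m:
        raise ValueError("bad range")
    lo_b, lo, comma, hi, hi_b = m.groups()
    v = vkey(version)
    if comma is None:
        return lo_b == "[" and hi_b == "]" and v == vkey(lo)
    if lo and (v < vkey(lo) or (v == vkey(lo) and lo_b == "(")):
        return False
    return not (hi and (v > vkey(hi) or (v == vkey(hi) and hi_b == ")")))

def check(listing, approved=APPROVED):
    """Return (coordinate, reason) for each dependency not on the approved list."""
    rejected = []
    for line in listing.splitlines():
        body = line.replace("[INFO]", "").strip()
        f = body.split(":")
        if " " in body or len(f) not in (5, 6):
            continue  # not a group:artifact:type[:classifier]:version:scope line
        coord, version = f[0] + ":" + f[1], f[-2]
        try:
            if coord not in approved:
                rejected.append((coord + ":" + version, "artifact not approved"))
            elif not any(in_range(version, r) for r in approved[coord]):
                rejected.append((coord + ":" + version, "version not approved"))
        except ValueError as exc:  # fail closed on anything unparseable
            rejected.append((coord + ":" + version, str(exc)))
    return rejected
```

A release job would fail the build whenever `check()` returns a non-empty list, so transitive dependencies that legal has not reviewed are caught before shipping.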
