couchdb-dev mailing list archives

From Jason Davies
Subject Re: Dependencies in SVN
Date Mon, 10 Aug 2009 13:22:32 GMT
Hi Curt,

Thank you for bringing up the issue of third-party licensing.  I wrote  
the OAuth patch that was recently merged into trunk.  After your  
various e-mails on the subject, I've spent quite a bit of time  
researching how things are handled at the ASF, even to the extent of  
thinking we need to request a software grant agreement (SGA) from the  
original authors of the third-party libraries that we use, as this is  
mentioned in the "IP Clearance" page.  This did seem rather ridiculous  
as all the third-party libraries that we bundle are ASL-compatible.   
For example, consider the jQuery library: do all ASF projects really  
need to ask John Resig to personally sign a SGA?  What if he is on  

So I asked for further clarification about this on the legal-discuss@  
mailing list.  The answer is crystal clear: we do NOT need IP  
clearance for unmodified third-party libraries.  No vote thread is  
needed, no SGAs.  We just need an ASL-compatible license (which I had  
already checked for) and that is sufficient (and of course, add the  
appropriate entries to NOTICE and LICENSE, which we have now done).

I have included the full message below as the legal-discuss archives  
haven't updated yet.  I hope this clears up the issue for you and  
anyone else who was curious about this.

Jason Davies wrote:
> Hi again,
> The first time I read
> I got the impression that a SGA is required before *any* third-party
> libraries can be imported into SVN.  However, if the library is simply a
> dependency and is copied without changes simply to allow bundling, is a
> SGA really required?
> For example, I have just realised that we also bundle the jQuery
> JavaScript library, which is released under the BSD (modified) license.
> Do we need to ask the author to sign a SGA too?  And what if we cannot
> contact the author of such a library, does that mean we cannot import it
> into SVN even if it was released under an ASL-compatible license?

IP clearance is for code bases which are being imported into apache for
future development. it's not required for unmodified third party library
dependencies. if you do distribute third party libraries, you do need
to follow

- robert


Jason Davies

On 6 Aug 2009, at 05:45, Curt Arnold wrote:

> The CouchDB now has at least snapshots of three non-ASL licensed,  
> non-ASF developed projects in the SVN.  The following message  
> suggests that mochiweb in the CouchDB repo is forked and  
> incompatible with the main distribution:
> Having an external code base in the SVN is an invitation to fork
> which results in the ASF effectively publishing software under a
> license other than the ASL v2.  That is a whole different animal than
> having a dependency on a non-ASL'd licensed piece of software.
> erlang-oauth was introduced into the SVN yesterday to support the  
> couch_http_oauth authentication handler.  It is optional, the  
> recently added oauth authentication handler would fail to load  
> without it but that should be all.  There was no mention that the  
> patch included third-party developed software, no dev list  
> discussion or vote or Incubator PMC clearance.  I have requested  
> that it be removed from the SVN pending review.
> ibrowse was initially added to the SVN in January and is an
> HTTP client used in replication.  I was unable to find any mailing  
> list discussion or Incubator review on the addition of this code base.
> mochiweb was added in March 2008 and provides the http server  
> included in CouchDB.  The Incubator PMC was aware of this dependency  
> based on the April 2008 Incubator PMC board report.  In addition to  
> the http server, CouchDB also uses mochiweb routines for parsing  
> query strings, url encoding, etc.
> Most of the other dependencies are used in the Futon management  
> client.
> To minimize the amount of effort that a user has to perform to  
> satisfy their license issues, I think we should consider  
> modularizing couchdb so that a user who isn't interested in OAuth  
> does not have to research its license, etc.
> I'd see the parts as:
> core: The database and non-network core of CouchDB.  I would hope  
> this code have no dependencies other than OTP.
> http: The http server dependent on MochiWeb's http services and core.
> replicator: dependent on core and ibrowse
> futon: HTTP admin console
> oauth: OAuth authenticator, dependent on erlang-oauth
> Ideally, the interfaces with mochiweb, ibrowse and the like should  
> be designed so that other providers could be substituted without  
> huge effort.
> I do think the Incubator PMC should review the situation, but it  
> would be good to understand the issues and discuss a path forward  
> before asking for review.
