maven-users mailing list archives

From Anton Tanasenko <atg.sleepl...@gmail.com>
Subject Re: iText 4.2.0 - Could a software licence be changed from MPL/LGPL to AGPL by simply redistributing the pom.xml?
Date Wed, 20 Jan 2016 07:06:35 GMT
This is weird indeed.
iText changed license/package starting from 5 and onwards.
4.2.0 wasn't officially released but sources are there and they are still
under MPL/LGPL and anyone can always build the jar himself [1] and I guess
nothing disallows one to distribute such jar, right?
Someone must've built and uploaded 4.2.0 unofficially to central in 2012.

The relocation in the recent pom, however, means that when you try to depend
on the 4.2.0 version, Maven will actually download the AGPLed 5.5.6 version,
which would be a serious problem.
I think the pom for 4.2.0 in central must be restored to its original state
[2].

[1]
http://sourceforge.net/p/itext/code/6803/log/?path=/tags/iText_4_2_0/src/ant/pom.xml
[2]
http://sourceforge.net/p/itext/code/4107/tree/tags/iText_4_2_0/src/ant/pom.xml


2016-01-20 2:38 GMT+02:00 Dan Tran <dantran@gmail.com>:

> For my case, my Legal folks ask my team to remove it
>
> Best to consult with your IP attorney
>
> -Dan
>
> On Tue, Jan 19, 2016 at 2:58 PM, Siegfried Goeschl <sgoeschl@gmx.at>
> wrote:
>
> > Hi folks,
> >
> > I have a simple question - is it possible/legal to change the
> > software licence by simply re-distributing a POM a couple of years later?
> >
> > During a code review I came across a project using itext-4.2.0-jar.
> >
> > AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved
> > to AGPL V3 - I suggested to remove the library but the developer insisted
> > that the library was indeed under MPL :-O
> >
> > * He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml
> > clearly displaying an MPL/LGPL licence
> > * I pointed him to
> > http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom
> > clearly displaying an AGPL V3 licence
> >
> > But the
> > http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
> > actually contains a "relocation" section
> >
> > <licenses>
> >     <license>
> >         <name>GNU Affero General Public License v3</name>
> >         <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
> >     </license>
> > </licenses>
> > <distributionManagement>
> >     <relocation>
> >         <groupId>com.itextpdf</groupId>
> >         <artifactId>itextpdf</artifactId>
> >         <version>5.5.6</version>
> >         <message>After release 2.1.7, iText moved from the MPLicense to
> > the AGPLicense.
> >         The groupId changed from com.lowagie to com.itextpdf and the
> > artifactId from itext to itextpdf.
> >         See http://itextpdf.com/functionalitycomparison for more
> > information.</message>
> >     </relocation>
> > </distributionManagement>
> >
> > Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie"
> > package name so I started digging through Maven Central
> >
> >
> > 1) What Maven Central Says
> > ===============================================================
> >
> > http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/
> >
> > itext-4.2.0-bundle.jar.asc        20-Sep-2012 16:34      490
> > itext-4.2.0-bundle.jar.asc.md5    20-Sep-2012 16:34       32
> > itext-4.2.0-bundle.jar.asc.sha1   20-Sep-2012 16:34       40
> > itext-4.2.0-javadoc.jar           20-Sep-2012 16:34  4498819
> > itext-4.2.0-javadoc.jar.asc       20-Sep-2012 16:34      490
> > itext-4.2.0-javadoc.jar.asc.md5   20-Sep-2012 16:34       32
> > itext-4.2.0-javadoc.jar.asc.sha1  20-Sep-2012 16:34       40
> > itext-4.2.0-javadoc.jar.md5       20-Sep-2012 16:34       32
> > itext-4.2.0-javadoc.jar.sha1      20-Sep-2012 16:34       40
> > itext-4.2.0-sources.jar           20-Sep-2012 16:34  4061295
> > itext-4.2.0-sources.jar.asc       20-Sep-2012 16:34      490
> > itext-4.2.0-sources.jar.asc.md5   20-Sep-2012 16:34       32
> > itext-4.2.0-sources.jar.asc.sha1  20-Sep-2012 16:34       40
> > itext-4.2.0-sources.jar.md5       20-Sep-2012 16:34       32
> > itext-4.2.0-sources.jar.sha1      20-Sep-2012 16:34       40
> > itext-4.2.0.jar                   20-Sep-2012 16:34  2243043
> > itext-4.2.0.jar.asc               20-Sep-2012 16:34      490
> > itext-4.2.0.jar.asc.md5           20-Sep-2012 16:34       32
> > itext-4.2.0.jar.asc.sha1          20-Sep-2012 16:34       40
> > itext-4.2.0.jar.md5               20-Sep-2012 16:34       32
> > itext-4.2.0.jar.sha1              20-Sep-2012 16:34       40
> > itext-4.2.0.pom                   10-Jul-2015 08:16     2156
> > itext-4.2.0.pom.asc               10-Jul-2015 08:16      821
> > itext-4.2.0.pom.asc.md5           09-Jul-2015 12:33       32
> > itext-4.2.0.pom.asc.sha1          09-Jul-2015 12:33       40
> > itext-4.2.0.pom.md5               10-Jul-2015 08:16       32
> > itext-4.2.0.pom.sha1              10-Jul-2015 08:16       40
> >
> > Interesting - the pom.xml was re-distributed a couple of months ago while
> > the iText library is still from 2012. I guess the redistribution was caused
> > by the additional "relocation" section of the pom.xml
> >
> > > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
> > > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
> > > gpg --verify itext-4.2.0.jar.asc
> >
> > itext> gpg --verify itext-4.2.0.jar.asc
> > gpg: assuming signed data in `itext-4.2.0.jar'
> > gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using RSA key ID 5FC3427B
> > gpg: Can't check signature: public key not found
> >
> > > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom
> > > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom.asc
> > > gpg --verify itext-4.2.0.pom.asc
> > gpg: assuming signed data in `itext-4.2.0.pom'
> > gpg: Signature made Fri Jul 10 10:15:36 2015 CEST using RSA key ID D401AB61
> > gpg: Can't check signature: public key not found
> >
> >
> > 2) Checking the itext-4.2.0.jar metadata
> > ===============================================================
> >
> > A closer look at the itext-4.2.0.jar shows the following pom.xml
> >
> > <project>
> >     <licenses>
> >         <license>
> >             <name>GNU General Lesser Public License (LGPL) version 3.0</name>
> >             <url>http://www.gnu.org/licenses/lgpl.html</url>
> >             <distribution>repo</distribution>
> >         </license>
> >         <license>
> >             <name>Mozilla Public License Version 2.0</name>
> >             <url>http://www.mozilla.org/MPL/2.0/</url>
> >             <distribution>repo</distribution>
> >         </license>
> >     </licenses>
> >
> >     <name>iText-4.2.0</name>
> >     <url>https://github.com/weiyeh/iText-4.2.0</url>
> >     <description>This is a build of the last MPL version of iText.</description>
> >     <scm>
> >         <url>scm:git:https://github.com/weiyeh/iText-4.2.0.git</url>
> >         <connection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</connection>
> >         <developerConnection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</developerConnection>
> >     </scm>
> >
> > </project>
> >
> > Looking at https://github.com/weiyeh/iText-4.2.0 shows that this is a
> > fork of static mirror of the original iText project
> >
> > So this is actually not an official build from the iText developers so I
> > checked the "official" SourceForge SVN repo
> >
> >
> > 3) What SourceForge Says
> > ===============================================================
> >
> > I dug through the SourceForge SVN repo and there is indeed a tag
> > "Unofficial release: iText 4.2.0"
> >
> > * http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/www/lowagie/
> > * http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/src/core/com/lowagie/text/Anchor.java
> >
> > clearly states that the project at that time was under MPL/LGPL
> >
> >
> > 4) Open Questions
> > ===============================================================
> >
> > Could anyone clarify the issue
> >
> > * Is this only an accident and we just need to upload the old pom.xml?
> > * Is the current itext-4.2.0.jar legally dangerous and should be removed
> > from Maven Central?
> > * Could a re-distribution of pom.xml indeed change the licence terms
> > many years later?
> > * What are the legal implications in this case if a LGPL library suddenly
> > turns into viral GPL? Legal hell? Cease and desist letters?
> >
> >
> > Thanks in advance
> >
> > Siegfried Goeschl
> >
> >
>



-- 
Regards,
Anton.
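
The comparison made by hand in the quoted message (the pom.xml packaged inside the jar versus the POM the repository serves, plus the relocation entry), as an added example that is not part of the original thread. The function names and the sample POM bytes are constructed for illustration, modelled on the two excerpts quoted above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def pom_facts(pom_bytes):
    """Return (sorted license names, relocation target or None) from a POM."""
    root = ET.fromstring(pom_bytes)
    for el in root.iter():  # POMs may declare the Maven namespace; drop it
        el.tag = el.tag.rsplit("}", 1)[-1]
    names = sorted(" ".join((n.text or "").split())
                   for n in root.findall("./licenses/license/name"))
    rel = root.find("./distributionManagement/relocation")
    if rel is None:
        return names, None
    return names, ":".join((rel.findtext(k) or "").strip()
                           for k in ("groupId", "artifactId", "version"))

def embedded_pom(jar_bytes):
    """Read the pom.xml that the Maven build packaged under META-INF/maven/."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = [n for n in jar.namelist()
                if n.startswith("META-INF/maven/") and n.endswith("/pom.xml")]
        return jar.read(hits[0]) if hits else None

def audit(jar_bytes, repo_pom_bytes):  # jar's embedded POM vs. repository POM
    findings = []
    repo_lic, relocation = pom_facts(repo_pom_bytes)
    if relocation:
        findings.append(f"repository POM relocates to {relocation}")
    inner = embedded_pom(jar_bytes)
    if inner is None:
        findings.append("jar carries no embedded POM to compare against")
    elif pom_facts(inner)[0] != repo_lic:
        findings.append(f"license mismatch: jar={pom_facts(inner)[0]} repo={repo_lic}")
    return findings

# Constructed sample inputs modelled on the two POM excerpts quoted in the thread.
JAR_POM = (b"<project><licenses><license><name>Mozilla Public License Version 2.0"
           b"</name></license></licenses></project>")
REPO_POM = b"""<project><licenses><license>
<name>GNU Affero General Public License v3</name></license></licenses>
<distributionManagement><relocation><groupId>com.itextpdf</groupId>
<artifactId>itextpdf</artifactId><version>5.5.6</version></relocation>
</distributionManagement></project>"""

def sample_jar():  # constructed jar holding only the embedded POM
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.lowagie/itext/pom.xml", JAR_POM)
    return buf.getvalue()
```

Calling `audit(sample_jar(), REPO_POM)` reports both the relocation and the license disagreement; run against real downloads, the same two findings are what a dependency review would flag before the build resolves the relocated artifact.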
