maven-users mailing list archives

From Dan Tran <dant...@gmail.com>
Subject Re: iText 4.2.0 - Could a software licence be changed from MPL/LGPL to AGPL by simply redistributing the pom.xml?
Date Wed, 20 Jan 2016 00:38:38 GMT
For my case, my Legal folks asked my team to remove it

Best to consult with your IP attorney

-Dan

On Tue, Jan 19, 2016 at 2:58 PM, Siegfried Goeschl <sgoeschl@gmx.at> wrote:

> Hi folks,
>
> I have a simple question - is it possible/legal to change the
> software licence by simply re-distributing a POM a couple of years later?
>
> During a code review I came across a project using itext-4.2.0-jar.
>
> AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved
> to AGPL V3 - I suggested to remove the library but the developer insisted
> that the library was indeed under MPL :-O
>
> * He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml
> clearly displaying an MPL/LGPL licence
> * I pointed him to
> http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom
> clearly displaying an AGPL V3 licence
>
> But the
> http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
> actually contains a "relocation" section
>
> <licenses>
>     <license>
>         <name>GNU Affero General Public License v3</name>
>         <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
>     </license>
> </licenses>
> <distributionManagement>
>     <relocation>
>         <groupId>com.itextpdf</groupId>
>         <artifactId>itextpdf</artifactId>
>         <version>5.5.6</version>
>         <message>After release 2.1.7, iText moved from the MPLicense to the AGPLicense.
>         The groupId changed from com.lowagie to com.itextpdf and the artifactId from itext to itextpdf.
>         See http://itextpdf.com/functionalitycomparison for more information.</message>
>     </relocation>
> </distributionManagement>
>
> Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie"
> package name so I started digging through Maven Central
>
>
> 1) What Maven Central Says
> ===============================================================
>
> http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/
>
> itext-4.2.0-bundle.jar.asc          20-Sep-2012 16:34      490
> itext-4.2.0-bundle.jar.asc.md5      20-Sep-2012 16:34       32
> itext-4.2.0-bundle.jar.asc.sha1     20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar             20-Sep-2012 16:34  4498819
> itext-4.2.0-javadoc.jar.asc         20-Sep-2012 16:34      490
> itext-4.2.0-javadoc.jar.asc.md5     20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.asc.sha1    20-Sep-2012 16:34       40
> itext-4.2.0-javadoc.jar.md5         20-Sep-2012 16:34       32
> itext-4.2.0-javadoc.jar.sha1        20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar             20-Sep-2012 16:34  4061295
> itext-4.2.0-sources.jar.asc         20-Sep-2012 16:34      490
> itext-4.2.0-sources.jar.asc.md5     20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.asc.sha1    20-Sep-2012 16:34       40
> itext-4.2.0-sources.jar.md5         20-Sep-2012 16:34       32
> itext-4.2.0-sources.jar.sha1        20-Sep-2012 16:34       40
> itext-4.2.0.jar                     20-Sep-2012 16:34  2243043
> itext-4.2.0.jar.asc                 20-Sep-2012 16:34      490
> itext-4.2.0.jar.asc.md5             20-Sep-2012 16:34       32
> itext-4.2.0.jar.asc.sha1            20-Sep-2012 16:34       40
> itext-4.2.0.jar.md5                 20-Sep-2012 16:34       32
> itext-4.2.0.jar.sha1                20-Sep-2012 16:34       40
> itext-4.2.0.pom                     10-Jul-2015 08:16     2156
> itext-4.2.0.pom.asc                 10-Jul-2015 08:16      821
> itext-4.2.0.pom.asc.md5             09-Jul-2015 12:33       32
> itext-4.2.0.pom.asc.sha1            09-Jul-2015 12:33       40
> itext-4.2.0.pom.md5                 10-Jul-2015 08:16       32
> itext-4.2.0.pom.sha1                10-Jul-2015 08:16       40
>
> Interesting - the pom.xml was re-distributed a couple of months ago while
> the iText library is still from 2012. I guess the redistribution was caused
> by the additional "relocation" section of the pom.xml
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
> > gpg --verify itext-4.2.0.jar.asc
>
> itext> gpg --verify itext-4.2.0.jar.asc
> gpg: assuming signed data in `itext-4.2.0.jar'
> gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using RSA key ID 5FC3427B
> gpg: Can't check signature: public key not found
>
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom
> > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom.asc
> > gpg --verify itext-4.2.0.pom.asc
> gpg: assuming signed data in `itext-4.2.0.pom'
> gpg: Signature made Fri Jul 10 10:15:36 2015 CEST using RSA key ID D401AB61
> gpg: Can't check signature: public key not found
>
>
> 2) Checking the itext-4.2.0.jar metadata
> ===============================================================
>
> A closer look at the itext-4.2.0.jar shows the following pom.xml
>
> <project>
>     <licenses>
>         <license>
>             <name>GNU General Lesser Public License (LGPL) version 3.0</name>
>             <url>http://www.gnu.org/licenses/lgpl.html</url>
>             <distribution>repo</distribution>
>         </license>
>         <license>
>             <name>Mozilla Public License Version 2.0</name>
>             <url>http://www.mozilla.org/MPL/2.0/</url>
>             <distribution>repo</distribution>
>         </license>
>     </licenses>
>
>     <name>iText-4.2.0</name>
>     <url>https://github.com/weiyeh/iText-4.2.0</url>
>     <description>This is a build of the last MPL version of iText.</description>
>     <scm>
>         <url>scm:git:https://github.com/weiyeh/iText-4.2.0.git</url>
>         <connection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</connection>
>         <developerConnection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</developerConnection>
>     </scm>
>
> </project>
>
> Looking at https://github.com/weiyeh/iText-4.2.0 shows that this is a
> fork of static mirror of the original iText project
>
> So this is actually not an official build from the iText developers so I
> checked the "official" SourceForge SVN repo
>
>
> 3) What SourceForge Says
> ===============================================================
>
> I dug through the SourceForge SVN repo and there is indeed a tag
> "Unofficial release: iText 4.2.0"
>
> * http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/www/lowagie/
> * http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/src/core/com/lowagie/text/Anchor.java
>
> clearly states that the project at that time was under MPL/LGPL
>
>
> 4) Open Questions
> ===============================================================
>
> Could anyone clarify the issue
>
> * Is this only an accident and we just need to upload the old pom.xml?
> * Is the current itext-4.2.0.jar legally dangerous and should be removed
> from Maven Central?
> * Could a re-distribution of pom.xml indeed change the licence terms
> many years later?
> * What are the legal implications in this case if a LGPL library suddenly
> turns into viral GPL? Legal hell? Cease and desist letters?
>
>
> Thanks in advance
>
> Siegfried Goeschl
>
>
>
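The comparison carried out by hand in the quoted message (the POM embedded in the JAR versus the POM served by the repository) can be automated as a dependency-review check. The following is an added example, not part of the original thread: the function names are hypothetical, and the sample POMs are constructed by reducing the two excerpts quoted above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any "{namespace}" prefix so namespaced and bare POMs both parse.
    return tag.rsplit("}", 1)[-1]

def pom_facts(pom_xml):
    """Return (sorted license names, relocation 'groupId:artifactId:version' or None)."""
    root = ET.fromstring(pom_xml)
    names, relocation = [], None
    for el in root.iter():
        if _local(el.tag) == "license":
            for child in el:
                if _local(child.tag) == "name":
                    names.append(" ".join((child.text or "").split()))
        elif _local(el.tag) == "relocation":
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            relocation = ":".join(f.get(k, "?") for k in ("groupId", "artifactId", "version"))
    return sorted(names), relocation

def embedded_pom(jar_bytes, group_id, artifact_id):
    """Read META-INF/maven/<groupId>/<artifactId>/pom.xml out of a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.read(f"META-INF/maven/{group_id}/{artifact_id}/pom.xml")

def compare(jar_bytes, repo_pom, group_id, artifact_id):
    jar_lic, _ = pom_facts(embedded_pom(jar_bytes, group_id, artifact_id))
    repo_lic, relocation = pom_facts(repo_pom)
    return {"jar_licenses": jar_lic, "repo_licenses": repo_lic,
            "license_mismatch": jar_lic != repo_lic, "relocation": relocation}

# Constructed sample input, reduced from the two POM excerpts quoted in the message.
REPO_POM = b"""<project><licenses><license>
<name>GNU Affero General Public License v3</name></license></licenses>
<distributionManagement><relocation><groupId>com.itextpdf</groupId>
<artifactId>itextpdf</artifactId><version>5.5.6</version></relocation>
</distributionManagement></project>"""
JAR_POM = b"""<project><licenses>
<license><name>GNU General Lesser Public License (LGPL) version 3.0</name></license>
<license><name>Mozilla Public License Version 2.0</name></license>
</licenses></project>"""

def sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.lowagie/itext/pom.xml", JAR_POM)
    return buf.getvalue()

if __name__ == "__main__":
    print(compare(sample_jar(), REPO_POM, "com.lowagie", "itext"))
```

A mismatch or a relocation entry is a signal to review the artifact's provenance and licence manually; the check itself does not decide which POM is authoritative.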
