www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ralph Goers <Ralph.Go...@dslextreme.com>
Subject Re: Status of dependency on LGPL'd library (Was: Re: [Legal] Why is this LGPL notice file in our SVN?)
Date Fri, 25 Jan 2008 14:22:10 GMT
Trustin Lee wrote:
>
> Indeed.  However, is this also agreed within the ASF?  I just sounds
> like we can use whatever LGPL'd libraries without restriction because
> we almost always don't modify LGPL'd Java library and it's free to
> reverse engineer or debug ASL'd stuff we distribute.
>   
FSF's position on the LGPL doesn't need to be "agreed to within the 
ASF". It is simply their position on how their license works.

The sticky wicket here is the last part of your paragraph, "it's free to 
reverse engineer or debug ASL'd stuff we distribute".  This isn't really 
true. Vendors can take Apache licensed code and incorporate it into 
their own proprietary works. They may not wish to allow any part of what 
they distribute to be reverse engineered.  So we could have a problem 
with that. Frankly, this scenario doesn't worry me a whole lot simply 
because the use of the LGPL'd library must be an optional feature to the 
ASF project. So any company with such a requirement would almost 
certainly not want to use the optional feature.
> What's in the gray area is whether using Maven to pull LGPL'd JARs or
> not, which occurs automatically.
>   
Maven needs a way to support this. Someone should create a Jira issue 
for it.
> 1) Should we provide the source code of the LGPL's JAR too in this case?
>
> 2) Should we explicitly state that what Maven is going to download is
> not distributed under ASL but under LGPL?
>   
Maven should be able to provide you a list of all the licenses you need 
to accept - including the Apache license.  This should be fairly easy to 
do in the 2.1 branch of Maven.
> 3) What about transitive dependencies?  For example, someone could use
> Maven to pull a ASL'd JAR which depends on another LGPL'd JAR.  He or
> she will pull the LGPL'd JAR without any proper notice.
>   
Again, Maven 2.1 should be able to handle this since it makes a graph of 
the whole dependency tree.

Ralph

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message