www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roland Weber <ossf...@dubioso.net>
Subject Re: Status of dependency on LGPL'd library (Was: Re: [Legal] Why is this LGPL notice file in our SVN?)
Date Fri, 25 Jan 2008 20:22:47 GMT
Sam Ruby wrote:
> We are getting close, and there is a part that deals with ASF policy
> issues that I am committed to get the board as a whole to come to
> agreement on.  Whether I will be able to do it before next board meeting
> or at the next board meeting (Feb 20) is yet to be determined.

Well, to me this discussion is still as confusing as the other
ones I've seen before, or as the 3rd party draft. Judging from [1],
the "System Dependency" clause of the 3rd party draft was intended
only for dependencies via a standard Java API but not for direct
imports of LGPL-licensed packages.
In my case, it's HttpComponents that would like to use the
NTLM code in jCIFS to support NTLM authentication. We don't know
yet whether that is doable at all, but I'm sure we would have to
import and call jCIFS packages directly to make it work. So at that
point of the discussion, I was sure that we have to keep that code
outside of Apache.

>>>> I've had to read this several times. My summary:
>>>> 1. Applications which import LGPL libraries need not be licensed
>>>> under LGPL
>>>> 2. The LGPL'd library must be able to be modified or replaced.
>>>> 3. The trickiest one - they must be able to reverse engineer your code
>>>> to debug their modifications to the LGPL'd library.
>>>> 3. If you distribute the LGPL'd library you must also make the source
>>>> available. If you don't distribute it then you don't.
> [...]
> It seems to me that we want something more than an LGPL notice file in
> our SVN.  Preferably something that requires an explicit action on the
> part of the developer.

So after the stuff that the FSF wrote, it is now acceptable to
have direct imports in optional modules of our Apache-hosted code?
>From both the legal and policy point of view?

> In the case of having an optional dependency, we
> want ASF products to be substantially usable without the dependency in
> place, and for an explicit action (i.e., something more than a simple
> click through) for somebody to download and include code that imposes
> upon the additional restrictions over and above those that the ASF
> license requires.

We can live with that. Is it OK to ship binaries of the optional module?
The users don't have to use a build switch, but they have to read through
the list of dependencies where a prominent notice about the LGPL licensed
dependency would be included. Uploading to a Maven repository is probably
not an option, since that would make it too easy to drag in the dependency.

I guess I'll just wait until the policy stuff is sorted out in
one of the next board meetings. And until somebody else has found
an acceptable way to handle such dependencies in Maven 2 :-)



DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message