www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefano Bagnara <apa...@bago.org>
Subject Re: Maven repository issues [Was: Creative Commons Attribution License]
Date Thu, 29 May 2008 19:35:50 GMT
Henri Yandell ha scritto:
> The issue, I think, is the next step in that - if it is copyrightable,
> then we need to license that. At least I'm reading this as the JAMES
> PMC having discussion about publishing their own poms, not whether
> they will depend on 3rd party jars without a license on the top. Maybe
> I'm wrong though :)

No, we include the standard ASF header in our poms.
The problem is that we use a technique that I call "local stage 
repository". This is a maven repository (legacy structure) having a 
relative path to the project root itself. This way we can redistribute a 
package that can be built with maven with no internet access because we 
also provide any dependency in our "local stage repository". This is lie 
the "old" lib folder for ant based projects, simply structured by 
groupId/artifactId.
If we only put there jars then maven will automatically create simple 
poms when installing them and this is not good because the new poms 
would differ from the "official" pom and this would break transitive 
dependencies for other projects built in the same machine (sharing the 
same local repository, this time it is the .m2 folder in the user home 
and not our "stage repository").
So we have to also put the original poms in this stage folder to make 
everything work fine.
The problem is that 99% of poms descriptor in maven central do not 
provide a license header and so we have to take them as "all right 
reserved" and ASF does not allow us to redistribute similar files.

> That's a general problem for any user - how to determine the license
> of their 3rd party works. There are solutions out there - commercial
> and open source.
> 
> With the Maven repository, the jar files often contain LICENSE and
> NOTICE files now - I always check the META-INF of an unknown jar for
> its licensing nowadays (to the point of having a script for it :) ).

As you say the JAR includes the LICENSE/NOTICE, but my problem is that 
the pom is not inside the JAR and more often than not it has not been 
created by the JAR author. So there is no way to know the license for 
the pom itself unless it has an header (and 99% of poms in central do 
not have a license header).

This could even mean that people has no right to use the poms as part of 
an automated process (a maven/ivy build) because I didn't find any 
documentation in central about what usage rights I have for the poms 
they redistribute.

Stefano


---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message