www-legal-discuss mailing list archives

From "Benson Margulies (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-155) Please help us educate projects about LICENSE and NOTICE
Date Mon, 28 Jan 2013 21:15:13 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13564684#comment-13564684 ]

Benson Margulies commented on LEGAL-155:
----------------------------------------

To support the non-recursive approach:

For any project using a build tool that downloads dependencies that in turn have dependencies,
I don't see how a 100% reliable recursion is possible, and I'm not sure that I even see the
value. Heck, even the top-level documentation for auto-downloaded dependencies has a potential
leak: at time "T", the project checks and verifies the license, but at time T+1, the licence
has been changed. This can't happen with Maven, since artifacts on Central are frozen, but
Maven's not the only auto-downloading thing in the universe, and I don't know if some other
one has less stringent policies.

In any case, I remain a bit befogged on one issue here. The clear case is when the release package
(i.e. source) incorporates the source of a dependency. Then that gets documented in N&L.
As soon as we start talking about something downloaded when you run a build, then I begin
to wonder if the N&L mechanism is the right place to say anything at all.

In a convenience binary, on the other hand, I suppose that N&L should cover all included
items. Which suggests that the N&L have different contents in the different cases.

                
> Please help us educate projects about LICENSE and NOTICE
> --------------------------------------------------------
>
>                 Key: LEGAL-155
>                 URL: https://issues.apache.org/jira/browse/LEGAL-155
>             Project: Legal Discuss
>          Issue Type: Task
>            Reporter: Benson Margulies
>
> Dear Legal,
> The incubator continues to struggle to educate projects in the proper construction and
> maintenance of LICENSE and NOTICE files. INCUBATOR-125 is an attempt to write some documentation.
> This document suffers from its authors' inability to even find a single point of reference
> on the ASF website for theory of these files.
> Since podlings are unusual only in their need to set up initial versions, it seems to
> me that most of this documentation should be produced and maintained at the foundation level,
> and the incubator should be pointing to it, instead of maintaining detailed alternatives with
> risk of divergence.
> If there is existing documentation, please comment and point me to it. If there is not,
> can we collaborate to write it?
> In this area, I have a particular curiosity and concern about convenience binaries.
> A typical Apache project has very limited needs for complexity in these files for its
> *releases*. Only sources with external provenance (e.g., results of an SGA) or bundled dependencies
> trigger it. Far more dependencies get bundled in convenience binaries. But convenience binaries
> are, merely, conveniences, not legally, releases from the foundation. I've never seen any
> discussion of this; does the foundation's liability umbrella even extend over them? I doubt
> it, for all the usual reasons given in emphasizing that the real release is the source release.
> So I wonder about what policies or guidelines should exist for their legal boilerplate.
