www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Henri Yandell <bay...@apache.org>
Subject Re: Proposal: Apache Third Party License Policy
Date Sat, 16 May 2015 23:44:13 GMT
Some thoughts inline (and a pouty note that you didn't reply to my last
reply :) ).

On Sat, May 16, 2015 at 9:57 AM, Lawrence Rosen <lrosen@rosenlaw.com> wrote:

> Jim Jagielski wrote:
>
> > the increased vigor for SPDX, which I support 100% and have a personal
> interest in, really has little-to-null to do with, afaict, with any
> licensing "issues" we may or may not have
>
>
>
> SPDX alone cannot solve Apache issues relating to IP due diligence and
> third party license review. But that kind of professional attention to
> detail in our NOTICE files can only help our customers. I previously
> provided a link to this article because open source supply chain issues are
> *very* topical in the software world:
>
>
>
>
> http://www.eweek.com/enterprise-apps/linux-foundation-updates-spdx-compliance-effort.html
>
>
> Here are some of our Apache "issues":
>
>
>
> Last weekend Henri Yandell closed a bunch of Apache Legal-JIRA issues. A
> partial list is below. If the answers to these questions are not in the
> NOTICE files for the relevant Apache projects, they are useless to our
> contributors or customers.
>
>
Note that a lot of the items closed were a case of me closing previously
resolved items. JIRA supports 'resolved' and 'closed', and for tidiness I
closed a bunch of years worth of resolved tickets. I didn't review that
batch (whereas the ones I resolved I obviously reviewed and re-reviewed).

You do assume that the answers in the tickets are relevant to our users.
For ones that are "Can we include X in Apache Y?", that's going to happen
for 'Yes' (attribution) and not going to happen for 'No'.


>
> As for the answers to these questions, I note that they typically
> attracted very few cogent responses from Apache members, nor from a lawyer,
> so I doubt the value of these JIRA issues as closed.
>

I would hope that the ones without any cogent response were the ones closed
in a 'No' or 'Won't Fix' direction.


> I would personally prefer that Apache amateurs not address these JIRA
> questions by themselves.
>

Are you defining amateur as non-lawyer-specializing-in-OSS?

We could always go back to simply never answering any license question :)


> Perhaps they should direct them to OSI's license-discuss@ list where
> folks seem to care about such issues with deeper understanding.
>
>
I wasn't aware that OSI license-discuss@ were experts on Apache policy
making. :)


>
>
> The proposed Apache Third Party License Policy can address many of those
> Legal-JIRA issues in one short rule that refers everyone to the
> OSI-approved open source license list. *ALL such FOSS software can be
> aggregated freely with Apache License 2.0 software.*
>
>
>

Currently I would describe Apache 3P policy, roughly, as:

"Apache Software intends to use no licensing that will affect the licensing
of your product or Apache's product, beyond the affect that Apache's
license makes. "

You'd change it above to:

"Assume the worst and prepare to be pleasantly surprised. "

It's fair to say currently that mistakes could be made and depending on
your level of risk/concern, you need to dig deep, but I believe the user
community sees value in Apache's intent, understanding that a mistake could
happen.

It may be that merely completing the SPDX information for our projects and
> documenting it in NOTICE files will fix most of these issues. I trust your
> judgment on that, Jim, because you support SPDX "100%." Certainly the
> Apache Software Foundation can't ignore these efforts?
>
>
>

My main feedback over the years for SPDX has been that it's designed
primarily for scanning companies, not for Open Source projects (which is
fine - it's primarily scanning companies doing all the work of creating
it). I'm all for it being used on Apache projects. Maven support would be
excellent, but there's not a community interested in doing that.


> I'll add to the below list of JIRA issues the following that were
> discussed here in Apache in the past week:
>
>
>
> 1. The issue of whether AOO can include MPL or LGPL code in its releases
> in order to work more effectively with LO.
>
>
>

Was it bad to discuss this?


> 2. The issue that our NOTICE file currently for Tomcat need to be updated
> for a probably minor fact about the distributed file.
>
>
Good then?


>
>
> 3. The fact that we provide no information in our NOTICE file about
> patents relating to Hadoop that we know about but haven't disclosed. Not
> that ASF itself is worried about those patents. Most developers at Apache
> say that patents are not our issue. :-)
>

I'm fine with this when it's publicly known. I assume advice would be
'don't go looking for patents', which raises the question of how to handle
a user saying "What does Apache think about Patent XYZ?";
triple-damage-trolling(?).


>
>
> I also remember that our former VP of Incubator proposed that Black Duck
> or Palamida or White Source scan all our Incubator projects before they
> graduate so we have something more than manual reviews and good faith IP
> promises to deliver to our customers. I believe he was mostly ignored.
>

Our code's public, so if they (vendors) would like to scan it and send
reports that would be great - be it releases or on every commit. Or even if
they can scan and make the unreviewed reports available to committers to
review, though the high levels of noise are likely to cost a lot in terms
of manual review. It's something Security companies do (or have done) in
the past as a way to market their products.

If the suggestion is that we buy software, install it, hire people to run
it, that would be 10x Apache's current income, if not more.


Hen

Mime
View raw message