www-legal-discuss mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-251) Can an Apache Project depend upon a binary-only dependencies available under a permissible license
Date Sun, 01 May 2016 03:15:13 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15265588#comment-15265588

Sean Busbey commented on LEGAL-251:

I'm not a part of the OP's question, but I have a related issue that came up in HBASE-14085.
HBase relies on Jetty 6.1.26, and as a part of the LICENSE/NOTICE review for HBASE-14085 I
needed to find the source (or at least its detailed license/notice information). 

Jetty 6 is extremely EOL. It is in maven central still (http://repo1.maven.org/maven2/org/mortbay/jetty/jetty/6.1.26/)
but the jars there do not include any LICENSE or NOTICE information. They *do* point to parent
poms that say ASLv2 / EPL v1, so the PMC was reasonably sure they were under an acceptable
license. There is a source jar there on central, but it's incomplete (wrt having the whole
jetty 6.1.26 project) and all of the pointers to source repositories in the poms are dead.

Jetty 6 is sufficiently EOL that it does not appear in the archived releases of the current
Jetty project ( http://archive.eclipse.org/jetty/index.html ) nor is it tracked at all in
their source repository ( http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git ).

I ended up finding a purported copy of the source in the Fedora archive, as well as a tag
in a source mirror maintained by a user on github (who happens to be an ASF Member). In HBase's
case I accepted these two sources (and that they matched) as sufficient verification. I used
the NOTICE information present in them and left pointers to each in the part of our project
that creates the relevant NOTICE file.

I'd say the HBase project got lucky in this case, but it does demonstrate how time can make
it easier to lose access to the source of a non-ASF dependency. I'm sure there are projects
on github that don't publish source artifacts in central, with individual maintainers that
may choose to close up shop at any point in time. Can we use those? Should we be republishing
a copy of their source when we do so?

> Can an Apache Project depend upon a binary-only dependencies available under a permissible
> --------------------------------------------------------------------------------------------------
>                 Key: LEGAL-251
>                 URL: https://issues.apache.org/jira/browse/LEGAL-251
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Aditya Kishore
> While researching this, I ran into many related queries and their answers but could not find one which addresses this specifically.
> In one place, LEGAL-230, it appears it is okay to depend on a binary whose source code is not published but is available under a permissible license.
> To ask it specifically, let's say there is a binary version of a library, 'foo', available under one of the permissible licenses but no source is available.
> In such case, can an Apache project
> # Have a compile time dependency on such binary?
> # Include this binary in its distribution?
> Thanks for your help!

This message was sent by Atlassian JIRA
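The comment above accepts two independently obtained copies of the Jetty 6.1.26 source (a Fedora archive and a GitHub mirror tag) as sufficient because they matched. The script below is an added example of how to do that comparison mechanically; it is not code from the original post and not HBase's, Jetty's or the ASF's own tooling. It assumes both copies have already been unpacked to local directories, and the two toy source trees it builds under a temporary directory (file names and contents) are constructed for the illustration. Two caveats a reviewer would otherwise trip over are handled explicitly: VCS metadata directories such as `.git` exist only in the mirror checkout, and tarballs and git checkouts frequently differ only in line endings, so content is compared with CRLF folded to LF.

```python
"""Compare two purported copies of a dependency's source tree.

Added example (not part of the original mailing-list post, and not HBase's or
Jetty's own tooling). Assumes both copies are unpacked locally; the sample
trees built by build_sample_trees() are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that carry VCS or build metadata rather than source content.
IGNORED_DIRS = {".git", ".svn", ".hg", "CVS", "target"}


def _normalize(data: bytes) -> bytes:
    # A release tarball and a git checkout often differ only in line endings;
    # fold CRLF to LF so that is not reported as a content change.
    return data.replace(b"\r\n", b"\n")


def hash_tree(root):
    """Return {relative_path: sha256 of normalized content} for every file under root."""
    root = Path(root)
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories in place so os.walk does not descend into them.
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORED_DIRS)
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(_normalize(path.read_bytes())).hexdigest()
    return digests


def compare_trees(a, b):
    """Return (only_in_a, only_in_b, differing) as sorted lists of relative paths."""
    ha, hb = hash_tree(a), hash_tree(b)
    only_a = sorted(set(ha) - set(hb))
    only_b = sorted(set(hb) - set(ha))
    differing = sorted(p for p in set(ha) & set(hb) if ha[p] != hb[p])
    return only_a, only_b, differing


def tree_digest(root):
    """One digest over sorted (path, content hash) pairs; equal trees give equal digests."""
    h = hashlib.sha256()
    for rel, digest in sorted(hash_tree(root).items()):
        h.update(rel.encode() + b"\0" + digest.encode() + b"\n")
    return h.hexdigest()


def build_sample_trees(base):
    """Construct two toy copies of a source tree (hypothetical contents, not Jetty's)."""
    base = Path(base)
    a, b = base / "copy_from_distro_tarball", base / "copy_from_git_mirror"
    files_a = {
        "pom.xml": b"<project><version>1.0</version></project>\n",
        "NOTICE.txt": b"Sample NOTICE line one\r\nSample NOTICE line two\r\n",
        "src/Foo.java": b"class Foo { int x = 1; }\n",
    }
    files_b = {
        ".git/HEAD": b"ref: refs/heads/master\n",           # metadata, must be ignored
        "pom.xml": files_a["pom.xml"],
        "NOTICE.txt": files_a["NOTICE.txt"].replace(b"\r\n", b"\n"),  # LF-only copy
        "src/Foo.java": b"class Foo { int x = 2; }\n",       # real content difference
        "src/Extra.java": b"class Extra {}\n",               # present in one copy only
    }
    for root, files in ((a, files_a), (b, files_b)):
        for rel, data in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    return a, b


def demo():
    """Build the sample trees and return (compare_trees result, digests_equal)."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = build_sample_trees(tmp)
        result = compare_trees(a, b)
        return result, tree_digest(a) == tree_digest(b)


if __name__ == "__main__":
    (only_a, only_b, differing), same = demo()
    print("only in first copy:", only_a)
    print("only in second copy:", only_b)
    print("differing content:", differing)
    print("tree digests equal:", same)
```

On the sample trees the NOTICE file is reported as identical despite the line-ending difference, while the edited `Foo.java` and the extra file in the mirror are flagged. A clean match between two independently obtained copies is evidence that neither was tampered with in isolation; it says nothing about whether either corresponds to the binary actually shipped, so where the repository publishes checksums or detached signatures for the artifact, or the source can be rebuilt and the resulting classes compared, that check belongs alongside this one.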

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
