Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 95BC6200BD4 for ; Thu, 1 Dec 2016 14:13:30 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 9444E160B0F; Thu, 1 Dec 2016 13:13:30 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 66856160B0B for ; Thu, 1 Dec 2016 14:13:29 +0100 (CET) Received: (qmail 9315 invoked by uid 500); 1 Dec 2016 13:13:28 -0000 Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: Reply-To: legal-discuss@apache.org List-Id: Delivered-To: mailing list legal-discuss@apache.org Received: (qmail 9298 invoked by uid 99); 1 Dec 2016 13:13:27 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 01 Dec 2016 13:13:27 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 742C8C03A4 for ; Thu, 1 Dec 2016 13:13:27 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.88 X-Spam-Level: * X-Spam-Status: No, score=1.88 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id G38QfbndHxlH for ; Thu, 1 Dec 2016 13:13:24 +0000 (UTC) Received: from mail-wj0-f179.google.com (mail-wj0-f179.google.com [209.85.210.179]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 21FF75F1F0 for ; Thu, 1 Dec 2016 13:13:24 +0000 (UTC) Received: by mail-wj0-f179.google.com with SMTP id v7so204047841wjy.2 for ; Thu, 01 Dec 2016 05:13:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=MvKAujE+5nLTXb3/jIC3X9x9BKa+SiNnzNzXkNj1hv0=; b=YmiZENxa33aa1omW8SCsIuJfKCll2Gc/KhU0U3kluOwRUmS7nUrBh0gaout8MN48t1 mJS4RoYa3jAGTtNE2s6JlYQlpLe/it1A8bB4EnzIzDnc4eXW3KZQu4qN5HXNisy6wtOn fJiJ3vhak1VumvW14/F+LoEG9XGPN+5eU0EK+8dTFV3fHSWfpm6BTCZaBeaKU/GPbMB+ 11gUGMlgBouVzL3UIgjFoyYOBmcQKepxruKSLddQU0Y6Mupm9cVYN4k9/Wq8BFOqxf3q Ig8qQXuQjC4AOlFeoOHzJU/N+goRDZpw2oRL1JDtlahoYcYce00oG8gViJ814JVexWwL GyLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=MvKAujE+5nLTXb3/jIC3X9x9BKa+SiNnzNzXkNj1hv0=; b=KYf2nTfhwvq26HBIF1WqIFlQ/z12rR/TkdRPfv77d0vdjoN2vhvIdn9a3BzT8zxP5q 5q16fysPt+WUXLiF0P0wko64cVAsAT92dE7nOjDbo4JO24DWdItRlam1dZ1SqDMteyOK c2lqr3knrbNRAbLIsQmrIpHSPu5J9x4K0mH4gGsr+p2f6W+j3Qvkave8sJM4qQb6t/yX ugedO3vtPZR9/3MjAGUvZh0IA4WIC6cF8ymGJ7aRD1BiXJRkweuoLJpvCk9PO9ofvvqX 53USnvjkRra3jR0fKj1VY6DKN5Yqkce9tQxdoNBIArwwS3/Rgiwk0vVxp4htBj0RAESO JrvA== X-Gm-Message-State: AKaTC01ms0dwOLBBkpPX/KkyCTM9dzqwJi/UpxQ15J8jGy9B2Sxz4pwrna+gNyh+CxHy1ZAePysBew/xXPnBLA== X-Received: by 10.194.44.41 with SMTP id b9mr39587934wjm.56.1480597996749; Thu, 01 Dec 2016 05:13:16 -0800 (PST) MIME-Version: 1.0 Received: by 10.194.70.37 with HTTP; Thu, 1 Dec 2016 05:13:15 -0800 (PST) In-Reply-To: References: From: Stephen Connolly Date: Thu, 1 Dec 2016 13:13:15 +0000 Message-ID: Subject: Re: JSR-305 anntations To: "legal-discuss@apache.org" Content-Type: multipart/alternative; boundary=047d7b86caf8a6e47a05429895e0 archived-at: Thu, 01 Dec 2016 13:13:30 -0000 --047d7b86caf8a6e47a05429895e0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Is this something we need to worry about? To make this more concrete - and I am not picking on hadoop, just the first example I could find - Consider Hadoop Common 2.7.1: https://repo.maven.apache.org/maven2/org/apache/hadoop/hadoop-common/2.7.1/= hadoop-common-2.7.1.pom This has a compile scoped dependency on the annotation jar: com.google.code.findbugs jsr305 compile Now in and of itself, that is not a problem for the Hadoop project... Now somebody else turns around and reuses Hadoop to create a Docker image..= . Not picking on anyone in particular, just the first image I found: https://github.com/sequenceiq/hadoop-docker If we look at what is included in that image: $ docker run -t -i sequenceiq/hadoop-docker:2.7.1 bash bash-4.1# java -XshowSettings:properties -version Property settings: ... java.vendor =3D Oracle Corporation ... java version "1.7.0_71" Java(TM) SE Runtime Environment (build 1.7.0_71-b14) Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode) bash-4.1# find . -name jsr305\*.jar ./usr/local/hadoop-2.7.1/share/hadoop/yarn/lib/jsr305-3.0.0.jar ./usr/local/hadoop-2.7.1/share/hadoop/tools/lib/jsr305-3.0.0.jar ./usr/local/hadoop-2.7.1/share/hadoop/common/lib/jsr305-3.0.0.jar ./usr/local/hadoop-2.7.1/share/hadoop/kms/tomcat/webapps/kms/WEB-INF/lib/js= r305-3.0.0.jar ./usr/local/hadoop-2.7.1/share/hadoop/hdfs/lib/jsr305-3.0.0.jar ./usr/local/hadoop-2.7.1/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF= /lib/jsr305-3.0.0.jar Oh dear... that docker image is redistributing the Oracle JRE *and* it is also redistributing 6 copies of a jsr305.jar which would appear to be in direct conflict with the redistribution terms of the Oracle JRE It would seem by including that jar file we are not making it easy for third parties to consume our projects. Now yes, most likely the person who created that docker image was ignorant of the fact that they were redistributing a JRE and may not have therefore read the redistribution terms... But even if they had, have we made it easy for consumers of our projects to be aware that the jar may be banned under the terms of the Oracle JRE redistribution license? Can somebody redistributing Hadoop know that it is safe to remove all those jsr305.jar files? So hopefully a more concrete question will prod somebody to at least consider the questions. (BTW the fix for the docker image is probably to switch to OpenJDK which is a tested JRE for Hadoop... but that assumes that the trademark licensing terms for Java do not bring back in a similar issue) -Stephen ---------- Forwarded message ---------- From: Stephen Connolly Date: 27 November 2016 at 22:05 Subject: JSR-305 anntations To: "legal-discuss@apache.org" The recent hubub over the license terms has prompted me to raise a question. The driver was a statement that a principle of the ASF is that we should minimise restrictions on how software released by the ASF can be used by others. My question concerns the "JSR-305" annotations JAR files: https://search.maven.org/#artifactdetails%7Ccom. google.code.findbugs%7Cjsr305%7C3.0.1%7Cjar I need to establish some context first. JSR 305: https://jcp.org/en/jsr/detail?id=3D305 This JSR was set up to develop a standard set of annotations that can assist defect detection tools. The JSR appears effectively dead. It has not produced anything officially in the 10 years since it was initiated. There are some JAR files floating around that "claim" to represent the JSR... they are produced by the findbugs project (which is run by the spec lead for the JSR)... so they may indeed represent the vision that Bill has for the JSR... but until they are published via the JSR page, my understanding is that such JAR files are just rumour... the fact that these JARs include a @Nonnull annotation which is distinct from the stated intent on the JSR page to have a @NonNull annotation further highlights how the JAR is at odds with the official JSR process. Now I am not criticising Bill here, I am just point out that - IANAL but it would seem to me - perhaps legally and certainly technically there has not been any releases from JSR 305 Now what does this matter to the ASF. Findbugs is not an ASF project... being mostly GPL licensed... with the exception of the annotations. So the jsr305 JAR is Apache License, Version 2 which should be completely compatible with our license ;-) The problem is here: http://www.oracle.com/technetwork/java/javase/terms/license/index.html Specifically (although there are other relevant sections, this is the primary concern): F. JAVA TECHNOLOGY RESTRICTIONS. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of, classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun", =E2=80=9Coracle=E2=80=9D or similar c= onvention as specified by Oracle in any naming convention designation. As I understand it, what the JRE binary redistribution terms mean that if you are redistributing at least an Oracle JRE, you are not allowed to include classes in the "java" or "javax" package space *unless* those classes have been released through the JSR process... And the "JSR-305" JAR file contains just that. So the questions: Q1. Should ASF projects be bundling the "jsr305.jar" in any of their 'convenience' binaries? (if we do, then that restricts the ability of others to use those binaries)... I think the answer is no... but I am a pedant! Q2. Should ASF projects be exposing the "jsr305.jar" as a transitive dependency? (if we do, then that restricts the ability of others to use those projects)... I think the answer is no... but I am a pedant! To be clear, as I understand it, if you create a Docker image that includes a JRE and happens to also have the "jsr305.jar" then my reading of the JRE binary redistribution license terms would seem to say "you do not have a license to redistribute that Docker image" Q3. "change the behaviour of" seems somewhat broad, is it broad enough that the dynamic references to the "jsr305.jar" annotations that are left when you compile a Java class would fall into scope. So how does Q3 come into effect. If I annotate a method with say @Nonnull public class Widget { ... @javax.annotation.Nonnull(when=3Djavax.annotation.meta.When.ALWAYS) public static Widget getInstance() { ... } } That will encode the bytecode for the annotation into Widget.class If we load that up in a JRE and the annotation classes are not available (because we stripped them from the redistributable so we could ship the JRE binaries) then the JRE is supposed to ignore the annotations... But what happens if JSR-305 ever reboots... or if some other JSR project gets fed up waiting and produces a @Nonnull(when=3Djavax. annotation.When.PERMANENTLY) The inclusion in our bytecode of the annotation will change that annotation behaviour such that any JRE code that uses the annotation will now see something like sun.reflect.annotation.EnumConstantNotPresentExceptionProxy rather than the enum value. So, Q3 basically boils down to... since we don't know what a future JSR-305 or even some other future JSR may do... including the annotation bytecode in our own bytecode could have the effect of changing the behaviour of code in the java or javax package namespace... so can we even use the "jsr305.jar" at compile time and then remove the jar but still cause issues for anyone consuming our software? I think Q3 may need a legal opinion from legal person who also understands how Java bytecode works... Oh fun eh! -Stephen --047d7b86caf8a6e47a05429895e0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Is this something we need to worry about?

To make this more concrete - and I am not picking on hadoop, just the fi= rst example I could find - Consider Hadoop Common 2.7.1:

https://repo.maven.apache.org/ma= ven2/org/apache/hadoop/hadoop-common/2.7.1/hadoop-common-2.7.1.pom
<= /div>

This has a compile scoped dependency on the annota= tion jar:

<dependency>
=C2=A0= <groupId>com.google.code.findbugs</groupId>
=C2=A0 &= lt;artifactId>jsr305</artifactId>
=C2=A0 <scope>co= mpile</scope>
</dependency>

Now in and of itself, that is not a problem for the Hadoop project...=

Now somebody else turns around and reuses Hadoop = to create a Docker image...

Not picking on anyone = in particular, just the first image I found:


If we look at what is = included in that image:

$ docker run -t -i =C2=A0s= equenceiq/hadoop-docker:2.7.1 bash
bash-4.1# java -XshowSetti= ngs:properties -version
Property settings:
...=
=C2=A0=C2=A0 =C2=A0java.vendor =3D Oracle Corporation
<= div>...
java version "1.7.0_71"
Java(TM) SE R= untime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit S= erver VM (build 24.71-b01, mixed mode)
bash-4.1# find = . -name jsr305\*.jar
./usr/local/hadoop-2.7.1/share/hadoop/yarn/l= ib/jsr305-3.0.0.jar
./usr/local/hadoop-2.7.1/share/hadoop/tools/l= ib/jsr305-3.0.0.jar
./usr/local/hadoop-2.7.1/share/hadoop/common/= lib/jsr305-3.0.0.jar
./usr/local/hadoop-2.7.1/share/hadoop/kms/to= mcat/webapps/kms/WEB-INF/lib/jsr305-3.0.0.jar
./usr/local/hadoop-= 2.7.1/share/hadoop/hdfs/lib/jsr305-3.0.0.jar
./usr/local/hadoop-2= .7.1/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/jsr305-3.0.0.ja= r

Oh dear... that docker image is redistribu= ting the Oracle JRE *and* it is also redistributing 6 copies of a jsr305.ja= r which would appear to be in direct conflict with the redistribution terms= of the Oracle JRE

It would seem by including that= jar file we are not making it easy for third parties to consume our projec= ts.

Now yes, most likely the person who created th= at docker image was ignorant of the fact that they were redistributing a JR= E and may not have therefore read the redistribution terms...
But even if they had, have we made it easy for consumers of our= projects to be aware that the jar may be banned under the terms of the Ora= cle JRE redistribution license?

Can somebody redis= tributing Hadoop know that it is safe to remove all those jsr305.jar files?=

So hopefully a more concrete question will prod s= omebody to at least consider the questions.

(BTW t= he fix for the docker image is probably to switch to OpenJDK which is a tes= ted JRE for Hadoop... but that assumes that the trademark licensing terms f= or Java do not bring back in a similar issue)

-Ste= phen

---------- Forward= ed message ----------
From: Stephen Connol= ly <stephen.alan.connolly@gmail.com>
Date: 27 November 20= 16 at 22:05
Subject: JSR-305 anntations
To: "legal-discuss@apache.org" <legal-discuss@apache.org>

The recent hubub over the license terms has prompted me = to raise a question. The driver was a statement that a principle of the ASF= is that we should minimise restrictions on how software released by the AS= F can be used by others.=C2=A0

My question concerns the = "JSR-305" annotations JAR files:=C2=A0https://search.maven.org/#artifactdetails%7Ccom.google.code.findbugs%7Cjsr305%7C3.0.1%7Cjar

I need to establish some context first.


This JSR was set up to=C2=A0develop a standard set of annotations that ca= n assist defect detection tools.

The JSR appears e= ffectively dead. It has not produced anything officially in the 10 years si= nce it was initiated.

There are some JAR files flo= ating around that "claim" to represent the JSR... they are produc= ed by the findbugs project (which is run by the spec lead for the JSR)... s= o they may indeed represent the vision that Bill has for the JSR... but unt= il they are published via the JSR page, my understanding is that such JAR f= iles are just rumour... the fact that these JARs include a @Nonnull annotat= ion which is distinct from the stated intent on the JSR page to have a @Non= Null annotation further highlights how the JAR is at odds with the official= JSR process.

Now I am not criticising Bill here, = I am just point out that - IANAL but it would seem to me - perhaps legally = and certainly technically there has not been any releases from JSR 305

Now what does this matter to the ASF. Findbugs is not = an ASF project... being mostly GPL licensed... with the exception of the an= notations. So the jsr305 JAR is Apache License, Version 2 which should be c= ompletely compatible with our license ;-)

The prob= lem is here:


Specifically (although there are other relevant= sections, this is the primary concern):

F. JAVA T= ECHNOLOGY RESTRICTIONS. You may not create, modify, or change the behavior = of, or authorize your licensees to create, modify, or change the behavior o= f, classes, interfaces, or subpackages that are in any way identified as &q= uot;java", "javax", "sun", =E2=80=9Coracle=E2=80= =9D or similar convention as specified by Oracle in any naming convention d= esignation.

As I understand it, what the JRE b= inary redistribution terms mean that if you are redistributing at least an = Oracle JRE, you are not allowed to include classes in the "java" = or "javax" package space *unless* those classes have been release= d through the JSR process...

And the "JSR-305= " JAR file contains just that.

So the questio= ns:

Q1. Should ASF projects be bundling the "= jsr305.jar" in any of their 'convenience' binaries? (if we do,= then that restricts the ability of others to use those binaries)... I thin= k the answer is no... but I am a pedant!
Q2. Should ASF projects = be exposing the "jsr305.jar" as a transitive dependency? (if we d= o, then that restricts the ability of others to use those projects)... I th= ink the answer is no... but I am a pedant!

To be c= lear, as I understand it, if you create a Docker image that includes a JRE = and happens to also have the "jsr305.jar" then my reading of the = JRE binary redistribution license terms would seem to say "you do not = have a license to redistribute that Docker image"=C2=A0

=
Q3. "change the behaviour of" seems somewhat broad, is= it broad enough that the dynamic references to the "jsr305.jar" = annotations that are left when you compile a Java class would fall into sco= pe.

So how does Q3 come into effect.
If I annotate a method with say @Nonnull

public class Widget {
...
@javax.annotation.Nonnull(= when=3Djavax.annotation.meta.When.ALWAYS)
public static= Widget getInstance() {
...
}
}
That will encode the bytecode for the annotation into Widget.cl= ass

If we load that up in a JRE and the annotation= classes are not available (because we stripped them from the redistributab= le so we could ship the JRE binaries) then the JRE is supposed to ignore th= e annotations...

But what happens if JSR-305 ever = reboots... or if some other JSR project gets fed up waiting and produces a = @Nonnull(when=3Djavax.annotation.When.PERMANENTLY)

The inclusion in our bytecode of the annotation will change that anno= tation behaviour such that any JRE code that uses the annotation will now s= ee something like sun.reflect.annotation.EnumConstantNotPresentExcepti= onProxy rather than the enum value.

So, Q3 ba= sically boils down to... since we don't know what a future JSR-305 or e= ven some other future JSR may do... including the annotation bytecode in ou= r own bytecode could have the effect of changing the behaviour of code in t= he java or javax package namespace... so can we even use the "jsr305.j= ar" at compile time and then remove the jar but still cause issues for= anyone consuming our software?

I think Q3 may nee= d a legal opinion from legal person who also understands how Java bytecode = works...

Oh fun eh!

-Stephen

--047d7b86caf8a6e47a05429895e0--