www-legal-discuss mailing list archives

From "Marvin Humphrey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-294) Non-declared nested dependency license issues
Date Thu, 06 Apr 2017 21:42:41 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15959814#comment-15959814 ]

Marvin Humphrey commented on LEGAL-294:
---------------------------------------

This issue originates upstream, and I see that upstream has now at least acknowledged it:
https://github.com/xerial/snappy-java/issues/171

There has yet to be a new snappy-java release incorporating the promised changes, though --
and as of this moment the changes don't seem to have hit master even though the issue has
been closed.

Individual Apache projects may perform IP scans of various kinds.  It is common for projects
to incorporate Apache RAT (Release Audit Toolkit) into their builds, which could have caught
this issue.  However, while we expect our projects to make releases free of IP problems, there
is no centralized requirement that they use a particular scanning technology or process.

Those who wish to contribute towards IP maintenance of our projects are welcome to do so.
The procedures are the same as for code contributions (and it seems that you have coding
skills so this reply uses dev jargon for efficiency's sake):

http://activemq.apache.org/contributing.html

In this case you would open a ticket via https://issues.apache.org/jira/browse/AMQ describing
the issue.  Better if you could also propose a fix -- and then if your proposed approach is received
favorably, better still if you can provide a patch or pull request implementing it.

Thanks for taking an interest in our projects!

> Non-declared nested dependency license issues
> ---------------------------------------------
>
>                 Key: LEGAL-294
>                 URL: https://issues.apache.org/jira/browse/LEGAL-294
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: John Whelan
>
> I have been going through source for ActiveMQ 5.14.1 including the dependencies, and
ran into content that appears to have licensing issues. Specifically, I see that snappy-java-1.1.2.jar
contains source files licensed by IBM and Oracle that don't clearly indicate that they can
be used by snappy-java. (see https://github.com/xerial/snappy-java/blob/1.1.2/lib/inc_ibm/jni_md.h
and https://github.com/xerial/snappy-java/blob/1.1.2/lib/inc_linux/jni_md.h as examples.)
> Related to this, I have a few questions. Does Apache typically do a transitive scan of
source code for products that it consumes? (AKA "would this issue already have been discovered
and reviewed?") Given that this library is used in Apache products, is there an Apache issue
here, and if so, what is the proper way to raise the concern?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
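The thread above turns on a supply-chain question: a release audit such as Apache RAT checks license headers in a project's own source tree, but the problematic files here were carried inside a dependency jar, so a project-level scan never looked at them. The script below is an added example (not Apache RAT, not ActiveMQ or snappy-java code) of the kind of transitive check the reporter asks about: it opens a jar as a zip, reads the header of every bundled source file, and flags files that carry no recognisable license grant or that name a copyright holder outside an allow-list. The allow-list, the header patterns, the four-digit-year requirement on copyright lines, and the in-memory sample jar are all assumptions constructed for illustration; the file names in the sample jar are invented and are not the contents of the real snappy-java artifact.

```python
"""Scan a jar (zip) for bundled source files whose license header is missing
or names a copyright holder outside an allow-list.

Added example, not Apache RAT or any project's own code.  The allow-list, the
header patterns and the sample jar below are constructed for illustration.
"""
import io
import re
import zipfile

# File types whose headers we inspect.  Binaries (.so, .class) are skipped.
SOURCE_EXTS = (".h", ".c", ".cc", ".cpp", ".java", ".py", ".scala")

# Hypothetical allow-list of copyright holders expected in the release.
DEFAULT_ALLOWED_HOLDERS = ("The Apache Software Foundation",)

# Phrases that signal an explicit redistribution grant in a header (assumed set).
LICENSE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in (
    r"under the Apache License",                           # Apache-2.0
    r"Permission is hereby granted",                       # MIT
    r"Redistribution and use in source and binary forms",  # BSD
))

# "Copyright (c) 1996 Vendor Corp. All rights reserved." -> "Vendor Corp".
# Case-sensitive and requires a four-digit year (assumption) so that prose such
# as "regarding copyright ownership" in the ASF header is not mistaken for a
# holder line.  The capture stops at the first "." or newline.
COPYRIGHT_RE = re.compile(
    r"Copyright\s*(?:\((?:c|C)\)|\u00a9)?\s*\d{4}[\d,\s\-]*([^\n.]+)")


def classify_header(text, header_chars=4096):
    """Return (copyright_holder_or_None, has_license_grant) for a file's head."""
    head = text[:header_chars]
    m = COPYRIGHT_RE.search(head)
    holder = m.group(1).strip() if m else None
    licensed = any(p.search(head) for p in LICENSE_PATTERNS)
    return holder, licensed


def scan_jar(jar_bytes, allowed_holders=DEFAULT_ALLOWED_HOLDERS):
    """Return [(path, holder, reason)] for every bundled source file that
    either carries no license grant or names a holder outside the allow-list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SOURCE_EXTS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            holder, licensed = classify_header(text)
            if not licensed:
                findings.append((info.filename, holder, "no license grant in header"))
            elif holder and not any(a.lower() in holder.lower() for a in allowed_holders):
                findings.append((info.filename, holder, "third-party holder; check LICENSE/NOTICE"))
    return findings


def build_sample_jar():
    """Constructed in-memory jar standing in for a dependency under review."""
    files = {
        # Standard ASF header: no "Copyright <year>" line, explicit grant -> clean.
        "org/example/Foo.java": (
            "/*\n * Licensed to the Apache Software Foundation (ASF) under one\n"
            " * or more contributor license agreements.  See the NOTICE file\n"
            " * distributed with this work for additional information\n"
            " * regarding copyright ownership.  The ASF licenses this file\n"
            " * to You under the Apache License, Version 2.0 (the \"License\");\n */\n"
            "package org.example;\npublic class Foo {}\n"),
        # Proprietary-style header with no redistribution grant -> flagged.
        "lib/inc_vendor/jni_md.h": (
            "/*\n * Copyright (c) 1996 Vendor Corp. All rights reserved.\n"
            " * VENDOR PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.\n */\n"
            "typedef int jint;\n"),
        # Permissively licensed third-party file -> flagged for LICENSE/NOTICE review.
        "lib/other/util.h": (
            "/*\n * Copyright (c) 2010 Another Vendor\n"
            " * Licensed under the Apache License, Version 2.0.\n */\n"
            "int util(void);\n"),
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
        zf.writestr("native/libstub.so", b"\x7fELF" + b"\0" * 12)  # binary, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for path, holder, reason in scan_jar(build_sample_jar()):
        print(f"{path}: holder={holder!r}: {reason}")
```

Pointing `scan_jar` at the bytes of a real artifact from the local Maven repository turns this into a per-dependency pass that can sit next to the project's own RAT run; a "no license grant" hit on a header file is exactly the situation that has to be resolved upstream or documented in LICENSE/NOTICE before a release vote.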

