www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-299) Category-X Dependency in Incubator Project
Date Mon, 17 Apr 2017 19:47:42 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15971548#comment-15971548

Roy T. Fielding commented on LEGAL-299:

Licenses apply to products, not projects.

What matters for our licensing is that the Apache product (the source code package) is distributed
under the terms of the Apache License. What matters for downstream licensing is that a default
build of the Apache product does not change those terms (i.e., the resulting binary package
is still under the Apache License).

It doesn't matter if the Apache product depends on a Category X product. Java is category
X. We don't distribute Java and nobody minds the hard dependency because building our product
does not cause the downstream redistributor to embed Java (aside from the API names).

LGPL is fine when we aren't distributing the LGPL-covered product, even when it is a hard
dependency, so long as interfacing with that product does not cause a default build to require
LGPL terms. If it does, we cannot include LGPL in the product and the resulting build is DOA.
Avoiding that isn't strictly a legal problem, but rather a board policy, which means it is
motivated by social factors rather than legality. As such, the policy is applied on a case-by-case
basis and should not stop a project from moving ahead. The PMC is obligated by the board to
replace such a dependency, eventually.

> Category-X Dependency in Incubator Project
> ------------------------------------------
>                 Key: LEGAL-299
>                 URL: https://issues.apache.org/jira/browse/LEGAL-299
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Nick Couchman
> I'm currently contributing code to the Guacamole project, which is in the Incubator phase
with ASF.  One of the items I'm contributing is an extension to the Guacamole Client that
supports RADIUS authentication.  The extension that I've written includes a binary dependency
on the JRadius library, which is licensed under LGPL-2.1, a license not compatible with the
Apache 2.0 license and listed in the Category-X section on the ASF legal page.
> We have been through several rounds of discussions in the project and on the Incubator
General list about the acceptability of including this extension in the project.  At this
point we have determined that it is definitely not acceptable to distribute a binary form
of this extension that would include the binary (JAR) of the JRadius library.  However, if
possible, we'd like to include the source code for this extension in the main repository,
with instructions to users on building the extension.  Based on the information provided on
the ASF legal page, we believe this is acceptable, but would like to have verification on
> All of the source code in the extension is Apache 2.0 licensed.  There is no source code
included from the JRadius library, only calls to classes and methods provided by the library.
> Finally, the source code in question is for an optional extension to the Guacamole Client
project, and is not core to its functionality.  It allows a user to perform RADIUS authentication
with the Guacamole Client, if they so choose, and other authentication modules are also available.
> Given the above information, can we get some guidance on whether or not including the
source code for the extension (*not* the JRadius library) in this ASF Incubator project is

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message