www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nick Couchman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-299) Category-X Dependency in Incubator Project
Date Tue, 18 Apr 2017 14:16:41 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972751#comment-15972751

Nick Couchman commented on LEGAL-299:

And, in response to Roy's comments...

What matters for our licensing is that the Apache product (the source code package) is distributed
under the terms of the Apache License. What matters for downstream licensing is that a default
build of the Apache product does not change those terms (i.e., the resulting binary package
is still under the Apache License).
So, I believe that this extension definitely meets the first required - *none* of the source
code ends up licensed under anything other than the Apache license, and the Cat-X dependency
here is strictly in binary form, and one that the Guacamole project (product) will not distribute
with binary builds.

As far as the "default build" of the Guacamole Client product, the binary build distributed
on the Guacamole site will not include this extension.  If a user chooses to download the
source and build it themselves, they will get the RADIUS extension, which will then pull in
the Cat-X dependency.

LGPL is fine when we aren't distributing the LGPL-covered product, even when it is a hard
dependency, so long as interfacing with that product does not cause a default build to require
LGPL terms. If it does, we cannot include LGPL in the product and the resulting build is DOA.
Avoiding that isn't strictly a legal problem, but rather a board policy, which means it is
motivated by social factors rather than legality. As such, the policy is applied on a case-by-case
basis and should not stop a project from moving ahead. The PMC is obligated by the board to
replace such a dependency, eventually.
My impression from the various conversations we've had on this is that interfacing with this
Cat-X dependency does not cause the default build to require LGPL terms, but this seems to
be a very fuzzy area, and I have no legal training and am relying on what everyone else is
saying about it.

My take-away at this point is that we can continue with inclusion of this source code in the
Guacamole Client code, that we will not distribute binaries of this extension, but that users
who choose to download and compile the product themselves will be able to build this extension
with the Cat-X dependency.  Am I reading the landscape correctly?

> Category-X Dependency in Incubator Project
> ------------------------------------------
>                 Key: LEGAL-299
>                 URL: https://issues.apache.org/jira/browse/LEGAL-299
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Nick Couchman
> I'm currently contributing code to the Guacamole project, which is in the Incubator phase
with ASF.  One of the items I'm contributing is an extension to the Guacamole Client that
supports RADIUS authentication.  The extension that I've written includes a binary dependency
on the JRadius library, which is licensed under LGPL-2.1, a license not compatible with the
Apache 2.0 license and listed in the Category-X section on the ASF legal page.
> We have been through several rounds of discussions in the project and on the Incubator
General list about the acceptability of including this extension in the project.  At this
point we have determined that it is definitely not acceptable to distribute a binary form
of this extension that would include the binary (JAR) of the JRadius library.  However, if
possible, we'd like to include the source code for this extension in the main repository,
with instructions to users on building the extension.  Based on the information provided on
the ASF legal page, we believe this is acceptable, but would like to have verification on
> All of the source code in the extension is Apache 2.0 licensed.  There is no source code
included from the JRadius library, only calls to classes and methods provided by the library.
> Finally, the source code in question is for an optional extension to the Guacamole Client
project, and is not core to its functionality.  It allows a user to perform RADIUS authentication
with the Guacamole Client, if they so choose, and other authentication modules are also available.
> Given the above information, can we get some guidance on whether or not including the
source code for the extension (*not* the JRadius library) in this ASF Incubator project is

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org

View raw message