Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm
Precedence: bulk
Reply-To: legal-discuss@apache.org
Date: Tue, 18 Apr 2017 14:16:41 +0000 (UTC)
From: "Nick Couchman (JIRA)" <jira@apache.org>
To: legal-discuss@apache.org
Message-ID: <JIRA.13063843.1492101845000.306153.1492525001532@Atlassian.JIRA>
In-Reply-To: <JIRA.13063843.1492101845000@Atlassian.JIRA>
References: <JIRA.13063843.1492101845000@Atlassian.JIRA> <JIRA.13063843.1492101845734@jira-lw-us.apache.org>
Subject: [jira] [Commented] (LEGAL-299) Category-X Dependency in Incubator
 Project
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
archived-at: Tue, 18 Apr 2017 14:16:44 -0000


    [ https://issues.apache.org/jira/browse/LEGAL-299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972751#comment-15972751 ] 

Nick Couchman commented on LEGAL-299:
-------------------------------------

And, in response to Roy's comments...

{quote}
What matters for our licensing is that the Apache product (the source code package) is distributed under the terms of the Apache License. What matters for downstream licensing is that a default build of the Apache product does not change those terms (i.e., the resulting binary package is still under the Apache License).
{quote}
So, I believe that this extension definitely meets the first required - *none* of the source code ends up licensed under anything other than the Apache license, and the Cat-X dependency here is strictly in binary form, and one that the Guacamole project (product) will not distribute with binary builds.

As far as the "default build" of the Guacamole Client product, the binary build distributed on the Guacamole site will not include this extension.  If a user chooses to download the source and build it themselves, they will get the RADIUS extension, which will then pull in the Cat-X dependency.

{quote}
LGPL is fine when we aren't distributing the LGPL-covered product, even when it is a hard dependency, so long as interfacing with that product does not cause a default build to require LGPL terms. If it does, we cannot include LGPL in the product and the resulting build is DOA. Avoiding that isn't strictly a legal problem, but rather a board policy, which means it is motivated by social factors rather than legality. As such, the policy is applied on a case-by-case basis and should not stop a project from moving ahead. The PMC is obligated by the board to replace such a dependency, eventually.
{quote}
My impression from the various conversations we've had on this is that interfacing with this Cat-X dependency does not cause the default build to require LGPL terms, but this seems to be a very fuzzy area, and I have no legal training and am relying on what everyone else is saying about it.

My take-away at this point is that we can continue with inclusion of this source code in the Guacamole Client code, that we will not distribute binaries of this extension, but that users who choose to download and compile the product themselves will be able to build this extension with the Cat-X dependency.  Am I reading the landscape correctly?

> Category-X Dependency in Incubator Project
> ------------------------------------------
>
>                 Key: LEGAL-299
>                 URL: https://issues.apache.org/jira/browse/LEGAL-299
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Nick Couchman
>
> I'm currently contributing code to the Guacamole project, which is in the Incubator phase with ASF.  One of the items I'm contributing is an extension to the Guacamole Client that supports RADIUS authentication.  The extension that I've written includes a binary dependency on the JRadius library, which is licensed under LGPL-2.1, a license not compatible with the Apache 2.0 license and listed in the Category-X section on the ASF legal page.
> We have been through several rounds of discussions in the project and on the Incubator General list about the acceptability of including this extension in the project.  At this point we have determined that it is definitely not acceptable to distribute a binary form of this extension that would include the binary (JAR) of the JRadius library.  However, if possible, we'd like to include the source code for this extension in the main repository, with instructions to users on building the extension.  Based on the information provided on the ASF legal page, we believe this is acceptable, but would like to have verification on that.
> All of the source code in the extension is Apache 2.0 licensed.  There is no source code included from the JRadius library, only calls to classes and methods provided by the library.
> Finally, the source code in question is for an optional extension to the Guacamole Client project, and is not core to its functionality.  It allows a user to perform RADIUS authentication with the Guacamole Client, if they so choose, and other authentication modules are also available.
> Given the above information, can we get some guidance on whether or not including the source code for the extension (*not* the JRadius library) in this ASF Incubator project is acceptable?


--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org