www-legal-discuss mailing list archives

From Hen <bay...@apache.org>
Subject Re: PyPI MXNet
Date Mon, 11 Feb 2019 01:27:15 GMT
On Sun, Feb 10, 2019 at 5:07 PM Marvin Humphrey <marvin@rectangular.com> wrote:

> On Sun, Feb 10, 2019 at 1:22 PM Hen <bayard@apache.org> wrote:
> >
> > Looking at this JIRA issue:
> >
> > https://issues.apache.org/jira/projects/LEGAL/issues/LEGAL-426?filter=allopenissues
> >
> > The question is whether the PyPI image for MXNet can include the Intel
> > Simplified License.
> >
> > Before I reply/resolve, I want to check that my answer is correct. I
> > think the answer is:
> >
> > ----------
> > * Apache does not have a PyPI account therefore whether or not to
> > include the Intel Simplified License is outside the scope of this forum and
> > is up to the account owner on PyPI.
>
> While trademarks are technically in the bailiwick of Brand Management
> rather than Legal Affairs, that sentence is problematic. It is not
> true that the PyPI account owner gets free rein.
> Because those MXNet packages use the ASF's trademarks, we *do* have
> the right to object. And we *do* object.

> > * Note that that account on PyPI is in breach of our trademark policy.
> > * 1) It does not refer to MXNet correctly, it should be referred to as
> > Apache MXNet,
> > * 2) It causes confusion as it looks like it is being published by
> > Apache. It must be clear that this comes from a third party.
> > * As a separate note, as this is a third party account the Apache MXNet
> > PPMC should not be recommending this as the ideal way to install the
> > software, but may refer to it as a convenience offered by a third-party.
> > ----------
> >
> > Do I have that right?
>
> I suggest a much simpler answer:
> * Since these MXNet PyPI packages use our trademarks, please adapt
>   them so that they adhere to the guidelines spelled out at
> https://issues.apache.org/jira/browse/LEGAL-427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16722198#comment-16722198
> * That will mean removing bundled dependencies under the Intel Simplified
>   License, since it is not an approved license.

So there are three situations (I was trying to shoe-horn this into #2):

1) Apache publishing software.
2) Any third party publishing software that incorporates software from
Apache under AL 2.0.
3) Any third party republishing Apache software.

Do we have any text published (outside of LEGAL-427) for #3?

I don't see it in the Trademark policy, or the Release Distribution policy,
and https://www.apache.org/dev/mirrors is an fyi page.

> As the parties behind the MXNet PyPI packages are already active
> participants in the Apache MXNet community, I anticipate that the
> issue will be resolved easily.
>
> > As a separate topic I think we should look into an Apache account on
> > PyPI, akin to our account on DockerHub. The other approach to the above
> > would be to get that set up.
>
> -1
> There are an unbounded number of downstream channels -- we cannot
> possibly interface with them all responsibly.
> Our oversight mechanisms are stretched thin enough as it is.  The
> Board must already review all project download pages periodically, and
> on occasion must deal with creeping commercial influences there. It is
> not feasible to review an ever-growing portfolio of distribution
> channels, and since we can't do it right we shouldn't do it at all.

I think it's a jump to say it's not feasible. We reviewed GitHub, DockerHub
and Maven Central.

> From an administrative point of view, our top priority must be to
> manage the canonical distribution channel and the project download
> pages effectively. Then, we can deal with problems in downstream
> distribution channels on an ad hoc basis, as they are found and
> reported to us.

Yet the public are (generally) getting our software from downstream
channels, not from us.

