www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kulp <daniel.k...@iona.com>
Subject Re: POM licensing
Date Mon, 01 Oct 2007 22:12:25 GMT
On Monday 01 October 2007, Stefano Bagnara wrote:
> Daniel Kulp ha scritto:
> > I think there are two issues that are being discussed on this
> > thread:
> >
> > 1) The license of the POM itself
> > 2) The license of the artifacts the pom describes (usually a jar)
> > [...]
> > The first one is a bit trickier.   I guess that would be the header
> > that is stuck at the top of the pom.   But, as mentioned previously,
> > there are cases where the release plugin strips that header.   (I
> > know, the proper fix is it fix the plugin).    Also, should the pom
> > be under the same license as the artifact.    If the pom has the
> > above lines in it, is that good enough?    Good question.
>
> Even if we fix the release plugin, we put an hard oversight on the new
> poms accepted via the "JIRA Upload" workflow, and we add new checks
> for automatically-rsynced repositories to enforce presence of a
> "known" license header on the pom (and I think this would be already a
> BIG effort)
>
> - how do we deal with all of the old poms not having such header?
>
> - Furthermore, what would be the allowed POM licenses? I think we
> should only accept licenses that we are already allowed to
> redistribute within ASF projecs (Category A in
> http://people.apache.org/~cliffs/3party.html, because pom.xml is a
> source, so Category B does not work)

Well, I'm not so sure a "released" pom is considered source.   There was 
a discussion about something similar in Geronimo in regards to the Sun 
schemas.   Are they source or more of a binary "contract" and not source 
that a user would/should be interested in modifying.   

In the poms case, the release plugin does modify them.  Thus, are they 
considered "generated artifacts"?   Generated artifacts could fall into 
Category B.


> - What do we do with non-ASL projects? e.g: javamail is distributed
> under the CDDL, on the java.net repository they publish their own
> artifacts and their own poms. The poms do not include any header, so
> we cannot simply take it and publish it in central and we cannot use
> it directly because it does not contains license header.

Well.   Technically we COULD write our own poms from scratch and submit 
them (and the jar) to central.   The CDDL does permit that.   (The older 
BCL would not)   Definitely a pain to do though.

> Should we 
> write our own descriptors for this artifacts? Wouldn't be a source of
> confusion if we publish on central poms declaring the same
> artifactId/groupid of the one published on java.net but including
> different informations?

That has already happened.   :-(
http://repo1.maven.org/maven2/javax/xml/soap/saaj-api/1.3/
http://download.java.net/maven/1/javax.xml.soap/poms/

The one on central is more useful for remote-resources (has the license 
information, name, url, etc....) but has a dependency to an artifact not 
at central.   The one at java.net has resolvable dependencies, but not 
any of the rest of the useful info.


-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog

Mime
View raw message