 | Start a set with this search |
 | Include this search in one of my sets |
 | Exclude this search from one of my sets |
 | Permalink to these results Paste this link in email or IM: |
 | Atom feed for tracking future search results Paste this URL into your reader: |
5 messages in org.apache.legal-discussRe: Fixing pom.xml issues. Automated ...| From | Sent On | Attachments |
|---|---|---|
| Anton Tagunov | May 30, 2008 12:47 pm | |
| Henri Yandell | May 30, 2008 5:53 pm | |
| Stefano Bagnara | May 31, 2008 4:39 am | |
| Henri Yandell | May 31, 2008 1:38 pm | |
| Stefano Bagnara | Jun 1, 2008 5:51 am |
| Permalink for this message Paste this link in email or IM: |
| Permalink for this thread Paste this link in email or IM: |
| Atom feed for this thread Paste this URL into your reader: |
| Subject: | Re: Fixing pom.xml issues. Automated approach | Actions... |
|---|---|---|
| From: | Stefano Bagnara (apa...@bago.org) | |
| Date: | May 31, 2008 4:39:05 am | |
| List: | org.apache.legal-discuss | |
Henri Yandell ha scritto:
I think we're a long way from requiring a solution - I'm not convinced that the problem is even halfway understood yet.
I know of two use cases:
1) The Maven repository 2) People who want to flatten the Maven repository into the distribution for offline building
The latter in my opinion is a dumb idea and whoever is stuck on that should get over it - you can't do that unless the items you're distributing fall within the AL 2.0 license, and it sounds to me like the people wanting to do that are saying it doesn't. So - no, remove that feature. Both the pedant and the pragmatist will be happy with the removal.
The former however requires discussion.
In both case you have to understand what are the rights and you can't use something that could be "all right reserved". So, anyway, there is a need to classify the poms our projects use in order to build and to KNOW what we can do with them. Once we know what we CAN do, each PMC will decide what he wants to do following the rules.
With the former, a maven repository redistributes various artifacts under many licenses - thus it's only licenses like BCL that are a concern. There are three types of individual who contribute artifacts:
* Maven repository manager * Bundle uploader via JIRA * Sync'd repository owners
The artifacts tend to be:
* a maven-metadata.xml file - this is created by repository managers and (I think) repository owners. * a jar (javadoc, source, binary). Often including a license/notice file. The old style was to only have the license in the zip/archive, so I imagine this is sporadic. * a pom. Rarely with a source header, though likely covered by the license on the zip/archive it is also distributed in.
Both syncing repository owners and bundle uploaders have to prove they are members of the relevant source projects. So there is a level of checking to make sure people aren't randomly uploading someone else's crap.
It is not true. I'm *sure* that some dnsjava pom created by me has been uploaded to central without too many questions about who created what and what rights I was granting for that specific pom. So, why should I think that this did not happen for every other pom there? As far as I can tell I never granted rights to automatically copy that pom in people's local repository. Let me be clear, I don't want to sue anyone and the next time I will submit a dnsjava pom I will do that adding copyright statement and an ALv2 header, but how can I tell what other "submitter" wants me to (not) make with their poms?
What is our concern?
We've talked about source headers and licenses, but that's not a concern. There is the very open question of just how much a pom needs in it to be considered copyrightable, and there is the question of whether we want all ASF created poms to have a source header. Neither of these are the real concern of this thread imo (source headers on created (not generated) ASF poms are nice, and we should do that, but it doesn't concern this discussion as we can do what we want with our poms already).
I don't agree. "Our" concern is that we have to make sure that people have rights to use the poms we produce, at the same way we take care of people to have rights to alter/redistribute our source codes. If we create a pom for our product and we don't tell people what is the license then no one should use it, people should not upload it to central, people should not use it from central as part of an automated process, people should not make a local copy in the local repository, they should not provide mirrors for that data. We are not currently explicitly granting that set of rights.
The only concern imo is the right of distribution. If you read the t&c for sf.net, google.code, codeplex etc, they have a right of distribution in there, which I'm guessing also has text that it applies to them, subsidiaries, and partners etc. Currently for the Maven repository this is implied (for bundle uploads) and I'm assuming is verbal rather than written (for rsyncs). It also could be argued that it's not clear that mirrors would also be redistributing.
I'd therefore expect a solution to be more like:
1) Ensure we have a formal syncing agreement that provides distribution rights to Apache and partners with each syncer. 2) Ensure that bundle uploads confer such rights - much the way we have a checkbox in our JIRA. As the JIRA is at Codehaus, we would have to a) confirm that our checkbox solution can apply to a single project at a time rather than all of them (probably not, but I think we could hard code something in there with little trouble) and b) ask Codehaus if that plugin could be added. It could however simply be their being asked to state that when making the issue.
If a pom is a creative work and people can claim copyright on it then we should treat them as any other piece of code, and we should talk about "license" and not for "people to confer rights" when uploading the pom to JIRA. If we ask for a license we know what exactly can be done, if you ask for a specific set of rights then you will be stuck to that rights once a new tool will require a new way to handle that meta data. As an example if you simply ask rights for redistribution then you will not have the rights to create a derivative work of that one just because a new version of a bundle has been created and the original pom author is no more there. We have to ensure that each pom is published under a very liberal license, or we'll simply create an useless metadata database.
Stefano
--------------------------------------------------------------------- DISCLAIMER: Discussions on this list are informational and educational only. Statements made on this list are not privileged, do not constitute legal advice, and do not necessarily reflect the opinions and policies of the ASF. See <http://www.apache.org/licenses/> for official ASF policies and documents.