Thanks John, I wasn't familiar with the legal mailing list. I forwarded these questions there.
I've started another thread about 2 weeks ago ("A few questions about creating a release") which has a few other questions of similar nature but somewhat less legal-y - Could you perhaps answer those, or should I forward them to the legal mailing list as well? Thanks, Ran On Thu, Jun 15, 2017 at 6:24 PM, John D. Ament <johndam...@apache.org> wrote: > Ran, > > I believe the reason you're not getting a response is that this isn't the > right list to bring it up. I can provide some insight, but ultimately you > need to get some legal input (from legal-discuss) > > - Code formatting shouldn't be an issue, since its not required for the > execution of the code. > - Paramiko would be an issue. I would not include it as a dependency. > > John > > On Wed, Jun 14, 2017 at 11:17 AM Ran Ziv <r...@gigaspaces.com> wrote: > > > Bumping this again, still waiting for answers on these issues. > > > > On Sun, Jun 4, 2017 at 3:02 PM, Ran Ziv <r...@gigaspaces.com> wrote: > > > > > Hi, > > > > > > I went over all of ARIA's dependencies (including recursive > dependencies) > > > and validated them against the Apache allowed licenses > > > <https://www.apache.org/legal/resolved.html#category-x>. > > > We've done this before and found no issues, but this time two libraries > > > came up as a possible problem. I have a few theories about how this > might > > > have happened, but what's more important is to understand what we can > do > > > about it. > > > > > > John, Suneel - I was hoping you might be able to answer some of the > legal > > > questions / suggestions I've made below. If not, please advise where I > > > might be able to get answers for those. > > > > > > > > > The first package is PyLint (GPL2.0) - This is the tool we use for > > > validating our Python code format. This is only relevant for > development > > > purposes, and would not be packaged with ARIA - not even in the source > > > distribution format. > > > It is installed from the tests/requirements.txt file, and is used by > tox > > > on CIs or manually by developers. > > > I'm not sure if this is a problem from Apache's perspective - i'd > assume > > > it shouldn't be, but if it is we could supposedly simply work with a > > > different tool for this. > > > > > > > > > The more serious issue is with the Paramiko package (LGPL2.1) - > Paramiko > > > is the native python implementation for SSH, and is widely used in > Python > > > ecosystem - including in Fabric, which is the library ARIA uses for > > remote > > > execution in the execution-plugin. > > > I believe the main reason we haven't noticed this so far is because in > > the > > > past we only checked for non-recursive dependencies - and Fabric is > > > licensed under BSD-2-clause, which is allowed by Apache. > > > > > > Since ARIA doesn't use Paramiko directly (but only via Fabric), this > > might > > > be considered ok. > > > Otherwise, we have few other options: > > > > > > I'm not completely clear about what constitutes as "included packages" > - > > > When we will make a release, we'll distribute a source and binary > > packages > > > of ARIA, but no packages which actually contain any dependencies code - > > > those will be installed separately (e.g. from PyPI). > > > > > > Assuming this is not enough to claim that these packages are "not > > > included" with ARIA, we could remove Fabric (and thereby Paramiko) from > > > ARIA's dependencies, but leave the code using them inside - This way, > > when > > > a user installs ARIA, they won't automatically receive any > > > non-ASF-sanctioned dependency code, and ARIA will work but without any > > > remote execution capabilities - and all that would be required from the > > > user to add these capabilities is to manually install the Fabric > library. > > > This way, Fabric is treated like an extension or a plugin, so I'd like > to > > > think this is something acceptable according to Apache's legal > > constraints. > > > > > > If this too is not acceptable, because ARIA will still have references > to > > > Fabric in the code (despite Fabric not getting installed), then perhaps > > we > > > could extract the referencing code as well into a separate package > which > > > lives outside of ASF, and users would have to install this separate > > package > > > to be able to use the remote execution capabilities. > > > > > > > > > Finally, if none of my suggestions above pans out, I'd suggest we > > > temporarily remove the remote execution capabilities, aim for an ARIA > > > release with local capabilities only, and try to figure a workaround > for > > > the remote execution at a later date. > > > > > > > > > Thanks, > > > Ran. > > > > > > > > >