On Feb 9, 2008, at 8:17 PM, Davanum Srinivas wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kevan,
You are right. We have a new mechanism for triggering prohibited
works. We need to get this to the attention of the
legal-discuss folks so they cover that angle in addition to just
the "ship" angle that they have looked at so far.
Would specifying "<scope>provided</scope>" provided in the pom.xml
for mysql be enough to geronimo from downloading
mysql when the plugin is installed? I am not that worried about
pulling in that jar into our maven repo when we
create/build our distribution, as long as we don't ship it.
The scope won't have any effect. We do have the option of specifying
the mysql jar as a prerequisite which will prevent installation of
the plugin unless the mysql jar is already present, presumably
because someone who is aware of the licensing concerns has explicitly
installed it.
I don't know if we've checked that this works properly with a jar
rather than car (geronimo plugin) dependency but theoretically it
would work.
I don't think this a very elegant solution but it may be the best we
can do in the near term. I guess I'm dreaming of a "license filter"
that you can set up and then plugins can download dependencies
consistent with the licenses you have allowed.
To reiterate, we (asf) would never be shipping the mysql jar, but as
currently set up, anyone installing the mysql roller plugin would be
installing the mysql jar into their geronimo server.
thanks
david jencks
thanks,
dims
Kevan Miller wrote:
|
| On Feb 9, 2008, at 2:01 PM, Davanum Srinivas wrote:
|
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> Kevan,
|>
|> I followed the discussion. You said that "Yes. The automatic
download
|> is the issue.". I don't think that is the case...I
|> believe the "clear guidance" kicks in when we *ship* a distribution
|> with some other license on that page. So i thought
|> we should get clarification on that point.
|>
|> related question, Are we at this point picking/shipping either the
|> plugin or the mysql jars into our distribution?
|
|
| Hi Dims,
| The roller plugins are not included in Geronimo 2.1. We will want to
| release the roller plugin at some point. So, will need to clear
up this
| point before then.
|
| Thanks for the clarification. So, is this your question?
|
| ****************
|
| Is it ok to release an Apache product which will automatically,
without
| user prompting, download a prohibited work?
|
| The product in question is the Apache Geronimo roller-mysql-database
| plugin which has a dependency on a "prohibited work" (i.e. a
MySQL jar
| which is GPL with a FLOSS exception). The building of the plugin
would
| download a MySQL jar into a users maven repository. The MySQL jar
would
| *not* be included in the Geronimo roller-mysql-database plugin
binary.
| However, the subsequent installation of this plugin would cause the
| Geronimo server to automatically download and install the MySQL jar,
| without notifying the user.
|
| *****************
|
| IMO, the answer is no, you can't. Not by default and not without
| notifying the user. Am happy to get clarification, if you (or anyone
| else) think otherwise or aren't sure...
|
| I think the basic options are:
|
| 1. Don't make roller-mysql-database part of the standard build (and
| don't release a roller-mysql-database binary). The user can use a
| non-standard build option to create the plugin, as long as he/she is
| notified.
| 2. Make the roller-mysql-database part of the standard build, but
remove
| the MySQL dependency. This binary can be built and released by our
| project. However, the MySQL jar must be installed -- either
manually by
| the user or by some tool which properly notifies the user.
|
| --kevan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
iD8DBQFHrnrmgNg6eWEDv1kRAvXxAKDLSlpx83vB5a2iEzskKIOt8iIP+wCfdqfn
oUFOkxrqEIx5Yl+U2ao04vE=
=oWpQ
-----END PGP SIGNATURE-----