Hi all, repository.apache.org is an official Apache Software Foundation release channel and the MXNet project has been publishing convenience binaries via that channel since quite a while. Unfortunately it appears that no-one has initiated a license review of these convenience binaries, and unfortunately they are incompatible with the ASF requirements. They should have never been uploaded.
I recently reached out to Legal to inquire about this issue [1] and Legal team recommends to remedy the situation ASAP. Two issues, out of the potentially larger set of all issues. 1) There are GPU builds (mxnet-full_2.11-linux-x86_64-gpu) incorporating the CUDA SDK and possibly cuDNN, placing the resulting libmxnet.so under the CUDA EULA and cuDNN SLA. This EULA and SLA contain many restrictions, making them Category-X licenses [1]. No Apache project must under any circumstance redistribute such binaries. 2) All builds redistribute libgfortran.so, which is part of the GNU Fortran compiler, part of GCC and subject to the GPL. The GPL is also a Category-X license and the same restrictions apply. I see the following two potential remedies: 1) Ask the Infra team to delete all MXNet releases on repository.apache.org 2) Ask the Infra team to delete all MXNet GPU releases on repository.apache.org and provide replacement releases without libgfortran.so and other potentially Category-X files (I found libmkl_ml.so in one of the JARs..) If no-one steps up to do 2) or no-one suggests a better option, I recommend we go for option 1). Let's start discussing the options. Once discussion has settled, I'll initiate a lazy consensus or vote session. Note that these license rules apply to MXNet as part of the ASF. Third-parties (individuals or companies) may redistribute binary builds of MXNet incorporating Category-X licenses, IF they are appropriately labeled and no ASF trademarks or branding is infringed. As for the GPU builds, NVidia or Amazon may be willing to provide third-party GPU builds. I opened another ticket with Jira to see if such third-parties could provide them and what considerations would need to be taken into account. [3] This is similar to the Pypi releases, are third-party releases and not performed by the MXNet project (though also for them some legal questions remain open; in particular our Website does not disclaim that these are third-party releases). Best regards Leonard [1]: https://issues.apache.org/jira/browse/LEGAL-516 [2]: https://www.apache.org/legal/resolved.html#category-x [3]: https://issues.apache.org/jira/browse/LEGAL-515