Thanks for your report Scott,
After checking as much as I can, here are my conclusions:
As you reported "com.itextpdf:itextpdf:5.5.6" can't be used, it's AGPL so
incompatible with ASL2
Taher suggested to simply exclude loading it. So only loading
"com.lowagie:itext:4.2.0" which is MPL/GPL
But then we still face an issue as explained here
https://developers.itextpdf.com/question/versions-older-than-5
<<Some people claim that they use iText 4.2.0, but that version has never been
officially released>>
So it's not legally tenable.
This same FAQ entry is also about iText 2.1.7. The original archived
stackoverflow question is easier to read: https://s.apache.org/4QUU
So the same should apply to it as Lowagie (the author) says. But this is were I
think he is going too far.
Until proven otherwise, iText 2.1.7 has been officially released under an
MPL/GPL license under Lowagie's responsibility (he did release it)
And especially it's used by Eclipse Birt Runtime, the whole under an EPL
license, so I expect legally tenable.
You can find the iText 2.1.7 jar in every BIRT runtime package: http://download.eclipse.org/birt/downloads/ or
http://archive.eclipse.org/birt/downloads/build_list.php (we use 3.7.1)
The most interesting part is in com.lowagie.text_2.1.7.v201004222200.jar
Inside this jar we can read in the about.html that the original
itext-2.1.7.jar. is used (no modifications) same for itext Asian 1.5.2 version.
There are more legal information in about_files/misc_licenses.txt and as far as I understand the only IP infringement would be to use itext-2.1.7.jar
in a nuclear context. Last Sun license version says:
<<You acknowledge that this software is not designed or intended for
use in the design, construction, operation or maintenance of any
nuclear facility.>>
So for me, as long as we follow the misc. requirements in the misc_licenses.txt file in our LICENSE and possibly NOTICE file/s there should be no
problems using this "patch" in our main build.gradle
- compile 'com.lowagie:itext:4.2.0'
+ //compile 'com.lowagie:itext:2.1.7' // don't update because of license
issue. The BIRT runtime package uses the same.
We are sure that the 2.1.7 version will work because the code which uses itext
is from pre Apache Era (in PdfSurveyServices.java and CompDocServices.java)
Of course we need to ask the legal team before taking a formal decision about
it.
I think we have now enough material to ask, and without opposition I'll create
a LEGAL Jira in a week.
Jacques
Le 08/06/2018 à 03:57, Scott Gray a écrit :
Hi All,
I just noticed that the iText maven bundle is a bit tricksy and includes
iText 5.6.6 as a dependency, with the latter being GPL licensed. You can
see it by running "./gradlew -q dependencies":
+--- com.lowagie:itext:4.2.0
| \--- com.itextpdf:itextpdf:5.5.6
I haven't checked to see if the later version is actually used by our code
and I'm not sure if merely downloading it causes licensing issues, but I
thought I'd bring the question here in case anyone else has already looked
into it. Not sure what the work-around would be if it is an issue.
Regards
Scott