Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-18 Thread Justin Mclean
Hi,

Sorry, -1 due to license and copyright issues and a possible crypto issue.

I checked:
- artefact contains incubating
- signature and hashes good
- DISCLAIMER exists
- LICENSE is missing a couple of things/has a few issues
- NOTICE is good but may be missing things from other Apache bundled software
- rat exclusions may be a bit wide
- no unexpected binaries in release
- while most source files have Apache headers there are several issues with 
copyright owners and multiple headers in files
- didn’t compile as the build process looks rather difficult

If OpenSSL is being bundled has this process been followed? [8] I’m not 
familiar with the process and it may not apply here. Can someone who is more 
familiar with this please comment.

LICENSE issues:
- License implies that all BSD licensed software is "Copyright (c) 2008-2010, 
Allan Jardine" which is not the case. Each piece of licensed software will have 
its own owner.
- missing MIT licensed Asciidoctor [1]
- jQuery UI is MIT licensed not BSD [2]
- missing MIT license MooTools Framework [3]
- missing BSD style OpenSSL license [4]
- missing MIT JavaScript InfoVis Toolkit license [5]
- missing MIT jQuery license [6]
- And while the code under [7] is MIT it's not copyright SpryMedia Ltd
- missing license for CSS Document by Codify Design Studio [15] How is this 
file licensed?

Also this file [9] is marked as copyright ASF but contains other possible 
copyright owners:

Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Steve Loughran

> On 19 Nov 2015, at 02:28, Justin Mclean  wrote:
> 
> 10], copyright Open Software Foundation e.g. [11]


That taints so much of the HP C++ codebase. Someone I know was working on the 
Unix JVM and was in the graphics code, where he came across bits of the font 
stuff which he'd written himself for OSF/Motif about 10+ years earlier; it's 
the tainting of that bit of code which may have led to the rendering on 
OpenJDK being so much worse than Oracle JDK for a long time: too much cut and 
paste consortium code without provenance management.

-
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org



RE: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Roberta Marton
Thanks Justin for your comprehensive review of the release artifacts and
valuable comments.   And thanks Steve for your comment that indicates the
importance of getting provenance correct.

We are committed to getting the release package correct along with all the
provenance issues. This is the first time we are releasing and were
expecting some issues.  A lot of time and effort has been spent getting your
source package to work in the Apache infrastructure.

We will look at the provenance issues you mentioned and figure out how best
to address them.

There are a few questions that we have based on the comments we received so
far:

1. HP donated the Trafodion code to Apache several months ago.  We have gone
through all the legal steps to get the code donated.  As part of this
process we removed all the HP copyrights except for our test files and
documentation.  Do we have to remove all the Copyrights in order to release
in Apache?  Is including HP in the NOTICE/LICENSE file adequate?

2. A conscious decision was made to add the latest Apache license to files
that have existing licenses. So now multiple licenses are showing up.  Is
this something we should not be doing?  The original license came when the
code was first used by the product.

3.   We have followed the instructions detailed in [8] but it looks like we
are missing a mention of this in our README file.  We will add appropriate
information as the rules apply, for example - " This distribution includes
cryptographic software. The country in which you currently reside may have
restrictions on the import, possession, use, and/or re-export to another
country, ..."

4.  We do have permission to use the photos in [13] [14].  Is there
something we need to do to indicate this somewhere?

5. You mentioned that we may be too generous in excluding files for our RAT
test.  We did include in the RAT_README file an explanation of the exception
and why. If there are specific explanations in RAT_README.txt that are not
OK, we can look at each one on a case by case basis.

We based RAT exceptions on looking at other Apache products and as described at
http://apache.org/legal/src-headers.html#faq-exceptions.

The RAT_README.txt file contains explanations on how we clearly cannot add
copyright info to:
•   generated files
•   configuration files
•   testware expected files
•   source/testware that were downloaded from elsewhere that contain
their own copyright info in the same directory.

However, it looks like we missed adding some of the items in our LICENSE
file.

6. Justin, can we get accessibility to some of the scripts you ran to check
for these incompatibilities?  This will give our next release a better
chance of succeeding.

Again, thanks for taking the time to provide this valuable feedback.

   Regards,
   Roberta


Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Justin Mclean
Hi,

> 1. HP donated the Trafodion code to Apache several months ago.  We have gone
> through all the legal steps to get the code donated.  As part of this
> process we removed all the HP copyrights except for our test files and
> documentation.  Do we have to remove all the Copyrights in order to release
> in Apache?

My understanding is that if the code was donated to the ASF it’s now copyright 
the ASF, not HP.

>  Is including HP in the NOTICE/LICENSE file adequate?

Yes that's needed as well. [1]

> 2. A conscious decision was made to add the latest Apache license to files
> that have existing licenses. So now multiple licenses are showing up.

Each file should have a single license header showing who owns the copyright. 
BTW rat doesn’t pick up on this.

>  The original license came when the code was first used by the product.

If the code comes from another project then HP probably didn't own the 
copyright. If the original code is Apache licensed then you usually don’t need 
to add anything to LICENSE [2], but if the software where it came from has a 
NOTICE file you may need to add something to your NOTICE files [2]. All other 
permissive licenses need to be added to LICENSE [3].

> 3.   We have followed the instructions detailed in [8] but it looks like we
> are missing a mention of this in our README file.

I’m not familiar with the process but you might want to look at what the HTTP 
project does in their README [2].

> 4.  We do have permission to use the photos in [13] [14].  Is there
> something we need to do to indicate this somewhere?

From the original people who took the photos? (Just because they were in the 
donation from HP doesn’t mean you have permission to use and distribute them.) 
Both of the photos look professional to me. How are they licensed? Does the 
photos metadata include license or copyright information? Usually that info 
would go in LICENSE. 

> 5. You mentioned that we may be too generous in excluding files for our RAT
> test. 

Just because of the number of issues it may be that you’re not checking all the 
files you should be. I didn’t look in detail.

> 6. Justin, can we get accessibility to some of the scripts you ran to check
> for these incompatibilities? 

Nothing fancy script wise, just rat and this:

find . -type f -exec grep "XXX" {} \; -print

Where XXX is “Copyright”, “ MIT ”, “BSD”, “GPL” etc. Sometimes I pipe to a 
couple of grep -v’s to reduce the noise.

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#mod-notice
2. http://www.apache.org/dev/licensing-howto.html#alv2-dep
3. http://www.apache.org/dev/licensing-howto.html#permissive-deps
3. https://github.com/apache/httpd/blob/trunk/README
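
An added example, not part of Justin's message or of the project's tooling: a small shell audit built on the same find/grep idea, which also flags files that carry the ASF header alongside someone else's copyright line (the multiple-header case rat was said not to pick up). The marker list, function names and sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# License-marker audit of a source tree (illustrative; names are hypothetical).
# Paths containing newlines are not supported.

MARKERS='Copyright|MIT License|BSD|GPL|Artistic License'
ASF_HEADER='Licensed to the Apache Software Foundation'
# "Copyright (c) 1990 ..." or "Copyright 2015 ..."
COPY_RE='Copyright[[:space:]]*(\([cC]\))?[[:space:]]*[0-9]'

# list_marked DIR: print "path<TAB>marker,marker" for every file with a marker.
list_marked() {
  find "$1" -type f | sort | while IFS= read -r f; do
    hits=$(grep -oE "$MARKERS" "$f" | sort -u | paste -sd, -)
    if [ -n "$hits" ]; then
      printf '%s\t%s\n' "$f" "$hits"
    fi
  done
}

# mixed_headers DIR: files that carry the ASF header AND a copyright line
# that does not name the ASF, i.e. an Apache header on third-party code.
mixed_headers() {
  find "$1" -type f | sort | while IFS= read -r f; do
    if grep -q "$ASF_HEADER" "$f" &&
       grep -E "$COPY_RE" "$f" | grep -qv 'Apache Software Foundation'; then
      printf '%s\n' "$f"
    fi
  done
}

# copyright_lines DIR: distinct copyright statements in the tree, with the
# ASF's own notice filtered out (the "grep -v" noise reduction) and comment
# decoration stripped so identical owners collapse to one line.
copyright_lines() {
  find "$1" -type f -exec grep -hE "$COPY_RE" {} + |
    grep -v 'Apache Software Foundation' |
    sed -E 's|^[[:space:]*#/]*||; s|[[:space:]*/]*$||' |
    sort -u
}

# make_sample DIR: constructed sample tree, not taken from the release.
make_sample() {
  mkdir -p "$1"
  printf '%s\n' "/* $ASF_HEADER (ASF) under one or more" \
    ' * contributor license agreements. */' 'int ok;' > "$1/clean.c"
  printf '%s\n' "/* $ASF_HEADER (ASF) under one or more" \
    ' * contributor license agreements. */' \
    '/* Copyright (c) 1990 The Regents of the University of California. */' \
    > "$1/third_party.c"
  printf '%s\n' '// MIT License' \
    '// Copyright (c) 2010 Example Author' > "$1/mit.js"
  printf '%s\n' 'Example Project' \
    'Copyright 2015 The Apache Software Foundation' > "$1/NOTICE"
}

# Demo on the constructed tree.
demo=$(mktemp -d)
make_sample "$demo"
echo "== markers per file";            list_marked "$demo"
echo "== ASF header + other owner";    mixed_headers "$demo"
echo "== distinct non-ASF copyrights"; copyright_lines "$demo"
rm -rf "$demo"
```

Each owner printed by `copyright_lines` is a candidate entry to check against LICENSE and NOTICE; each path printed by `mixed_headers` needs its header reviewed by hand.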





RE: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Roberta Marton
Thanks for your quick answers.

As for #4 - the pictures were taken by someone in our organization.  I will
tell him that they look professional -:)
They are not licensed or anything, just personal photos.

Since you seem to be knowledgeable on License issues.  You mentioned that #11
references Open Software Foundation.  In my research this is managed by a
GNU license.  However, it looks like Apache has restrictions on using these
types of licenses - http://www.apache.org/licenses/GPL-compatibility.html.  If
this is true, would this mean we can't include this file in our source
distribution?

Roberta




Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Marvin Humphrey
On Thu, Nov 19, 2015 at 5:50 PM, Justin Mclean  wrote:

>> 1. HP donated the Trafodion code to Apache several months ago.  We have
>> gone through all the legal steps to get the code donated.  As part of this
>> process we removed all the HP copyrights except for our test files and
>> documentation.  Do we have to remove all the Copyrights in order to release
>> in Apache?
>
> My understanding is that if the code was donated to the ASF it’s now
> copyright the ASF, not HP.

The ASF does not require copyright assignment -- instead, contributors such as
HP retain the copyright on their contributions, but license them.  For
contributions under a CLA or SGA, the contributions are licensed to the ASF
under terms which allow us to make them available under the ALv2.
Contributions not covered by a CLA or SGA are covered under section 5 of the
ALv2[1].

The ASF politely requests that contributors remove copyright notices from
individual files.  There are a variety of reasons for this request[2].

Optionally, a copyright owner who is removing copyright notices from
individual source files may put a copyright notice into the NOTICE file.
(The copyright owner is not required to add a copyright notice to the NOTICE
file, but they may.)  The contents of the NOTICE file must be propagated by
redistributors under terms described in section 4 of the ALv2[3].

Removing copyright notices does not change the copyright status of a work --
the owner retains copyright even if the notice is removed.  The ability to
recover damages for copyright infringement is impacted by removing copyright
notices, but most people do not concern themselves about that for permissively
licensed open source material.

Only the copyright owner or their authorized agent may make changes to
copyright notices -- it is illegal for anyone else to change them.
Removal of copyright notices is generally handled during early incubation
under the close supervision of podling Mentors[4].  It may also happen any
time there's a contribution of new source files containing copyright notices,
but following initial import is typically when we have the most files to deal
with.

Marvin Humphrey

[1] http://apache.org/licenses/LICENSE-2.0.html#contributions
[2] See  for some of these reasons.  The issue gets
discussed every couple of years on either general@incubator or
legal-discuss@apache.
[3] http://apache.org/licenses/LICENSE-2.0.html#redistribution
[4] http://incubator.apache.org/guides/mentor.html#clean-up-best-practice




Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Justin Mclean
Hi,

> As for #4 - the pictures were taken by someone in our organization.  I will
> tell him that they look professional -:) They are not licensed or anything, 
> just personal photos.

If they are fine with them being distributed then that's all good IMO. You may 
want to add something in LICENSE.

> Since you seem to be knowledgeable on License issues.  You mentioned that #11
> references Open Software Foundation.  In my research this is managed by a
> GNU license.

The GPL is not a licence that’s comparable with Apache software [1] so if they 
are GPL licensed then yes they would have to be removed / replaced with 
something else.

Files in question:
./core/sql/common/from_GB2312.c
./core/sql/common/multi-byte.h
./win-odbc64/sql/common/from_GB2312.c
./win-odbc64/sql/common/multi-byte.h

(may be others)

Looking at the file it mentions “OSF/1”. It's been a couple of years since I 
used DEC Alphas :-)  It’s not clear to me how those files are licensed; they 
may or may not be GPL.  But they shouldn’t have an Apache header if they are 
not Apache licensed.

I also noticed this file:
/core/sql/common/swsprintf.cpp

Which is "Copyright (c) 1990 The Regents of the University of California." and 
looks to be BSD licensed. Again it shouldn't have an Apache license header and 
this would also need to be added to LICENSE.

Do you know the provenance of all the files in /core/sql/common?

Sorry but it looks like the rabbit hole gets a bit deeper. When I was doing 
some checks I may have missed some things. Searching a bit further I can see 
code that is:
Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
Copyright (c) 1998, 1999 Thai Open Source Software Centre Ltd
Copyright (c) 1997-1999 Compaq Computer Corporation.  All Rights Reserved.
Copyright (c) 1997-2007, Damian Conway C<<  >>
Copyright Transaction Processing Performance Council

And from a few spot checks an Apache header has been incorrectly added to some 
of these files.

This file for instance:
./core/sqf/export/lib/Parse/RecDescent.pm

Is probably under the Perl Artistic License which may cause further 
complications. [2]

Thanks,
Justin

1. http://www.apache.org/legal/resolved.html#category-x
2. https://issues.apache.org/jira/browse/LEGAL-86



Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Justin Mclean
Hi,

Thanks for the clarification.

> The ASF politely requests that contributors remove copyright notices from
> individual files.  There are a variety of reasons for this request[2].

I assume you mean their own copyright notices; you can’t remove other people’s, 
right?

Any advice on what to do in this case? By my count there are 50+ different 
copyright messages in this code base.

Thanks,
Justin





Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Alex Harui


On 11/19/15, 7:56 PM, "Justin Mclean"  wrote:

>Hi,
>
>Thanks for the clarification.
>
>> The ASF politely requests that contributors remove copyright notices from
>> individual files.  There are a variety of reasons for this request[2].
>
>I assume you mean their own copyright notices; you can’t remove other
>people’s, right?
>
>Any advice on what to do in this case? By my count there are 50+
>different copyright messages in this code base.

AIUI, if these files are listed in the SGA, there must be a paper trail of
the copyright owner giving permission for them to be donated.  Otherwise,
they should be treated as third-party; the SGA may require amending as
well.

-Alex




Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-19 Thread Alex Harui


On 11/19/15, 7:42 PM, "Justin Mclean"  wrote:

>Hi,
>
>> As for #4 - the pictures were taken by someone in our organization.  I will
>> tell him that they look professional -:) They are not licensed or
>> anything, just personal photos.
>
>If they are fine with them being distributed then that's all good IMO.
>You may want to add something in LICENSE.

And you may want/need official documentation that it is OK for them to be
distributed.  And maybe even under what license and whether they are
contributing/licensing the photos to Apache.

True story:  Person C writes some code.  Company M acquires Person C and
his code.  A team is formed, more code is added.  Company A acquires
Company M.  Even more code is added.  Person C leaves Company A.  Company
A decides to donate all of that code to the ASF.  OMG! The acquisition
agreement for Person C and his code only licensed the code to Company M,
it did not explicitly grant the right to re-license that code to the ASF!
Hunt down person C and get signed agreement that Company A can re-license
Person C's code.  OMG!  Person C's copyright notices are still in the
files!  Person C is not a committer so he can't move the copyrights to
NOTICE.  Must ask person C for written permission to do so.

AIUI, if I take a photo as part of my job, maybe to create some test
media, my employee agreement says that my employer has copyright of that
work.  But if I bring in a photo from one of my trips, I probably own
copyright.  I can say my company can use it, but the terms are not clear.
It might be ok since our test media is in-house, but do I want it in an
ASF repo where everyone else can copy it and modify it?  What if people
start adding mustaches to my wedding photos!  And technically, since I own
that photo, the software grant cannot license it to the ASF, and since I
did not explicitly assign an ASF-compatible license to it, the ASF can't
just use it.  The template for adding something to LICENSE includes the
license it is under.

So, if this is a personal photo, I think you have the following choices:
1) Ignore me, since really, it is a lot of hassle, and what is the
likelihood something bad will happen?
2) Have the photographer send an email to your dev@ list saying that it is
under (choose an ASF-compatible license)
3) (Optional) Further have the photographer add in the email that they
donate/license the photos to the ASF.  This is optional because you can
always treat the photos as 3rd-party.
4) Replace the photos.

I don't know how strict the ASF wants to be on things like test media
photos.  If you choose #1, I won't know about it unless it gets brought up
on this list.  I'm just offering up what I've learned from several
software grants and IP clearances.

My mental model is that every contribution/pixel/line-of-code is
owned/copyrighted by some person or entity under some license (or no
license in which case no permissions have been granted).  The ASF further
wants explicit permission from the owner for every
contribution/pixel/line-of-code that is considered part of an ASF
project's source.  Even if a line of code from outside the ASF is already
under the Apache License, the ASF considers it third-party without such
permission.  You can bundle it in your releases, but it needs to be called
out in LICENSE since its owners may have other rules on how modifications
get back to the master copy.

Of course, IANAL, and most certainly could be wrong.

-Alex



RE: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-20 Thread Roberta Marton
It looks like we have some copyright and licensing issues to resolve before
completing our first release. So I am officially withdrawing our request
for our first Apache Trafodion release.  We will take a look at all the
issues reported and submit a new package later.

Again, thanks for all your valuable information.  This is obviously an area
we should have spent more time on before submitting.  It has been, and will
continue to be, an educational exercise for us.



Regards,

Roberta





Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-20 Thread Henry Saputra
Thanks, could you send reply with modified subject prefixed with:

[CANCEL] [VOTE]

to indicate the voting has been cancelled?

Thanks,

Henry




Re: [VOTE] Release Apache Trafodion (incubating) 1.3.0-incubating (RC4)

2015-11-20 Thread Alex Harui


On 11/20/15, 8:18 AM, "Roberta Marton"  wrote:

>It looks like we have some copyright and licensing issues to resolve before
>completing our first release. So I am officially withdrawing our request
>for our first Apache Trafodion release.  We will take a look at all the
>issues reported and submit a new package later.
>

Good luck.  FWIW, at my company, the legal staff was highly interested in
helping us get this right, had tools to help us get it right, and their
response time was often quicker than this list and would be true legal
advice instead of anecdotes from engineers who've survived the process.
If you have such resources available to you it might speed up the process.
 They may not be able to advise on how to write the LICENSE and NOTICE
files, but they could help you be more certain about which files need to
be mentioned in LICENSE and NOTICE.  The reason the company legal staff
was interested was because the Software Grant had to be signed by a VP and
needed to be as accurate as possible since the company didn't want to
grant IP to the ASF and expose to the world in the ASF repos that it
wasn't supposed to.

Once you know who owns the various pieces and which ones have been granted
vs are 3rd party, you can then make more sense of the ASF documents on how
to document everything.  The ASF has further rules on what 3rd party
dependencies are allowed in various configurations.  A company can grant
software that the ASF cannot use "as-is" because it depends on 3rd party
code with certain licenses.

-Alex

