Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-31 Thread 'Dan Kortschak' via golang-nuts 
On Tue, 2023-10-31 at 02:50 -0700, Jason E. Aten wrote:
> 
> 
> On Tuesday, October 31, 2023 at 3:12:13 AM UTC Dan Kortschak wrote:
> > The Mozilla FAQ https://www.mozilla.org/en-US/MPL/2.0/FAQ/ appears
> > to
> > think it's OK.
> > 
> > > Q13: May I combine MPL-licensed code and BSD-licensed code in the
> > > same executable program? What about Apache?
> > > 
> > > Yes to both. Mozilla currently does this with BSD-licensed code.
> > > For
> > > example, libvpx, which is used in Firefox to decode WebM video,
> > > is
> > > under a BSD license.
> 
> 
> That is the other way around, not the situation under discussion.
> i.e. There is a difference
> between Apache input1 + MPL input2 -> MPL (for the combined output
> work), versus
> Apache input1 + MPL input2 -> Apache licensed combination.  The
> wikipedia article
> https://en.wikipedia.org/wiki/Mozilla_Public_License is fairly clear
> that even
> if you put the output under Apache, it is not really under Apache,
> because the MPL
> files have to still be under MPL. All you've really done at that
> point is to mislead the developer who
> uses your stuff into thinking that they have fewer compliance
> requirements than
> they actually do.
> 
> "Recipients can combine licensed source code with other files under a
> different, even proprietary license, thereby forming a "larger work"
> which can be distributed under any terms, but again the MPL-covered
> source files must be made freely available.[7]"
> 
> where the footnote is:
> [7] https://www.mozilla.org/en-US/MPL/2.0/FAQ/ 
> 
> Anyway. People divide into two camps on this. If you are working on
> open source software, 
> you don't care. You can afford to be sloppy with the licensing.
> Nobody is going to come after
> you because you work is open source in the end.
> 
> Commercial developers just avoid MPL and any uncertainty, and get on
> with their work. Nobody
> bothers to talk about it because it an issue just best avoided by not
> using MPLed software at all.
> 

Fair enough. Thanks for clarifying.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/a176f1799556f3af47259c380a798eb5120826ca.camel%40kortschak.io.

Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-31 Thread Jason E. Aten 


On Tuesday, October 31, 2023 at 3:12:13 AM UTC Dan Kortschak wrote:

The Mozilla FAQ https://www.mozilla.org/en-US/MPL/2.0/FAQ/ appears to 
think it's OK. 

> Q13: May I combine MPL-licensed code and BSD-licensed code in the 
> same executable program? What about Apache? 
> 
> Yes to both. Mozilla currently does this with BSD-licensed code. For 
> example, libvpx, which is used in Firefox to decode WebM video, is 
> under a BSD license.


That is the other way around, not the situation under discussion. i.e. 
There is a difference
between Apache input1 + MPL input2 -> MPL (for the combined output work), 
versus
Apache input1 + MPL input2 -> Apache licensed combination.  The wikipedia 
article
https://en.wikipedia.org/wiki/Mozilla_Public_License is fairly clear that 
even
if you put the output under Apache, it is not really under Apache, because 
the MPL
files have to still be under MPL. All you've really done at that point is 
to mislead the developer who
uses your stuff into thinking that they have fewer compliance requirements 
than
they actually do.

"Recipients can combine licensed source code 
 with other files 
 under a different, even 
proprietary license, thereby forming a "larger work" which can be 
distributed under any terms, but again the MPL-covered source files must be 
made freely available.[7] 
"

where the footnote is:
[7] https://www.mozilla.org/en-US/MPL/2.0/FAQ/ 

Anyway. People divide into two camps on this. If you are working on open 
source software, 
you don't care. You can afford to be sloppy with the licensing. Nobody is 
going to come after
you because you work is open source in the end.

Commercial developers just avoid MPL and any uncertainty, and get on with 
their work. Nobody
bothers to talk about it because it an issue just best avoided by not using 
MPLed software at all.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/857f0809-2f1b-4173-89ea-f626d38bc4a5n%40googlegroups.com.

Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-31 Thread 'Dan Kortschak' via golang-nuts 
On Mon, 2023-10-30 at 23:29 -0700, TheDiveO wrote:
> Unfortunatelly, "okay" hasn't been tested in court yet and especially
> with HashiCorp breaking bad you surely have the deep pockets to see
> this through?

This is not really my problem, I was just pointing out that the authors
of the license have publicly stated that they think they are
compatible.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/c5de2e3218adda68821e8d54fe57867ac0ec1e8b.camel%40kortschak.io.

Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-31 Thread TheDiveO 
Unfortunatelly, "okay" hasn't been tested in court yet and especially with 
HashiCorp breaking bad you surely have the deep pockets to see this through?

On Tuesday, October 31, 2023 at 4:12:13 AM UTC+1 Dan Kortschak wrote:

> On Mon, 2023-10-30 at 18:43 -0700, Jason E. Aten wrote:
> > I'm surprised by that claim. I seriously doubt, from reading the
> > licenses, that you can legally use the Apache2 license, since
> > it removes the MPL requirements; which the MPL forbids you from
> > doing.  
> > 
>
> The Mozilla FAQ https://www.mozilla.org/en-US/MPL/2.0/FAQ/ appears to
> think it's OK.
>
> > Q13: May I combine MPL-licensed code and BSD-licensed code in the
> > same executable program? What about Apache?
> >
> > Yes to both. Mozilla currently does this with BSD-licensed code. For
> > example, libvpx, which is used in Firefox to decode WebM video, is
> > under a BSD license.
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/c2e1d2a4-e0c4-4b8b-baea-d78132db2972n%40googlegroups.com.

Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-30 Thread 'Dan Kortschak' via golang-nuts 
On Mon, 2023-10-30 at 18:43 -0700, Jason E. Aten wrote:
> I'm surprised by that claim. I seriously doubt, from reading the
> licenses, that you can legally use the Apache2 license, since
> it removes the MPL requirements; which the MPL forbids you from
> doing.  
> 

The Mozilla FAQ https://www.mozilla.org/en-US/MPL/2.0/FAQ/ appears to
think it's OK.

> Q13: May I combine MPL-licensed code and BSD-licensed code in the
> same executable program? What about Apache?
>
> Yes to both. Mozilla currently does this with BSD-licensed code. For
> example, libvpx, which is used in Firefox to decode WebM video, is
> under a BSD license.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/3b85733a7f1f495abf00b54ef4a33e4d65113d3d.camel%40kortschak.io.

Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-30 Thread Jason E. Aten 
I'm surprised by that claim. I seriously doubt, from reading the licenses, 
that you can legally use the Apache2 license, since
it removes the MPL requirements; which the MPL forbids you from doing.  

Moreover I don't think a court would consider relevant what the Cloud 
Native Foundation thought was "okay".

On Tuesday, October 31, 2023 at 1:13:15 AM UTC Ajay Kidave wrote:

> Clace itself is Apache-2 licensed, using a MPL licensed library in an 
> Apache-2 licensed project is fine from what I understand. I do not plan to 
> make any code changes to the go-plugin code. The go-plugin library is 
> specifically allowed by CNCF projects if that matters 
> https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-06-27.json#L3
> .
>
> The intent in Clace is to allow multiple versions of a plugin to be usable 
> for backward compatibility. That, plus the security and stability benefits 
> of the out of process model make the go-plugin approach work better than 
> the .so/.dll approach.
>
> Ajay
>
> On Mon, Oct 30, 2023 at 11:55 AM Jason E. Aten  wrote:
>
>> I would just be aware that using software that is MPL licensed,
>>
>> https://github.com/hashicorp/go-plugin/blob/main/LICENSE
>>
>> means that nobody with commercial aspirations will touch your stuff. In 
>> practice, that means relatively little adoption. 
>>
>> -- 
>> You received this message because you are subscribed to a topic in the 
>> Google Groups "golang-nuts" group.
>> To unsubscribe from this topic, visit 
>> https://groups.google.com/d/topic/golang-nuts/FyaMylLPGEw/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to 
>> golang-nuts...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/golang-nuts/d56f9aab-19f8-40d4-87a5-59d05e1adb9fn%40googlegroups.com
>>  
>> 
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/d659156e-b0d0-4c3a-b42a-9ff1a0672384n%40googlegroups.com.

Re: [go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-30 Thread Ajay Kidave 
Clace itself is Apache-2 licensed, using a MPL licensed library in an
Apache-2 licensed project is fine from what I understand. I do not plan to
make any code changes to the go-plugin code. The go-plugin library is
specifically allowed by CNCF projects if that matters
https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-06-27.json#L3
.

The intent in Clace is to allow multiple versions of a plugin to be usable
for backward compatibility. That, plus the security and stability benefits
of the out of process model make the go-plugin approach work better than
the .so/.dll approach.

Ajay

On Mon, Oct 30, 2023 at 11:55 AM Jason E. Aten  wrote:

> I would just be aware that using software that is MPL licensed,
>
> https://github.com/hashicorp/go-plugin/blob/main/LICENSE
>
> means that nobody with commercial aspirations will touch your stuff. In
> practice, that means relatively little adoption.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "golang-nuts" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/golang-nuts/FyaMylLPGEw/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/d56f9aab-19f8-40d4-87a5-59d05e1adb9fn%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CAFHo40kZpkuAw%2B5r-UV-VjRoJBvg3OAZSZxS3gwq11%3DKxKdeOA%40mail.gmail.com.

[go-nuts] Re: Clace: Secure web application development platform using Starlark

2023-10-30 Thread TheDiveO 
sadly, OpenDoufu(*) is the epitaph of HashiCorp breaking bad. So that 
go-plugin package is a no-go now (pun intended).

(*) I can't get myself using the British Empire misspelling of Standard 
Chinese (putonghua). And don't call that Ma... either.

On Monday, October 30, 2023 at 7:54:50 PM UTC+1 Jason E. Aten wrote:

> I would just be aware that using software that is MPL licensed,
>
> https://github.com/hashicorp/go-plugin/blob/main/LICENSE
>
> means that nobody with commercial aspirations will touch your stuff. In 
> practice, that means relatively little adoption.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/742c67bd-53f7-4df4-abb3-0e1583553a1cn%40googlegroups.com.