Re: Central repository, bundle-create and distribution of licenses

2010-05-19 Thread Mark H. Wood
On Tue, May 18, 2010 at 07:52:48PM +0100, Bruno Harbulot wrote:
> I'm not saying that the central repo should investigate each and every
> case to check that it's indeed true, but it should make it mandatory to
> have a licence at least so as to avoid putting software that is
> mistakenly unattributed (and thus often in breach of the licence).

What is the URL for the license to software which is placed in the
public domain?  If you can answer that, then yes, I'd agree that it
would be reasonable for a repo. to check that the POM lists a license
and even that the link is not broken.  What is *in* that target
document is probably beyond the scope of the present software.  If
it's a copy of "Jabberwocky" or Lorem Ipsum, that's the submitter's
problem.

> As a publisher of a piece of software, I did put the LICENSE.txt file in 
> my bundle linked from  
> (via the default settings of maven-repository-plugin 2.0 at the time), 
> having the expectation that it would be distributed along with the 
> artifacts in the bundle.

What led you to believe that this would happen?  If you put it into a
src/main/resources directory then it should have been packed up into
the archive, but I don't see anything which says that anything else
shall be done with it.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a 
little more than 2 percent of world population has broadband.
-- Ledford and Tyler, _Google Analytics 2.0_




Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Brian Fox
> Does that follow more or less the new guidelines? Are you saying that I
> should have jsslutils-1.0-licence.txt next to the other jars in the bundle
> instead (sorry, I can't see licence files in the screenshots on that blog
> entry).
>

No, I'm saying if you wanted the license sitting in the folder next to
your jar, it would need to be jsslutils-1.0-license.txt. Otherwise,
you should have the name and url in the pom for your license.

>
> Best wishes,
>
> Bruno.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
> For additional commands, e-mail: users-h...@maven.apache.org
>
>

-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
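As an added example (not Maven's or Sonatype's code, and not something from the thread), the two rules Brian states above can be checked mechanically before a bundle is uploaded: the POM must declare a license with a name and a URL, and any license file that is to survive in the repository must be named like an artifact, `artifactId-version-license.txt`, rather than `LICENSE.txt`. The POMs and file lists below are constructed for a hypothetical `org.example:foo:1.0`; the function names are my own. The license URL is only checked for shape, so a link that is syntactically fine but dead (Mark Wood's point) is not detected here.

```python
"""Check a Maven upload bundle for license conformance (added example, not
Maven or Sonatype code).  Two rules from the thread are enforced:
  1. the POM declares at least one <license> with a <name> and an http(s) <url>;
  2. every file in the bundle follows the m2 naming convention
     artifactId-version[-classifier].ext, so LICENSE.txt is flagged while
     foo-1.0-license.txt passes.
The license URL is only checked syntactically; nothing is fetched."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def _local(tag):
    """Strip an XML namespace: '{http://maven.apache.org/POM/4.0.0}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def pom_licenses(pom_xml):
    """Return [(name, url), ...] for each <license> declared in the POM."""
    root = ET.fromstring(pom_xml)
    return [(_text(lic, "name"), _text(lic, "url"))
            for block in _children(root, "licenses")
            for lic in _children(block, "license")]


def pom_coordinates(pom_xml):
    """(artifactId, version); the version may be inherited from <parent>."""
    root = ET.fromstring(pom_xml)
    version = _text(root, "version")
    if not version:
        for parent in _children(root, "parent"):
            version = _text(parent, "version")
    return _text(root, "artifactId"), version


def license_files(pom_xml, filenames):
    """Files named artifactId-version-license.* (either spelling), which survive upload."""
    artifact, version = pom_coordinates(pom_xml)
    pat = re.compile(rf"^{re.escape(artifact)}-{re.escape(version)}-licen[cs]e\.[A-Za-z0-9.]+$",
                     re.IGNORECASE)
    return [f for f in filenames if pat.match(f)]


def check_bundle(pom_xml, filenames):
    """Return a list of problems; an empty list means the bundle passes both rules."""
    problems = []
    licenses = pom_licenses(pom_xml)
    if not licenses:
        problems.append("POM declares no <licenses>/<license>")
    for name, url in licenses:
        if not name:
            problems.append("a <license> entry has no <name>")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"license {name!r} has no usable <url>: {url!r}")
    artifact, version = pom_coordinates(pom_xml)
    if not artifact or not version:
        problems.append("POM lacks artifactId or version; cannot check file names")
        return problems
    # artifactId-version, optional -classifier parts, then an extension (jar, pom, jar.asc, ...)
    conforming = re.compile(
        rf"^{re.escape(artifact)}-{re.escape(version)}(?:-[A-Za-z0-9_]+)*\.[A-Za-z0-9.]+$")
    for f in filenames:
        if not conforming.match(f):
            problems.append(f"{f}: not named artifactId-version[-classifier].ext")
    return problems


# Constructed sample POMs for a hypothetical org.example:foo:1.0 (not a real artifact).
GOOD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>foo</artifactId>
  <version>1.0</version>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>"""

BAD_POM = """<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>foo</artifactId>
  <version>1.0</version>
</project>"""

if __name__ == "__main__":
    good = ["foo-1.0.pom", "foo-1.0.jar", "foo-1.0.jar.asc", "foo-1.0-license.txt"]
    bad = ["foo-1.0.pom", "foo-1.0.jar", "LICENSE.txt"]
    for label, pom, files in (("good", GOOD_POM, good), ("bad", BAD_POM, bad)):
        print(label, check_bundle(pom, files) or "OK", license_files(pom, files))
```

Run against the "bad" bundle it reports both the missing `<licenses>` element and that `LICENSE.txt` does not follow the artifact naming convention, which is exactly the combination that would get the bundle rejected under the automated approach described in this thread.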



Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 19/05/2010 00:41, Brian Fox wrote:

The MAVENUPLOAD issue you refer to was processed by hand. This is
something we've worked to stop and automate, so it's not really
relevant what happened; it was 2 years ago.

That said, I don't know if LICENSE.txt inside the new bundle format
would be handled any differently because LICENSE.txt is not a proper
maven artifact. foo-1.0-licence.txt is another story. Put that inside
a bundle and it will be preserved. Any solution that includes the
license as a file inside the m2 namespace will have to follow the m2
namespace conventions.

Maven Central gets all of its artifacts via rsync connections to
various repos. If developers put stuff without the license in their
sync source, well then it won't have it when we sync it. The rsyncs, as
I mentioned before, are something we are actively working on winding
down, but we can't just flip the switch overnight; projects need time
to update to a forge and to update their process.

This is an iterative process, I'd love to flip a switch tomorrow and
have all artifacts subject to a new standard but it's not practical.


I understand it's not easy. That's great work and I appreciate the effort.



It's been an ongoing battle just getting basic validation and gpg
signatures.


Indeed, trust management and validation are always problematic.



All that said, I don't know how beneficial the addition of a license
as a file in the repo really is. Instead the license inside the pom
should be validated, and if appropriate included inside the jars. We
_do not_ modify artifacts that are uploaded, and I'll make sure our
automated approach rejects jars that have files with non-conforming
files in them. Unfortunately this means a bundle with LICENSE inside
it will be rejected, but then you would at least know to use
foo-xx-license.txt instead if you want it to be included with your
artifacts.


Ah great, so sorry, that's what I didn't really understand and was
asking for clarification about in the first place.
I guess that's mainly a documentation issue then, considering the blog 
entry you sent wasn't clearly linked from the maven.apache.org site (as 
far as I could tell) and that I couldn't work out how "Sonatype [would] 
perform some due diligence to make sure that the artifact has a license 
compatible with unrestricted distribution."


For my next release which I'm planning to bundle over the next few days, 
I've put the licence within the comments element:

http://jsslutils.googlecode.com/svn/trunk/jsslutils/pom.xml

Does that follow more or less the new guidelines? Are you saying that I 
should have jsslutils-1.0-licence.txt next to the other jars in the 
bundle instead (sorry, I can't see licence files in the screenshots on 
that blog entry).



Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Brian Fox
The MAVENUPLOAD issue you refer to was processed by hand. This is
something we've worked to stop and automate, so it's not really
relevant what happened; it was 2 years ago.

That said, I don't know if LICENSE.txt inside the new bundle format
would be handled any differently because LICENSE.txt is not a proper
maven artifact. foo-1.0-licence.txt is another story. Put that inside
a bundle and it will be preserved. Any solution that includes the
license as a file inside the m2 namespace will have to follow the m2
namespace conventions.

Maven Central gets all of its artifacts via rsync connections to
various repos. If developers put stuff without the license in their
sync source, well then it won't have it when we sync it. The rsyncs, as
I mentioned before, are something we are actively working on winding
down, but we can't just flip the switch overnight; projects need time
to update to a forge and to update their process.

This is an iterative process, I'd love to flip a switch tomorrow and
have all artifacts subject to a new standard but it's not practical.
It's been an ongoing battle just getting basic validation and gpg
signatures.

All that said, I don't know how beneficial the addition of a license
as a file in the repo really is. Instead the license inside the pom
should be validated, and if appropriate included inside the jars. We
_do not_ modify artifacts that are uploaded, and I'll make sure our
automated approach rejects jars that have files with non-conforming
files in them. Unfortunately this means a bundle with LICENSE inside
it will be rejected, but then you would at least know to use
foo-xx-license.txt instead if you want it to be included with your
artifacts.




Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Justin Edelson
On Tue, May 18, 2010 at 5:48 PM, Bruno Harbulot <
bruno.harbu...@manchester.ac.uk> wrote:

>
> On 18/05/2010 20:33, Justin Edelson wrote:
>
>> Clarification of the documentation and/or mechanisms on how to
>>> > redistribute the licences properly with the software is what I'm
>>> > suggesting. In terms of core Maven mechanism, that could consist of an
>>> > improvement with respect to the convention over configuration principle
>>> > that Maven follows.
>>>
>> I agree that the documentation can be improved with respect to this. You
>> can certainly submit some documentation patches on this point. I'm not
>> sure what "core" changes would be involved. There's probably some
>> possible enforcer plugin, but ultimately it's not Maven's job to
>> interpret the semantics of a license - that's something developers need
>> to be responsible for.
>>
>
> That's exactly the point: saying it's someone else's problem is just denial
> of the problem.

You have this backwards... saying it is Maven's problem is denying that
developers need to be cognizant of the requirement of the license they have
chosen for their project. Maven cannot give legal advice, which is
essentially what you are asking it to do.


> A publisher's omission to include a licence doesn't grant whoever gets hold
> of that software a licence to redistribute unconditionally.
>
This is your interpretation of a legal document.


> The problem with most OSS licences (as I was saying above), is that a
> developer's mistake ends up putting the burden on the distributors.
>
And if the operators of Central were concerned about this burden, I suppose
they would have done something about it.


> Since the Maven system overall relies on the tool, the repository and
> owners (or people allowed to distribute) to publish their software, this is
> a problem that has to be considered as a whole, I think.
>
This is a misunderstanding. Maven is not dependent upon the existence of
Central.

>
> I'm not arguing for perfection, just convenience in what I think are the
> common cases. Assuming that developers might be a little bit lazy sometimes
> and that most OSS software do have at least a requirement of quoting their
> licence with their copies, if a developer/publisher follows the default
> layout (that is, LICENSE.txt next to pom.xml according to the documentation),
> this licence should end up automatically in what's going to be fetched by
> the tool when a user puts it as a dependency in their own software, unlike
> what happens at the moment.
> (I guess including some licence text could easily apply to
> closed/proprietary software too.)
>
I don't disagree with any of this. By default, the resources plugin probably
should copy /LICENSE.txt to target/classes/META-INF/LICENSE.txt if
src/main/resources/META-INF/LICENSE.txt doesn't exist.


> I think that would be a more sensible default behaviour for the whole
> workflow, and that's what makes it a problem for the "core" Maven.

As Benjamin said, this isn't what "core" Maven does. You are describing a
plugin feature.

Justin

>
>
>
> Best wishes,
>
> Bruno.
>
>
>
>
>
>
>
>
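As an added example (not from Justin's post and not a Maven default), the plugin-level behaviour he describes, copying a top-level LICENSE.txt into the jar's META-INF, can already be had with an extra `<resource>` entry in the POM. The fragment goes inside `<project>`; the coordinates of the project it belongs to are hypothetical. Note that declaring `<resources>` at all replaces Maven's default resource set, so `src/main/resources` has to be listed again explicitly:

```xml
<build>
  <resources>
    <!-- re-declare the default resource directory; listing <resources>
         replaces the default rather than extending it -->
    <resource>
      <directory>src/main/resources</directory>
    </resource>
    <!-- copy the license and notice that sit next to pom.xml into
         META-INF/ inside the packaged jar -->
    <resource>
      <directory>${project.basedir}</directory>
      <includes>
        <include>LICENSE.txt</include>
        <include>NOTICE.txt</include>
      </includes>
      <targetPath>META-INF</targetPath>
    </resource>
  </resources>
</build>
```

After `mvn package`, `unzip -l target/<artifactId>-<version>.jar` should list `META-INF/LICENSE.txt`; that listing is the check a downstream consumer can make without relying on anything being kept beside the jar in the repository.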


Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 18/05/2010 20:45, Ron Wheeler wrote:

On 18/05/2010 2:52 PM, Bruno Harbulot wrote:
But how is a repository to know
1) Who is allowed to upload?
2) What, if any, license scheme the person uses. I can make up my own
license and I don't think that copyright or any law depends on a copy of
the license being included.
3) Does the committer have all the contributor licenses for the stuff
that they are uploading that they did not write personally.


Sure, that can be tricky. I'm not suggesting there will be a perfect 
solution. Cases where there's foul play will always be a problem.
It's for cases where everyone's trying to play fairly that I think the 
default mechanism should make things go more smoothly.


I reckon that Maven's success is based on the fact that it's a model for 
distributing software (that's at least a key element of the mechanism) 
and that most of the software is open-source and falls broadly into 
Apache, GPL, LGPL, MIT, BSD licences. Considering that all these have in 
common some terms regarding the distribution of the software 
("redistribution", "conveying", "distributing", I'm not a lawyer, but 
the ideas seem fairly clear), it just seems surprising that having a
mechanism that enables all parties involved (in particular software 
publishers and repositories) to respect those licences seems to have 
come as an after-thought.



On 18/05/2010 19:52, Bruno Harbulot wrote:

On 18/05/2010 18:33, Ron Wheeler wrote:

1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licencing, they should stop.

Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.


True.


Actually, I think I got that bit wrong, sorry. If the copyright holder 
of some software publishes it without a licence or copyright notice, 
they can. However, I don't think this grants any right to whoever gets 
it, maybe using it, but almost definitely not redistributing it.



On 18/05/2010 20:33, Justin Edelson wrote:

Clarification of the documentation and/or mechanisms on how to
> redistribute the licences properly with the software is what I'm
> suggesting. In terms of core Maven mechanism, that could consist of an
> improvement with respect to the convention over configuration principle
> that Maven follows.

I agree that the documentation can be improved with respect to this. You
can certainly submit some documentation patches on this point. I'm not
sure what "core" changes would be involved. There's probably some
possible enforcer plugin, but ultimately it's not Maven's job to
interpret the semantics of a license - that's something developers need
to be responsible for.


That's exactly the point: saying it's someone else's problem is just 
denial of the problem. A publisher's omission to include a licence 
doesn't grant whoever gets hold of that software a licence to 
redistribute unconditionally.
The problem with most OSS licences (as I was saying above), is that a 
developer's mistake ends up putting the burden on the distributors.
Since the Maven system overall relies on the tool, the repository and 
owners (or people allowed to distribute) to publish their software, this 
is a problem that has to be considered as a whole, I think.


I'm not arguing for perfection, just convenience in what I think are the 
common cases. Assuming that developers might be a little bit lazy 
sometimes and that most OSS software do have at least a requirement of
quoting their licence with their copies, if a developer/publisher
follows the default layout (that is, LICENSE.txt next to pom.xml according
to the documentation), this licence should end up automatically in 
what's going to be fetched by the tool when a user puts it as a 
dependency in their own software, unlike what happens at the moment.
(I guess including some licence text could easily apply to 
closed/proprietary software too.)


I think that would be a more sensible default behaviour for the whole 
workflow, and that's what makes it a problem for the "core" Maven.



Best wishes,

Bruno.








Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Ron Wheeler

On 18/05/2010 2:52 PM, Bruno Harbulot wrote:



On 18/05/2010 18:33, Ron Wheeler wrote:

1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licencing, they should stop.

Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.


True.



Case#2 would be hard to detect without having a big investigation for
every package being uploaded to be sure that it is a violation before
rejecting it. Very difficult to automate.


I'm not saying that the central repo should investigate each and every 
case to check that it's indeed true, but it should make it mandatory 
to have a licence at least so as to avoid putting software that is
mistakenly unattributed (and thus often in breach of the licence).


There's a shortcoming in terms of mechanism in place. It is the 
responsibility of whoever's hosting a Maven repository (in particular 
the central repository) to check that they redistribute software under 
the suitable licence. The central repository clearly fails in that 
respect. Once again, I don't see why people don't seem to realise that 
the central repository is redistributing software. Isn't that obvious?


I would like Maven (documentation or design) to have more guidance or 
an in-built mechanism to help publishers and more often distributors 
not to break those licences. (Some convention over configuration would 
be good here.)



As a publisher of a piece of software, I did put the LICENSE.txt file 
in my bundle linked from 
 (via the default 
settings of maven-repository-plugin 2.0 at the time), having the 
expectation that it would be distributed along with the artifacts in 
the bundle.
While I'm not expecting the central repository to do a big investigation to
find that licence, I would expect the bare minimum of using what was 
automatically bundled when following the official guidelines, more so 
considering that including that LICENSE.txt file was mandatory with 
the maven-repository-plugin version at the time.
The content of the bundle did end up in the central repository, except 
the licence.
Subsequently, when people put this artifact's ID in their POM and that 
Maven downloads it from the central repository, the central repository 
redistributes those files without the licence: that's a breach of the
licence.
That makes sense. Modifying an uploaded package to remove licenses cannot
be a "good thing".




The point here is that I'm not really arguing there should be a better 
system to protect our interests, I'm arguing there should be a better 
system to protect Maven repositories, especially the central one: 
they're the ones redistributing software and they're the ones at fault.




Lots of projects have lots of committers and who owns an open source
project would be more a question of ego than law in many cases.


(True, but that's what contributor licence agreements are for.)



But how is a repository to know
1) Who is allowed to upload?
2) What, if any, license scheme the person uses. I can make up my own 
license and I don't think that copyright or any law depends on a copy of 
the license being included.
3) Does the committer have all the contributor licenses for the stuff
that they are uploading that they did not write personally.






Best wishes,

Bruno.










Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Justin Edelson
On 5/18/10 2:50 PM, Bruno Harbulot wrote:
> 
> 
> On 18/05/2010 18:25, Justin Edelson wrote:
>> I thought it was well-established that you should include the license
>> inside binary and source artifacts.
>> What exactly is your reason for
>> thinking this isn't a good idea? Saying that it isn't "obvious" doesn't
>> really count IMHO as this is highly subjective.
> 
> I'm not sure if that's well-established. There are a number of artifacts
> in the central repository that clearly don't, so that's subjective too.
We can't change the past. But I think (almost) every Apache project is
now doing the right thing.

> You're right, the only reason I think it's better outside the jar itself
> is to make it a bit more visible. Whether the licence is within the
> jar's META-INF or next to the jar is a minute detail indeed. Having it
> within the jar would make it distributed with the jar of course (which
> is a good thing).
> 
> Clarification of the documentation and/or mechanisms on how to
> redistribute the licences properly with the software is what I'm
> suggesting. In terms of core Maven mechanism, that could consist of an
> improvement with respect to the convention over configuration principle
> that Maven follows.
I agree that the documentation can be improved with respect to this. You
can certainly submit some documentation patches on this point. I'm not
sure what "core" changes would be involved. There's probably some
possible enforcer plugin, but ultimately it's not Maven's job to
interpret the semantics of a license - that's something developers need
to be responsible for.

Justin

> 
> Best wishes,
> 
> Bruno.
> 
> 
>
> 





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 18/05/2010 18:33, Ron Wheeler wrote:

1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licencing, they should stop.

Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.


True.



Case#2 would be hard to detect without having a big investigation for
every package being uploaded to be sure that it is a violation before
rejecting it. Very difficult to automate.


I'm not saying that the central repo should investigate each and every 
case to check that it's indeed true, but it should make it mandatory to 
have a licence at least so as to avoid putting software that is
mistakenly unattributed (and thus often in breach of the licence).


There's a shortcoming in terms of mechanism in place. It is the 
responsibility of whoever's hosting a Maven repository (in particular 
the central repository) to check that they redistribute software under 
the suitable licence. The central repository clearly fails in that 
respect. Once again, I don't see why people don't seem to realise that 
the central repository is redistributing software. Isn't that obvious?


I would like Maven (documentation or design) to have more guidance or an 
in-built mechanism to help publishers and more often distributors not to 
break those licences. (Some convention over configuration would be good 
here.)



As a publisher of a piece of software, I did put the LICENSE.txt file in 
my bundle linked from  
(via the default settings of maven-repository-plugin 2.0 at the time), 
having the expectation that it would be distributed along with the 
artifacts in the bundle.
While I'm not expecting the central repository to do a big investigation to
find that licence, I would expect the bare minimum of using what was 
automatically bundled when following the official guidelines, more so 
considering that including that LICENSE.txt file was mandatory with the 
maven-repository-plugin version at the time.
The content of the bundle did end up in the central repository, except 
the licence.
Subsequently, when people put this artifact's ID in their POM and that 
Maven downloads it from the central repository, the central repository 
redistributes those files without the licence: that's a breach of the
licence.


The point here is that I'm not really arguing there should be a better 
system to protect our interests, I'm arguing there should be a better 
system to protect Maven repositories, especially the central one: 
they're the ones redistributing software and they're the ones at fault.




Lots of projects have lots of committers and who owns an open source
project would be more a question of ego than law in many cases.


(True, but that's what contributor licence agreements are for.)



Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot



On 18/05/2010 18:25, Justin Edelson wrote:

I thought it was well-established that you should include the license
inside binary and source artifacts.
What exactly is your reason for
thinking this isn't a good idea? Saying that it isn't "obvious" doesn't
really count IMHO as this is highly subjective.


I'm not sure if that's well-established. There are a number of artifacts 
in the central repository that clearly don't, so that's subjective too.
You're right, the only reason I think it's better outside the jar itself 
is to make it a bit more visible. Whether the licence is within the 
jar's META-INF or next to the jar is a minute detail indeed. Having it 
within the jar would make it distributed with the jar of course (which 
is a good thing).


Clarification of the documentation and/or mechanisms on how to 
redistribute the licences properly with the software is what I'm 
suggesting. In terms of core Maven mechanism, that could consist of an 
improvement with respect to the convention over configuration principle 
that Maven follows.


Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Ron Wheeler

On 18/05/2010 1:09 PM, Bruno Harbulot wrote:

Hi,

I've just submitted this issue: http://jira.codehaus.org/browse/MNG-4680

However, I'm told this wasn't the right place to submit. I'm not sure.
To me, one of the key features of Apache Maven (if not the main 
feature) is its repository mechanism. This makes the redistribution of 
software via those repository a core function of Maven.
In addition, Maven's success is largely based on its central 
repository I think (would anyone disagree?), which distributes mostly 
open-source software, which in turn has licences that apply to its 
redistribution in most cases.


It appears that the distribution model hasn't fully taken into
consideration the problem of licences. Considering that the central 
repository is in breach of a number of such OSS licences, I'd say 
there's something wrong with the model in that respect (hence filing 
the issue with the core framework MNG).



On 16/05/10 02:00, Brian Fox wrote:

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included.


Indeed, some projects have it in the META-INF directory, even with the 
binary distribution. (It's not bad, but it's not an obvious place. 
Putting them along with the POM would make it a bit clearer.)


There is definitely something wrong with the "convention over 
configuration" aspect. Whether that's strictly MNG domain or not is 
debatable indeed. However, if you follow the guidelines in the guides 
(e.g. licence placed as described in [1]), the licence doesn't end up 
either in META-INF or anywhere in the repository.


Is it just a documentation shortcoming, or is it a flaw in the 
architecture of Maven? There definitely is a flaw in the central 
repository, since it's clearly redistributing some software without 
the adequate licence.



I think these things are definitely fixable, and I'm not after an 
immediate fix, but I think the issue needs more consideration w.r.t. 
documentation or design of Maven, rather than saying it's the 
packager's or the repository's problem.


1) If people are distributing their own software in violation of their 
own licensing, it is their problem.
2) If people are distributing other people's software in violation of 
the licencing, they should stop.


Hard to see how this is a Maven problem or how Maven could fix it. Case 
#1 is clearly the prerogative of the owner of the software.
Case#2 would be hard to detect without having a big investigation for 
every package being uploaded to be sure that it is a violation before 
rejecting it. Very difficult to automate.
Lots of projects have lots of committers and who owns an open source 
project would be more a question of ego than law in many cases.


More trouble than it is worth and more likely to do more damage than good.

Ron



Best wishes,

Bruno.


[1] 
http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html 












Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Justin Edelson
I thought it was well-established that you should include the license
inside binary and source artifacts. What exactly is your reason for
thinking this isn't a good idea? Saying that it isn't "obvious" doesn't
really count IMHO as this is highly subjective.

Justin

On 5/18/10 1:09 PM, Bruno Harbulot wrote:
> Hi,
> 
> I've just submitted this issue: http://jira.codehaus.org/browse/MNG-4680
> 
> However, I'm told this wasn't the right place to submit. I'm not sure.
> To me, one of the key features of Apache Maven (if not the main feature)
> is its repository mechanism. This makes the redistribution of software
> via those repository a core function of Maven.
> In addition, Maven's success is largely based on its central repository
> I think (would anyone disagree?), which distributes mostly open-source
> software, which in turn has licences that apply to its redistribution in
> most cases.
> 
> It appears that the distribution model hasn't fully taken into
> consideration the problem of licences. Considering that the central
> repository is in breach of a number of such OSS licences, I'd say
> there's something wrong with the model in that respect (hence filing the
> issue with the core framework MNG).
> 
> 
> On 16/05/10 02:00, Brian Fox wrote:
>> What I meant by usually was that if someone wants to include the
>> license text, it's done inside the archives. Take a look at any recent
>> apache jar for example and you'll find LICENSE and NOTICE prominently
>> included.
> 
> Indeed, some projects have it in the META-INF directory, even with the
> binary distribution. (It's not bad, but it's not an obvious place.
> Putting them along with the POM would make it a bit clearer.)
> 
> There is definitely something wrong with the "convention over
> configuration" aspect. Whether that's strictly MNG domain or not is
> debatable indeed. However, if you follow the guidelines in the guides
> (e.g. licence placed as described in [1]), the licence doesn't end up
> either in META-INF or anywhere in the repository.
> 
> Is it just a documentation shortcoming, or is it a flaw in the
> architecture of Maven? There definitely is a flaw in the central
> repository, since it's clearly redistributing some software without the
> adequate licence.
> 
> 
> I think these things are definitely fixable, and I'm not after an
> immediate fix, but I think the issue needs more consideration w.r.t.
> documentation or design of Maven, rather than saying it's the packager's
> or the repository's problem.
> 
> 
> Best wishes,
> 
> Bruno.
> 
> 
> [1]
> http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html
> 
> 
> 
>
> 





Re: Central repository, bundle-create and distribution of licenses

2010-05-18 Thread Bruno Harbulot

Hi,

I've just submitted this issue: http://jira.codehaus.org/browse/MNG-4680

However, I'm told this wasn't the right place to submit. I'm not sure.
To me, one of the key features of Apache Maven (if not the main feature) 
is its repository mechanism. This makes the redistribution of software 
via those repositories a core function of Maven.
In addition, Maven's success is largely based on its central repository 
I think (would anyone disagree?), which distributes mostly open-source 
software, which in turn has licences that apply to its redistribution in 
most cases.


It appears that the distribution model hasn't fully taken into 
consideration the problem of licences. Considering that the central 
repository is in breach of a number of such OSS licences, I'd say 
there's something wrong with the model in that respect (hence filing the 
issue with the core framework MNG).



On 16/05/10 02:00, Brian Fox wrote:

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included.


Indeed, some projects have it in the META-INF directory, even with the 
binary distribution. (It's not bad, but it's not an obvious place. 
Putting them along with the POM would make it a bit clearer.)


There is definitely something wrong with the "convention over 
configuration" aspect. Whether that's strictly MNG domain or not is 
debatable indeed. However, if you follow the guidelines in the guides 
(e.g. licence placed as described in [1]), the licence doesn't end up 
either in META-INF or anywhere in the repository.


Is it just a documentation shortcoming, or is it a flaw in the 
architecture of Maven? There definitely is a flaw in the central 
repository, since it's clearly redistributing some software without the 
adequate licence.



I think these things are definitely fixable, and I'm not after an 
immediate fix, but I think the issue needs more consideration w.r.t. 
documentation or design of Maven, rather than saying it's the packager's 
or the repository's problem.



Best wishes,

Bruno.


[1] 
http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html






Re: Central repository, bundle-create and distribution of licenses

2010-05-16 Thread Bruno Harbulot



On 16/05/2010 02:00, Brian Fox wrote:

On Sat, May 15, 2010 at 4:56 PM, Benson Margulies  wrote:
Yes, these are good ideas.


Well, I'm not sure this is just about "good ideas", it sounds more like 
a legal requirement. This being said, I'm not a lawyer, it's just the 
way I interpret the BSD licence (for example) when I read it.




We currently require that the license be
specified in the pom but aren't validating that it is correct
automatically.


As far as I know, only the licence name is required, for example 
BSD. I've been saying this in this thread before, but 
that's just a *type* of licence, not an actual licence.
What would be the point of the BSD licence otherwise? Self-propagation 
of its own terms? The important part is the acknowledgement of the 
copyright holder.



Anyway, pending further development of the plugin and repository 
management, for my next release, I'll put the full text of the 
licence in the <comments> element within the POM file (it's only about 
30 lines). It seems reasonable.



Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-16 Thread Bruno Harbulot



On 15/05/2010 21:56, Benson Margulies wrote:

I think that perhaps there's an important distinction being missed
here. Central doesn't vacuum up artifacts from unsuspecting authors.
Other people put them there. If the authors of code choose to deposit
jar files on central, then it's not central who is 'distributing' them
-- it's the authors. In this case, it's people who download from
central and then repackage on their own who are responsible for
worrying about tracking down and including licenses.

The tricky case here is the non-author publishers, as with the
recently-announced mechanism. If I take a jar of OSS from its author's
distro, and push it to central without a license file, I am probably
violating the license. It's not clear to me that Sonatype is.

Thus, what I take from this thread is that it would be a kindness for
Sonatype to add a feature to the new publication mechanism to upload
the actual license. It could then be added to META-INF or just
published as an accompanying artifact, either way, and then no one
would have anything to complain about.


I don't think I would have made the publisher/distributor distinction in 
that order. If a publisher publishes a book, bookshops are the ones 
distributing it. You are certainly right there's a grey area there, 
though. To some extent, the central repository situation may be similar 
to other services that host content (and practically, they can't always 
check everything indeed, in my opinion).
This being said, I'm not sure it makes sense to argue that the central 
repository does not distribute software; to me it clearly does.



I also think that it's not sufficient to say that because the authors 
are the ones asking for it to be distributed, it's OK. It's not always 
all the authors or all the copyright holders. Pieces of OSS often 
include other pieces of OSS, from other projects, that may have been 
included under the same or other licences. The full list of copyright 
holders may extend beyond the list of people involved in a 
particular project.



Coming back to a case I know well:
http://jira.codehaus.org/browse/MAVENUPLOAD-2293
Admittedly, it's a small drop in the ocean of open-source software. 
Nevertheless, the bundle linked from the JIRA entry 
(jsslutils-0.5.1-bundle.jar), which was produced with 
maven-repository-plugin-2.0 did include a LICENSE.txt file (made 
mandatory by that version of the plugin).

 (a) This licence file never made it to the central repository.
 (b) This feature was removed from maven-repository-plugin-2.1 and 
following versions: LICENSE.txt files are no longer included in the 
bundles as far as I can tell.



I'm allowed by my management to release this software under a BSD-style 
licence, but the copyright holder still is my institution: the 
institution is licensing users to do what the licence says they can do, 
not me as an individual. One of the reasons I'm allowed to publish this 
code and ask to have it placed in the Maven repository is that there's 
an expectation that the licence will be respected. The problem is that, 
when copyright holders (individual or institution) realise that the OSS 
licence they've granted isn't respected, they might be less keen to 
publish OSS again.




It might be worth doing this just to avoid those voices in the wide
world who like to write alarmist postings about Maven distribution
(e.g. Saxon's author).


(Sorry, I'm not aware of the postings you're referring to.)

Don't get me wrong, I'm very happy to have the software I write 
distributed on the central repository, and I'm happy to use the content 
of the repository too. Maven isn't perfect, but it's very useful.
One of the main reasons it's useful is the amount of software available 
in the central repository. It's a system that's good for authors (it 
makes it easy to encourage usage of their work), good for whoever 
promotes Maven (presumably Sonatype) and of course good for its users.
What I'd like to see is a bit more action towards the respect of the 
licence, which is what makes OSS work in the end.
I'd therefore like Sonatype to improve the publication of licenses as 
they were bundled and to put that feature (or something similar) back in 
the following versions of the plugin.




Best wishes,

Bruno.





Re: Central repository, bundle-create and distribution of licenses

2010-05-15 Thread Brian Fox
On Sat, May 15, 2010 at 4:56 PM, Benson Margulies  wrote:
> I think that perhaps there's an important distinction being missed
> here. Central doesn't vacuum up artifacts from unsuspecting authors.
> Other people put them there. If the authors of code choose to deposit
> jar files on central, then it's not central who is 'distributing' them
> -- it's the authors. In this case, it's people who download from
> central and then repackage on their own who are responsible for
> worrying about tracking down and including licenses.
>
> The tricky case here is the non-author publishers, as with the
> recently-announced mechanism. If I take a jar of OSS from its author's
> distro, and push it to central without a license file, I am probably
> violating the license. It's not clear to me that Sonatype is.
>
> Thus, what I take from this thread is that it would be a kindness for
> Sonatype to add a feature to the new publication mechanism to upload
> the actual license. It could then be added to META-INF or just
> published as an accompanying artifact, either way, and then no one
> would have anything to complain about.
>

Yes, these are good ideas. We currently require that the license be
specified in the pom but aren't validating that it is correct
automatically. The vast majority of artifacts in Central come in over
wide open rsyncs so garbage in the source repo = garbage in central.
This gaping hole is slowly being closed by requiring projects to go
through forges that have the proper validation procedures before
getting into Central.

What I meant by usually was that if someone wants to include the
license text, it's done inside the archives. Take a look at any recent
apache jar for example and you'll find LICENSE and NOTICE prominently
included.

Requiring this of all artifacts is probably a good idea.

> It might be worth doing this just to avoid those voices in the wide
> world who like to write alarmist postings about Maven distribution
> (e.g. Saxon's author).
>
>
>




Re: Central repository, bundle-create and distribution of licenses

2010-05-15 Thread Benson Margulies
I think that perhaps there's an important distinction being missed
here. Central doesn't vacuum up artifacts from unsuspecting authors.
Other people put them there. If the authors of code choose to deposit
jar files on central, then it's not central who is 'distributing' them
-- it's the authors. In this case, it's people who download from
central and then repackage on their own who are responsible for
worrying about tracking down and including licenses.

The tricky case here is the non-author publishers, as with the
recently-announced mechanism. If I take a jar of OSS from its author's
distro, and push it to central without a license file, I am probably
violating the license. It's not clear to me that Sonatype is.

Thus, what I take from this thread is that it would be a kindness for
Sonatype to add a feature to the new publication mechanism to upload
the actual license. It could then be added to META-INF or just
published as an accompanying artifact, either way, and then no one
would have anything to complain about.

It might be worth doing this just to avoid those voices in the wide
world who like to write alarmist postings about Maven distribution
(e.g. Saxon's author).




Re: Central repository, bundle-create and distribution of licenses

2010-05-15 Thread Bruno Harbulot

Usually? I'm not sure really.

NOTICE and LICENSE files are fine in source bundles, but they don't seem 
to be put into the source jars with the current bundling process. They 
probably don't belong to the binary jars anyway (unless perhaps in the 
META-INF directory, somewhere?).


Anyway, I don't really have to look far for counter-examples, where this 
notice isn't present. Just taking the first one in alphabetical order 
:

- No mention of licence
- No reference to the original project
- No licence file in the jar file itself

After looking it up on Google, it looks like this project's licence is 
this: . I'll draw your 
attention to section 3, which maven.org seems to infringe on: no 
disclaimers or information on how to get the source are present, as 
required.

I haven't looked through all of them, but it's not an isolated case.


I think the bundling process should make sure the licences are there, 
but it currently doesn't. Even when the licence is referenced, as I was 
saying, putting the licence type isn't enough. For example, "BSD" really 
means "BSD-style"; not all software released under a BSD-style licence 
has the "Regents of the University of California" as copyright holders. 
What you find here  
for example is a template, not the actual licence.



I don't think it's realistic to expect Sonatype to go through all the 
jars to make sure there's a licence file somewhere. The practicality of 
Maven is something that I really enjoy, and I wouldn't like to see this 
practicality affected.
However, what could be done to make things clearer is to enable (and 
perhaps force) the inclusion of a LICENSE file (or similar) during the 
bundling process, so as to make sure it's published in Maven 
repositories. Otherwise, people who redistribute software by providing 
the central Maven repository (and mirrors) are in breach of those licences.


Again, the blog post you mentioned talks about "unrestricted 
distribution". No OSS is strictly compatible with "unrestricted 
distribution" except when it's in the public domain. All have 
restrictions stating that distribution must at least comply with their 
licence (which most of the time requires quoting the licence itself).


All I'm suggesting is to have a mechanism to improve that in Maven. I 
have no doubt that what's being done now is done in good faith with the 
reasonable expectation that people can Google to find the actual 
project page, but this situation could be made right, I think.



Best wishes,

Bruno.


On 15/05/2010 03:17, Brian Fox wrote:

Usually this is handled by inserting NOTICE and LICENSE into the jar
files themselves. In theory you could attach the license file to the
main artifact using the "license" classifier but normally this isn't
done.

On Fri, May 14, 2010 at 7:20 PM, Bruno Harbulot
  wrote:

Thanks for the link. Perhaps someone could put it on this page:
http://maven.apache.org/guides/mini/guide-central-repository-upload.html


Nevertheless, this doesn't really answer my question. The point I was making
was that, with the current model, licences are missing in most projects as
far as I can tell. There's often at best a URL to a licence file hosted
elsewhere than the repository.
Most OSS licences are fairly clear: the licence must be distributed along
with the software, whether in binary or source form (depending on the
content of the licence).
The fact that "Sonatype will perform some due diligence to make sure that
the artifact has a license compatible with unrestricted distribution, and we
will then promote the uploaded artifacts to the Central Maven repository."
[from your link] doesn't make the text of those licences appear from thin
air, and the bundling process doesn't seem to bundle those files.

'BSD' often doesn't refer to the actual same
licence for example. The copyright holder will be different from one project
to another, and redistributing software released under such a licence, but
without it, is effectively in breach of this licence (and there are plenty
of those in the central repository). One of the main points of OSS licences
is to acknowledge the copyright holders, at the very least.

I suppose one way to solve it would be to put the actual text within the
<comments> element of the <license> element in the POM file that's with
the jars in the repository.

I'm just suggesting there should be, along with the POM file and the jars, a
place for a LICENSE.txt (and perhaps NOTICE.txt as some licences use) to
make this clearer. (Downloading them along with the artifacts would be a
plus, again, for the sake of abiding by these licences.)
Does this mechanism already exist? How is it done?


Best wishes,

Bruno.


On 14/05/2010 22:39, Brian Fox wrote:



http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/

On Fri, May 14, 2010 at 11:46

Re: Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Brian Fox
Usually this is handled by inserting NOTICE and LICENSE into the jar
files themselves. In theory you could attach the license file to the
main artifact using the "license" classifier but normally this isn't
done.

On Fri, May 14, 2010 at 7:20 PM, Bruno Harbulot
 wrote:
> Thanks for the link. Perhaps someone could put it on this page:
> http://maven.apache.org/guides/mini/guide-central-repository-upload.html
>
>
> Nevertheless, this doesn't really answer my question. The point I was making
> was that, with the current model, licences are missing in most projects as
> far as I can tell. There's often at best a URL to a licence file hosted
> elsewhere than the repository.
> Most OSS licences are fairly clear: the licence must be distributed along
> with the software, whether in binary or source form (depending on the
> content of the licence).
> The fact that "Sonatype will perform some due diligence to make sure that
> the artifact has a license compatible with unrestricted distribution, and we
> will then promote the uploaded artifacts to the Central Maven repository."
> [from your link] doesn't make the text of those licences appear from thin
> air, and the bundling process doesn't seem to bundle those files.
>
> 'BSD' often doesn't refer to the actual same
> licence for example. The copyright holder will be different from one project
> to another, and redistributing software released under such a licence, but
> without it, is effectively in breach of this licence (and there are plenty
> of those in the central repository). One of the main points of OSS licences
> is to acknowledge the copyright holders, at the very least.
>
> I suppose one way to solve it would be to put the actual text within the
> <comments> element of the <license> element in the POM file that's with
> the jars in the repository.
>
> I'm just suggesting there should be, along with the POM file and the jars, a
> place for a LICENSE.txt (and perhaps NOTICE.txt as some licences use) to
> make this clearer. (Downloading them along with the artifacts would be a
> plus, again, for the sake of abiding by these licences.)
> Does this mechanism already exist? How is it done?
>
>
> Best wishes,
>
> Bruno.
>
>
> On 14/05/2010 22:39, Brian Fox wrote:
>>
>>
>> http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/
>>
>> On Fri, May 14, 2010 at 11:46 AM, Bruno Harbulot
>>   wrote:
>>>
>>> Hello,
>>>
>>> Is there a way to prepare a bundle to be uploaded to the central
>>> repository
>>> so that it also contains the licence file?
>>>
>>> Ideally, I'd like a licence file along these files, for example:
>>> http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/
>>>
>>> My POM contains this:
>>>     <licenses>
>>>         <license>
>>>             <name>BSD</name>
>>>             <url>LICENSE.txt</url>
>>>             <distribution>repo</distribution>
>>>         </license>
>>>     </licenses>
>>>
>>> The licence file is next to the POM in the source tree, but it's never
>>> included in the bundle or any of its inner jar files. I guess it could be
>>> an
>>> absolute URL that points to it, but it would be good to have a licence
>>> file
>>> bundled and uploaded with the other files, at least to respect the terms
>>> of
>>> the licence itself.
>>>
>>>
>>> Best wishes,
>>>
>>> Bruno.
>>>
>>>
>>>
>>>
>
>
>
>




Re: Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Bruno Harbulot
Thanks for the link. Perhaps someone could put it on this page: 
http://maven.apache.org/guides/mini/guide-central-repository-upload.html



Nevertheless, this doesn't really answer my question. The point I was 
making was that, with the current model, licences are missing in most 
projects as far as I can tell. There's often at best a URL to a licence 
file hosted elsewhere than the repository.
Most OSS licences are fairly clear: the licence must be distributed 
along with the software, whether in binary or source form (depending on 
the content of the licence).
The fact that "Sonatype will perform some due diligence to make sure 
that the artifact has a license compatible with unrestricted 
distribution, and we will then promote the uploaded artifacts to the 
Central Maven repository." [from your link] doesn't make the text of 
those licences appear from thin air, and the bundling process doesn't 
seem to bundle those files.


'BSD' often doesn't refer to the actual 
same licence for example. The copyright holder will be different from 
one project to another, and redistributing software released under such 
a licence, but without it, is effectively in breach of this licence (and 
there are plenty of those in the central repository). One of the main 
points of OSS licences is to acknowledge the copyright holders, at the 
very least.


I suppose one way to solve it would be to put the actual text within the 
<comments> element of the <license> element in the POM file that's 
with the jars in the repository.


I'm just suggesting there should be, along with the POM file and the 
jars, a place for a LICENSE.txt (and perhaps NOTICE.txt as some licences 
use) to make this clearer. (Downloading them along with the artifacts 
would be a plus, again, for the sake of abiding by these licences.)

Does this mechanism already exist? How is it done?


Best wishes,

Bruno.


On 14/05/2010 22:39, Brian Fox wrote:

http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/

On Fri, May 14, 2010 at 11:46 AM, Bruno Harbulot
  wrote:

Hello,

Is there a way to prepare a bundle to be uploaded to the central repository
so that it also contains the licence file?

Ideally, I'd like a licence file along these files, for example:
http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/

My POM contains this:
    <licenses>
        <license>
            <name>BSD</name>
            <url>LICENSE.txt</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

The licence file is next to the POM in the source tree, but it's never
included in the bundle or any of its inner jar files. I guess it could be an
absolute URL that points to it, but it would be good to have a licence file
bundled and uploaded with the other files, at least to respect the terms of
the licence itself.


Best wishes,

Bruno.










Re: Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Brian Fox
http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/

On Fri, May 14, 2010 at 11:46 AM, Bruno Harbulot
 wrote:
> Hello,
>
> Is there a way to prepare a bundle to be uploaded to the central repository
> so that it also contains the licence file?
>
> Ideally, I'd like a licence file along these files, for example:
> http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/
>
> My POM contains this:
>     <licenses>
>         <license>
>             <name>BSD</name>
>             <url>LICENSE.txt</url>
>             <distribution>repo</distribution>
>         </license>
>     </licenses>
>
> The licence file is next to the POM in the source tree, but it's never
> included in the bundle or any of its inner jar files. I guess it could be an
> absolute URL that points to it, but it would be good to have a licence file
> bundled and uploaded with the other files, at least to respect the terms of
> the licence itself.
>
>
> Best wishes,
>
> Bruno.
>
>
>
>




Central repository, bundle-create and distribution of licenses

2010-05-14 Thread Bruno Harbulot

Hello,

Is there a way to prepare a bundle to be uploaded to the central 
repository so that it also contains the licence file?


Ideally, I'd like a licence file along these files, for example:
http://repo1.maven.org/maven2/org/jsslutils/jsslutils/0.5.1/

My POM contains this:
    <licenses>
        <license>
            <name>BSD</name>
            <url>LICENSE.txt</url>
            <distribution>repo</distribution>
        </license>
    </licenses>

The licence file is next to the POM in the source tree, but it's never 
included in the bundle or any of its inner jar files. I guess it could 
be an absolute URL that points to it, but it would be good to have a 
licence file bundled and uploaded with the other files, at least to 
respect the terms of the licence itself.



Best wishes,

Bruno.


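One way to check, from the consumer's side, whether an artifact pulled from a repository actually carries its licence in the ways this thread discusses: a <licenses> entry in the POM, a <url> that resolves once the POM sits in the repository (a relative "LICENSE.txt" does not), the text in <comments>, or a LICENSE/NOTICE file under META-INF inside the jar. This is an added example, not code from the thread, from Maven or from the repository plugin; the POM and the jar are constructed inline, and treating <comments> or META-INF/LICENSE* as "licence text present" is this example's own heuristic.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample: the <licenses> fragment quoted in the thread, wrapped
# in a minimal POM for the coordinates of the artifact the thread points at.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.jsslutils</groupId>
  <artifactId>jsslutils</artifactId>
  <version>0.5.1</version>
  <licenses>
    <license>
      <name>BSD</name>
      <url>LICENSE.txt</url>
      <distribution>repo</distribution>
    </license>
  </licenses>
</project>
"""


def _q(tag: str) -> str:
    """Qualify a tag name with the Maven POM namespace."""
    return f"{{{POM_NS}}}{tag}"


def license_findings(pom_xml: str) -> list:
    """Return findings about the POM's licence metadata; empty means none.

    A <license> is flagged when it has no <name>, no <url>, a relative <url>
    (which points nowhere once the POM is in a repository), or no licence
    text in <comments>.
    """
    root = ET.fromstring(pom_xml)
    entries = root.findall(f"{_q('licenses')}/{_q('license')}")
    if not entries:
        return ["no <licenses>/<license> element in POM"]
    findings = []
    for i, lic in enumerate(entries):
        name = (lic.findtext(_q("name")) or "").strip()
        url = (lic.findtext(_q("url")) or "").strip()
        comments = (lic.findtext(_q("comments")) or "").strip()
        if not name:
            findings.append(f"license[{i}]: missing <name>")
        if not url:
            findings.append(f"license[{i}]: missing <url>")
        elif not urlparse(url).scheme:
            findings.append(f"license[{i}]: relative <url> {url!r} "
                            "does not resolve from the repository")
        if not comments:
            findings.append(f"license[{i}]: no licence text in <comments>")
    return findings


def jar_license_entries(jar_bytes: bytes) -> list:
    """Names of LICENSE/NOTICE files under META-INF/ inside a jar (a zip)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.upper().startswith(("META-INF/LICENSE", "META-INF/NOTICE"))]


def build_sample_jar(with_license: bool) -> bytes:
    """Constructed in-memory jar, with or without META-INF/LICENSE.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Dummy.class", b"")
        if with_license:
            zf.writestr("META-INF/LICENSE.txt", "constructed BSD-style licence text\n")
    return buf.getvalue()


def licence_travels_with_artifact(pom_xml: str, jar_bytes: bytes) -> bool:
    """True when licence text is carried in the POM's <comments> or in the jar."""
    root = ET.fromstring(pom_xml)
    if any((lic.findtext(_q("comments")) or "").strip() for lic in root.iter(_q("license"))):
        return True
    return bool(jar_license_entries(jar_bytes))


if __name__ == "__main__":
    for finding in license_findings(SAMPLE_POM):
        print(finding)
    print("licence travels with artifact:",
          licence_travels_with_artifact(SAMPLE_POM, build_sample_jar(False)))
```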