Re: POM license guidance (and need for documentation/FAQ)
Alexander Kriegisch wrote: > I think what Nils says applies internationally, not just in the NL. A > copyright claim for any project which sports at least one easily > discoverable licence file in its SCM and in each major artifact should > be easy to defend against any licence violations. Legally, redundant > copies are totally unnecessary. My point was that even when there is no copyright notice anywhere, legally means that nobody except the author is allowed to use the code. At least in The Netherlands. Other countries may require an explicit copyright notice. Of course having an explicit copyright notice may help when there is a copyright dispute. When there is no license, there can also be no license violation, but default copyright rules apply when there is no license. You only need to license something when you want to deviate from standard copyright rules. Nils. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: POM license guidance (and need for documentation/FAQ)
I think what Nils says applies internationally, not just in the NL. A copyright claim for any project which sports at least one easily discoverable licence file in its SCM and in each major artifact should be easy to defend against any licence violations. Legally, redundant copies are totally unnecessary. This whole licence copying mania only serves the purpose to increase the probability of licence discovery from 99% to 99.5%. Whoever uses OSS source code accidentally, will be glad to remove it or acknowledge the licence if you tell him to. Whoever steals it on purpose is probably smart enough to remove licence headers from source code and config files anyway. This whole practice, however many years established and followed like cargo cult, is simply a waste of time and resources that does not increase or decrease any party's chances of winning or losing in court by one iota. I think, we should let it go. Apologies to the person starting the thread, asking a different question, for straying somewhat off topic. -- Alexander Kriegisch https://scrum-master.de Nils Breunese schrieb am 30.03.2024 14:26 (GMT +01:00): > Timothy Stone wrote: > >> Organizationally, we lack a policy and much of our code lacks even a >> "copyright." > > Where I live (The Netherlands) there is no need to explicitly add a copyright > notice to the work you create, you automatically have the copyright on > anything > you create (not just software). But laws are not the same all over the world, > which I guess is why many organizations add an explicit copyright notice in > each individual source file. > > Nils. > - > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: POM license guidance (and need for documentation/FAQ)
Timothy Stone wrote: > Organizationally, we lack a policy and much of our code lacks even a > "copyright." Where I live (The Netherlands) there is no need to explicitly add a copyright notice to the work you create, you automatically have the copyright on anything you create (not just software). But laws are not the same all over the world, which I guess is why many organizations add an explicit copyright notice in each individual source file. Nils. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: POM license guidance (and need for documentation/FAQ)
Thanks everyone! I think that the default of "no license" aligns to the expectation I've seen in other conversations. Omitting the element seems to be the community understanding, especially where SPDX lacks community alignment on a value (barring the NPM behavior). Organizationally, we lack a policy and much of our code lacks even a "copyright." Bernd has proposed a standard, but one that is not recognized by tooling, e.g., Mend (formally Whitesource). While I can align to this proposal in principle, the community at large lacks consensus. I may propose a simple MR to the Maven POM Reference documentation that simply states something along the lines of: "If your code is proprietary, i.e., not subject to licensing, omit this property." This simple statement can help many others in grokking the expectations of meta-data in the POM. Much thanks! Tim On 3/27/24 4:19 PM, Bernd Eckenfels wrote: Nils Breunese wrote on 27. Mar 2024 20:33 (GMT +01:00): That sounds like a good idea when the code is actually licensed under the “Companyname Commercial License” No, in my case it’s not a existing license (or actually there are of course licenses for the resulting product). But I use the name to make sure: - „commercial“ keeps people from thinking it’s unrestricted (if they happen to get in contact with Pom or repo) - companyname gives a namespace - allows to be included in manifest In the end this is mostly that SBOM and build-reports list all projects together. (A vendor grouping would be better but I think normal maven reports don’t). Not specifying a license has two problems, first it might inherit unwanted licenses from parent, and secondly it makes it harder to find actual not yet documented missing licenses. Therefore I can only recommend to always use a common license even if those Poms and artifacts never are to be exposed to external participants. Gruss Bernd - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org -- Timothy Stone = Some call me ... Tim. Husband, Father, Blogger, OSS, Wargamer, Home Brewer, and D Find me on GitLab | GitHub | Linked In | MeWe | GnuPG OpenPGP_signature.asc Description: OpenPGP digital signature
Re: POM license guidance (and need for documentation/FAQ)
Nils Breunese wrote on 27. Mar 2024 20:33 (GMT +01:00): > That sounds like a good idea when the code is actually licensed under the > “Companyname Commercial License” No, in my case it’s not a existing license (or actually there are of course licenses for the resulting product). But I use the name to make sure: - „commercial“ keeps people from thinking it’s unrestricted (if they happen to get in contact with Pom or repo) - companyname gives a namespace - allows to be included in manifest In the end this is mostly that SBOM and build-reports list all projects together. (A vendor grouping would be better but I think normal maven reports don’t). Not specifying a license has two problems, first it might inherit unwanted licenses from parent, and secondly it makes it harder to find actual not yet documented missing licenses. Therefore I can only recommend to always use a common license even if those Poms and artifacts never are to be exposed to external participants. Gruss Bernd - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: POM license guidance (and need for documentation/FAQ)
That sounds like a good idea when the code is actually licensed under the “Companyname Commercial License”, but if code is proprietary and there is no desire to license it to anyone, it should not be necessary to create such a license. Code is proprietary by default, you only need to license it when you want to define under which circumstances and in what ways others are also allowed to use the code. No license means others are not allowed to use it. Nils. > Op 27 mrt 2024, om 20:11 heeft Bernd Eckenfels het > volgende geschreven: > > I use name=„Companyname Commercial License“, > url=„https://www.companyname.com/terms“, distribution=„manual“ but also think > it would be good to have standard distribution and classifier for properitary > code. > > Nils Breunese wrote on 27. Mar 2024 20:02 (GMT +01:00): >> I personally omit the element when there are no applicable >> licenses. But it sounds like you'd want to be able to distinguish between >> ’there are no applicable licenses’ and ’there may or may not be >> applicable licenses’? > > Gruss > Bernd > > - > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: POM license guidance (and need for documentation/FAQ)
I use name=„Companyname Commercial License“, url=„https://www.companyname.com/terms“, distribution=„manual“ but also think it would be good to have standard distribution and classifier for properitary code. Nils Breunese wrote on 27. Mar 2024 20:02 (GMT +01:00): > I personally omit the element when there are no applicable > licenses. But it sounds like you'd want to be able to distinguish between > ’there are no applicable licenses’ and ’there may or may not be > applicable licenses’? Gruss Bernd - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: POM license guidance (and need for documentation/FAQ)
I personally omit the element when there are no applicable licenses. But it sounds like you'd want to be able to distinguish between ’there are no applicable licenses’ and ’there may or may not be applicable licenses’? Nils. > Op 27 mrt 2024, om 16:38 heeft Timothy Stone het > volgende geschreven: > > I'm trying to improve the use of POM meta-data such as in our > internal projects. > > However, proprietary code, i.e., "unlicensed" code, is not explicitly > documented in the POM Reference[1]. > > A search of the mailing list did not turn up any discussions in the past > (though how far back that search looked may be in question). > > The SPDX does not recognize "UNLICENSED" (though NPM does) and NOT to be > confused with "The Unlicense" (SPDX "Unlicense"). > > How does the community manage this? Is this a documentation PR opportunity > based on feedback here? A best practice is sought. > > The explicit recommendation for documenting the recommended pattern in the > POM would be valuable to many organizations. > > Thanks! > Tim > > [1]. https://maven.apache.org/pom.html#licenses > > -- > Timothy Stone > = > Some call me ... Tim. > Husband, Father, Blogger, OSS, Wargamer, Home Brewer, and D > Find me on GitLab | GitHub | Linked In | MeWe | GnuPG - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
POM license guidance (and need for documentation/FAQ)
I'm trying to improve the use of POM meta-data such as in our internal projects. However, proprietary code, i.e., "unlicensed" code, is not explicitly documented in the POM Reference[1]. A search of the mailing list did not turn up any discussions in the past (though how far back that search looked may be in question). The SPDX does not recognize "UNLICENSED" (though NPM does) and NOT to be confused with "The Unlicense" (SPDX "Unlicense"). How does the community manage this? Is this a documentation PR opportunity based on feedback here? A best practice is sought. The explicit recommendation for documenting the recommended pattern in the POM would be valuable to many organizations. Thanks! Tim [1]. https://maven.apache.org/pom.html#licenses -- Timothy Stone = Some call me ... Tim. Husband, Father, Blogger, OSS, Wargamer, Home Brewer, and D Find me on GitLab | GitHub | Linked In | MeWe | GnuPG OpenPGP_signature.asc Description: OpenPGP digital signature
