On 18/05/2010 2:52 PM, Bruno Harbulot wrote:
On 18/05/2010 18:33, Ron Wheeler wrote:
1) If people are distributing their own software in violation of their
own licensing, it is their problem.
2) If people are distributing other people's software in violation of
the licensing, they should stop.
Hard to see how this is a Maven problem or how Maven could fix it. Case
#1 is clearly the prerogative of the owner of the software.
True.
Case #2 would be hard to detect without having a big investigation for
every package being uploaded to be sure that it is a violation before
rejecting it. Very difficult to automate.
I'm not saying that the central repo should investigate each and every
case to check that it's indeed true, but it should make it mandatory
to have a licence at least so as to avoid putting software that is
mistakenly unattributed (and thus often in breach of the licence).
There's a shortcoming in terms of mechanism in place. It is the
responsibility of whoever's hosting a Maven repository (in particular
the central repository) to check that they redistribute software under
the suitable licence. The central repository clearly fails in that
respect. Once again, I don't see why people don't seem to realise that
the central repository is redistributing software. Isn't that obvious?
I would like Maven (documentation or design) to have more guidance or
an in-built mechanism to help publishers and more often distributors
not to break those licences. (Some convention over configuration would
be good here.)
As a publisher of a piece of software, I did put the LICENSE.txt file
in my bundle linked from
<http://jira.codehaus.org/browse/MAVENUPLOAD-2293> (via the default
settings of maven-repository-plugin 2.0 at the time), having the
expectation that it would be distributed along with the artifacts in
the bundle.
While I'm not expecting the central repository to do a big investigation to
find that licence, I would expect the bare minimum of using what was
automatically bundled when following the official guidelines, more so
considering that including that LICENSE.txt file was mandatory with
the maven-repository-plugin version at the time.
The content of the bundle did end up in the central repository, except
the licence.
Subsequently, when people put this artifact's ID in their POM and
Maven downloads it from the central repository, the central repository
redistributes those files without the licence: that's a breach of the
licence.
That makes sense. Modifying an uploaded package to remove licenses
cannot be a "good thing".
The point here is that I'm not really arguing there should be a better
system to protect our interests, I'm arguing there should be a better
system to protect Maven repositories, especially the central one:
they're the ones redistributing software and they're the ones at fault.
Lots of projects have lots of committers and who owns an open source
project would be more a question of ego than law in many cases.
(True, but that's what contributor licence agreements are for.)
But how is a repository to know
1) Who is allowed to upload?
2) What, if any, license scheme the person uses. I can make up my own
license and I don't think that copyright or any law depends on a copy of
the license being included.
3) Does the committer have all the contributor licenses for the stuff
that they are uploading that they did not write personally?
Best wishes,
Bruno.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org