Hi folks,

I have a simple question - is it possible/legal to change the software licence by simply re-distributing a POM a couple of years later?

During a code review I came across a project using itext-4.2.0-jar. AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved to AGPL V3 - I suggested removing the library but the developer insisted that the library was indeed under MPL :-O

* He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml clearly displaying an MPL/LGPL licence
* I pointed him to http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom clearly displaying an AGPL V3 licence

But the http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom actually contains a "relocation" section

    <licenses>
      <license>
        <name>GNU Affero General Public License v3</name>
        <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
      </license>
    </licenses>
    <distributionManagement>
      <relocation>
        <groupId>com.itextpdf</groupId>
        <artifactId>itextpdf</artifactId>
        <version>5.5.6</version>
        <message>After release 2.1.7, iText moved from the MPLicense to the AGPLicense. The groupId changed from com.lowagie to com.itextpdf and the artifactId from itext to itextpdf.
        See http://itextpdf.com/functionalitycomparison for more information.</message>
      </relocation>
    </distributionManagement>

Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie" package name so I started digging through Maven Central

1) What Maven Central Says
===============================================================

http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/

    itext-4.2.0-bundle.jar.asc         20-Sep-2012 16:34      490
    itext-4.2.0-bundle.jar.asc.md5     20-Sep-2012 16:34       32
    itext-4.2.0-bundle.jar.asc.sha1    20-Sep-2012 16:34       40
    itext-4.2.0-javadoc.jar            20-Sep-2012 16:34  4498819
    itext-4.2.0-javadoc.jar.asc        20-Sep-2012 16:34      490
    itext-4.2.0-javadoc.jar.asc.md5    20-Sep-2012 16:34       32
    itext-4.2.0-javadoc.jar.asc.sha1   20-Sep-2012 16:34       40
    itext-4.2.0-javadoc.jar.md5        20-Sep-2012 16:34       32
    itext-4.2.0-javadoc.jar.sha1       20-Sep-2012 16:34       40
    itext-4.2.0-sources.jar            20-Sep-2012 16:34  4061295
    itext-4.2.0-sources.jar.asc        20-Sep-2012 16:34      490
    itext-4.2.0-sources.jar.asc.md5    20-Sep-2012 16:34       32
    itext-4.2.0-sources.jar.asc.sha1   20-Sep-2012 16:34       40
    itext-4.2.0-sources.jar.md5        20-Sep-2012 16:34       32
    itext-4.2.0-sources.jar.sha1       20-Sep-2012 16:34       40
    itext-4.2.0.jar                    20-Sep-2012 16:34  2243043
    itext-4.2.0.jar.asc                20-Sep-2012 16:34      490
    itext-4.2.0.jar.asc.md5            20-Sep-2012 16:34       32
    itext-4.2.0.jar.asc.sha1           20-Sep-2012 16:34       40
    itext-4.2.0.jar.md5                20-Sep-2012 16:34       32
    itext-4.2.0.jar.sha1               20-Sep-2012 16:34       40
    itext-4.2.0.pom                    10-Jul-2015 08:16     2156
    itext-4.2.0.pom.asc                10-Jul-2015 08:16      821
    itext-4.2.0.pom.asc.md5            09-Jul-2015 12:33       32
    itext-4.2.0.pom.asc.sha1           09-Jul-2015 12:33       40
    itext-4.2.0.pom.md5                10-Jul-2015 08:16       32
    itext-4.2.0.pom.sha1               10-Jul-2015 08:16       40

Interesting - the pom.xml was re-distributed a couple of months ago while the iText library is still from 2012.
I guess the redistribution was caused by the additional "relocation" section of the pom.xml

    > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
    > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
    > gpg --verify itext-4.2.0.jar.asc
    gpg: assuming signed data in `itext-4.2.0.jar'
    gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using RSA key ID 5FC3427B
    gpg: Can't check signature: public key not found

    > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom
    > wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom.asc
    > gpg --verify itext-4.2.0.pom.asc
    gpg: assuming signed data in `itext-4.2.0.pom'
    gpg: Signature made Fri Jul 10 10:15:36 2015 CEST using RSA key ID D401AB61
    gpg: Can't check signature: public key not found

2) Checking the itext-4.2.0.jar metadata
===============================================================

A closer look at the itext-4.2.0.jar shows the following pom.xml

    <project>
      <licenses>
        <license>
          <name>GNU General Lesser Public License (LGPL) version 3.0</name>
          <url>http://www.gnu.org/licenses/lgpl.html</url>
          <distribution>repo</distribution>
        </license>
        <license>
          <name>Mozilla Public License Version 2.0</name>
          <url>http://www.mozilla.org/MPL/2.0/</url>
          <distribution>repo</distribution>
        </license>
      </licenses>
      <name>iText-4.2.0</name>
      <url>https://github.com/weiyeh/iText-4.2.0</url>
      <description>This is a build of the last MPL version of iText.
      </description>
      <scm>
        <url>scm:git:https://github.com/weiyeh/iText-4.2.0.git</url>
        <connection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</connection>
        <developerConnection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</developerConnection>
      </scm>
    </project>

Looking at https://github.com/weiyeh/iText-4.2.0 shows that this is a fork of a static mirror of the original iText project. So this is actually not an official build from the iText developers so I checked the "official" SourceForge SVN repo

3) What SourceForge Says
===============================================================

I dug through the SourceForge SVN repo and there is indeed a tag "Unofficial release: iText 4.2.0"

* http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/www/lowagie/
* http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/src/core/com/lowagie/text/Anchor.java clearly states that the project at that time was under MPL/LGPL

4) Open Questions
===============================================================

Could anyone clarify the issue

* Is this only an accident and we just need to upload the old pom.xml?
* Is the current itext-4.2.0.jar legally dangerous and should be removed from Maven Central?
* Could a re-distribution of pom.xml indeed change the licence terms many years later?
* What are the legal implications in this case if a LGPL library suddenly turns into viral GPL? Legal hell? Cease and desist letters?

Thanks in advance

Siegfried Goeschl
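
The manual comparison made in the message above (licences declared by the POM embedded in the jar versus the POM served by the repository, plus the relocation target) can be automated; this is an added example, not part of the original message. The POM snippets are abridged from the excerpts quoted above, the xmlns on the repository POM and the in-memory jar are constructed for the example, and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Path of the embedded POM as quoted in the message.
EMBEDDED_POM = "META-INF/maven/com.lowagie/itext/pom.xml"

# Constructed samples, abridged from the two POM excerpts in the message.
JAR_POM = b"""<project><licenses>
  <license><name>GNU General Lesser Public License (LGPL) version 3.0</name></license>
  <license><name>Mozilla Public License Version 2.0</name></license>
</licenses></project>"""
# The xmlns is added here (assumption) to show that namespaced POMs parse the same way.
REPO_POM = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>GNU Affero General Public License v3</name></license></licenses>
  <distributionManagement><relocation>
    <groupId>com.itextpdf</groupId><artifactId>itextpdf</artifactId><version>5.5.6</version>
  </relocation></distributionManagement>
</project>"""

def _local(tag):
    """Strip an XML namespace prefix such as '{http://...}license'."""
    return tag.rsplit("}", 1)[-1]

def pom_facts(pom_bytes):
    """Return (sorted license names, relocation coordinates or None)."""
    licenses, relocation = [], None
    for el in ET.fromstring(pom_bytes).iter():
        fields = {_local(c.tag): " ".join((c.text or "").split()) for c in el}
        if _local(el.tag) == "license" and fields.get("name"):
            licenses.append(fields["name"])
        elif _local(el.tag) == "relocation":
            relocation = ":".join(fields.get(k, "?") for k in ("groupId", "artifactId", "version"))
    return sorted(licenses), relocation

def sample_jar():
    """Build an in-memory stand-in for itext-4.2.0.jar holding only the embedded POM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(EMBEDDED_POM, JAR_POM)
    return buf.getvalue()

def compare(jar_bytes, repo_pom_bytes):
    """Compare what the jar declares about itself with what the repository POM declares."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        jar_licenses, _ = pom_facts(jar.read(EMBEDDED_POM))
    repo_licenses, relocation = pom_facts(repo_pom_bytes)
    return {"jar": jar_licenses, "repo": repo_licenses, "relocation": relocation,
            "mismatch": jar_licenses != repo_licenses}

if __name__ == "__main__":
    print(compare(sample_jar(), REPO_POM))
```

A mismatch only shows that the two metadata files disagree; neither POM is covered by a checked signature in the transcript above, since both gpg runs ended with "public key not found".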