Hi folks,

I have a simple question - is it possible/legal to change the software 
licence by simply re-distributing a POM a couple of years later?

During a code review I came across a project using itext-4.2.0-jar. 

AFAIK iText 2.1.7 was the last version under MPL/LGPL and later they moved to 
AGPL V3 - I suggested to remove the library but the developer insisted that the 
library was indeed under MPL :-O

* He showed me itext-4.2.0.jar/META-INF/maven/com.lowagie/itext/pom.xml clearly 
displaying an MPL/LGPL licence
* I pointed him to 
http://search.maven.org/#artifactdetails%7Ccom.lowagie%7Citext%7C4.2.0%7Cpom 
clearly displaying an AGPL V3 licence

But the 
http://search.maven.org/remotecontent?filepath=com/lowagie/itext/4.2.0/itext-4.2.0.pom
 actually contains a "relocation" section

<licenses>
    <license>
        <name>GNU Affero General Public License v3</name>
        <url>http://www.fsf.org/licensing/licenses/agpl-3.0.html</url>
    </license>
</licenses>
<distributionManagement>
    <relocation>
        <groupId>com.itextpdf</groupId>
        <artifactId>itextpdf</artifactId>
        <version>5.5.6</version>
        <message>After release 2.1.7, iText moved from the MPLicense to the AGPLicense.
        The groupId changed from com.lowagie to com.itextpdf and the artifactId from itext to itextpdf.
        See http://itextpdf.com/functionalitycomparison for more information.</message>
    </relocation>
</distributionManagement>

Mhmm, that puzzled me because itext-4.2.0.jar still has "com.lowagie" package 
name so I started digging through Maven Central


1) What Maven Central Says
===============================================================

http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/

itext-4.2.0-bundle.jar.asc          20-Sep-2012 16:34      490
itext-4.2.0-bundle.jar.asc.md5      20-Sep-2012 16:34       32
itext-4.2.0-bundle.jar.asc.sha1     20-Sep-2012 16:34       40
itext-4.2.0-javadoc.jar             20-Sep-2012 16:34  4498819
itext-4.2.0-javadoc.jar.asc         20-Sep-2012 16:34      490
itext-4.2.0-javadoc.jar.asc.md5     20-Sep-2012 16:34       32
itext-4.2.0-javadoc.jar.asc.sha1    20-Sep-2012 16:34       40
itext-4.2.0-javadoc.jar.md5         20-Sep-2012 16:34       32
itext-4.2.0-javadoc.jar.sha1        20-Sep-2012 16:34       40
itext-4.2.0-sources.jar             20-Sep-2012 16:34  4061295
itext-4.2.0-sources.jar.asc         20-Sep-2012 16:34      490
itext-4.2.0-sources.jar.asc.md5     20-Sep-2012 16:34       32
itext-4.2.0-sources.jar.asc.sha1    20-Sep-2012 16:34       40
itext-4.2.0-sources.jar.md5         20-Sep-2012 16:34       32
itext-4.2.0-sources.jar.sha1        20-Sep-2012 16:34       40
itext-4.2.0.jar                     20-Sep-2012 16:34  2243043
itext-4.2.0.jar.asc                 20-Sep-2012 16:34      490
itext-4.2.0.jar.asc.md5             20-Sep-2012 16:34       32
itext-4.2.0.jar.asc.sha1            20-Sep-2012 16:34       40
itext-4.2.0.jar.md5                 20-Sep-2012 16:34       32
itext-4.2.0.jar.sha1                20-Sep-2012 16:34       40
itext-4.2.0.pom                     10-Jul-2015 08:16     2156
itext-4.2.0.pom.asc                 10-Jul-2015 08:16      821
itext-4.2.0.pom.asc.md5             09-Jul-2015 12:33       32
itext-4.2.0.pom.asc.sha1            09-Jul-2015 12:33       40
itext-4.2.0.pom.md5                 10-Jul-2015 08:16       32
itext-4.2.0.pom.sha1                10-Jul-2015 08:16       40

Interesting - the pom.xml was re-distributed a couple of months ago while the 
iText library is still from 2012. I guess the redistribution was caused by the 
additional "relocation" section of the pom.xml

> wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar
> wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.jar.asc
> gpg --verify itext-4.2.0.jar.asc 

itext> gpg --verify itext-4.2.0.jar.asc 
gpg: assuming signed data in `itext-4.2.0.jar'
gpg: Signature made Thu Sep 20 17:24:41 2012 CEST using RSA key ID 5FC3427B
gpg: Can't check signature: public key not found

> wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom
> wget http://repo1.maven.org/maven2/com/lowagie/itext/4.2.0/itext-4.2.0.pom.asc
> gpg --verify itext-4.2.0.pom.asc 
gpg: assuming signed data in `itext-4.2.0.pom'
gpg: Signature made Fri Jul 10 10:15:36 2015 CEST using RSA key ID D401AB61
gpg: Can't check signature: public key not found


2) Checking the itext-4.2.0.jar metadata
===============================================================

A closer look at the itext-4.2.0.jar shows the following pom.xml

<project>
    <licenses>
        <license>
            <name>GNU General Lesser Public License (LGPL) version 3.0</name>
            <url>http://www.gnu.org/licenses/lgpl.html</url>
            <distribution>repo</distribution>
        </license>
        <license>
            <name>Mozilla Public License Version 2.0</name>
            <url>http://www.mozilla.org/MPL/2.0/</url>
            <distribution>repo</distribution>
        </license>
    </licenses>
   
    <name>iText-4.2.0</name>
    <url>https://github.com/weiyeh/iText-4.2.0</url>
    <description>This is a build of the last MPL version of iText.</description>
    <scm>
        <url>scm:git:https://github.com/weiyeh/iText-4.2.0.git</url>
        <connection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</connection>
        <developerConnection>scm:git:https://github.com/weiyeh/iText-4.2.0.git</developerConnection>
    </scm>

</project>

Looking at https://github.com/weiyeh/iText-4.2.0 shows that this is a fork of 
a static mirror of the original iText project

So this is actually not an official build from the iText developers so I 
checked the "official" SourceForge SVN repo


3) What SourceForge Says
===============================================================

I dug through the SourceForge SVN repo and there is indeed a tag "Unofficial 
release: iText 4.2.0"

* http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/www/lowagie/
* http://sourceforge.net/p/itext/code/HEAD/tree/tags/iText_4_2_0/src/core/com/lowagie/text/Anchor.java

clearly states that the project at that time was under MPL/LGPL


4) Open Questions
===============================================================

Could anyone clarify the issue

* Is this only an accident and we just need to upload the old pom.xml?
* Is the current itext-4.2.0.jar legally dangerous and should be removed from 
Maven Central?
* Could a re-distribution of pom.xml indeed change the licence terms many 
years later?
* What are the legal implications in this case if a LGPL library suddenly turns 
into viral GPL? Legal hell? Cease and desist letters?


Thanks in advance

Siegfried Goeschl
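
The comparison carried out by hand in the message above, as an added example that is not part of the original post: it reads the licences from the POM embedded in a JAR and from the repository POM, then reports a mismatch or a relocation. The sample POMs are constructed from the elements quoted above, and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed samples, reduced to the elements quoted in the post.
REPO_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <licenses><license><name>GNU Affero General Public License v3</name></license></licenses>
  <distributionManagement><relocation>
    <groupId>com.itextpdf</groupId><artifactId>itextpdf</artifactId><version>5.5.6</version>
  </relocation></distributionManagement></project>"""
EMBEDDED_POM = """<project><licenses>
  <license><name>GNU General Lesser Public License (LGPL) version 3.0</name></license>
  <license><name>Mozilla Public License Version 2.0</name></license>
</licenses></project>"""
EMBEDDED_PATH = "META-INF/maven/com.lowagie/itext/pom.xml"

def local(tag):  # drop an XML namespace prefix such as {http://maven.apache.org/POM/4.0.0}
    return tag.rsplit("}", 1)[-1]

def pom_facts(xml_text):
    """Return (sorted licence names, relocation target or None) declared in a POM."""
    licences, relocation = set(), None
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "license":
            licences.update((c.text or "").strip() for c in el if local(c.tag) == "name")
        elif local(el.tag) == "relocation":
            parts = {local(c.tag): (c.text or "").strip() for c in el}
            relocation = ":".join(parts.get(k, "?") for k in ("groupId", "artifactId", "version"))
    return sorted(licences), relocation

def make_sample_jar():  # in-memory JAR holding only the embedded POM (constructed input)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(EMBEDDED_PATH, EMBEDDED_POM)
    return buf.getvalue()

def audit(jar_bytes, repo_pom_text):
    """Compare licences in the JAR's embedded POM(s) with the repository POM."""
    repo_licences, relocation = pom_facts(repo_pom_text)
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                embedded, _ = pom_facts(jar.read(name).decode("utf-8"))
                if embedded != repo_licences:
                    findings.append(f"licence mismatch in {name}: {embedded} vs {repo_licences}")
    if relocation:
        findings.append(f"repository POM relocates to {relocation}")
    return findings
```

Calling `audit(make_sample_jar(), REPO_POM)` returns one finding for the licence mismatch and one for the relocation; on real artifacts, pass the bytes of the downloaded JAR and the text of the downloaded `.pom`.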

