-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday, May 17, 2012 11:45:00 AM Kevan Miller wrote: > On May 17, 2012, at 8:34 AM, Josh Thompson wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On Wednesday, May 16, 2012 10:37:02 AM Kevan Miller wrote: > >> On May 11, 2012, at 3:17 PM, Josh Thompson wrote: > >>> Kevan, > >>> > >>> Ugh. Thanks for looking at this. I guess it goes to show you can't > >>> just > >>> trust that another project that says it is MIT licensed is *completely* > >>> MIT > >>> licensed. :( I'll figure out a way to deal with it. If it works out > >>> that > >>> bcpowmod.php and str_split.php are not actually needed, can I just > >>> remove > >>> them? If so, do I need to document that modification somewhere? > >> > >> BTW, vcl/trunk/web/.ht-inc/phpseclib/index.html refers to PHP Secure > >> Communications Library as LGPL-licensed. Which is contradicted by > >> http://phpseclib.sourceforge.net/ > >> > >> It looks like our documentation comes from > >> http://phpseclib.sourceforge.net/documentation/ -- I'd check with the > >> phpseclib project. Seems to be their reference to LGPL is unintended or > >> inconsistent. bcpowmod.php's LGPL license would seem to be a problem with > >> this, however… > >> > >> --kevan > > > > After looking further, there are only two files (AES.php and Rijndael.php) > > needed from the phpseclib project, and both of them appear as though they > > were written to be able to be included by themselves (i.e. each one > > contains information about the author, the project, and the license). > > Both files state that they are MIT licensed and contain that license in > > them. Is it normal to just pull in specific files from another project, > > or is it better to include the whole project? > > First, I should say that all my comments are from a purely procedural > nature… I'm not making any comments on the function. > > It's more "normall" to pull in whole projects. Certainly true when you're > pull in as dependencies. Advantage is that as fixes are made to original > library, you pull in as a dependency (and don't have to migrate any source > fixes). More later... > > That doesn't mean that whole projects is "better". Both can be equally > correct. In this case, only pulling in the two files would seem perfectly > fine to me. > > Can I please ask that the LGPL files be removed from SVN immediately? Please > treat this as a -1 on the original svn commit as the commit contains LGPL > licensed code. Removing the offending files from svn will address my veto. > > As a (final?) piece of mentor education, see: > > http://www.apache.org/foundation/voting.html#votes-on-code-modification > http://www.apache.org/foundation/voting.html#Veto > > > My only other experience in including another open source project in one I > > work on is from including the Dojo Toolkit with VCL. In that case, it > > seemed to make the most sense to include the whole thing. > > Right. So, both techniques are used. Which is most appropriate, depends on > the situation. > > License wise, it seems simplest to just include the two files in the > > release, but I just want to make sure we do the right thing in respecting > > other open source projects. > > In general copying code is less desirable than including released software > from another project. A description of this practice (with negative > connotations) would be "forking" (though forking usually refers to an > entire project). In general, we'd prefer to collaborate with other > projects, rather than copy their code. > > However, open source gives us the flexibility to choose. And we should feel > free to choose what best fits the needs of the project -- taking all > factors into account... > > In this case, we should definitely raise the licensing questions that have > been raised with the phpseclib project (no matter how we resolve the > issue). And, by the way, perhaps there was a mistake made and those files > aren't LGPL -- we may learn something... > > --kevan
Kevan, Thanks for your thoughts and pointing out the code modification veto process (I wasn't aware of that). I removed the offending files and emailed the project maintainer regarding the discrepancy in licensing. Josh - -- - ------------------------------- Josh Thompson VCL Developer North Carolina State University my GPG/PGP key can be found at pgp.mit.edu All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iEYEARECAAYFAk+1YJEACgkQV/LQcNdtPQMdqwCfVL0kJ7yWds73jEi+Xe4Uo7iu m/0AnjSIpFn1UjAbDNCIMMsIO0Ew1MVd =SR3z -----END PGP SIGNATURE-----
