[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
|
Hey Eugene
Eugene Kuleshov wrote:
Jeff McAffer wrote:
If there is something in Maven that says that all archetypes in a
repo have the same license and Maven asks the user to agree to the
license for that repo when adding the repo then yes.
I don't think there is any such thing in Maven
Otherwise, this is jumping the gun IMHO. Its like saying, enter a
URL and then assuming that because the user entered the URL they are
giving you implicit consent to agree to all licenses on all things in
that repo.
Jeff, if I follow your logic, we have pretty much the same situation
with CVS plugin distributed with Eclipse Platform. So, user can enter
an CVS url and then checkout some projects with gazillion of
dependencies and custom builders configured to run on JDT build. But
there was not any license confirmation or anything in the CVS project
checkout UI.
INAL but I think there si a difference here in that one is downloading
source that the user will then see the license for (e.g., in the
copyright headers) and is not yet shipping vs. downloading binary that
is then combined with existing binaries and used/run. if this were not
true then we would not be asking the license questions we ask in p2.
Of course do not support or encourage installing anything without
the user consent. It was my perception that by providing the
information to identify the archetype/artifact the user was already
allowing access. You summarized it perfectly above.
While I am not that familiar with Maven, someone saying that they
want to have a Foo is not equivalent to them saying, "hey I am ok
with you installing GPL code". The if you are getting something on
the user's behalf then the user should know about and be agreeing to
the licenses. If this is the case then there should not be an issue
with the repository since it is just another place to get stuff. The
list of "known repos" should be open, modifiable/extensible but
beyond that I don't see an IP issue.
of course, I could be completely off base here ...
Generally, all artifacts in Maven repositories have license
placeholder (and artifacts that came from the Maven namespace are all
APL licensed).
The archetype license could be shown to the user, but as a user I
think I will find it quite annoying if license confirmation would be
shown to me every time I need to create project.
Just imagine that new Java project wizard would ask you to confirm
the EPL license every time. :-)
I'm not saying anything about how, when or how many times the license
notice is show to the user except that how many >= 1 and when = before
the licensed code is installed. Presumably you do not download/install
the plugins for each project so doing it once the first time you
encounter each plugin should be sufficient.
Sidenote: Ultimately it is likely out of scope for the IP team to
mandate that you do this workflow whoever without this function there
are quite some number of development shops that will not accept Maven
tooling. There is a reason we have to ask the license questions that
are asked in p2. It was driven by people wanting to ensure that the dev
team knew the licenses for the tools they were using. Take these
comments as you will.
Jeff