New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Downloads have incomplete notices and license texts #2794
Comments
Hi @pombredanne Apologies it has taken so long to reply. Trove and Snappy have been removed a while ago. Sigar, JNA and JTS are imported, and distributed as part of the Elasticsearch package, but (as I understand it) are not linked. From my reading, we need to include a notice explaining the licenses of these works (and linking to the source), but are not required to provide the source itself. Is my understanding here correct? If so, and you are still up for sending a PR, that'd be awesome. |
I'm currently looking into this as well because I'm trying to embed ElasticSearch in Amdatu, which is also Apache licensed. As I understand it, it would only be allowed to use a LGPLv2 libraries when they are completely optional. This is currently not the case, because there is a compile time dependency on JTS classes. Sources: http://copyleft.org/guide/comprehensive-gpl-guidech11.html#x14-9800010.4 and http://www.apache.org/legal/resolved.html. |
@paulbakker @clintongormley That said, the policies of the Apache Foundation wrt. LGPL are for own-released code, not for ES or anybody else. The interpretation of copyleft.org linked by @paulbakker above is rather clear, and MO is that the general accepted approach is that it is OK for Apache-licensed Java code to depend on unmodified LGPL-licensed third-party Jars without having these Jars have an impact of the Apache licensing. This would considered as a work "using the library". The requirements of the LGPL still apply of course to the LGPL-licensed library. @clintongormley linking as understood when interpreting the LGPL does not really matter in Java as I would understand this to be of dynamic nature. My point here is that for ES to comply with these requirements, there are a few essential things to do such as ensuring the proper license texts and credit notices are produced where needed and that the corresponding source code is available for redistribution. And yes, the source code need to provided (either on request or simplest side-by-side or in the download itself) and this is not a requirement that can be delegated elsewhere IMHO. Note also that beyond LGPL-licensed components, the notices included in ES are rather minimalist and possibly incomplete and I would expect more from an open source project. All in all not a lot of work though @clintongormley I think it would be best for a project member to work on that than me ... Cordially |
Yea, we need to add JTS, JNA to the notice page, mention they use LGPLv2 license with relevant links to the project pages in the notice, we should also mention that they are optional (the system can run without them). Same for Sigar, except its under Apache2 version (and optional as well). This is similar to what projects like spring-framework do, where they integrate with Hibernate (LGPL) on the ORM layer, but its not required to run spring-framework. We should go over and add any missing libraries we depend on and make sure we list all of them under the notice file (like Guava, HPPC). @clintongormley I agree that a project member should do it. |
FWIW, the latest JNA 4.x is dual licensed LGPL or Apache, though it does not mean that the proper credit notice should not be produced IMHO |
@pombredanne thanks, yea, we should see if we can upgrade to it soonish. Agreed on notice, it is just a miss on our end, but we should put in the notice file all the libraries we use, the license they are under, the URL to the project page, and if its optional or not. |
@kimchy you are already using JNA 4.1.0 ... and I assume you would be selecting the Apache license ... ;) |
@pombredanne argh, I read the sentence wrongly, of course, we choose Apache, same way we do with Jackson :) |
The downloads are missing the LGPL 2.1 license text and some kind of notice for both JNA and JTS. Getting the sources would be good too.
The Snappy notice is missing too (even though it is deprecated, it is still distributed)
As well as the Sigar notice and may be a few other.
@kimchy Tell me if you want a pull request for this
It could make sense to have a doc folder where the notices lay, as well as keep in Git the sources for the LGPL-licensed bits to honor source code redistribution.
The text was updated successfully, but these errors were encountered: