incubator-general mailing list archives

From Steve Loughran
Subject Re: [Proposal] Accept Jena into the Incubator
Date Mon, 15 Nov 2010 10:31:13 GMT
On 13/11/10 04:17, Paolo Castagna wrote:
> Jeremy Carroll wrote:
>> On 11/12/2010 11:51 AM, Paolo Castagna wrote:
>>> Also (from the JenaProposal):
>>> "The Jena GRDDL Reader has some additional dependencies:
>>> BrowserLauncher2 could be removed in favor of a much simpler approach
>>> (i.e. write it in a file!).
>> That is actually superseded by a Java6 facility, so I should do a
>> small piece of recoding and remove the dependency
> +1
> (and, if I can help, let me know.)
> Of course, it would be even easier/less work, to remove the click
> through altogether (this is probably my favorite option).
>>> What other Apache projects do in a similar situation (i.e. you want
>>> to warn the user about some potential security issues and therefore
>>> you ask the user to actively agree, press a button, etc. to make sure
>>> the user reads it (I know, I know...))?
>> The GRDDL component runs XSLT from the Web, in a sandbox.
>> The HP lawyer who advised, understanding the risks of running 3rd
>> party code, wanted an explicit user action to agree to the BSD license
>> terms, to have a firmer leg to stand on if the 3rd party code
>> proved malicious, and the sandbox inadequate.
>> (The browser launcher is used only for the click through agreement to
>> BSD)
> I was not able to find a single Apache project which requires a click
> through to 'ensure' users agree to the license.

It really screws up things like transitive Ivy/Maven downloads too; you
make an enemy of people downstream. That's why Sun JARs with click
through licenses aren't there.

For Jena, maybe untrusted XSL is some feature that should be turned on 
via a config option, not click-through.
