From: "Leonard Lausen (Jira)"
To: general@incubator.apache.org
Date: Thu, 2 Jul 2020 05:09:00 +0000 (UTC)
Subject: [jira] [Comment Edited] (INCUBATOR-253) Issues with MXNet releases and their distribution

[ https://issues.apache.org/jira/browse/INCUBATOR-253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17149872#comment-17149872 ]

Leonard Lausen edited comment on INCUBATOR-253 at 7/2/20, 5:08 AM:
-------------------------------------------------------------------

I'm including below an excerpt from the MXNet report to the Incubator:

{code:java}
#### Issues with releases and distributions

##### Background

In May 2020 the MXNet PPMC has proactively initiated an ASF policy compliance
review [1] and a license review [2] with the Apache Legal team.

The license review uncovered that
- Building unmodified MXNet release source code with the optional NVidia GPU
  support enabled results in a binary subject to restrictions of NVidia EULA.
- PPMC members and committers uploaded convenience releases to
  repository.apache.org which contain Category-X components. Both GPL and
  NVidia EULA components were found.

The policy review uncovered that:
- Prior ASF guidance to the PPMC (December 2018 legal review [3]) was incomplete
  and did not include a reference to the "unwritten" rule that convenience
  binary distributions created by third-parties using ASF Trademarks must not
  include Category-X components. Based on this discovery, the Draft Downstream
  Distribution Branding Policy was updated in June 2020 to include the
  "unwritten" requirement. Based on the updated guidance, PPMC discovered
  various third-party trademark infringements.

The policy review did not yet conclude on the questions if
- The PPMC may create nightly development builds (audience restricted to dev
  list subscribers as per Release policy [4]) for the purpose of testing and
  developing MXNet;

##### List of issues and their status

Justin classified the issues into 14 items.

1. Source and convenience binary releases containing Category X licensed code.
See summary from license review in Background section.
Source code releases do not contain Category X code; Takedown of binary releases on
repository.apache.org is pending on Apache Infra. (Trademark infringements of
3rd-parties such as on pypi are discussed separately)

2. Website giving access to downloads of non released/unapproved code.
Website contained links to nightly development builds which have been removed
[5]; Going forward the PPMC intends to begin periodical voting on Alpha and
Beta Releases which will then be linked from the website.

3. Website giving access to releases containing Category X licensed code.
Website contained links to third-party distributions incorporating Category-X
components (see summary from license review above). Disclaimers were added to
the website clarifying the third-party status of the releases and their
licenses. [5]

4. Web site doesn't give enough warning to users of the issues with non
(P)PMC releases or making it clear that these are not ASF releases.
Website contained links to third-party distributions incorporating Category-X
components (see summary from license review above). Disclaimers were added to
the website clarifying the third-party status of the releases and their
licenses. [5]

5. Maven releases containing Category X licensed code.
See summary from license review in Background section. Source code releases do
not contain Category X code; Takedown of binary releases on
repository.apache.org is pending on Apache Infra. [6] (Trademark infringements
of 3rd-parties are discussed separately)

6. PyPI releases containing Category X licensed code.
There are no PyPI releases by the PPMC. Please refer to the trademark
infringement section of the report.

7. Docker releases containing Category X licensed code.
There are no Docker releases by the PPMC. Please refer to the trademark
infringement section of the report.

8. Docker releases containing unreleased/unapproved code.
There are no Docker releases by the PPMC.
The existence of third-party releases
containing unreleased code was approved in [3] and is also in line with the
current Downstream Distribution Branding Draft Policy. ("using any particular
revision from the development branch is OK" [3])

9. Trademark and branding issues with PyPI and Docker releases.
There are no PyPI releases by the PPMC. Please refer to the trademark
infringement section of the report.

10. Trademark and brand issues with naming of releases.
There are no binary releases by the PPMC besides the repository.apache.org
releases discussed above, which are being removed. Please refer to the
trademark infringement section of the report.

11. Developer releases available to users and publicly searchable
https://repo.mxnet.io / https://dist.mxnet.io
Links to the nightly development builds were removed from the MXNet website and
a robot.txt file was added to prevent indexing of the sites. These websites are
removed from Google search index.

12. Releases and other nightly builds on https://repo.mxnet.io /
https://dist.mxnet.io containing category X licensed code.
Neither of the two sites contains Releases. It is an open question of the policy
review (see Background section above) if nightly development builds may or may
not contain Category X components.

13. Lack of clarity on all platforms for what is an ASF release and what is not.
https://github.com/apache/incubator-mxnet/releases?after=1.2.0 previously did
not distinguish MXNet releases prior to MXNet joining the Incubator. Disclaimers
were added. Other PPMC platforms do not contain references to non-ASF releases
(MXNet releases made prior to MXNet joining the ASF). The PPMC is aware of
old third-party releases created prior to MXNet joining the ASF which are still
available, but can be clearly separated from the ASF MXNet releases due to the
lack of reference to the Apache foundation. PPMC was able to find an exemplar
such release at [7].
If there are concerns from the Incubator, PPMC can request
the third-parties to take down these releases, as editing their Description to
include references to events (MXNet joining Apache) is not supported due to
immutability constraints. [8]

14. Branding and release of 3rd parties containing unreleased code.
(e.g. https://docs.nvidia.com/deeplearning/frameworks/mxnet-release-notes/rel_20-03.html)
Please refer to the trademark infringement section of the report.

[1]: https://issues.apache.org/jira/browse/LEGAL-515
[2]: https://issues.apache.org/jira/browse/LEGAL-516
[3]: https://s.apache.org/flvug
[4]: http://www.apache.org/legal/release-policy.html#publication
[5]: https://github.com/apache/incubator-mxnet/commit/b6b40878f0aba2ba5509f3f3a4cd517a654847ce#diff-19bc831c1dab6d92d2efc3b87ec5c740
[6]: https://issues.apache.org/jira/browse/INFRA-20442
[7]: https://pypi.org/project/mxnet/0.9.5/
[8]: https://mail.python.org/pipermail/distutils-sig/2017-December/031826.html

#### Is the PPMC managing the podling's brand / trademarks?

Are 3rd parties respecting and correctly using the podling's name and brand? If
not what actions has the PPMC taken to correct this? Has the VP, Brand approved
the project name?

PPMC notes that there are multiple trademark infringements based on both the
redistribution of MXNet with addition of unreleased code and the redistribution
of MXNet with Category-X GPL and Category-X NVidia components. PPMC intends to
handle both issues separately:

##### Unauthorized redistribution of unreleased code by third-parties

PPMC members have reached out to the offending third parties (Nvidia Corporation
and Amazon Web Services) via unofficial channels and notified them of the
problem. If the problem is not resolved by the end of July 2020, PPMC will
request guidance from the Brand Management Team on how to formally notify the
offenders of their trademark infringement.

##### Unauthorized redistribution of Category-X GPL and NVidia CUDA EULA components by third-parties

PPMC members note that the issue of "NVidia CUDA EULA infecting any application
built with CUDA support" is an industry-wide problem. PPMC is not aware of any
individual or corporation correctly labeling their binary distributions subject
to the NVidia CUDA EULA. Instead, PPMC found that for example Facebook claims
distribution of PyTorch under BSD License (BSD-3) and Google claims
distribution of Tensorflow under Apache 2.0 License, despite both being subject
to the CUDA EULA. Thus, PPMC has contacted NVidia Corporation and requested
NVidia Corporation to add clarifying language that applications based on the
CUDA SDK with material additional functionality may be licensed under a license
of the application owner's choice, consistent with existing industry "practice".
The issue was also discussed with NVidia and other Deep Learning Framework
implementers during the Nvidia Deep Learning Framework Developer Council meeting,
during which NVidia promised to conclude their internal review and follow-up
with the PPMC.

PPMC thus recommends to give NVidia the chance to clarify and improve their
license. As NVidia employs a team for working on MXNet, the PPMC is optimistic
about receiving a detailed clarification and resolution from NVidia.

If NVidia fails to clarify their license or the resolution is unsatisfactory
within Q3 2020, the PPMC will notify any third-parties about their license
infringement and ask them to take down or rename their redistributions
containing Category-X pieces.

Due to the substantial overhead of trademark-infringement takedown notices for any
involved party, PPMC is further awaiting NVidia's clarification prior to
contacting third-parties about trademark infringement due to inclusion of GPL
components. This is to avoid sending two separate takedown notices in case of
an unsatisfactory response by NVidia.

The following downstream software distributors are known to the PPMC to be using
the name MXNet while redistributing Category-X components
- pypi.org
- hub.docker.com
- ngc.nvidia.com
- aws.amazon.com
{code}

> Issues with MXNet releases and their distribution
> -------------------------------------------------
>
> Key: INCUBATOR-253
> URL: https://issues.apache.org/jira/browse/INCUBATOR-253
> Project: Incubator
> Issue Type: Improvement
> Reporter: Justin Mclean
> Assignee: Justin Mclean
> Priority: Major
>
> The main issues are:
> 1. Source and convenience binary releases containing Category X licensed code.
> 2. Website giving access to downloads of non released/unapproved code.
> 3. Website giving access to releases containing Category X licensed code.
> 4. Web site doesn't give enough warning to users of the issues with non (P)PMC releases or making it clear that these are not ASF releases.
> 5. Maven releases containing Category X licensed code.
> 6. PyPI releases containing Category X licensed code.
> 7. Docker releases containing Category X licensed code.
> 8. Docker releases containing unreleased/unapproved code.
> 9. Trademark and branding issues with PyPI and Docker releases.
> 10. Trademark and brand issues with naming of releases.
> 11. Developer releases available to users and publicly searchable https://repo.mxnet.io / https://dist.mxnet.io
> 12. Releases and other nightly builds on https://repo.mxnet.io / https://dist.mxnet.io containing category X licensed code.
> 13. Lack of clarity on all platforms for what is an ASF release and what is not.
> 14. Branding and release of 3rd parties containing unreleased code. (e.g. https://docs.nvidia.com/deeplearning/frameworks/mxnet-release-notes/rel_20-03.html)
> For PyPI see:
> https://pypi.org/project/mxnet/
> For Docker see:
> https://hub.docker.com/u/mxnet
> For web site pages see:
> https://mxnet.apache.org/get_started?
> https://mxnet.apache.org/get_started/download
> I may have missed something, if so please add it.