incubator-general mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: Binary Convenience Package Dependencies
Date Mon, 05 Jan 2015 22:59:02 GMT
The "answers" below are not on behalf of the ASF, but based on what the
common sense appears to be, from my individual perspective.

In particular, your project is not relieved from learning what a license
requires of it and demonstrating satisfaction of such requirements.

 -- replying below to --
From: Alex Harui [] 
Sent: Monday, January 5, 2015 09:52
Subject: Re: Binary Convenience Package Dependencies

[ ... ]
>2A) If your build script downloads an MPL jar, must it provide an option
>to download the source?
>2B) If your build script downloads an MPL jar, is any other additional
>warning or explicit action required?

   It depends on what the governing license requires with respect to 
   whatever is being done with the download.  If you are redistributing
   the jar or anything in it, see (2C).

   As a *practice* it can be valuable to download accompanying licenses
   and to make it clear where the download is obtained.  That's a matter
   of being transparent with regard to the provenance of code being used
   and what version it is, etc.  That can matter in the event there is a
   later concern about revelations of upstream defects, vulnerabilities,
   and such.

   Presumably the upstream source will provide any determination on the
   availability of source code.  (In (2B) there is no indication that the
   ASF project is accessing such source code itself.)

>2C) If your binary package bundles an MPL jar (assuming the answer to #1
>allows it), must it provide an option to download the source?

   This item has nothing to do with the ASF policy about category B software.
   For (2C), the obligation is to comply with the MPL license with respect
   to redistribution of a binary component that is provided under that 

   In particular, what other ASF projects might or might not do is not a
   reliable precedent for what your project does.  What your project must
   do is comply with the applicable license.  There may be additional steps
   required as part of the ASF policy and recommendations, but the minimum
   is determined by the governing license.

   For example, your project's LICENSE and NOTICE files included in your
   binary package bundle will likely also address the presence of the 
   MPL-licensed dependency, as required in accordance with ASF policy.


To unsubscribe, e-mail:
For additional commands, e-mail: