incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Couchman <>
Subject Re: Help with Dependency Licensing
Date Wed, 12 Apr 2017 15:30:19 GMT
On Wednesday, April 12, 2017 8:23 AM, Shane Curcuru <> wrote:

 Nick Couchman wrote on 4/11/17 10:26 AM:
>> Hello, everyone,I'm currently working on the Guacamole incubator
>> project, and am developing an extension for the project that has
>> dependencies on binaries (JARs via Maven) that are licensed under
>> Category-X licenses.  We've already determined that we cannot
>> distribute a binary version of this extension, but, since it is an
>> extension (and not core to the functionality of the product), we
>> should be able to distribute the source code with build instructions
>> for the users. 
> It's not completely clear from your description what specific bits of
> code are going where, so a more detailed description might help.  But my
> first guess would be no.  The CatX policy is pretty clear: don't include
> Category X code in Apache repos or releases:
So, I'm writing an extension for the Guacamole client that allows authentication against RADIUS
servers.  Guacamole is written in Java and leverages the Maven repository to pull in dependencies.
 There are a couple of different implementations of RADIUS libraries for Java, the most complete
of which is JRadius.  JRadius is licensed under LGPL-2.1.  The only other freely-available
option is TinyRadius, which is extremely incomplete, is also LGPL-licensed.  So, barring
writing my own implementation of a RADIUS library, I'm kind of out of options.
Some things to note regarding the use of JRadius:- I am not including source code for JRadius
in the project.  I am using the Java classes, downloaded by Maven in binary format, and calling
those classes from the source code.- This is an authentication extension to the Guacamole
client, and is not "core" functionality.- At this point, we do not plan to distribute any
binary code related to this extension.  The plan is to put the extension source code in the
main repository and provide instructions for building the component.  A section in the legal
page referenced above asks about Apache-licensed components depending on components that use
prohibited licenses, and the answer (roughly) is that you cannot distribute the components
(check) and it cannot be core to the product (this *extension* is not).

> The reasoning for this is twofold:
> - Legal issues.  We obviously want to carefully comply with how everyone
> else's licenses, so GPL or any similar kind of code is inappropriate to
> use in any Apache work.
> - Policy issues.  Immaterial of caselaw or potential legal rulings, the
> ASF only wants to incorporate third party works in ways that respect the
> intent of third party licenses.  The JSON license is an example here,
> since it's unspecific call for 'Good, not Evil' is incompatible with our
> policy that our users can use the software for whatever they want.
> In any case, it sounds like your PPMC needs to provide a more detailed
> description of the issue, and open a Legal JIRA to get a definitive answer:

I'll open a Legal JIRA.

To unsubscribe, e-mail:
For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message