
Re: Possible problematic terms of use of OSGi library

On 09.12.2015 at 02:18, Mikołaj Izdebski wrote:
> On Tue, Dec 8, 2015 at 1:01 PM, Arnaud Vandyck <avandyck@gmail.com> wrote:
>> I was on my way trying to package org.osgi.core 6 and before downloading I
>> have to agree with this page:
>> https://www.osgi.org/developer/downloads/release-6/release-6-no-form/
>> In the "License Grant", it seems that it could be problematic to package
>> osgi in Debian. Am I right?
>> Any thoughts?
> My thoughts on this matter:
> OSGi code can be considered part of specification, which is non-free.
> Downloading code from upstream page requires accepting non-free
> license first. Upstream website does not have a separate license page
> for code accompanying the specification.
> License headers alone can't be used as authoritative information about
> licensing of the project as a whole. Many projects don't add their own
> copyright headers, but retain headers of files coming from other
> projects they forked or bundled.
> So IMHO licensing and DFSG status of OSGi code is not clear. Other
> GNU/Linux distros (at least Fedora and RHEL) decided against packaging
> and distributing any code from OSGi alliance.

If you are questioning the license terms of OSGi packages in Debian,
then there is only one way to find out if your suspicion is correct.
Please contact the copyright holder(s) and ask them to clarify the
license terms of their source distributions of the OSGi specification.
If you get an authoritative and public response from the copyright
holder(s) that the Apache 2.0 license does not apply to their
distributed code on maven central (see [1], from where we downloaded
those files), then please file bug reports against all OSGi packages
with severity serious and explain why those packages are not in
compliance with the original intent of the copyright holders and why
they violate the DFSG. All packages that violate the DFSG will then be
removed ASAP.

At the moment we distribute the OSGi specification under the terms of
the Apache-2.0 license and we have no indication that we misrepresent
the original intent of the copyright holder. All files are clearly
marked as distributed under the terms of the Apache-2.0 license with
copyright OSGi Alliance. If they were modified by another party, the
Apache 2.0 license requires that:

"You must cause any modified files to carry prominent notices
  stating that You changed the files;"

Since there is no sign of any modification, we must assume that the OSGi
Alliance is the copyright holder that distributed those files without
any modifications by third parties under the terms of the Apache-2.0
license until there is unmistakable evidence that those license headers
are wrong, manipulated and not the original intent of the copyright holder.

My point of view:


If you agree to those license terms you are allowed to download the
specification in _bytecode format_, not as source files. This is similar
to the Android project where binary distributions may have different
license terms to ensure that there is only one "official" version.
However the source files are freely licensed and those files are
distributed by Debian. We have the same situation here.




