peterwebster commented 10 years ago

After Paris, a medium-term need to detect and possible dependencies on GPL elements @anjackson

kris-sigur commented 10 years ago

Ran Maven's dependency reporting tool on all Wayback sub-projects. No GPL reported, only some LGPL (which should be fine).

Also a number of 'Unknown license', most of which were for Spring (which is Apache 2 at is therefor OK), but the others need to be looked at.

There are also a few non-standard licenses that probably should be vetted.

Full report follows:


(Apache 2) EasyMock (org.easymock:easymock:2.5.1 - http://www.easymock.org)
(Apache 2) Joda time (joda-time:joda-time:1.6 - http://joda-time.sourceforge.net)
(Apache License) Apache HttpCore (org.apache.httpcomponents:httpcore:4.3 - http://hc.apache.org/httpcomponents-core-ga)
(Apache License) HttpClient (commons-httpclient:commons-httpclient:3.1 - http://jakarta.apache.org/httpcomponents/httpclient-3.x/)
(Apache License, Version 2.0) An open source Java toolkit for Amazon S3 (net.java.dev.jets3t:jets3t:0.6.1 - http://jets3t.s3.amazonaws.com/index.html)
(Apache License, Version 2.0) Wayback CDX Server (org.netpreserve.openwayback:openwayback-cdx-server:2.0.0.BETA.3-SNAPSHOT - http://github.com/iipc/openwayback/openwayback-cdx-server)
(Apache License, Version 2.0) fastutil (it.unimi.dsi:fastutil:6.5.2 - http://fasutil.dsi.unimi.it/)
(Apache License, Version 2.0) jwat-arc (org.jwat:jwat-arc:1.0.1 - https://sbforge.org/display/JWAT/JWAT/jwat-arc)
(Apache License, Version 2.0) jwat-archive-common (org.jwat:jwat-archive-common:1.0.1 - https://sbforge.org/display/JWAT/JWAT/jwat-archive-common)
(Apache License, Version 2.0) jwat-common (org.jwat:jwat-common:1.0.1 - https://sbforge.org/display/JWAT/JWAT/jwat-common)
(Apache License, Version 2.0) jwat-gzip (org.jwat:jwat-gzip:1.0.1 - https://sbforge.org/display/JWAT/JWAT/jwat-gzip)
(Apache License, Version 2.0) jwat-warc (org.jwat:jwat-warc:1.0.1 - https://sbforge.org/display/JWAT/JWAT/jwat-warc)
(BSD style) XStream Core (com.thoughtworks.xstream:xstream:1.2.2 - no url defined)
(BSD) transform (com.flagstone:transform:3.0.2 - http://www.flagstonesoftware.com/transform/)
(Common Public License Version 1.0) JUnit (junit:junit:3.8.1 - http://junit.org)
(Common Public License) HTML Parser (org.htmlparser:htmlparser:1.6 - http://htmlparser.org)
(Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Classic Module (ch.qos.logback:logback-classic:1.0.9 - http://logback.qos.ch)
(Eclipse Public License - v 1.0) (GNU Lesser General Public License) Logback Core Module (ch.qos.logback:logback-core:1.0.9 - http://logback.qos.ch)
(Eclipse Public License v1.0) Eclipse JDT Core (org.eclipse.jdt:core:3.1.1 - http://www.eclipse.org/jdt/)
(GNU LESSER GENERAL PUBLIC LICENSE) BeanShell (org.beanshell:bsh:2.0b4 - no url defined)
(GNU Lesser General Public License Version 3+) DSI Utilities (it.unimi.dsi:dsiutils:2.0.12 - http://dsiutils.dsi.unimi.it/)
(GNU Lesser General Public License version 2.1 or later) GNU IDN Library (org.gnu.inet:libidn:1.15 - http://www.gnu.org/software/libidn/)
(GNU Lesser General Public License) fastutil (fastutil:fastutil:5.0.7 - http://fastutil.dsi.unimi.it/)
(Jedis License) Jedis (redis.clients:jedis:2.0.0 - http://code.google.com/p/jedis/)
(LGPL) JSAP (com.martiansoftware:jsap:2.1 - http://www.martiansoftware.com/jsap/)
(MIT License) SLF4J API Module (org.slf4j:slf4j-api:1.7.2 - http://www.slf4j.org)
(Mozilla Public License 1.1 (MPL 1.1)) juniversalchardet (com.googlecode.juniversalchardet:juniversalchardet:1.0.3 - http://juniversalchardet.googlecode.com/)
(Public Domain) AOP alliance (aopalliance:aopalliance:1.0 - http://aopalliance.sourceforge.net)
(Sleepycat License) je (com.sleepycat:je:4.1.6 - no url defined)
(The Apache Software License, Version 2.0) Access-Control: core library and client (org.netpreserve.openwayback:openwayback-access-control-core:1.0.2 - https://github.com/iipc/openwayback/openwayback-access-control-core)
(The Apache Software License, Version 2.0) Apache Log4j (log4j:log4j:1.2.17 - http://logging.apache.org/log4j/1.2/)
(The Apache Software License, Version 2.0) CDH Hadoop Maven Wrapper (com.cloudera.cdh:hadoop-ant:0.20.2-cdh3u4 - no url defined)
(The Apache Software License, Version 2.0) Commons CLI (commons-cli:commons-cli:1.2 - http://commons.apache.org/cli/)
(The Apache Software License, Version 2.0) Commons Collections (commons-collections:commons-collections:3.2.1 - http://commons.apache.org/collections/)
(The Apache Software License, Version 2.0) Commons Configuration (commons-configuration:commons-configuration:1.8 - http://commons.apache.org/configuration/)
(The Apache Software License, Version 2.0) Commons DBCP (commons-dbcp:commons-dbcp:1.2.2 - http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/)
(The Apache Software License, Version 2.0) Commons IO (commons-io:commons-io:2.4 - http://commons.apache.org/io/)
(The Apache Software License, Version 2.0) Commons Lang (commons-lang:commons-lang:2.5 - http://commons.apache.org/lang/)
(The Apache Software License, Version 2.0) Commons Logging (commons-logging:commons-logging:1.1.1 - http://commons.apache.org/logging)
(The Apache Software License, Version 2.0) Commons Math (org.apache.commons:commons-math3:3.1.1 - http://commons.apache.org/math/)
(The Apache Software License, Version 2.0) Commons Pool (commons-pool:commons-pool:1.5.5 - http://commons.apache.org/pool/)
(The Apache Software License, Version 2.0) Data Mapper for Jackson (org.codehaus.jackson:jackson-mapper-asl:1.5.2 - http://jackson.codehaus.org)
(The Apache Software License, Version 2.0) EL (commons-el:commons-el:1.0 - http://jakarta.apache.org/commons/el/)
(The Apache Software License, Version 2.0) Guava (Google Common Libraries) (org.apache.hadoop.thirdparty.guava:guava:r09-jarjar - http://code.google.com/p/guava-libraries)
(The Apache Software License, Version 2.0) Guava: Google Core Libraries for Java (com.google.guava:guava:14.0.1 - http://code.google.com/p/guava-libraries/guava)
(The Apache Software License, Version 2.0) Jackson (org.codehaus.jackson:jackson-core-asl:1.5.2 - http://jackson.codehaus.org)
(The Apache Software License, Version 2.0) Jakarta Commons Net (commons-net:commons-net:1.4.1 - http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/)
(The Apache Software License, Version 2.0) StAX API (stax:stax-api:1.0.1 - http://stax.codehaus.org/)
(The Apache Software License, Version 2.0) hadoop-core (org.apache.hadoop:hadoop-core:0.20.2-cdh3u4 - no url defined)
(The Apache Software License, Version 2.0) webarchive-commons (org.netpreserve.commons:webarchive-commons:1.1.2 - https://github.com/iipc/webarchive-commons)
(The BSD License) xmlenc Library (xmlenc:xmlenc:0.52 - http://xmlenc.sourceforge.net)
(The JSON License) JSON in Java (org.json:json:20131018 - https://github.com/douglascrockford/JSON-java)
(Unknown license) Codec (commons-codec:commons-codec:1.2 - no url defined)
(Unknown license) Jettison (org.codehaus.jettison:jettison:1.0-beta-1 - no url defined)
(Unknown license) jstl (javax.servlet:jstl:1.2 - no url defined)
(Unknown license) oro (oro:oro:2.0.8 - no url defined)
(Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined)
(Unknown license) spring-aop (org.springframework:spring-aop:3.0.6.RELEASE - no url defined)
(Unknown license) spring-asm (org.springframework:spring-asm:3.0.6.RELEASE - no url defined)
(Unknown license) spring-beans (org.springframework:spring-beans:3.0.6.RELEASE - no url defined)
(Unknown license) spring-context (org.springframework:spring-context:3.0.6.RELEASE - no url defined)
(Unknown license) spring-context-support (org.springframework:spring-context-support:3.0.6.RELEASE - no url defined)
(Unknown license) spring-core (org.springframework:spring-core:3.0.6.RELEASE - no url defined)
(Unknown license) spring-expression (org.springframework:spring-expression:3.0.6.RELEASE - no url defined)
(Unknown license) spring-web (org.springframework:spring-web:3.0.6.RELEASE - no url defined)
(Unknown license) spring-webmvc (org.springframework:spring-webmvc:3.0.6.RELEASE - no url defined)
(Unknown license) xpp3_min (xpp3:xpp3_min: - http://www.extreme.indiana.edu/xgws/xsoap/xpp/mxp1/)


kris-sigur commented 10 years ago

See also use of GPL v2 code in webarchive-commons

kris-sigur commented 10 years ago

I went through the list of dependencies for the core project.

Anything with an Apache license (and this includes all the spring modules that showed up with 'unknown license') is OK.

Furthermore, anything with an LGPL, BSD, JSON, MIT or Mozilla Public License should be OK as those licenses do not place any additional burden on the project or downstream consumers.

The Common Public License and Eclipse Public License seem to be OK but need to be looked at a bit closer.

The Sleepycat license is slightly problematic. Technically we are in compliance, but anyone building on the BDB modules (which the license covers) is going to be bound by it and not just the Apache license that OpenWayback is under. See further: http://techlawgarden.com/blog/?p=1252

I couldn't find anything about: (Jedis License) Jedis (redis.clients:jedis:2.0.0 - http://code.google.com/p/jedis/)

Of the 'unknown license' list, I could not resolve for the following: (Unknown license) Jettison (org.codehaus.jettison:jettison:1.0-beta-1 - no url defined) -- I couldn't find any license info (Unknown license) jstl (javax.servlet:jstl:1.2 - no url defined) (Unknown license) xpp3_min (xpp3:xpp3_min: - http://www.extreme.indiana.edu/xgws/xsoap/xpp/mxp1/)

The others were Apache except for: (Unknown license) servlet-api (javax.servlet:servlet-api:2.5 - no url defined) -> Common Development and Distribution License (CDDL) Version 1.0 1. This license should be compatible with our Apache 2 license but I'm not 100% certain. Can someone verify?

johnerikhalse commented 10 years ago

According to https://jstl.java.net/license.html, JSTL is dual licensed under CDDL and GPL.