Maven and Software Licensing: Some Comments

January 17, 2004

Summary

Sakai is using the Maven software from The Apache Software Foundation to install Sakai software. The Maven software and associated plug-ins use technology to resolve three problems in software distribution: software from multiple sources under different licensing agreements, software that cannot be redistributed but is required for the application, and changes in licensing terms and conditions.

Maven (and the associated plug-ins) capabilities:

• Extract the licenses from all software included in the distribution; Maven converts them to license text and provides reports.
• Instead of including all software in the distribution, Maven can download software from a source (Website) and include it in the installation.
• When updating an existing installation, Maven can compare the license agreements of the new distribution with the previously installed version to identify those with differences.

These capabilities may not be sufficient “adequate notice” of license terms and conditions. Sakai could include, in the documentation, a brief discussion of actions the user should take to verify that the license terms and agreements apply to the user’s specific installation (especially if it is a commercial entity) and to make users aware that the terms and conditions of licenses of included or downloaded software may be different from the Sakai license.

Background

Sakai Chief Architect Charles Severance identified the issue in his November 17, 2004 e-mail “Topic for discussion - Maven and its impact on licensing terms and install process.” He wrote:

    Historically, the viral nature of license agreements (GPL as the most extreme example), means that as one assembles a distribution of software (i.e. A tar ball to download), one must look at all of the "included" license agreements and adjust one's license agreement accordingly.
    With Maven, a distribution can *automatically* "self-assemble" a myriad of dependent components *after* the distribution is downloaded and installation has begun. The beauty of this situation is that the license terms of the initial download do not have to "include" or "reflect" the license terms of the elements which are "assembled" on the end-user's system under the control of Maven. Each of those software elements is governed by its own license agreement with the end-user. The license is not between the component owner (i.e. MySql) and the software integrator (i.e. Sakai) but rather between the component owner (i.e. MySql) and the end user (University of Lancaster).

    As such, we can produce a distribution which automatically installs the MySql connector (GPL'd code) on the user's system in the right place in Tomcat without ever including it in the Sakai download. This eliminates the nasty manual steps needed to hand-install any GPL components after an open-open software tool has been downloaded and half-installed.

This message identified both the problem and the use of Maven as a solution. Since then, Maven plug-ins have been developed that extend the capabilities.

The combinations of software that are included in a “solution” can lead to unintended violation of copyright. This is especially true if software is included in another software product or distribution. The MySQL database is an example. The company has two licenses: one for those who download and use the software themselves, and another for when the software is used as part of a product or is redistributed with a product.

Users have often wanted a “Quick Start” distribution that creates a running software system through a single download. Since many software solutions require a database, developers have tended to include a database product that permits redistribution. For example, uPortal included the Hypersonic database management system in the Quick Start version.
Hypersonic is a small system and operates well for small databases. However, in production most uPortal users use MySQL or Oracle. In those cases the user either had to have an installed (and licensed) version of Oracle or download the code from MySQL separately, since redistribution was not permitted. [1] The uPortal “Quick Start” software was distributed using the less powerful Ant installation software.

Sakai Software Distribution

The use of Maven will permit a simple installation to include redistribution-restricted software and, if the user uses the license reporting capabilities, will provide the information needed to remain in compliance. Unfortunately, software developers are unaware, and software users may not read and understand the combinations of terms and conditions of many separate licenses. Through efforts of the Open Source Initiative to reduce the number of open source licenses, this will be less of a problem in the future.

These licenses have not been tested in the courts to define “adequate notice.” Until that time Sakai could have an Appendix on licensing included, as MySQL does, in its documentation so the reader would be aware that multiple licenses may apply and could interpret the limitations.

In summary, the problem is real, but perhaps not significant for colleges and universities (as contrasted to commercial firms). The Maven solution is very helpful for everyone. There are examples of text that could be included in Sakai documentation that would provide guidance to developers and users about the multiple licenses.

[1] MySQL is available under open source and commercial licensing agreements. In 2004 MySQL changed its licensing terms to incorporate a “FLOSS Exception” that applied to MySQL 4 or subsequent versions. This improvement makes the licensing both broader and more complex.
From: Charles Severance <[email protected]>
To: sakai <[email protected]>
Subject: Topic for discussion - Maven and its impact on licensing terms and install process
Date: Wed, 17 Nov 2004 13:11:56 -0500 (EST)

This is an idea that has been rolling around in my mind for a few days so I figured that I would just drop it out there for folks to talk and think about.

Historically, the viral nature of license agreements (GPL as the most extreme example), means that as one assembles a distribution of software (i.e. A tar ball to download), one must look at all of the "included" license agreements and adjust one's license agreement accordingly.

With Maven, a distribution can *automatically* "self-assemble" a myriad of dependent components *after* the distribution is downloaded and installation has begun. The beauty of this situation is that the license terms of the initial download do not have to "include" or "reflect" the license terms of the elements which are "assembled" on the end-user's system under the control of Maven. Each of those software elements is governed by its own license agreement with the end-user. The license is not between the component owner (i.e. MySql) and the software integrator (i.e. Sakai) but rather between the component owner (i.e. MySql) and the end user (University of Lancaster).

As such, we can produce a distribution which automatically installs the MySql connector (GPL'd code) on the user's system in the right place in Tomcat without ever including it in the Sakai download. This eliminates the nasty manual steps needed to hand-install any GPL components after an open-open software tool has been downloaded and half-installed.

Because many of these "viral" licenses allow free re-distribution, the viral code can live on literally any maven repository for download and install at run-time in the user's system.

So we end up in Sakai where our license terms only reflect the code that we build that is in our download.
Given that our download does not include any other code - we can keep our license terms however we like.

To me this brings us to a completely new phase where viral and non-viral code can be combined in far more ways than ever before. The net result is that the value and utility of both viral and non-viral software is greatly enhanced. It also means that making a decision to go viral is not the life-and-death choice that it was formerly.

It means that the only important clause in licenses is the "unlimited" redistribution clause. It effectively inoculates software from a viral license - unless there is truly a desire to pull the viral software inside of the newly formed application. But for software that is separable by an API, viral clauses cease to be a barrier to integration.

17 January 2005

And cross-project license negotiations become trivially simple because they are no longer necessary because of Maven :)

I would observe that our current Quick Start distribution already follows the pattern where there are no (with the exception of the James stuff) jars that are part of the distribution and that (nearly) all jars come through the Maven process that happens - post-download.

Someone should write a CHE article about this...

/Chuck

----------------------
This automatic notification message was sent by CTools (https://ctools.umich.edu) from the Mellon Sakai site. You can modify how you receive notifications at MyWorkspace > Preferences.
