[openstack-dev] [PKG-Openstack-devel][horizon][xstatic] XStatic-Angular-Bootstrap in violation of the MIT/Expat license (forwarded from: python-xstatic-angular-bootstrap_0.11.0.2-1_amd64.changes REJECTED)

Robert Collins robertc at robertcollins.net
Tue May 5 07:00:22 UTC 2015


On 5 May 2015 at 18:17, Matthias Runge <mrunge at redhat.com> wrote:
> On 05/05/15 05:29, Robert Collins wrote:
>
>>> Probably, but it's legally wrong (ie: worst case, you can be sued) to leave
>>> a package which is in direct violation of the license of things it contains.
>>
>>
>> So, we shouldn't use angular at all then, because as a js framework it's
>> distributed to users when they use the website, but the license file
>> isn't included in that distribution.
>
> Would be good to get a legal position on this.
>
> If we're not allowed to use angular (and anybody else), I wonder how anyone
> could use it (following above logic)

Let's take a sensible, pragmatic approach here.

Firstly, upload a new tarball to pypi (a point release, not a postN
release - for uninteresting reasons pbr 0.10 produced postN versions
for local commits, and thus any postN version is not guaranteed to be
unique).

Secondly, reference that in a stable branch update to
global-requirements and horizon. That's easy enough.

Thirdly, once our users have had time to update to the next point
release of Horizon - say 3 months - delete the file that's missing its
license statement from PyPI: upstream git has a LICENSE file, so we
are clearly not representing them well by distributing a package
without it. There's absolutely no reason to rush: if upstream were
license pedants, they would not have chosen the license they did
(because of its obvious incompatibility with js minification).

The incompatibility that I refer to is potentially serious, since a
license pedant can trivially take the position I put forward above,
but since we can reasonably assume upstream want their code to be
used, I think it should be treated as a linter warning, not a fatal
error, and we should take a gentle non-contentious approach to
discussing it with them. angular-bootstrap only! has 190 committers,
angular has 1200 committers:- any rectification, even a simple rider
added to the repo, is likely to take time due to the lovely way
copyright intertwines on these things.

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud


