3 Replies Latest reply on Oct 4, 2017 4:21 AM by kaekl

    Redistribution of Infinispan Server / License Compliance

    kaekl
    kaekl Sep 22, 2017 8:07 AM

      Hi All,

       

      we are looking into redistributing Infinispan-Server (currently in version 8.6.2.Final) in a commercial context.

       

      To be able to do this in a compliant fashion, we'd like to better understand the licensing aspects of all integrated open source components and their associated licenses.

       

      Looking into the downloaded Infinispan-Server archive we found the following details:

       

      infinispan-server-8.2.6.Final/copyright.txt     (list of names and emails of contributors to infinispan(-server) we assume)

      infinispan-server-8.2.6.Final/LICENSE.txt     (LGPL 2.1 license text, which we regard the license for all Infinispan-Server artifacts and configuration files)

      infinispan-server-8.2.6.Final/docs/licenses   (folder containing license information of the infinispan-server distribution)

      infinispan-server-8.2.6.Final/docs/licenses/licenses.xml     (an xml descriptor with dependency lists and licenses meta data)

       

      Based on this we performed a deeper analysis. We basically synchronized the information in licenses.xml with the JAR files contained inside the archive.

       

      We found that there are significant differences and ambiguities between the two sources of information. The result in brief:

       

      • There are several JARs listed in the XML, which are not included in the distribution.
      • There are several JARs in the distribution, where no license information is associated in the licenses.xml.
      • For some artifacts there is a mismatch between the version in the distribution and the version referred to in the licenses.xml.
      • And for several artifacts there are ambiguities in terms of the effective license.

       

      I'm very interested in straightening this out. But I think I need a contact with whom I can exchange the detailed results of the analysis and clarify questions. Internally we have very strict policies on the redistribution of open source components and clear ethics to value the open source community effort.

       

      Did I miss any information that is of relevance for me, that is not part of the distribution? In general there is an ambiguity between plain infinispan artifacts (JARs; Apache License 2.0) and the Infinispan-Server Distribution (ZIP; LGPL 2.1 + subcomponents). In terms of documentation I couldn't find any background on the matter.

       

      Looking forward for feedback...

       

      Best regards

        • 1. Re: Redistribution of Infinispan Server / License Compliance
          nadirx
          nadirx Sep 25, 2017 3:19 AM (in response to kaekl)

          Hey Karsten,

           

          thanks for asking. We have been addressing this in 9.1 onwards but it is not trivial because many components that server depends on also provide incomplete, incorrect or missing license coordinates.

          Infinispan 9.1.1.Final attempts to fix this by providing license information for all components and normalizing licenses (the number of micro-variations is staggering).

          If you would like to help, we would welcome it very much, but please work with either the master (9.2) or 9.1.x branches. We can then backport to any old branches.

           

          Tristan

            • Actions
          • 2. Re: Redistribution of Infinispan Server / License Compliance
            kaekl
            kaekl Sep 27, 2017 2:51 AM (in response to nadirx)

            Hi Tristan,

             

            thanks for the quick reply.

             

            I could also work with the 9.1.x or master branch. I will have a deeper look inside what you have been doing lately. However I will earliest have a chance to do this at Friday.

             

            In the meantime I have two general questions (that are rather branch independent):

             

            Is there some documentation that outlines how you approach this and what the goals are with respect to license management? Can you point me to something in this area?

             

            Under which license do you consider the Infinispan JAR files (prefix 'infinispan-'). If we look into the artefacts we see LGPL 2.1 (e.g. in infinispan-commons.jar). When you follow the project information on GitHub source is under Apache License 2.0 (infinispan/README.md at master · infinispan/infinispan · GitHub). For us, we would regard the content of the binary (the LGPL 2.1) to be the effective license. However we would need to research that for all JAR files. Is there a general hint that I have overseen? Or, can you explain it in one or two sentences?

             

            Cheers,

            Karsten

             

            PS: here is a list of the Infinispan JARs in the (8.2.6) distribution:

             

            infinispan-cachestore-jdbc-8.1.0.Final.jar

            infinispan-cachestore-jdbc.jar

            infinispan-cachestore-leveldb.jar

            infinispan-cachestore-remote-8.1.0.Final.jar

            infinispan-cachestore-remote.jar

            infinispan-cachestore-rest.jar

            infinispan-cli-interpreter.jar

            infinispan-client-hotrod-8.1.0.Final.jar

            infinispan-client-hotrod.jar

            infinispan-commons-8.1.0.Final.jar

            infinispan-commons.jar

            infinispan-core-8.1.0.Final.jar

            infinispan-core.jar

            infinispan-directory-provider.jar

            infinispan-lucene-directory.jar

            infinispan-management-console-8.2.2.Final.jar

            infinispan-objectfilter.jar

            infinispan-query-dsl.jar

            infinispan-query.jar

            infinispan-remote-query-client.jar

            infinispan-remote-query-server.jar

            infinispan-scripting.jar

            infinispan-server-cli-8.2.6.Final.jar

            infinispan-server-commons-8.2.6.Final.jar

            infinispan-server-core.jar

            infinispan-server-endpoints-8.2.6.Final.jar

            infinispan-server-event-logger-8.2.6.Final.jar

            infinispan-server-hotrod.jar

            infinispan-server-infinispan-8.2.6.Final.jar

            infinispan-server-jgroups-8.2.6.Final.jar

            infinispan-server-memcached.jar

            infinispan-server-rest-classes.jar

            infinispan-server-websocket.jar

            infinispan-tasks-api.jar

            infinispan-tasks.jar

              • Actions
            • 3. Re: Redistribution of Infinispan Server / License Compliance
              kaekl
              kaekl Oct 4, 2017 4:21 AM (in response to kaekl)

              I'd like to add the following information to my last question:

               

              When I build the infinispan Artifacts (e.g. infinispan-commons) from the sources I can find the Apache License 2.0 being included in the META-INF folder (META-INF/LICENSE.txt). The license includes a RedHat copyright statement.

               

              When I however look in to the infinispan-commons JAR contained in the infinispan-server distribution I see also a license included in META-INF/LICENSE.txt. This time however the general LGPL 2.1 without any RedHat specifics.

               

              When I download the infinispan-commons JAR from Maven Central I again find the LGPL 2.1 without RedHat specifics.

               

              Could you please enlighten me whether this is intentional or not. What are the backgrounds?

               

              Again our conclusion is that the effective license is the LGPL.

               

              Thanks for the clarification...

               

              Best regards,

              Karsten

                • Actions