From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id gH9pBftGWGIsEwEAgWs5BA (envelope-from ) for ; Thu, 14 Apr 2022 18:08:27 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id UDMMAvtGWGL2cQAAauVa8A (envelope-from ) for ; Thu, 14 Apr 2022 18:08:27 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8A17213E6C for ; Thu, 14 Apr 2022 18:08:26 +0200 (CEST) Received: from localhost ([::1]:47622 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nf21B-0007xh-FM for larch@yhetil.org; Thu, 14 Apr 2022 12:08:25 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46328) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nf20p-0007w5-0z for guix-patches@gnu.org; Thu, 14 Apr 2022 12:08:05 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:34902) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nf20o-0002Y3-81 for guix-patches@gnu.org; Thu, 14 Apr 2022 12:08:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1nf20o-0003fG-3m for guix-patches@gnu.org; Thu, 14 Apr 2022 12:08:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#32947] Add java-xalan. Resent-From: Frank Pursel Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 14 Apr 2022 16:08:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 32947 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Maxime Devos Cc: 32947@debbugs.gnu.org Received: via spool by 32947-submit@debbugs.gnu.org id=B32947.164995245414043 (code B ref 32947); Thu, 14 Apr 2022 16:08:02 +0000 Received: (at 32947) by debbugs.gnu.org; 14 Apr 2022 16:07:34 +0000 Received: from localhost ([127.0.0.1]:57032 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nf20M-0003eR-4c for submit@debbugs.gnu.org; Thu, 14 Apr 2022 12:07:34 -0400 Received: from mail-ej1-f42.google.com ([209.85.218.42]:42536) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nf20K-0003eE-7F for 32947@debbugs.gnu.org; Thu, 14 Apr 2022 12:07:32 -0400 Received: by mail-ej1-f42.google.com with SMTP id i27so10948280ejd.9 for <32947@debbugs.gnu.org>; Thu, 14 Apr 2022 09:07:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+KSEWIEE5vpwCJpsyF9yfGOLjzBkjCrE04oblxE3cRc=; b=enyqs61YE+M/psmGaQNnQjn0xxCJeNK7HqnC6lCTB4HOemakhGziKSf9CUEuaQTFhS Wej6kYqxHBQXObIrI/8F2Fx/s7xAwtdJLsNWklSekb/150W+7qPbLYXfkiNSe7K1Q5FF RnS8522VAuCPjAD98NWidjN/G1Yj560cg6AaSQly8Du2/sfvu4BiJZUs9Dm/EmjAhGI9 BjLhuvllleekf27eC4TxA7G7NZw5I+HhP65UYOpkDcG0jGFh+kG0fcG/nSvalhGsGY8l wDjg+k49Sk3U16tIew+E/MKdEV2np4OjIr+hwEO15w4wO5JUHPyWB1nAagqC9dX2nzQh 19fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+KSEWIEE5vpwCJpsyF9yfGOLjzBkjCrE04oblxE3cRc=; b=v41Ii7lq0qZZtSYdjVsKMQwhAzFDkdvxUbXAxL+GgOVk54838M5xwLqDpSH3xEkFtk xYE1MRYIEjQveQZtk48/GifarMABdMTLK+xcCgJpBnSjHBDO9MjOsIYZcUr60SIi/T3n leqlkzZZShUlEy312nv1zNNF/oa19X+YfFvl/6z7PzA28BRto0a96D2d/YX8TOoT0hRV 3c56NZ9I8fMBJ314uILDI1EjlNaZED4FLqwtakGsZhNqxTcO3fdJJCxveAZh9vhWJQ4H AyLasuxup07OU9L46yyQ+C+t4lBcFIlo8VSyghihNOlF5wGISIONnDDVahEsOP1bu39u J2nA== X-Gm-Message-State: AOAM533JlcJZN6Hpcx21hzrbDbhnwDM8hGqDHGT/dbAkBopzt03yGunT Zf++fBKHa9bHtBSakqaKBKF7XxTspbcno2nZGRE= X-Google-Smtp-Source: ABdhPJycP7MeE/O9e6rvJKRQcAHgYxZ2dz+5oljc/3VmeME+wiR8COunqrCtftvhMevqaR2To7YVEPVwRfaEWUTtoss= X-Received: by 2002:a17:906:e18:b0:6e8:69c2:528c with SMTP id l24-20020a1709060e1800b006e869c2528cmr2818530eji.439.1649952446112; Thu, 14 Apr 2022 09:07:26 -0700 (PDT) MIME-Version: 1.0 References: <87y217gjfa.fsf@Ginko.local.i-did-not-set--mail-host-address--so-tickle-me> <5f00452a6bed768c7df78fee59c045f08d1a8dce.camel@telenet.be> <2533f258c513aeb666823c6c3a48748f988a9ee6.camel@telenet.be> In-Reply-To: From: Frank Pursel Date: Thu, 14 Apr 2022 16:07:13 +0000 Message-ID: Content-Type: multipart/alternative; boundary="00000000000072661105dc9f7d81" X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1649952506; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=+KSEWIEE5vpwCJpsyF9yfGOLjzBkjCrE04oblxE3cRc=; b=ENLYZ2ZlmTNFzqNeE2WFvkg8SUp1XBXw8gobUGH8Xf7fDgWGp2473GdRWB6gJlOhN6Vig4 7Mt9hP7sfTLpYfo+vp6t8AWAe+BJgGFFv0/GRJVMcm9HpSWDQeXhkiUpRe1wb6h4zrEbl7 UoMlW9Qu3BL0PfYvmMv/A25k9FWksGnfn5xOWtC6UPF2JdKwOwAu9yvE4bre8AitQK//NR ZWZfEa59spTPEdueiYUPsQdyzsP38P1LOqfX8/1LwNm3b0w2LST57BzVECWnpaj7rp5Zok ZeQ6YGGsA7Obgk6k9vsHt1s+soPQmFDpBAq3VDj1VeuZuBd6pOMiJ66hC8S9Jw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1649952506; a=rsa-sha256; cv=none; b=uyLd+GmvVZA2nuM6Zsmt4yOMGgA8HX7ffIPyTPBVlRppCAas03hZMAFx8D9lR6aNxMjCTG fvpTPwz38KZeMXhbm/CzFKV433Kl+zcnk8E4Sh+nYcQrQvCLrJGFWhFSUJP0+vPpjYFFmO JYmW7OCDOOrYvwFv1jfTMD6gChOoaSCesQeeD8T6rGKGiYh1Czvbyw9O57paDUPQTri6Ls 9tMoa1DEUSy7szD0MfgEh8G5Eq7EY9H79ZviscRQAy2xr5vGhe/0OFk9b/JHr1menem6FC wupSPWvkgxfzYYxF6qswpifcGS30Xs6qAxX8ffQB6c+AHbh6QSROtrAEmsz1RQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=enyqs61Y; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: 5.95 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=enyqs61Y; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 8A17213E6C X-Spam-Score: 5.95 X-Migadu-Scanner: scn1.migadu.com X-TUID: DeksUBvLOQpx --00000000000072661105dc9f7d81 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Well, I certainly have never intended to be an accomplice to intellectual property theft. Having formally asked the question that cannot be the case. I also thought you handled the 'framing' of the issue nicely. Your perspective caused me to further investigate IntStack.java. It may be helpful to know that the class IntStack is an extension of IntVector.java which contains none of the suspicious references to JDK1.0. For IntStack.java to have originated in the JDK so too must have IntVector.java and there doesn't appear to be any similar evidence that this is the case. I can also offer that xdocs/sources/xalan/history.xml documents that IntStack.java has been modified multiple times to address bug reports and for optimizations. I really don't know how those attributable modifications would affect the licensing but apache has clearly tailored this code to suite the needs of xalan. It also provides the email addresses of past modifiers that might still be around to more clearly identify the origin of the code. Though it was some time ago. This code appears to have been settled since 2006. 15 year old open source code is unusual by today's standards. Regards, Frank On Thu, Apr 14, 2022 at 8:30 AM Maxime Devos wrote= : > Frank Pursel schreef op wo 13-04-2022 om 23:43 [+0000]: > > I think that IntStack.java has almost no economic value and so the > > comparison to a commercial package is not really appropriate. > > It is not about the commercial aspect, it is about the potential > proprietariness. > > > We are not asking for a bug fix, or for clarification of a > > behaviour. > > Violating the (copyright, maybe contract) law seems like a bug to me > (TBC it is not known yet if this is the case, it just seems plausible > to me at this moment). > > > We are questioning if they are meeting their own stated > > licensing criteria! > > The problem is not if Apacha meets their own license (it seems that > they do, since they explicitly release the source code with their > license headers etc. The potential problem is Sun's licensing of > JDK1.0, which we (as distribution) might indirectly be in violation of > by including java-xalan. > > Also, it's all about how the question is framed -- asking =E2=80=98did yo= u > violate the licensing terms=E2=80=99 doesn't seem advisable, but =E2=80= =98Does IntStack > indeed come from JDK1.0, and if so, can I use it under the ASL license > like the rest?=E2=80=99 would just be asking for confirmation (and somewh= at > positive, because it seems to imply we want to use xalan). > > > I would feel bad asking this of them because I imagine they > > are no better equipped to answer questions about JDK1.0 than we are. > > They are probably not well-equipped to answer questions about JDK1.0. > However, they _are_ well-equiped to answer questions about theirselves, > presumably they remember what they mean by @since and where their > source code came from. > > > Worse, if we believe such impropriety is possible why would be > > believe what they tell us anyway? > > FWIW, IMO it would only be impropriety because of the current law (and > somewhat unclear attribution). Also, by assuming good faith. > > > I think to ask for this to be investigated, > > at minimum, you would need to find the actual file from JDK1.0 that > > you feel was appropriated. > > JDK1.0 is propietary, why would I look into its sources? Also, > probably the sources aren't available anyway, given that it is > proprietary. > > > I don't think we should be asking upstream > > to work on investigation of a suspicious licensing that cannot > > improve their software in any functional way. > > Moving from being in violation in the law to not seems like a > functional improvement to me (assuming it was actually in violation, > which has not been determined). Illegal software is, for many > practical purposes, not functional. > > More generally, ignorance is not an excuse, and I imagine willfull > ignorance to be even less so. > > Anyway, I've sent a mail upstream, presumably it will eventually appear > in the archive at > . > > Greetings, > Maxime. > --00000000000072661105dc9f7d81 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Well, I certainly have never intended to be an accomp= lice to intellectual property theft.=C2=A0 Having formally asked the questi= on that cannot be the case.=C2=A0 I also thought you handled the 'frami= ng' of the issue nicely.=C2=A0

Your persp= ective caused me to further investigate IntStack.java.=C2=A0 It may be help= ful to know that the class IntStack is an extension of IntVector.java which= contains none of the suspicious references to JDK1.0.=C2=A0 For IntStack.j= ava to have originated in the JDK so too must have IntVector.java and there= doesn't appear to be any similar evidence that this is the case.
=

I can also offer that xdocs/sources/xalan/history.xml d= ocuments that IntStack.java has been modified multiple times to address bug= reports and for optimizations.=C2=A0 I really don't know how those att= ributable modifications would affect the licensing but apache has clearly t= ailored this code to suite the needs of xalan.=C2=A0 It also provides the e= mail addresses of past modifiers that might still be around to more clearly= identify the origin of the code.=C2=A0 Though it was some time ago.=C2=A0 = This code appears to have been settled since 2006.=C2=A0=C2=A0 15 year old = open source code is unusual by today's standards.=C2=A0
=
Regards,
Frank

On Thu, Apr 14, 2022 at 8:= 30 AM Maxime Devos <maximedevo= s@telenet.be> wrote:
Frank Pursel schreef op wo 13-04-2022 om 23:43 [+0000]:
> I think that IntStack.java has almost no economic value and so the
> comparison to a commercial package is not really appropriate.

It is not about the commercial aspect, it is about the potential
proprietariness.

> We are not asking for a bug fix, or for clarification of a
> behaviour.

Violating the (copyright, maybe contract) law seems like a bug to me
(TBC it is not known yet if this is the case, it just seems plausible
to me at this moment).

> We are questioning if they are meeting their own stated
> licensing criteria!

The problem is not if Apacha meets their own license (it seems that
they do, since they explicitly release the source code with their
license headers etc.=C2=A0 The potential problem is Sun's licensing of<= br> JDK1.0, which we (as distribution) might indirectly be in violation of
by including java-xalan.

Also, it's all about how the question is framed -- asking =E2=80=98did = you
violate the licensing terms=E2=80=99 doesn't seem advisable, but =E2=80= =98Does IntStack
indeed come from JDK1.0, and if so, can I use it under the ASL license
like the rest?=E2=80=99 would just be asking for confirmation (and somewhat=
positive, because it seems to imply we want to use xalan).

> I would feel bad asking this of them because I imagine they
> are no better equipped to answer questions about JDK1.0 than we are.
They are probably not well-equipped to answer questions about JDK1.0.
However, they _are_ well-equiped to answer questions about theirselves,
presumably they remember what they mean by @since and where their
source code came from.

> Worse, if we believe such impropriety is possible why would be
> believe what they tell us anyway?

FWIW, IMO it would only be impropriety because of the current law (and
somewhat unclear attribution).=C2=A0 Also, by assuming good faith.

> I think to ask for this to be investigated,
> at minimum, you would need to find the actual file from JDK1.0 that > you feel was appropriated.

JDK1.0 is propietary, why would I look into its sources?=C2=A0 Also,
probably the sources aren't available anyway, given that it is
proprietary.

> I don't think we should be asking upstream
> to work on investigation of a suspicious licensing that cannot
> improve their software in any functional way.

Moving from being in violation in the law to not seems like a
functional improvement to me (assuming it was actually in violation,
which has not been determined).=C2=A0 Illegal software is, for many
practical purposes, not functional.

More generally, ignorance is not an excuse, and I imagine willfull
ignorance to be even less so.

Anyway, I've sent a mail upstream, presumably it will eventually appear=
in the archive at
<https://marc.info/?l=3Dxa= lan-j-users&r=3D1&b=3D202204&w=3D2>.

Greetings,
Maxime.
--00000000000072661105dc9f7d81--