Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval
If there is something in Maven that says that all archetypes in a repo
have the same license and Maven asks the user to agree to the license
for that repo when adding the repo then yes. Otherwise, this is jumping
the gun IMHO. Its like saying, enter a URL and then assuming that
because the user entered the URL they are giving you implicit consent to
agree to all licenses on all things in that repo.
Further, my sense is that by adding a link to another repository (or
however it is that you do this sort of thing), the user is giving IAM
explicit permission to access the archetypes available from that
I agree with that.
Other artifacts downloaded by maven would fall in the same category
(the user enters the information to locate them or otherwise requests
their use, so he is allowing IAM to work on his behalf).
The p2 workflows show the user the various licenses involved in all the
things that are being installed. It is conceivable that the license
checks could be turned off (this has been requested in the past) but
that would, as mentioned above, be something to be done in a specific
scenario by someone making that choice.
FWIW, it's true that p2 can be used to install arbitrary things
without the user's consent. However, that's not how it *is* being
used (or rather how it should be used by an Eclipse project). A
company could take p2 and use it as part of their project to install
whatever they want; this would be an issue between that company and
their end users.
Of course do not support or encourage installing anything without the
user consent. It was my perception that by providing the information
to identify the archetype/artifact the user was already allowing
access. You summarized it perfectly above.
While I am not that familiar with Maven, someone saying that they want
to have a Foo is not equivalent to them saying, "hey I am ok with you
installing GPL code". The if you are getting something on the user's
behalf then the user should know about and be agreeing to the licenses.
If this is the case then there should not be an issue with the
repository since it is just another place to get stuff. The list of
"known repos" should be open, modifiable/extensible but beyond that I
don't see an IP issue.
of course, I could be completely off base here ...