Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval


Further, my sense is that by adding a link to another repository (or however it is that you do this sort of thing), the user is giving IAM explicit permission to access the archetypes available from that repository.

I agree with that.
Other artifacts downloaded by maven would fall in the same category (the user enters the information to locate them or otherwise requests their use, so he is allowing IAM to work on his behalf).
If there is something in Maven that says that all archetypes in a repo have the same license and Maven asks the user to agree to the license for that repo when adding the repo then yes. Otherwise, this is jumping the gun IMHO. It's like saying, enter a URL and then assuming that because the user entered the URL they are giving you implicit consent to agree to all licenses on all things in that repo.
FWIW, it's true that p2 can be used to install arbitrary things without the user's consent. However, that's not how it *is* being used (or rather how it should be used by an Eclipse project). A company could take p2 and use it as part of their project to install whatever they want; this would be an issue between that company and their end users.
The p2 workflows show the user the various licenses involved in all the things that are being installed. It is conceivable that the license checks could be turned off (this has been requested in the past) but that would, as mentioned above, be something to be done in a specific scenario by someone making that choice.
Of course I do not support or encourage installing anything without the user's consent. It was my perception that by providing the information to identify the archetype/artifact the user was already allowing access. You summarized it perfectly above.
While I am not that familiar with Maven, someone saying that they want to have a Foo is not equivalent to them saying, "hey I am ok with you installing GPL code". Then, if you are getting something on the user's behalf, the user should know about and be agreeing to the licenses. If this is the case then there should not be an issue with the repository since it is just another place to get stuff. The list of "known repos" should be open, modifiable/extensible but beyond that I don't see an IP issue.

of course, I could be completely off base here ...

Jef


