|Re: [iam-dev] Re: [technology-pmc] Eclipse IAM: Possible need for 3rd party dependency approval|
Jeff McAffer wrote:
If there is something in Maven that says that all archetypes in a repo have the same license and Maven asks the user to agree to the license for that repo when adding the repo then yes.
I don't think there is any such thing in Maven
Otherwise, this is jumping the gun IMHO. Its like saying, enter a URL and then assuming that because the user entered the URL they are giving you implicit consent to agree to all licenses on all things in that repo.Jeff, if I follow your logic, we have pretty much the same situation with CVS plugin distributed with Eclipse Platform. So, user can enter an CVS url and then checkout some projects with gazillion of dependencies and custom builders configured to run on JDT build. But there was not any license confirmation or anything in the CVS project checkout UI.
Generally, all artifacts in Maven repositories have license placeholder (and artifacts that came from the Maven namespace are all APL licensed). The archetype license could be shown to the user, but as a user I think I will find it quite annoying if license confirmation would be shown to me every time I need to create project. Just imagine that new Java project wizard would ask you to confirm the EPL license every time. :-) Also, before license can be shown to the user artifact descriptor would need to be downloaded first.Of course do not support or encourage installing anything without the user consent. It was my perception that by providing the information to identify the archetype/artifact the user was already allowing access. You summarized it perfectly above.While I am not that familiar with Maven, someone saying that they want to have a Foo is not equivalent to them saying, "hey I am ok with you installing GPL code". The if you are getting something on the user's behalf then the user should know about and be agreeing to the licenses. If this is the case then there should not be an issue with the repository since it is just another place to get stuff. The list of "known repos" should be open, modifiable/extensible but beyond that I don't see an IP issue.of course, I could be completely off base here ...
Back to the top