CloudStack uses a significant amount of third party software. As part of the move to ASF there is a certain set of licenses that are compatible with ASF policy. We need to make sure that every dependency we have is in that set. If it's not we have to remove it.
The approved licenses are the followingApache License 2.0
Apache Software License 1.1. Including variants:
PHP License 3.01
BSD (without advertising clause). Including variants:
DOM4J License
MIT/X11
ICU
University of Illinois/NCSA
W3C Software License
X.Net
zlib/libpng
FSF autoconf license
DejaVu Fonts (Bitstream Vera/Arev licenses)
Academic Free License 3.0
Service+Component+Architecture+Specifications
OOXML XSD ECMA License
Microsoft Public License (MsPL)
Creative Commons Attribution (CC-A)
Creative Commons Copyright-Only Dedication
Python Software Foundation License
Adobe Postcript(R) AFM files
Boost Software License Version 1.0
Eclipse Distribution License 1.0
Component | License | Comment | Status | Actions | Alternatives? |
paramiko | LGPL 2.1 | Remove - place dependency in package and note dependency in source building documentation | Needs to be added to the project web-site and documentation as a system dependency. | We merely need to place a dependency on python-paramiko (it's shipped in EL since EL3 which means it should be ubiquitous. This should be OK by ASF since the use of paramiko is optional. It is used in tools/migration, which is the 1.0 to 2.1 code and can be deleted. Paramiko there can be deleted as well. The python test client uses it, so whatever RPM has the test client (if any) should have a dep on paramiko. |
|
JavaMail | CDDL or GPL (use CDDL) | OK but requires attribution. Need to include URL to homepage within distribution. | Included in LICENSE and NOTICE where appropriate. | File bug to replace with different SMTP library; Bug filed; Brett says the license is OK. KEVIN: I think it's fine, we can close the bug? But then need the URL. | apache-commons-email? |
Java Servlet Technology | Sun Microsystems Binary Code License | Remove or replace |
| We need to look at the BlackDuck scan results to see where this came from. |
|
JavaServer Pages Standard Tag Library | COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0 | OK but requires attribution | Included in LICENSE and NOTICE where appropriate. | This comes from internationalization. |
|
JUnit | BSD or Common Public License | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | The download that David found (http://repo1.maven.org/maven2/junit/junit/4.10/junit-4.10.jar) includes a BSD license. However, http://www.junit.org/license is the CPL. |
|
backport-util-concurrent | Creative Commons Public Domain Dedication | OK but requires attribution | Included in LICENSE and NOTICE where appropriate. | ensure attribution |
|
JSch | JSch License | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | BSD-derived, OK? I believe this is OK since many Apache projects use it. |
|
iHarder.net - base64 | Public Domain | No Change - Fine as Is | Alex checking if we can remove | XXX to find out if CS uses this, possibly remove. This is in utils/src/com/cloud/utils/encoding/Base64.java at least. It is also in test/src/com/cloud/sample/Base64.java |
|
iControl.jar | GPL | Remove or receive approved license | Optional build item. Will exclude from ASF release. | Kevin contact BigIP |
|
JnetPcap | LGPLv3 | Remove or receive approved license | Pending deletion of deps/cloud-jnetpcap.jar from the source tree. | Pradeep remove |
|
libvirt 0.4.5 | LGPLv3 | Depend on distro | Optional build item, until we have a properly licensed version to target. | Pradeep remove and change CS to use distro-provided version. this should be OK since you can depend on unapproved software if it's optional. Clearly libvirt is optional since it is required for only one hypervisor. |
|
manageontap | NetApp EULA | Remove or receive approved license |
| Kevin contact NetApp |
|
NetScaler SDK |
| Remove or receive approved license | Optional build item, until we have a properly licensed version to target. | NetScaler team working to issue with Apache license. (kevin owns) |
|
Trilead ssh | Trilead EULA | Remove or receive approved license | Included in LICENSE and NOTICE where appropriate. | XXX remove and use another ssh client | Orion |
XAPI API | GPLv2 | Remove or receive approved license |
| Kevin contact XenServer. Is this just the xapi Java bindings? If so that should be trivial to ensure that it's in our target distros. |
|
Apache Tomcat | Apache License Version 2.0 | No Change - Fine as Is |
| Frank find source |
|
iBATIS for Java | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | Source is located at least here: |
|
XStream Library | BSD 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | Frank check if we can remove. |
|
Apache Jakarta Commons Discovery | Apache 1.1 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache log4j | Apache 1.1 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Web Services Axis | Apache 1.1 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Ant | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Jakarta Commons Codec | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Jakarta HTTP Client | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Jakarta HttpComponents | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Jakarta HttpComponents | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Web Services Axis | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache Xerces Java XML Parser | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache-Jakarta Collections | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache-Jakarta DBCP | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache-Jakarta Lang | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Apache-Web Services Commons Util | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Code Generation Library | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
ehcache | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
excanvas | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
google-gson | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Jakarta Commons-Logging | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
Jetty - Java HTTP Servlet Server | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
selenium | Apache License Version 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
jquery-easing | BSD 2.0 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
VMware Java SDK | Proprietary, freely redistributable, but certainly not open source. | Perhaps by the above? | Optional build item, until we have a properly licensed version to target. | (this is in deps/vmware-*) |
|
Bouncy Castle Crypto APIs | MIT License V2 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
flot | MIT License V2 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
jquery-ui | MIT License V2 | No Change - Fine as Is | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
jquery-validate | MIT License V2 | Use under MIT | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
jqueryjs | MIT License V2 | Use under MIT | Included in LICENSE and NOTICE where appropriate. | approved -- fine |
|
reset.css | Public Domain | Unknown | Included in LICENSE and NOTICE where appropriate. | does ASF recognize public domain? can the author have given up his moral rights under copyright in the jurisdiction in which he resides/created the work? |
|
URLEncoder | ASLv2 | No Change - Fine as is |
| located in utils/src/com/cloud/utils/encoding/URLEncoder.java - double fork (original fork from java.net.URLEncoder by Craig McClanahan and Remy Maucherat, and then we also made changes) |
|
OpenStack Swift Client | ASLv2 | No Change - Fine as is | Included in LICENSE and NOTICE where appropriate. | located in scripts/storage/secondary/swift and scripts/vm/hypervisor/xenserver/swift |
|
slf4j-api | MIT | No Change - Fine as is | Included in LICENSE and NOTICE where appropriate. | located in deps/awsapi-lib/rampart-lib - Needs attribution |
|
QUnit v1.4.0pre | MIT | No Change - Fine as is | Included in LICENSE and NOTICE where appropriate. | located in ui/lib/qunit/qunit.js and ui/lib/qunit/qunit.css |
|
Component | License | Status | Comment | Action | |
GlassFish | COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0 | Included in LICENSE and NOTICE where appropriate. | Apache site states that "small amounts" of such source are OK. | Is this a "small amount"? Needs attribution or removal. | |
GSON Closure Compiler | Apache License Version 2.0 | Included in LICENSE and NOTICE where appropriate. | No Change - Fine as Is | approved – fine |
|
WAF | BSD | Included in LICENSE and NOTICE where appropriate. | No Change - Fine as is | Included in LICENSE and NOTICE files |
|
...