CloudStack uses a significant amount of third party software. As part of the move to ASF there is a certain set of licenses that are compatible with ASF policy. We need to make sure that every dependency we have is in that set. If it's not we have to remove it.
The approved licenses are the followingApache License 2.0
Apache Software License 1.1. Including variants:
PHP License 3.01
BSD (without advertising clause). Including variants:
DOM4J License
MIT/X11
ICU
University of Illinois/NCSA
W3C Software License
X.Net
zlib/libpng
FSF autoconf license
DejaVu Fonts (Bitstream Vera/Arev licenses)
Academic Free License 3.0
Service+Component+Architecture+Specifications
OOXML XSD ECMA License
Microsoft Public License (MsPL)
Creative Commons Attribution (CC-A)
Creative Commons Copyright-Only Dedication
Python Software Foundation License
Adobe Postcript(R) AFM files
Boost Software License Version 1.0
Eclipse Distribution License 1.0
Component |
License |
Comment |
Status |
Actions |
Alternatives? |
paramiko |
LGPL 2.1 |
Remove - place dependency in package and note dependency in source building documentation |
Needs to be added to the project web-site and documentation as a system dependency. |
We merely need to place a dependency on python-paramiko (it's shipped in EL since EL3 which means it should be ubiquitous. This should be OK by ASF since the use of paramiko is optional. It is used in tools/migration, which is the 1.0 to 2.1 code and can be deleted. Paramiko there can be deleted as well. The python test client uses it, so whatever RPM has the test client (if any) should have a dep on paramiko. |
|
JavaMail |
CDDL or GPL (use CDDL) |
OK but requires attribution. Need to include URL to homepage within distribution. |
Included in LICENSE_BIN and NOTICE_BIN |
File bug to replace with different SMTP library; Bug filed; Brett says the license is OK. KEVIN: I think it's fine, we can close the bug? But then need the URL. |
apache-commons-email? |
Java Servlet Technology |
Sun Microsystems Binary Code License |
Remove or replace |
|
We need to look at the BlackDuck scan results to see where this came from. |
|
JavaServer Pages Standard Tag Library |
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0 |
OK but requires attribution |
|
This comes from internationalization. |
|
JUnit |
BSD or Common Public License |
No Change - Fine as Is |
BSD license included in LICENSE_BIN and NOTICE_BIN |
The download that David found (http://repo1.maven.org/maven2/junit/junit/4.10/junit-4.10.jar) includes a BSD license. However, http://www.junit.org/license is the CPL. |
|
backport-util-concurrent |
Creative Commons Public Domain Dedication |
OK but requires attribution |
Included in LICENSE_BIN and NOTICE_BIN |
ensure attribution |
|
JSch |
JSch License |
No Change - Fine as Is |
Included in LICENSE_BIN and NOTICE_BIN |
BSD-derived, OK? I believe this is OK since many Apache projects use it. |
|
iHarder.net - base64 |
Public Domain |
No Change - Fine as Is |
Alex checking if we can remove |
XXX to find out if CS uses this, possibly remove. This is in utils/src/com/cloud/utils/encoding/Base64.java at least. It is also in test/src/com/cloud/sample/Base64.java |
|
iControl.jar |
GPL |
Remove or receive approved license |
|
Kevin contact BigIP |
|
JnetPcap |
LGPLv3 |
Remove or receive approved license |
Pending deletion of deps/cloud-jnetpcap.jar from the source tree. |
Pradeep remove |
|
libvirt 0.4.5 |
LGPLv3 |
Depend on distro |
|
Pradeep remove and change CS to use distro-provided version. this should be OK since you can depend on unapproved software if it's optional. Clearly libvirt is optional since it is required for only one hypervisor. |
|
manageontap |
NetApp EULA |
Remove or receive approved license |
|
Kevin contact NetApp |
|
NetScaler SDK |
|
Remove or receive approved license |
|
NetScaler team working to issue with Apache license. (kevin owns) |
|
Trilead ssh |
Trilead EULA |
Remove or receive approved license |
Request sent to have someone remove this lib. |
XXX remove and use another ssh client |
Orion |
XAPI API |
GPLv2 |
Remove or receive approved license |
|
Kevin contact XenServer. Is this just the xapi Java bindings? If so that should be trivial to ensure that it's in our target distros. |
|
Apache Tomcat |
Apache License Version 2.0 |
No Change - Fine as Is |
|
Frank find source |
|
iBATIS for Java |
Apache License Version 2.0 |
No Change - Fine as Is |
Included in NOTICE and NOTICE_BIN. |
Source is located at least here: |
|
Orion SSH2 |
BSD 2.0 |
No Change - Fine as Is |
|
Frank find source. |
|
XStream Library |
BSD 2.0 |
No Change - Fine as Is |
|
Frank check if we can remove. |
|
Apache Jakarta Commons Discovery |
Apache 1.1 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache log4j |
Apache 1.1 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Web Services Axis |
Apache 1.1 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Ant |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Jakarta Commons Codec |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Jakarta HTTP Client |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Jakarta HttpComponents |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Jakarta HttpComponents |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Web Services Axis |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache Xerces Java XML Parser |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache-Jakarta Collections |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache-Jakarta DBCP |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache-Jakarta Lang |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Apache-Web Services Commons Util |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Code Generation Library |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
ehcache |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
excanvas |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
google-gson |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Jakarta Commons-Logging |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
Jetty - Java HTTP Servlet Server |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
selenium |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
jquery-easing |
BSD 2.0 |
No Change - Fine as Is |
|
approved -- fine |
|
VMware Infrastructure Java API |
BSD 2.0 |
No Change - Fine as Is |
|
approved -- fine | Uhhhh where is this in source??? --DavidN |
|
VMware Java SDK |
Proprietary, freely redistributable, but certainly not open source. |
Perhaps by the above? |
|
(this is in deps/vmware-*) |
|
Bouncy Castle Crypto APIs |
MIT License V2 |
No Change - Fine as Is |
|
approved -- fine |
|
flot |
MIT License V2 |
No Change - Fine as Is |
|
approved -- fine |
|
jquery-ui |
MIT License V2 |
No Change - Fine as Is |
|
approved -- fine |
|
pymysql |
MIT License V2 |
No Change - Fine as Is |
|
approved -- fine |
|
UUID - generate UUIDs in Java |
MIT License V2 |
No Change - Fine as Is |
|
approved -- fine |
|
jquery-validate |
MIT License V2 |
Use under MIT |
|
approved -- fine |
|
jqueryjs |
MIT License V2 |
Use under MIT |
|
approved -- fine |
|
GSON Closure Compiler |
Apache License Version 2.0 |
No Change - Fine as Is |
|
approved – fine |
|
reset.css |
Public Domain |
Unknown |
|
does ASF recognize public domain? can the author have given up his moral rights under copyright in the jurisdiction in which he resides/created the work? |
|
URLEncoder |
ASLv2 |
No Change - Fine as is |
|
located in utils/src/com/cloud/utils/encoding/URLEncoder.java - double fork (original fork from java.net.URLEncoder by Craig McClanahan and Remy Maucherat, and then we also made changes) |
|
OpenStack Swift Client |
ASLv2 |
No Change - Fine as is |
|
located in scripts/storage/secondary/swift and scripts/vm/hypervisor/xenserver/swift |
|
slf4j-api |
MIT |
No Change - Fine as is |
Included in LICENSE, NOTICE, LICENSE_BIN and NOTICE_BIN |
located in deps/awsapi-lib/rampart-lib - Needs attribution |
|
QUnit v1.4.0pre |
MIT |
No Change - Fine as is |
|
located in ui/lib/qunit/qunit.js and ui/lib/qunit/qunit.css |
|
Component |
License |
Comment |
Action |
|
GlassFish |
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0 |
Apache site states that "small amounts" of such source are OK. |
Is this a "small amount"? Needs attribution or removal. |
|
Copyright (c) 2000-2005 INRIA, France Telecom |
Unknown License |
No Change - Fine as Is |
file bug to remove/rewrite |
|
GSON Closure Compiler |
Apache License Version 2.0 |
No Change - Fine as Is |
approved – fine |
|
utils/src/com/cloud/utils/encoding/Base64.java |
Public domain |
No Change - Fine as is |
|
|
utils/src/javax/ejb/Local.java |
CDDL or GPL |
We would choose CDDL |
|
|
utils/src/javax/persistence/* |
CDDL or GPL |
We would choose CDDL |
|
|
WAF |
BSD |
No Change - Fine as is |
Included in LICENSE and NOTICE files |
|