@License(name = “Apache”,version = “2.0″) annotations and GPL
Published October 23rd, 2007 in Apache, GPL, Java, LiceningIs your Open Source project correctly licensed? When I was thinking about my open source projects I remember I was shocked. They probably haven’t been correctly licensed (they were in the end) What license you can use depends on the third party open source projects you use. But not only that, it depends on what links to what.
(Sorry for all the license typos :-)
Suppose I have two servers, one licensed under the Apache 2.0 license and one licensed under the GPL. And the GPL version uses the Alfresco GPL CIFS server, no problem. I can mix those licenses in my project and use the GPLed Alfresco server, although parts of my project are Apache 2.0 (the first server). But when my Apache 2.0 server directly uses the GPL Alfresco server, I’m no longer allowed to distribute my project with the GPL Alfresco code because I violate their license.
To prevent problems some people do license audits by looking at the Java code in the repository, the imports and then looking at the dependent libraries and their licenses. Reposita will have this feature soon. Maven is working on it by analysing dependencies. But in the end it depends on what code is calling what code, not what code is packaged with what library, or what code imports what code (some people claim a Java import equals linking though) or what license files might be packaged with the project.
So we need a way to annotate code with the license it has, so we can at runtime - for example with aspects - check if Apache 2.0 code directly calls GPL code. Then we’re in trouble.
Java 5 to the rescue. With Java 5 Sun introduced annotations. We now can write a @License annotation and annotate our code with the @License() annotation.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE})
public @interface License {
String name();
String version();
}
Annotating our code like this:
@License(name = "Apache",version = "2.0")
public class Example {
public void doWhatever() { ... }
}
helps us in the end to determine the license of the code programmatically. Either by wrapping method calls in aspects and checking the license of the caller and the callee or for example by checking all classes in a jar. The first example could be used during a QA test or during code audits. The aspects then would be removed for deployment. The second variant works great for license audits, merger and acquisitions, new projects, open source projects etc. This would enable us to more directly audit classes, code and their license and not depend on the JavaDoc license header (where sometimes the JavaDoc or license header gives the wrong information, because the license has changed several times).
For this to work most open source projects need to annotate their code though ;-) I guess we need a JSR and some standard annotations and conventions to make this work for all.
Thanks for listening.
Update: Some Feedback: analysing import does not help. With more and more dependency injection (Spring XML, Guice annotations) there is no longer an import relationship between your code and the third party code. License violations can then only be determined at runtime.
5 Responses to “@License(name = “Apache”,version = “2.0″) annotations and GPL”
- 1 Pingback on Nov 4th, 2007 at 5:42 am
the annotation would be good at package level I think. Except that’s not a java feature.
Also, it is possible to use GPL in a GPL-incompatible app provided it is done so through an API that is mutually compatible. Remember the MIT licensed SAX API? You still have to distribute source for the gpl bit, but the rest can be non-gpl. The creation of the api cannot be a gratuitous refactor of an existing library solely fir the purpose of getting out of a license situation. Sax was a weird API…
Lastly, guice (and picocontainer) are different to spring for the most part. The former do depend on imported classes. The latter prefers XML markup. XML markup ain’t a way round gpl rules though. At least not without reading the supporting notes to the gpl 100 times.
“Except that’s not a java feature.” ? Package level annotations? I thought package level annotations can be done with package-info.java and @Target({ElementType.PACKAGE}) (My IDEA tells me that this is possible). So you could annotate licenses at the package level.
Yes, mixing licenses is possible, but needs a lot of attention to do it right. Radeox for example has a Apache 2.0 core and some BSD APIs.
And yes, XML might not be away around GPL. But it can be. But as with mixing licenses, this is a tricky question and there are different opinions.
And considering Guice: I’m not sure what using annotations, or annotating clases with your licensed annotations really means in the context of “linking”. Noone has thought that through I think.
that package-info.java thing would be a neat trick. Something similar could work for copyright. When coding pico2’s annotation support, I looked at directly supporting guice’s @inject. Theres some weirdness in respect of the classpath - getAnnotations() will alwaysvcome back with a result even if there were classdefs for annotations missing from the classpath. The resulting set of annoations for a member/etc would silently omit those for missing classdefs. Thus @license and @copyright could be added to jdk7 and sorta work for jars aimed at jdk5 as long as @since was ommitted for those new annotations.
Guice/pico and the new by-class-def side of Spring - almost certainly gpl entangled by virtue of import :-(
On a case by case basis of course.
I guess the same for copyright would be a good idea. A container could know about licenses and issue a warning when injecting incompatible stuff. This would make some managers in companies happy.