Last Chance To Register: Insight for CI Demo
Join Brian Fox tomorrow, Wednesday, May 23 at 11AM EDT or 2PM EDT (GMT-0400) for a 30 minute tour of Insight for CI. In this demo, Brian will show how Insight for CI will help you:
- Generate a detailed bill of materials for every build in Hudson and Jenkins.
- Find and fix license, security and quality problems quickly.
- Set rules to notify you of problems, fail builds, or establish workflows.
If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.
Two sessions are available tomorrow, Wednesday, May 23.
Insight for CI Demo: Additional Session Added

Due to high demand, we have added a second webinar presentation next Wednesday at 2PM EDT (GMT-0400) to accommodate multiple time zones. Here are the details for the presentation:
Join Brian Fox this Wednesday, May 23 at 11AM EDT or 2PM EDT (GMT-0400) for a 30 minute tour of Insight for CI. In this demo, Brian will show how Insight for CI will help you:
- Generate a detailed bill of materials for every build in Hudson and Jenkins.
- Find and fix license, security and quality problems quickly.
- Set rules to notify you of problems, fail builds, or establish workflows.
If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.
Two sessions are now available on Wednesday, May 23.
When Licenses Meet Reality, the Result is Often Confusing
One of my responsibilities at Sonatype is creating the pages that communicate licensing and security information in Nexus Professional and Insight for CI. We have a large team that is responsible for these pages and making sure that we’re providing accurate information. You would be surprised at the number of interesting edge cases that we identify in the process of scanning 400,000+ artifacts in Central. From invalid licenses to exotic, one-off licenses that include odd requirements, everyone who works on this team has had to become an expert in OSS licensing.
The following post about Meteor, a new, Node.js-based approach to building web applications backed by MongoDB, got my attention because it highlights some of the tricky integration issues we’ve had to think about when coming up with hypothetical use cases for Insight. Here’s a quote that captures the complex relationship between Meteor, originally a GPL-licensed JavaScript library, and an Apache-licensed library used to access MongoDB:
From Olov Lassus’s popular blog post “Meteor meets NoGPL”
“The copyleft (viral, contaminating, whatever you want to call it) aspect of GPL is tricky. Take MongoDB as an example. Meteor uses it by importing the node-mongodb-native package (require('mongodb')). That one is Apache 2.0 licensed, which is a permissive license that happens not to be compatible with Meteor’s GPL (v2) license, at least not according to the FSF. Tricky. Dependency chains, bindings between JS ↔ C and RPC makes it trickier even. I wouldn’t be surprised to see Meteor change to a GPL + a-bunch-of-OSS-exceptions license similar to what Qt and MySQL used to have, to avoid issues like this.”
Don’t get me wrong, I’m not questioning the Meteor team’s right to choose whatever license they want, but I noticed this post because these are the kinds of relationships that we’ve been trying to sort out between different libraries in Central. We’ve encountered libraries that advertise themselves as BSD-style licensed but end up requiring dependencies on GPL components. This highlights the problem of licensing intent versus licensing reality. Just because a particular component is licensed under a particular license doesn’t mean you can actually use it under the terms of that license.
There has been lots of activity on Olov Lassus’s Twitter feed and many opinions in the Hacker News threads. This one was good about the ambiguity of the GPL w.r.t. derivative works.
Note: Meteor has since changed the license to MIT, which makes this very interesting project that much more compelling to a wider audience.
How does Insight handle conflicting OSS licenses?
As we’ve been busy building out the Insight product line we’ve spent significant time considering the issues associated with “conflicting” and “invalid” licenses — licenses which upon consumption preclude further redistribution without being in violation of the licensing terms. Conflicting (or incompatible) licenses are problematic for development organizations using open source software as there is no effective way to consume and then redistribute the software (or derivative work). You simply cannot combine GPL and EPL 1.0, for example, because it is not possible to maintain compliance with all licensing obligations specified by both under any licensing construct upon further distribution. EPL cannot be consumed within GPL and vice versa. See http://www.gnu.org/licenses/license-list.html#EPL for additional information.

If you consume both EPL and GPL in a Maven POM or another build, and then you subsequently ship that software, you would not be able to satisfy your obligations as a distributor and would therefore be in violation of one or both of the licenses. As developers, we have enough to worry about already. This is a job best done by the tools we use — in this case Insight for CI and Nexus Professional. Depending on your circumstances, having your CI system alert upon detecting incompatible licensing constructs at build time reduces risk and costs by catching problems early in the development lifecycle.
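An added example, not Sonatype's code and not a description of how Insight works: a minimal build-time gate that walks a bill of materials transitively and fails when two licenses named above as incompatible are both reachable from the artifact being shipped. The artifact names, license labels and sample dependency graph are constructed assumptions, and the pair list holds only the two conflicts mentioned on this page.

```python
from collections import deque

# Only the pairs this page names: GPL with EPL 1.0, and GPL v2 with
# Apache 2.0 (per the FSF, as quoted). Not a full compatibility matrix.
INCOMPATIBLE = {
    frozenset({"GPL-2.0", "EPL-1.0"}),
    frozenset({"GPL-2.0", "Apache-2.0"}),
}

# Constructed bill of materials: artifact -> (declared license, direct deps).
# Every artifact name here is hypothetical.
BOM = {
    "com.example:app": ("BSD-3-Clause", ["com.example:charts", "com.example:ide-plugin"]),
    "com.example:charts": ("BSD-3-Clause", ["com.example:render-core"]),
    "com.example:render-core": ("GPL-2.0", []),
    "com.example:ide-plugin": ("EPL-1.0", ["com.example:util"]),
    "com.example:util": ("MIT", []),
}

def license_paths(bom, root):
    """Breadth-first walk; map each reachable license to its shortest path."""
    found, seen, queue = {}, {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        lic, deps = bom[path[-1]]
        found.setdefault(lic, path)
        for dep in deps:
            if dep not in seen:  # guards against cycles and repeat visits
                seen.add(dep)
                queue.append(path + [dep])
    return found

def find_conflicts(bom, root, incompatible=INCOMPATIBLE):
    """Return (license_a, path_a, license_b, path_b) per conflicting pair."""
    paths = license_paths(bom, root)
    conflicts = []
    for pair in incompatible:
        if pair.issubset(paths):
            a, b = sorted(pair)
            conflicts.append((a, paths[a], b, paths[b]))
    return sorted(conflicts)

def check_build(bom, root):
    """CI gate: print each conflict with its dependency chains; 1 fails the build."""
    conflicts = find_conflicts(bom, root)
    for a, path_a, b, path_b in conflicts:
        print(f"CONFLICT {a} vs {b}")
        print("  " + " -> ".join(path_a))
        print("  " + " -> ".join(path_b))
    return 1 if conflicts else 0

if __name__ == "__main__":
    raise SystemExit(check_build(BOM, "com.example:app"))
```

Note that the hypothetical charts artifact declares a BSD-style license yet pulls in a GPL component, the intent-versus-reality gap described earlier; the walk surfaces it because it inspects the whole dependency chain, not just declared licenses.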
New Webinar: Gain Visibility & Control At Build Time with Insight for CI
Join Brian Fox Wednesday, May 23 at 11AM EDT (GMT-0400) for a 30 minute tour of our latest innovation, Insight for CI. Brian will show you how Insight for CI will help you:
- Gain visibility and control at build time in Hudson and Jenkins.
- Find and fix license, security and quality problems quickly.
- Set rules to notify you of problems or to fail builds.
If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.