JakartaPOIAudits/20030205

Auditor: AndrewCOliver
Project: POI

Although it's not official, I'm more or less the de facto current member in charge of Jakarta POI.

Because there seem to be questions on a number of projects as to their license usage, I thought it would be nice for me to go and audit POI voluntarily. Although I do not like such issues as licenses and other things, I realize that staying legitimate affects you, my peers, and all of Apache, and I do this as a service to protect myself as well as all of you (you're welcome).

The Jakarta POI project uses the following:

under various subdirs of /lib

  1. Commons Logging * (http://jakarta.apache.org/commons/logging.html) ASL
  2. log4j * (http://jakarta.apache.org/log4j) ASL
  3. Xalan 2.2 ** (http://xml.apache.org/xalan) ASL
  4. Xerces 2.2 ** (http://xml.apache.org/xerces) ASL

Although the following are not required for POI, they are used/provided by Centipede (http://krysalis.org/centipede) at build time and for generating our site:

under /tools/cents

  1. Primarily these are Centipede tools; I am not delineating those as they are just part of Centipede

[gstein: what's the license for Centipede? it isn't stated on this page...] Krysalis says ASL

2. checkstyle - LGPL (http://checkstyle.sourceforge.net/) - I was unaware of this before the audit. Apparently Centipede uses this to produce this: http://jakarta.apache.org/poi/metrics/checkstyle/ - I do not personally find checkstyle useful but other developers on the project (namely Nicola Ken) do.

It is my personal understanding that this is acceptable provided that POI does not directly reference them, nor does the jar include or require them. I would like direction from the board on whether the use of build tools which use LGPL is OK (POI itself does not use LGPL). If the board requests, I will disable the use of checkstyle (which will make Nicola Ken cry). Also I would like guidance on whether just leaving it out of our CVS repository and letting it be downloaded at build time is fine. (It is the build and not POI which is using it.)

[gstein: LGPL build tools should be totally fine. Heck, we use gcc (GPL'd) to build Apache httpd.]

3. javasrc - NO LICENSE (public domain) - (http://home.austin.rr.com/kjohnston/javasrc.htm)

[gstein: where is the statement that this is public domain? "no license" means no rights.]

4. jdepend - BSD - (http://www.clarkware.com/software/JDepend.html)

5. junit - IBM CPL - (http://www.opensource.org/licenses/ibmpl.php)

6. umldoclet - Public Domain - (http://objectclub.esm.co.jp/uml-doclet/README)

  • loaded optionally via some JVM parameters
    • used for centipede and XML->Java record (value object of sorts) generation in the build

In summary, there are no controversial licensing issues for the Jakarta POI project itself. The only area of question is whether Centipede's use of LGPL libraries and POI's use of Centipede as a build tool constitutes a problem. We are eager to resolve this in the event the board sees this as a problem. It is our preference to continue using checkstyle unless there is an actual legal issue.

[gstein: as long as the build tool's license does not infect the build results, then we're fine. Note that gcc's license has an explicit comment that its GPL license does not apply to the build results. Tools that we use to build would hopefully have the same exception. But I don't see that our use of a tool would imply that our code is a derivative work and, thus, subject to that tool's copyright and license.]

I appreciate your time and consideration in reviewing this audit. Because I value your time, I will keep this on the wiki and provide updates. You may find them here:

http://wiki.apache.org/old/JakartaPOIAudits


Note: It was answered by board member Sam Ruby that it is totally acceptable for POI to use LGPL code in its build; however, storing LGPL code in the CVS repository was against Apache policy. Therefore it was removed and is automatically downloaded ONLY if it is needed, for instance to run the "checkstyle". It will only be a problem for those running the old build (it will be automatically downloaded regardless), but this isn't a legal concern, and anyone who has a problem with that just needs to use the new build (smile), as the old one will be deleted soon anyhow.
