Plugin Licenses


Gavin Mogan

Apr 22, 2020, 7:55:15 PM
to Jenkins Developers
So on the docs sig gitter channel we started talking about surfacing more data (like number of issues) on the plugins website, and after looking at other examples, especially NPM, I started to think about plugin licenses.

Our plugin docs say unless otherwise stated, plugins are MIT license.


Clearly identify the license(s) which applies to your plugin:
Licensing is really important when it comes to contributing code. As such, we encourage you to follow one or several of the following practices:
(1) Add a license header at the top of each of your source code files;
(2) Add a LICENSE file at the root of your Maven project;
(3) Fill the <licenses> section of your POM.
If nothing is defined, your code will be assumed to fall under the MIT license terms.

So I started to hack something together to gather the info to see if it's at all useful.


I didn't do deep analysis, just eyeballed the results. For the most part, it's MIT (explicit or not), Apache 2.0, or GNU, though 2 concern me:

[NOTMIT] ci-with-toad-devops-toolkit -  Continuous Integration with Toad DevOps Toolkit License Agreement
[NOTMIT] ci-with-toad-edge -  Continuous Integration with Toad Edge License Agreement

So my question is.

1) Is there any point in exposing this information, mostly for plugin site, but maybe update center. Would it matter to you?
2) Do we want to somehow prevent plugins licensed under non standard open source licenses from being uploaded to the public update center?

Gavin


Daniel Beck

Apr 23, 2020, 7:51:35 AM
to jenkin...@googlegroups.com


> On 23. Apr 2020, at 01:54, 'Gavin Mogan' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
>
> [NOTMIT] ci-with-toad-devops-toolkit - Continuous Integration with Toad DevOps Toolkit License Agreement
> [NOTMIT] ci-with-toad-edge - Continuous Integration with Toad Edge License Agreement

Interesting.

https://github.com/jenkinsci/ci-with-toad-edge-plugin/blob/master/LICENSE
https://github.com/jenkinsci/ci-with-toad-devops-toolkit-plugin/blob/master/LICENSE

It's a modified 3-clause BSD license with an additional clause clarifying trademark use.

I do not know whether that violates https://jenkins.io/project/governance/#license but I would guess so.

> 2) Do we want to somehow prevent plugins licensed under non standard open source licenses from being uploaded to the public update center?

Isn't possible with hosted Artifactory (at least as of ~2 years ago), we can only identify them and suspend distribution after the fact.

Robert Reeves

Apr 23, 2020, 9:27:24 AM
to jenkin...@googlegroups.com

>It's a modified 3-clause BSD license with an additional clause clarifying trademark use.

We have a registered trademark for Liquibase and we use Apache 2.0. They should update it or have the plugin removed.

Gavin Mogan

Apr 23, 2020, 1:55:18 PM
to Jenkins Developers
> Isn't possible with hosted Artifactory (at least as of ~2 years ago), we can only identify them and suspend distribution after the fact.

Since I used update center to generate this, this is something that could be built into update center. Since we have the whitelisted list on the governance page, we can just make a property file that has a whitelisted list.

> They should update it or have the plugin removed.

The two I listed haven't been updated in 2+ years. I suspect a lot of the bad ones won't be touched unless they get in jail.

I just found the data interesting. I may ask the users list to see if exposing license data on the plugin site is useful.

Gavin


Daniel Beck

Apr 24, 2020, 6:33:10 AM
to Jenkins Developers


> On 23. Apr 2020, at 15:27, Robert Reeves <r...@datical.com> wrote:
>
> They should update it or have the plugin removed.

FYI https://github.com/jenkins-infra/update-center2/pull/371

Oleg Nenashev

Apr 24, 2020, 6:54:01 AM
to Jenkins Developers
+1 for immediate depublishing. Usage of non-OSI licenses in plugins potentially causes legal risks for Jenkins users.

Maybe we should also start forcing an explicit license specification in pom.xml and LICENSE for future plugin POM versions (5.0?). It has been discussed a few times in the previous years, but IIRC we did not add mandatory checks.

Baptiste Mathus

Apr 24, 2020, 9:26:22 AM
to jenkin...@googlegroups.com
Agreed. It's never been clarified enough. 

And this is a problem, because contrary to what we can read sometimes, the default license is proprietary, not OSS.


Slide

Apr 24, 2020, 9:31:57 AM
to jenkin...@googlegroups.com
I generally check the license during hosting request review. I could add something to the automated checker that I use to check the LICENSE and/or the pom.xml

James Nord

Apr 27, 2020, 4:31:56 AM
to Jenkins Developers
The license in the pom only refers to source code in that repo, not the plugin.

The plugin can include many dependencies that are licensed differently (which is why the about page for a plugin shows much more than the top level license for a plugin).

Also I hate to say it but those pesky JavaScript libraries....

Oleg Nenashev

Apr 27, 2020, 4:47:07 AM
to JenkinsCI Developers
Well, we cannot have an ideal solution. IMO plugin maintainers are responsible for ensuring that the plugins they ship are compliant with the license requirements of the dependencies they include.
Some developer tooling would be great, but just imagine GPL or Zero-prosperity license included in a supposedly-MIT component.

What we definitely need is to document our license requirements in https://www.jenkins.io/doc/developer and to explicitly state that the Jenkins Hosting team reserves the right to immediately depublish plugins with severe license violations.

BR, Oleg


--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/-KprgkVIDpQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/a7b2e0ec-1f22-4a54-aab5-25cc5180cb8f%40googlegroups.com.

Daniel Beck

Apr 27, 2020, 5:18:48 AM
to Jenkins Developers


> On 27. Apr 2020, at 10:46, Oleg Nenashev <o.v.ne...@gmail.com> wrote:
>
> What we definitely need is do document our license requirements in https://www.jenkins.io/doc/developer

https://www.jenkins.io/doc/developer/publishing/preparation/#license is very clear about this, and is linked as the first preparation step from the "Guide to Plugin Hosting".

https://www.jenkins.io/doc/developer/publishing/source-code-hosting/ mentions it as well.

James Nord

Apr 28, 2020, 3:02:55 PM
to Jenkins Developers
> Well, we cannot have an ideal solution.


iff you use the maven plugin-pom as your parent then we do correctly record licenses for the plugin including maven transitive dependencies.

we do not track javascript libs yet - but if any tooling looked at the plugin's hpi licenses.xml (plugin.hpi!/WEB-INF/licenses.xml) rather than the pom.xml then this info is available today (and when javascript is correctly handled it would be done for free).

Now I have no idea what the gradle and other builders do (but it is probably not this)

/James


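The two ideas above, Gavin's allowlist check driven by a property file in the update center and James's point that the shipped plugin.hpi!/WEB-INF/licenses.xml (not the repo pom.xml) is what records the licenses of bundled dependencies, combined in one offline checker. This is an added example and not code from the thread, from update-center2 or from the Jenkins project. Its assumptions: the element layout of licenses.xml below only approximates what the maven-hpi-plugin build writes, so the parser relies solely on elements whose local name is "license" carrying a "name" attribute or a "name" child, which makes it tolerant of namespaces and of both the POM and licenses.xml layouts; the allowlist is a placeholder standing in for the governance page's list; the sample .hpi files are constructed in memory.

```python
"""Check the license metadata a Jenkins plugin .hpi actually carries against an allowlist.

Added example; not code from the thread or from the Jenkins project. The
licenses.xml layout, the allowlist and the sample plugins are assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Placeholder allowlist (assumption): normalized names the check accepts.
# The authoritative list lives on the Jenkins governance page, not here.
ALLOWED_LICENSES = {
    "mit license",
    "apache license version 2.0",
    "bsd 3 clause license",
}


def normalize(name):
    """Lower-case, collapse punctuation/whitespace and drop a leading 'the ',
    so 'The MIT License' and 'MIT License' compare equal."""
    name = re.sub(r"[^a-z0-9.]+", " ", name.lower()).strip()
    return name[4:] if name.startswith("the ") else name


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def license_names(xml_bytes):
    """Every <license> element's name, whether given as an attribute (licenses.xml
    style) or as a <name> child (POM style). Namespace-agnostic by design."""
    names = []
    for el in ET.fromstring(xml_bytes).iter():
        if local(el.tag) != "license":
            continue
        name = el.get("name")
        if name is None:
            child = next((c for c in el if local(c.tag) == "name"), None)
            name = child.text if child is not None else None
        if name and name.strip():
            names.append(name.strip())
    return names


def declared_licenses(hpi_bytes):
    """Map each license-bearing file inside the .hpi (a zip) to the names it declares:
    the embedded Maven POM and WEB-INF/licenses.xml, which also covers bundled deps."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(hpi_bytes)) as z:
        for info in z.infolist():
            p = info.filename
            is_pom = p.startswith("META-INF/maven/") and p.endswith("/pom.xml")
            if is_pom or p == "WEB-INF/licenses.xml":
                found[p] = license_names(z.read(p))
    return found


def check_plugin(hpi_bytes, allowed=ALLOWED_LICENSES):
    """Sorted list of declared license names outside the allowlist; a plugin that
    declares nothing at all is reported too rather than silently assumed MIT."""
    names = {n for ns in declared_licenses(hpi_bytes).values() for n in ns}
    if not names:
        return ["no license declared in pom.xml or WEB-INF/licenses.xml"]
    return sorted(n for n in names if normalize(n) not in allowed)


def build_sample_hpi(plugin_license, dependency_licenses):
    """Constructed .hpi for the demo: a POM with an optional <licenses> block plus a
    licenses.xml listing bundled dependencies (layout is an assumption)."""
    pom_licenses = (
        f"<licenses><license><name>{plugin_license}</name></license></licenses>"
        if plugin_license else ""
    )
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
           f"<artifactId>example-plugin</artifactId>{pom_licenses}</project>")
    deps = "".join(
        f'<l:dependency artifactId="dep{i}"><l:license name="{lic}"/></l:dependency>'
        for i, lic in enumerate(dependency_licenses))
    licenses_xml = f'<l:dependencies xmlns:l="licenses">{deps}</l:dependencies>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.example/example-plugin/pom.xml", pom)
        z.writestr("WEB-INF/licenses.xml", licenses_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # A plugin whose own POM is fine but which bundles a GPL dependency:
    # the POM alone would pass, licenses.xml is what surfaces the problem.
    sample = build_sample_hpi("BSD 3-Clause License", ["GNU General Public License v3"])
    for path, names in declared_licenses(sample).items():
        print(path, names)
    print("findings:", check_plugin(sample))
```

Run it against a real .hpi by passing the file's bytes to check_plugin; the POM-only report Gavin describes corresponds to skipping the WEB-INF/licenses.xml branch in declared_licenses. Note that, as James says, JavaScript libraries copied into the plugin are not recorded in either file, so an empty findings list does not prove the bundle is clean.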

Gavin Mogan

Apr 28, 2020, 3:07:36 PM
to Jenkins Developers
> we do not track javascript libs yet - but if any tooling looked at the plugin's hpi licenses.xml (plugin.hpi!/WEB-INF/licenses.xml) rather than the pom.xml then this info is available today (and when javascript is correctly handled it would be done for free).

My initial report was just pom.xml because I was having trouble pulling in random files, and I was curious, not wanting to do actual implementation yet.
