Details

    • Number of attachments :
      0

      Description

      Chris - please make sure no releases go out until these issues have been settled and a more complete ip check has been done.

      I'm marked this as blocker.
      (Follow up from email list)

      ----------------------------------------------------------------
      I've been thinking about IP issues the last few days, and did a very quick
      review of parts of geoserver. I found a few issues - I'm sure there are
      others.

      I'm making a jira task with this in it and marking it as "blocking" until
      the issues have been addressed. I'll also put this in the wiki so people
      can add/subtract/update:

      http://docs.codehaus.org/display/GEOS/IP+Issues

      Most of issues I found were with the Image Format writers (thats where I
      looked the most). The nice thing is that Simone and Alessio have a nice
      GIF and PNG writer (based on JAI) in the WCS branch that should be very
      easy to integrate into the main geoserver code (until its properly in
      geotools). I'm quite sure they'll help. See
      IMGCoverageResponseDelegate.java (in the WCS geoserver branch) and
      WorldImageWriter (in the geotools coverage_branch plugin/image). I highly
      recommend this route as this code is maintained and tested by them and
      there should be no IP issues with it (assuming that the JAI jars are
      redistributable – see below).

      The other issues were mostly ensuring that geoserver is living up to the
      license of the tools being used (be they jars, html, datasets, etc...).

      ================================================================

      Image Writer Issues
      -------------------

      a) GIFOutputStream.java in
      GEOS\src\org\vfny\geoserver\wms\responses\map\gif\

      This is used by the GIFLegendGraphicProducer, and has been in geoserver
      for a long time. Unfortunately, its license (see the top of the file):

      -----------------------------------
      Copyright (c) 2000, 2001 by [...]

      This code is free for public use in any non-commercial application. All
      other uses are restricted without prior consent of the author, [...].
      The author assumes no liability for the suitability of this
      code in any application.
      -------------------------------------

      This is clearly a problem - its incompatible with GPL. At the very least
      geoserver need to stop distributing this immediately. I believe this is
      one of the most serious issues I found.

      b) PNG Writer (GEOS\src\org\vfny\geoserver\wms\responses\map\png)

      home page: http://www.catcode.com/pngencoder/

      This is LGPL code, so it shouldnt really be in actually inside
      geoserver. I recommend deleting it and use the GCE's WorldImageWriter or put it in
      its own jar.

      c) GIF Writer # 2 (GEOS\src\org\vfny\geoserver\wms\responses\map\gif)

      This is actually two things:
      a) colour reduction (NeuQuant.java)
      b) GIF writer (rest of the code in that directory) homepage: http://jmge.net/java/gifenc/

      The licenses are a bit complicated.

      NeuQuant.java's file says (see the actual header for more details):
      --------------------------
      ...
      <reference to an academic paper>
      ...
      Any party obtaining a copy of these files from the author, directly
      or indirectly, is granted, free of charge, a full and unrestricted
      irrevocable, world-wide, paid up, royalty-free, nonexclusive right and license
      to deal in this software and documentation files (the "Software"),
      including without limitation the rights to use, copy, modify, merge, publish,
      distribute, sublicense, and/or sell copies of the Software, and to permit persons who
      receive copies from any such party to do so, with the only requirement
      being that this copyright notice remain intact.
      ---------------------------

      The actual GIF code is licensed in two parts:
      i) J. M. G. Elliott's changes:
      --------------------------------
      As for my part of the code, I hereby release it, on a strictly "as
      is" basis, to the public domain.
      --------------------------------
      ii) original license for Jef Poskanzer's GifEncoder.java which
      Gif89Encoder is based on:
      --------------------------------
      // Copyright (C) 1996 by Jef Poskanzer <jef@acme.com>. All rights
      reserved.
      //
      // Redistribution and use in source and binary forms, with or without
      // modification, are permitted provided that the following conditions
      // are met:
      // 1. Redistributions of source code must retain the above copyright
      // notice, this list of conditions and the following disclaimer.
      // 2. Redistributions in binary form must reproduce the above copyright
      // notice, this list of conditions and the following disclaimer in the
      // documentation and/or other materials provided with the distribution.
      //
      // THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
      // ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      // ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
      // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      // OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      // OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      // SUCH DAMAGE.
      --------------------------------

      I've modified the GIF writer so it produces good results, but I
      wouldnt call it "perfect". I recommend it all be deleted, give them credit
      on the website for using it in the past, and replace it all with the GCE's
      WorldImageWriter. If its decided to be kept, then (at least) the
      copyright and disclaimer needs to be added to the documentation and binary
      (see license above) and moved it to its own jar.

      d. basic.java (GEOS\src\org\vfny\geoserver\wms\responses\map\gif)

      This appears to be PostgreSQL JDBC test code! It wasnt being used by
      anything. I have no idea how it got there! I've deleted it; it has to be
      ensured that it doesnt somehow find its way back in! (Postgresql, I
      believe, is BSD-licensed)

      SUMMARY - remove all the old image writer code, and use the GCE's WorldImageWriter.
      Or, make sure all the licenses are properly adhered to.

      ==========================================================================

      JARS


      There are a bunch of jars being re-distributing. Some of these jars have
      binary re-distribution licences that I'm not sure are actually being
      living up to. For example, Jetty and Xerces both have licenses that say:

      ---------------
      ...
      4 (a) You must give any other recipients of the Work or Derivative
      Works a copy of this License; and
      ...
      ---------------

      And I couldn't find a copy of the license in our distribution. The
      licenses have other sipulations.

      Also note that there is actual Jetty source code (I believe its a modified
      artistic (or apache) license) inside the geoserver archive, which makes it
      bit confusing as to what our license is.

      ALL THE JARS MUST BE CHECKED TO SEE WHAT THE REQUIREMENTS ARE FOR RE-DISTRIBUTION.

      They also should be check to see if they're compatible with a GPL/LGPL
      licensed project (and visa-versa).

      Dont forget to check to see if the JAI jars (based on the JAI-open-source-
      project) are okay to re-distribute. If not, they need to be removed and
      tell everyone to install JAI from sun (which will almost certainly be
      needed when the WCS branch merges in since it is heavily JAI based and
      will be much better with the "native" code instead of the 100% java jars).

      Source Code
      -----------
      At the very least, a quick check of the source files to see if all the
      files have the appropriate (c) copyright/license headers on them. Files
      that don't would alert indicate high-priority places to check. A more
      indepth evaluation is probably required.

      Also note that the files are (c) TOPP, but I'm not sure what the ownership
      is for patches applied and bug reports/suggestions from the mailing list.
      Dont know if this is an issue or not.

      CITE/Demo/Config
      ----------------
      There's a lot of "stuff" in the configuration directories (ie. cite/
      schemas/ data_dirs/). These need to be checked to see if these are okay
      to re-distribute [modified] versions of them. There's OGC .xsd files
      (some have been modified with vender specific options + <InlineFeature>),
      some mapbuilder demos, html files, and some datasets.

      Someone needs to actually check these and make sure that there's no IP
      concerns. This is especially true for the datasets. Often times the
      license for the datasets at least requires some type of acknowledgement
      (or (c) copyright statement).

      [sigma] Demo Site
      -----------------
      Before the demo site goes live, the license of the datasets must be check
      to ensure that the license is being aheared to (see above). This probably
      means adding some type of acknowledgement/copyright statements. Some of
      VMAP0 is for non-commerical use only. I'm not sure how you do this for
      WMS/WFS access to the datasets (at the very least put the notices in the
      GetCapabilities document and in the html).

      Also note that the data-load instructions in the wiki have programs which are
      mini-distributions of geotools. They have geotools-required .jars in them which
      may require the addition of licenses (etc...) with them. (See "JARS", above).

      Geotools
      --------
      There's been a few possible cases of Geotools accidently including code
      from sun's included-with-the-sdk source - and I'm sure other issues will
      be found. These have, apparently, been fixed. I dont know what the
      implication are for re-distributing the old copies inside geoserver.

      Redistributing old copies
      -------------------------
      As above, I dont know what to do about re-distributing old copies of
      geoserver that might have IP issues.

      I dont mean to cause anyone panic, and I dont think going through all the
      above is a lot of work. But, it needs to be done.

      dave

        Activity

          People

          • Assignee:
            Chris Holmes
            Reporter:
            dblasby
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: