
The Apache License Suits Chinese People Better


The Apache License suits Chinese people better: formally taking up Wayne Grant's challenge

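A long time ago I started writing some security-related plugins. Since I use Eclipse, Eclipse plugins themselves seemed very helpful to me; while doing plugin development I was only writing some very simple utility classes based on BouncyCastle. One day I came across Portecle, a fork of KeytoolGUI. I found its functionality much the same as that of KeyStore 2.4, and the copyright notice shows that Wayne Grant has not taken part in any development of this software since 2004.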
Copyright © 2004 Wayne Grant
            2004 Mark Majczyk
            2004-2005 Ville Skyttä
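I set about writing a security plugin named SecureX on the basis of Portecle and KeytoolGUI. Portecle and KeytoolGUI are based on Swing; I wrote an SWT user interface that looks almost the same as theirs (with enhancements in quite a few places, of course). I do not want to release this Eclipse plugin under the copyright terms above, and I have two reasons:

First, SecureX will not only integrate the KeytoolGUI certificate management module but will also integrate signing, encryption and other modules. That way, when we develop UI applications in the future, our open source team can develop in parallel; as long as we follow the Eclipse RCP specification, we will have no integration problems at all.
Second, SecureX does not want to use the GPL but wants to use the Apache License. However, Wayne Grant has warned me repeatedly that if I relicense (use his code in SecureX and put SecureX under the Apache License), he will take legal action against me. In fact, the biggest difference between the GPL and the Apache License is that the GPL requires modified code to comply with the GPL as well. In other words, if I gave in to Wayne and put SecureX under the GPL, other people would be unable to use SecureX commercially unless they committed to putting their commercial software under the GPL. Do you think that is likely? :) By comparison, the Apache License is freer: it stresses that people who use the source code do not need to publish their own (modified) source code. That is, if SecureX uses the Apache License, SecureX users can modify it however they like and can choose to release their own work as source code or as binaries (the only thing they need to do is state in their work that it uses SecureX code).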

The first time I emailed Wayne to invite him, his reply was as follows:

Hello David,

Some guidance for you.

I have copyright over KeyTool GUI.  You therefore cannot call your
application "KeyTool GUI" or anything similar.  Lazgo Software has copyright
and trademark over "KeyStore Explorer" so you cannot call it that either.

KeyTool GUI is GPL software.  If your application contains code from KeyTool
GUI then your application as a whole must obey the GPL license.  This means
that you must release your own code as GPL and not under any other license
terms.  The headers in the existing code must be left how you found them -
that is with the GPL license and my copyright intact.

I have no wish to be listed as author of your application.  Simply state on
your web site and in the application that your application is based on a
fork of KeyTool GUI of which I am the copyright owner.  For an example see
the Portecle web site (http://portecle.sourceforge.net/) - Portecle is
similar to your app in that it is a fork of KeyTool GUI.

Let me know if you have any questions.

- Wayne.

----------------------------------

Dear Wayne Grant:
   I've written a Keytool Eclipse Plugin which supports most features of KeyStore 2.4.
   As you know, KeyStore 2.4 is written in Swing. I rewrote your application in SWT.
So that it has a native look and more, I integrate my XML signature module in this
application.
   For more info, see
http://dev2dev.bea.com.cn/bbs/thread.jspa?forumID=29304&threadID=31955&tstart=0
   And I will publish this Eclipse Plugin in the next two weeks. Because Wayne Grant
is the first author of this software, I plan to use his name as first author and mine
as the second author. Will this be reasonable?
   Any advice would be greatly appreciated.


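Wayne's aim was simple: he required that I not use Keytool GUI, KeyStore Explorer or any similar name, and he required that I use the GPL license. I was very unhappy with the latter, so I wrote back to him stressing that I was asking to relicense away from the GPL. I knew that saying this was a bit like talking to a brick wall, because he was unlikely to authorize me to relicense.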

The shell is all written by me, and I will add signature and
watermark features to this software. I only use some
Util Classes of your KeyTool GUI such as KeyPairUtil, DigestUtil
and X509CertUtil etc., and of course, I will not change the code
and the header of them!

Feel at ease if I don't plan to abide by the GPL :)  I like the Apache
License only.

The new release of the SecureX Eclipse Plugin will all be free, but
I will open-source it in the next release because the code is too
bad :(

The beta SecureX plugin will be published next week, so if you have more
advice, please let me know.

     Regards,
David


Wayne's reply again put a lot of pressure on me. Unless I complied with the GPL, it seemed there was nothing I could do:

David,

>I only use some
>Util Classes of your KeyTool GUI such as KeyPairUtil, DigestUtil
>and X509CertUtil etc., and of course, I will not change the code
>and the header of them!
>
>Feel at ease if I don't plan to abide by the GPL :)  I like the Apache
>License only.

If an application contains GPL code then the whole application must be GPL.
Your choices are:

1) to not use any of KeyTool GUI code in your application
2) or to license your application through the GPL.

To do anything else will break the terms of the GPL license that protect
KeyTool GUI - you will be breaking the law.  You can check this for yourself
in the GPL license - http://www.gnu.org/licenses/gpl.html.  Section 2 b is
the relevant part:

"You must cause any work that you distribute or publish, that in whole or in
part contains or is derived from the Program or any part thereof, to be
licensed as a whole at no charge to all third parties under the terms of
this License."

Basically you are deriving something from KeyTool GUI code that is GPL -
even if you are only using a couple of files they are covered by the GPL
license and anything they are used for must also be GPL as a whole.

If you go ahead and use any KeyTool GUI code within your application and do not
license it as GPL then I will be forced to take action.  The reason I chose
GPL as the license was to protect it from being re-licensed.

>The new release of the SecureX Eclipse Plugin will all be free, but
>I will open-source it in the next release because the code is too
>bad :(

Again you cannot do this under the terms of the GPL - if you release a GPL
project then the source code must be available.  I believe the same applies
with Apache.

Get in touch if you have any questions.

Cheers,


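Since I would have to comply with the GPL, I could only learn Microsoft's dirty trick, imitation, and declare that I would rewrite all of his classes.
At the same time, I made clear that conditions in China differ from those in the USA, and that I am fully able to choose the Apache License and bypass
the authorization of the source code's creator (authorization for me to relicense).
My reply was as follows: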

Wayne:
>If you go ahead and use any KeyTool GUI code within your application and do not
>license it as GPL then I will be forced to take action.
I do think there must be some difference between countries, and when working in
the USA, the GPL should be respected, but what about in other countries that have no
law about the GPL :)

>The new release of the SecureX Eclipse Plugin will all be free, but
>I will open-source it in the next release because the code is too
>bad :(

What I mean is that I won't release source code related to your Keytool GUI
until I entirely rewrite your util classes (KeyPairUtil, DigestUtil and X509CertUtil).
Btw, I don't think KeyStore 2.X or 3.X can continue well when my free release of
SecureX upgrades to 2.0 (now it is 0.9, 1.0 in the next two weeks), in which I plan to integrate
more features.

Another question: Should the GPL prevent you from releasing KeyStore 2.4 from KeyTool GUI?

Wayne, take it easy, debate just promotes understanding and collaboration......


Can you tell me which ACTION you will take?

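Wayne's reply heartened me. He said that my planned work is limited to Eclipse and so is of little significance, and that neither Portecle
nor JKeyManager has surpassed his work, KeyStore Explorer. He admitted that my work would harm his commercial interests,
but said he would welcome the challenge. Finally, his position was just as sharp: the GPL cannot be changed, unless I do not use his code.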

David,

>I do think there must be some difference between countries, and when working
>in the USA, the GPL should be respected, but what about in other countries that
>have no law about the GPL :)


I don't want to get into a debate about software licenses and law.  Nobody
is going to sue you no matter what happens - it would serve no purpose.  All
I am asking is that you obey the existing software licenses for my code.  It
is GPL and therefore cannot be relicensed to anything else except by the
copyright holder - that is, me.  Others have created forks of the KeyTool
GUI source and respected this (for example see, Portecle).  I appreciate that
you have gotten in contact with me about what you are doing.  However, you
did ask for my advice and I have advised you not to break the existing
license.  GPL is still open source so why not use it?

> >The new release of the SecureX Eclipse Plugin will all be free, but
> >I will open-source it in the next release because the code is too
> >bad :(
>

>Btw, I don't think KeyStore 2.X or 3.X can continue well when my
>free release of SecureX upgrades to 2.0 (now it is 0.9, 1.0 in the next
>two weeks), in which I plan to integrate more features.

David, others have tried (Portecle, JKeyManager) and none have succeeded in
surpassing my latter work.  I wish you every success with your work but your
prediction of 90% coverage of features is an exaggeration even with your
planned work.  In addition you are limiting your audience by writing a
plug-in for Eclipse.  The bulk of my current users do not even know what
Java is far less Eclipse.  You will get many users I am sure but as for it
hurting my work - more mature efforts have failed.  I do honestly welcome
the challenge - it always inspires me to create new features :)

>Another question: Should the GPL prevent you from releasing KeyStore 2.4 from
>KeyTool GUI?

As I own the copyright to KeyTool GUI I can decide what license to release
it under.  It is my own work after all :)

>Wayne, take it easy, debate just promotes understanding and
>collaboration......

No problem - I will discuss this with you as long as you require.  I wish
you no ill will - I am simply attempting to protect my open source work.

>Can you tell me which ACTION you will take?

I hope to take no action.  I am happy for you to build on as much of my open
source work as you like.  I have had no problem with others building on the
old GUI and utility classes - but they did obey the license.  As you say you
only require the use of a couple of crypto utility classes.  All I require
is your agreement that you will license as GPL or not use my code.

I truly hope we can resolve this matter.

Talk to you soon.

Cheers,
- Wayne.


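Faced with Wayne's mix of soft and hard tactics, my wording may have been too harsh, and I personally may mind paid software too much, so I
began to hit back: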

Wayne,
     I do really have two worries:
     1. I hope software is free. The GPL's final objective is to make more software free, and
open source is just a measure. After you made KeyStore Explorer a branch from the
original KeyTool GUI, it was you who first did not follow the GPL, right? Of course, because
you are the author, you are the owner, and you'll authorize yourself not to
follow it.
     2. I checked out the Portecle project (http://portecle.sourceforge.net/) which you recommended,
and I started to agree with what you said:
-> David, others have tried (Portecle, JKeyManager) and none have succeeded in
-> surpassing my latter work.
     Portecle is just KeyTool GUI 1.7 with only jar signing added; few features are added. And
most important, it doesn't provide a native look. What does that mean? It means that when my OS is
using GBK, Portecle and KeyTool GUI 1.7 cannot display correctly.
     3. You say that:
-> In addition you are limiting your audience by writing a plug-in for Eclipse.
     I forgot to tell you that you are wrong: I am writing SecureX following the RCP standard
so that it can work as an Eclipse plugin or work standalone. That means I can let my audience use
SecureX even if they don't have Eclipse installed.
     Please check: http://wiki.eclipse.org/index.php/Rich_Client_Platform
     4. You suggested that
-> I hope to take no action.  I am happy for you to build on as much of my open
-> source work as you like.  I have had no problem with others building on the
-> old GUI and utility classes - but they did obey the license.  As you say you
-> only require the use of a couple of crypto utility classes.  All I require
-> is your agreement that you will license as GPL or not use my code.
     I must let everyone know that my purpose is to make software free, and open
is only a sort of means. I always hope that software should not be PAY BEFORE USE.
I am worried that following the GPL will let most of my future work serve your KeyStore
Explorer (which is not open or free).
     And when my teammates and I have added more features to SecureX, meaning that
this RCP-standard framework has enough features, I will open the framework (2.0 version)
so that others can plug their security features into the SecureX framework (they only need
to follow the RCP plugin standard), and they can choose to open their source or not (like
what Eclipse looks like now), and they can choose a free manner or a charging manner.
     5. You are worried that my work will hurt your work:
-> You will get many users I am sure but as for it
-> hurting my work - more mature efforts have failed.  I do honestly welcome
-> the challenge - it always inspires me to create new features :)
     I guess you are worried that KeyStore Explorer will turn to using SecureX and your
earnings will be reduced?
     If that's true, I must relieve your worry:
     You can add features to my SecureX framework without even needing to disclose your code (see
the RCP standard above) and charge for it :) My license won't prevent you from charging and won't
require you to open-source.

     My MSN is: scut_hzq@hotmail.com but I use it rarely.

     Waiting for your reply.


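Wayne's reply made me realize that I had described the GPL incorrectly, and I felt somewhat ashamed. He pointed out that his KeyStore Explorer could not possibly
use my SecureX (if my SecureX were licensed under the GPL). I checked my reply above, and I had indeed written it wrong: what I should
be worried about is that the GPL makes SecureX hard to use commercially.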

David,

>I do really have two worries:
>1. I hope software is free. The GPL's final objective is to make more
>software free, and open source is just a measure.

If you use the GPL then nobody, including me, can use your work in a
non-open source project - I would have to make my own work GPL - which I
have no intentions of doing.  My current work is closed source and will
remain so.  If you use another open source license such as Apache or MIT
then the opposite is true - such licenses are more liberal when it comes to
commercial uses for software.

>After you made KeyStore Explorer a branch from the
>original KeyTool GUI, it was you who first did not follow the GPL, right? Of
>course, because you are the author, you are the owner, and you'll
>authorize yourself not to follow it.

That's correct - only the copyright owner can relicense GPL software.  Note
that that means that I cannot relicense any of your work for my purposes.

>I must let everyone know that my purpose is to make software free, and
>open is only a sort of means. I always hope that software should not be PAY
>BEFORE USE.
That was my purpose for KeyTool GUI and why I chose the GPL - nobody but me
can relicense it.

>I am worried that following the GPL will let most of my future work serve your
>KeyStore Explorer (which is not open or free).

As I said above I cannot use any GPL code in my work.  By using the GPL your
work will be protected.  In addition I can assure you that I will not even
be looking at your code.

>5. You are worried that my work will hurt your work:

I am not worried.  I welcome the competition.

>My MSN is: scut_hzq@hotmail.com but I use it rarely.

I have added you to my contacts list and should be online for much of today.

It sounds like we are getting closer to an understanding.  You want to
protect your work and make sure it will always be free for others to use,
right?  The solution appears to be to use the GPL.  Which would be the best
thing to do anyway from a legal standpoint as no licenses would be broken.

Cheers,
- Wayne.


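In China, nobody actually cares about either of these two licenses, GPL or Apache, because most people use pirated software,
so who would care about licenses?
I admit that I used Wayne's code: he wrote quite a few utility classes and I used them. If the GPL stops
me from choosing another license, I would rather violate it.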


It is not convenient for me to make Wayne's later emails public, because we fell out over this license issue. Wayne even said:

I will not be rejoining any open source projects for KeyTool GUI or any
other projects.  Why on earth would I want to give my work away for nothing?
 I think that I have done enough already by writing KeyTool GUI in the
first place.

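Since he no longer has any interest in open source, why should I keep tangling with him? He goes on writing his commercial software, and I go on
adding new features to my SecureX. My target is not KeyStore Explorer; I just want more people to be able to use
my SecureX plugin to work with Java certificate stores more conveniently.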
