 
Could one publish the sun.security.* package on #Maven? It's #GPLv2 with classpath exception, so it should be doable...
Participants: Jan Wildeboer, James Roper, Mark Little, Henry Story
21 comments
 
If you use only the pristine sources and make sure the sources are available from a defined place, you should be fine. If you change the sources for this to work, you must make the sources available yourself and put your changes under GPLv2 too. But IANAL. 
 
Would not want to change the sources, just use exactly what is there... It would be good to get a lawyer to make a +1 on the stackexchange question, and then the question would be would that be a reasonable thing to do technically... But it's good that it does not sound a priori silly.... I am liking the idea more and more.
 
You should try to avoid using these packages anyway, since they're not guaranteed to be portable.
 
+Mark Little , unless they are using native code - which I have not yet noticed - they should be fully portable. What is not portable is to rely on their being present in the JVM distribution you are using - since apparently IBM's JVM does not have those classes. But if you could place them in a jar on Maven, and then build code that would try to load a class, and then on a ClassNotFoundException, load the maven jar, all should be fine. The sun.security.* code is I think better than BouncyCastle.
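The "try the JVM first, fall back to a jar" idea from the comment above, written out as an added example in Java. This is not code from the thread or from any of the projects mentioned; the jar path `lib/sun-security.jar` and the class name `sun.security.util.DerValue` used in `main` are assumptions for illustration, and the helper does not itself download anything from Maven (it assumes the jar has already been resolved onto disk).

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;

/**
 * Added example (not code from the thread): load a class from the running JVM
 * when it ships there, otherwise from a fallback jar, e.g. one resolved from Maven.
 * The jar path and class name used in main() are assumptions for illustration.
 */
public final class FallbackLoader {

    private final File fallbackJar;
    private URLClassLoader fallbackLoader; // created lazily, only if needed

    public FallbackLoader(File fallbackJar) {
        this.fallbackJar = fallbackJar;
    }

    /** Try the JVM's own class path first, then the fallback jar. */
    public Class<?> load(String className) throws ClassNotFoundException {
        try {
            return Class.forName(className);
        } catch (ClassNotFoundException missingInJvm) {
            // The class is not part of this JVM distribution (the IBM case
            // mentioned in the thread): resolve it from the fallback jar instead.
            return fallback().loadClass(className);
        }
    }

    private synchronized URLClassLoader fallback() throws ClassNotFoundException {
        if (fallbackLoader == null) {
            if (!fallbackJar.isFile()) {
                throw new ClassNotFoundException("fallback jar not found: " + fallbackJar);
            }
            try {
                URL[] urls = { fallbackJar.toURI().toURL() };
                // Parent-first delegation: the jar only supplies what the JVM lacks,
                // so classes that do ship with the JVM are never shadowed by the jar.
                fallbackLoader = new URLClassLoader(urls, FallbackLoader.class.getClassLoader());
            } catch (MalformedURLException e) {
                throw new ClassNotFoundException("bad fallback jar path: " + fallbackJar, e);
            }
        }
        return fallbackLoader;
    }

    public static void main(String[] args) throws Exception {
        // Both the path and the class name are assumed values for this example.
        FallbackLoader loader = new FallbackLoader(new File("lib/sun-security.jar"));
        Class<?> der = loader.load("sun.security.util.DerValue");
        System.out.println(der.getName() + " loaded by " + der.getClassLoader());
    }
}
```

Two caveats a practitioner would want next to this: under a security manager, loading classes in `sun.*` packages is gated by the `accessClassInPackage` runtime permission, so the fallback path needs that granted; and on Java 9 and later the `sun.security.*` packages are not exported from `java.base`, so even when `Class.forName` succeeds, using their members requires `--add-exports` regardless of which loader found the class. The thread's Java 6/7/8 assumption is what makes the plain fallback work unmodified.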
 
Let me put it another way then: there's no guarantee that those interfaces and associated implementations will be available in future releases. You'd be better off looking for something that is portable.

Now as far as legality of distribution in maven is concerned ... I'm no lawyer either, but after having spent several years working with our lawyers around these areas, I tend to consult with one on every such occasion just to be on the safe side. If it looks obviously OK to the casual observer, it may not be so obvious to a legal team.
 
Those classes are available on Java 6, Java 7 and I think Java 8. So that's good enough for me, and I think for most people. If they removed those classes then the code would presumably still work for a long time, especially the ASN1 parsing code, because I don't see that changing soon if at all. :-) In any case Bouncy Castle is also changing all the time, and there is no guarantee there at all that they won't change often and incompatibly. E.g. currently to build an X509 Cert I'd need to load another huge jar (where I did not have to a year and a half ago)
 
It's still a risk. But YMMV. ;-)
 
I'll check here, but it'll be next week.
 
Ah thanks. I'll point the Play2.0 folks to this thread, because they wrote something using that library, and this could be of interest to them too.
 
Thanks Mark. The stuff Henry does is really important IMHO so if we can help, we should!
 
If Richard Fontana would be here, he could share his wisdom on this question. Maybe +Carlo Piana can take a look?
 
Ok, I didn't realise I'd used com.sun.* libs in that, I'll have to fix that.  I'm not a lawyer, but the point of GPL is to allow it to be redistributed and modified, as long as the source code is made available under the same terms, and Maven makes this simple.  One thing I'd probably want to investigate is trademarks, I've never understood why CentOS has to remove all the RedHat trademarks from RHEL, if it's all open source.

Another option would be to repackage BC to include just those classes that we need, it's an MIT license so it's much more permissive as to what can be done.  You just lose the ability to use it as a security provider (because the JDK verifies that it's signed before loading it).  But using the classes directly is no problem.
 
+James Roper it is actually quite simple. Copyright, trademarks and patents are different regimes that typically don't overlap. Red Hat and the shadow man logo are protected as trademarks and licenced under the trademark regime. Replace trademark with patent in your statement to see the point. I can open source a program that implements one-click shopping that I wrote myself, but that wouldn't automagically give me a patent license from Amazon.
 
Yes, that makes sense, but it's a bit different in this situation.  If Amazon wrote a one click shopping app, and open sourced it, would you then have a license to use it, modify it and redistribute it under the terms of that open source license?  And if RedHat creates an open source Linux distribution, and puts their logo in it, do you have a license to modify and redistribute it under the terms of that license?  And if Oracle open sources a library that is namespaced using a trademark they own (sun), do you have a license to modify and/or redistribute it under the terms of that license?  I would have said the answer in all those cases is yes, since the company owning the patent/copyright has issued the license, but that doesn't explain why CentOS has to remove the RedHat trademarks.
 
Whatever these other intellectual property issues are, the GNU licence says one should be able to re-publish under the same licence as long as one publishes the code as is. So I can't see the whole thing being made illegal because the package names contain "sun". They were published under a licence with that name! Otherwise republishing GNU code would be illegal too... Anyway, it is all to their honor: the code in there seems pretty well written.
 
Let me repeat that I am not a lawyer, but after some investigation I could not see Oracle objecting at least if the strictest reasonable interpretation of GPLv2 notice and source requirements was followed.
 
Thanks +Mark Little . Did you (other legal opinion is also of interest :-) check that the classpath exception would allow an Apache licenced project like Play2.0 to pull a maven jar in? 