[Geoserver-devel] IP issues

I've been thinking about IP issues the last few days, and did a very quick
review of parts of geoserver. I found a few issues - I'm sure there are
others.

I'm making a jira task with this in it and marking it as "blocking" until
the issues have been addressed. I'll also put this in the wiki so people
can add/subtract/update:

http://docs.codehaus.org/display/GEOS/IP+Issues

Most of issues I found were with the Image Format writers (thats where I
looked the most). The nice thing is that Simone and Alessio have a nice
GIF and PNG writer (based on JAI) in the WCS branch that should be very
easy to integrate into the main geoserver code (until its properly in
geotools). I'm quite sure they'll help. See
IMGCoverageResponseDelegate.java (in the WCS geoserver branch) and
WorldImageWriter (in the geotools coverage_branch plugin/image). I highly
recommend this route as this code is maintained and tested by them and
there should be no IP issues with it (assuming that the JAI jars are
redistributable -- see below).

The other issues were mostly ensuring that geoserver is living up to the
license of the tools being used (be they jars, html, datasets, etc...).

================================================================

Image Writer Issues
-------------------

a) GIFOutputStream.java in
GEOS\src\org\vfny\geoserver\wms\responses\map\gif\

This is used by the GIFLegendGraphicProducer, and has been in geoserver
for a long time. Unfortunately, its license (see the top of the file):

-----------------------------------
Copyright (c) 2000, 2001 by [...]

This code is free for public use in any non-commercial application. All
other uses are restricted without prior consent of the author, [...].
The author assumes no liability for the suitability of this
code in any application.
-------------------------------------

This is clearly a problem - its incompatible with GPL. At the very least
geoserver need to stop distributing this immediately. I believe this is
one of the most serious issues I found.

b) PNG Writer (GEOS\src\org\vfny\geoserver\wms\responses\map\png\)

home page: PNG Encoder

This is LGPL code, so it shouldnt really be in actually inside
geoserver. I recommend deleting it and use the GCE's WorldImageWriter
or put it in
its own jar.

c) GIF Writer # 2 (GEOS\src\org\vfny\geoserver\wms\responses\map\gif)

This is actually two things:
a) colour reduction (NeuQuant.java)
b) GIF writer (rest of the code in that directory) homepage:
http://jmge.net/java/gifenc/

The licenses are a bit complicated.

NeuQuant.java's file says (see the actual header for more details):
--------------------------
...
<reference to an academic paper>
...
Any party obtaining a copy of these files from the author, directly
or indirectly, is granted, free of charge, a full and unrestricted
irrevocable, world-wide, paid up, royalty-free, nonexclusive right and license
to deal in this software and documentation files (the "Software"),
including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons who
receive copies from any such party to do so, with the only requirement
being that this copyright notice remain intact.
---------------------------

The actual GIF code is licensed in two parts:
i) J. M. G. Elliott's changes:
--------------------------------
As for my part of the code, I hereby release it, on a strictly "as
is" basis, to the public domain.
--------------------------------
ii) original license for Jef Poskanzer's GifEncoder.java which
Gif89Encoder is based on:
--------------------------------
// Copyright (C) 1996 by Jef Poskanzer <jef@anonymised.com>. All rights
reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
// 1. Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// 2. Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
// OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
// OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
// SUCH DAMAGE.
--------------------------------

I've modified the GIF writer so it produces good results, but I
wouldnt call it "perfect". I recommend it all be deleted, give them credit
on the website for using it in the past, and replace it all with the GCE's
WorldImageWriter. If its decided to be kept, then (at least) the
copyright and disclaimer needs to be added to the documentation and binary
(see license above) and moved it to its own jar.

d. basic.java (GEOS\src\org\vfny\geoserver\wms\responses\map\gif)

This appears to be PostgreSQL JDBC test code! It wasnt being used by
anything. I have no idea how it got there! I've deleted it; it has to be
ensured that it doesnt somehow find its way back in! (Postgresql, I
believe, is BSD-licensed)

SUMMARY - remove all the old image writer code, and use the GCE's
WorldImageWriter.
Or, make sure all the licenses are properly adhered to.

==========================================================================

JARS
----

There are a bunch of jars being re-distributing. Some of these jars have
binary re-distribution licences that I'm not sure are actually being
living up to. For example, Jetty and Xerces both have licenses that say:

---------------
...
4 (a) You must give any other recipients of the Work or Derivative
Works a copy of this License; and
...
---------------

And I couldn't find a copy of the license in our distribution. The
licenses have other sipulations.

Also note that there is actual Jetty source code (I believe its a modified
artistic (or apache) license) inside the geoserver archive, which makes it
bit confusing as to what our license is.

ALL THE JARS MUST BE CHECKED TO SEE WHAT THE REQUIREMENTS ARE FOR
RE-DISTRIBUTION.

They also should be check to see if they're compatible with a GPL/LGPL
licensed project (and visa-versa).

Dont forget to check to see if the JAI jars (based on the JAI-open-source-
project) are okay to re-distribute. If not, they need to be removed and
tell everyone to install JAI from sun (which will almost certainly be
needed when the WCS branch merges in since it is heavily JAI based and
will be much better with the "native" code instead of the 100% java jars).

Source Code
-----------
At the very least, a quick check of the source files to see if all the
files have the appropriate (c) copyright/license headers on them. Files
that don't would alert indicate high-priority places to check. A more
indepth evaluation is probably required.

Also note that the files are (c) TOPP, but I'm not sure what the ownership
is for patches applied and bug reports/suggestions from the mailing list.
Dont know if this is an issue or not.

CITE/Demo/Config
----------------
There's a lot of "stuff" in the configuration directories (ie. cite/
schemas/ data_dirs/). These need to be checked to see if these are okay
to re-distribute [modified] versions of them. There's OGC .xsd files
(some have been modified with vender specific options + <InlineFeature>),
some mapbuilder demos, html files, and some datasets.

Someone needs to actually check these and make sure that there's no IP
concerns. This is especially true for the datasets. Often times the
license for the datasets at least requires some type of acknowledgement
(or (c) copyright statement).

[sigma] Demo Site
-----------------
Before the demo site goes live, the license of the datasets must be check
to ensure that the license is being aheared to (see above). This probably
means adding some type of acknowledgement/copyright statements. Some of
VMAP0 is for non-commerical use only. I'm not sure how you do this for
WMS/WFS access to the datasets (at the very least put the notices in the
GetCapabilities document and in the html).

Also note that the data-load instructions in the wiki have programs which are
mini-distributions of geotools. They have geotools-required .jars in them which
may require the addition of licenses (etc...) with them. (See "JARS", above).

Geotools
--------
There's been a few possible cases of Geotools accidently including code
from sun's included-with-the-sdk source - and I'm sure other issues will
be found. These have, apparently, been fixed. I dont know what the
implication are for re-distributing the old copies inside geoserver.

Redistributing old copies
-------------------------
As above, I dont know what to do about re-distributing old copies of
geoserver that might have IP issues.

I dont mean to cause anyone panic, and I dont think going through all the
above is a lot of work. But, it needs to be done.

dave

Ciao a tutti,
thanks dave for the great work.
Talking about the image writers, once we backport the coverage branch
we will get the ability to write to many formats almost for free.

If you checked the WCS branch you saw that I replaced the old delegate
for producing images. I think that with at most 5 to 7 days of work
(after the back port) we should be able to produce:

1>gif
2>jpeg
3>png
4>tiff
5>geotiff
6>jeg2k (even if ImageIO support still sucks)
7>bmp
8>KML,KMZ (thanks alessio)
9>Too tired to look up the others.

Of course a bit of help would be much appreciated :-).

Simone.

On 5/24/06, David Blasby <dblasby@anonymised.com> wrote:

I've been thinking about IP issues the last few days, and did a very quick
review of parts of geoserver. I found a few issues - I'm sure there are
others.

I'm making a jira task with this in it and marking it as "blocking" until
the issues have been addressed. I'll also put this in the wiki so people
can add/subtract/update:

http://docs.codehaus.org/display/GEOS/IP+Issues

Most of issues I found were with the Image Format writers (thats where I
looked the most). The nice thing is that Simone and Alessio have a nice
GIF and PNG writer (based on JAI) in the WCS branch that should be very
easy to integrate into the main geoserver code (until its properly in
geotools). I'm quite sure they'll help. See
IMGCoverageResponseDelegate.java (in the WCS geoserver branch) and
WorldImageWriter (in the geotools coverage_branch plugin/image). I highly
recommend this route as this code is maintained and tested by them and
there should be no IP issues with it (assuming that the JAI jars are
redistributable -- see below).

The other issues were mostly ensuring that geoserver is living up to the
license of the tools being used (be they jars, html, datasets, etc...).

================================================================

Image Writer Issues
-------------------

a) GIFOutputStream.java in
GEOS\src\org\vfny\geoserver\wms\responses\map\gif\

This is used by the GIFLegendGraphicProducer, and has been in geoserver
for a long time. Unfortunately, its license (see the top of the file):

-----------------------------------
Copyright (c) 2000, 2001 by [...]

This code is free for public use in any non-commercial application. All
other uses are restricted without prior consent of the author, [...].
The author assumes no liability for the suitability of this
code in any application.
-------------------------------------

This is clearly a problem - its incompatible with GPL. At the very least
geoserver need to stop distributing this immediately. I believe this is
one of the most serious issues I found.

b) PNG Writer (GEOS\src\org\vfny\geoserver\wms\responses\map\png\)

home page: http://www.catcode.com/pngencoder/

This is LGPL code, so it shouldnt really be in actually inside
geoserver. I recommend deleting it and use the GCE's WorldImageWriter
or put it in
its own jar.

c) GIF Writer # 2 (GEOS\src\org\vfny\geoserver\wms\responses\map\gif)

This is actually two things:
a) colour reduction (NeuQuant.java)
b) GIF writer (rest of the code in that directory) homepage:
http://jmge.net/java/gifenc/

The licenses are a bit complicated.

NeuQuant.java's file says (see the actual header for more details):
--------------------------
...
<reference to an academic paper>
...
Any party obtaining a copy of these files from the author, directly
or indirectly, is granted, free of charge, a full and unrestricted
irrevocable, world-wide, paid up, royalty-free, nonexclusive right and license
to deal in this software and documentation files (the "Software"),
including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons who
receive copies from any such party to do so, with the only requirement
being that this copyright notice remain intact.
---------------------------

The actual GIF code is licensed in two parts:
i) J. M. G. Elliott's changes:
--------------------------------
As for my part of the code, I hereby release it, on a strictly "as
is" basis, to the public domain.
--------------------------------
ii) original license for Jef Poskanzer's GifEncoder.java which
Gif89Encoder is based on:
--------------------------------
// Copyright (C) 1996 by Jef Poskanzer <jef@anonymised.com>. All rights
reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
// 1. Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// 2. Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
// OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
// OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
// SUCH DAMAGE.
--------------------------------

I've modified the GIF writer so it produces good results, but I
wouldnt call it "perfect". I recommend it all be deleted, give them credit
on the website for using it in the past, and replace it all with the GCE's
WorldImageWriter. If its decided to be kept, then (at least) the
copyright and disclaimer needs to be added to the documentation and binary
(see license above) and moved it to its own jar.

d. basic.java (GEOS\src\org\vfny\geoserver\wms\responses\map\gif)

This appears to be PostgreSQL JDBC test code! It wasnt being used by
anything. I have no idea how it got there! I've deleted it; it has to be
ensured that it doesnt somehow find its way back in! (Postgresql, I
believe, is BSD-licensed)

SUMMARY - remove all the old image writer code, and use the GCE's
WorldImageWriter.
Or, make sure all the licenses are properly adhered to.

==========================================================================

JARS
----

There are a bunch of jars being re-distributing. Some of these jars have
binary re-distribution licences that I'm not sure are actually being
living up to. For example, Jetty and Xerces both have licenses that say:

---------------
...
4 (a) You must give any other recipients of the Work or Derivative
Works a copy of this License; and
...
---------------

And I couldn't find a copy of the license in our distribution. The
licenses have other sipulations.

Also note that there is actual Jetty source code (I believe its a modified
artistic (or apache) license) inside the geoserver archive, which makes it
bit confusing as to what our license is.

ALL THE JARS MUST BE CHECKED TO SEE WHAT THE REQUIREMENTS ARE FOR
RE-DISTRIBUTION.

They also should be check to see if they're compatible with a GPL/LGPL
licensed project (and visa-versa).

Dont forget to check to see if the JAI jars (based on the JAI-open-source-
project) are okay to re-distribute. If not, they need to be removed and
tell everyone to install JAI from sun (which will almost certainly be
needed when the WCS branch merges in since it is heavily JAI based and
will be much better with the "native" code instead of the 100% java jars).

Source Code
-----------
At the very least, a quick check of the source files to see if all the
files have the appropriate (c) copyright/license headers on them. Files
that don't would alert indicate high-priority places to check. A more
indepth evaluation is probably required.

Also note that the files are (c) TOPP, but I'm not sure what the ownership
is for patches applied and bug reports/suggestions from the mailing list.
Dont know if this is an issue or not.

CITE/Demo/Config
----------------
There's a lot of "stuff" in the configuration directories (ie. cite/
schemas/ data_dirs/). These need to be checked to see if these are okay
to re-distribute [modified] versions of them. There's OGC .xsd files
(some have been modified with vender specific options + <InlineFeature>),
some mapbuilder demos, html files, and some datasets.

Someone needs to actually check these and make sure that there's no IP
concerns. This is especially true for the datasets. Often times the
license for the datasets at least requires some type of acknowledgement
(or (c) copyright statement).

[sigma] Demo Site
-----------------
Before the demo site goes live, the license of the datasets must be check
to ensure that the license is being aheared to (see above). This probably
means adding some type of acknowledgement/copyright statements. Some of
VMAP0 is for non-commerical use only. I'm not sure how you do this for
WMS/WFS access to the datasets (at the very least put the notices in the
GetCapabilities document and in the html).

Also note that the data-load instructions in the wiki have programs which are
mini-distributions of geotools. They have geotools-required .jars in them which
may require the addition of licenses (etc...) with them. (See "JARS", above).

Geotools
--------
There's been a few possible cases of Geotools accidently including code
from sun's included-with-the-sdk source - and I'm sure other issues will
be found. These have, apparently, been fixed. I dont know what the
implication are for re-distributing the old copies inside geoserver.

Redistributing old copies
-------------------------
As above, I dont know what to do about re-distributing old copies of
geoserver that might have IP issues.

I dont mean to cause anyone panic, and I dont think going through all the
above is a lot of work. But, it needs to be done.

dave

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmdlnk&kid7521&bid$8729&dat1642
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Simone Giannecchini
Software Engineer
Freelance Consultant

http://simboss.wordpress.com/

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°

David Blasby wrote:

I've been thinking about IP issues the last few days, and did a very quick
review of parts of geoserver. I found a few issues - I'm sure there are
others.

Thanks for taking these issues seriously Dave, looking at what you have found
so far leaves me a be daunted on the geotools front.

I'm making a jira task with this in it and marking it as "blocking" until
the issues have been addressed. I'll also put this in the wiki so people
can add/subtract/update:

http://docs.codehaus.org/display/GEOS/IP+Issues

...snip...
wow so that is where you have been hiding :slight_smile: I am sure this
is exactly the kind of list we need out of the geotools IP check.

Geotools
--------
There's been a few possible cases of Geotools accidently including code
from sun's included-with-the-sdk source - and I'm sure other issues will
be found. These have, apparently, been fixed. I dont know what the
implication are for re-distributing the old copies inside geoserver.

The only trouble is the arcsde support in old geoserver releases, I know the
apache project was very keen on just stopping the distribution channel the
moment a problem was found.

We could cut off downloads of all old versions of geotools, geoserver
and udig?

Redistributing old copies
-------------------------
As above, I dont know what to do about re-distributing old copies of
geoserver that might have IP issues.

To be strict - cut off the downloads at SF, to not be strict fix the problems
as soon as possible and ensure that there is a new version that is issue free.

Middle ground?
- cut off all downloads while the new version is preped
- issue a patch release for old version (well stable branches would be fine)
- and then turn the pipe back on.

I dont mean to cause anyone panic, and I dont think going through all the
above is a lot of work. But, it needs to be done.

I thought the same about geotools, but asking for volunteers is tough, perhaps
this is time for those on the PMC to earn their danger pay or something.

Jody

First here is a link to the Jira item dave mentioned:
- http://jira.codehaus.org/browse/GEOS-624

I will be adding comments there...

Ok, just closed this issue. I think all should be good now. Check the comments of the issue to follow up. Now we just need to make a release.

Chris

Jody Garnett wrote:

First here is a link to the Jira item dave mentioned:
- http://jira.codehaus.org/browse/GEOS-624

I will be adding comments there...

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Chris Holmes
The Open Planning Project
http://topp.openplans.org