Geek Answers Handbook

How to deal with dead open source relationships?

I am trying to prepare a project for an open source release and run into a problem ... This project depends on several open source components that I just stored in the jar files in my lib directory to meet. Some of them date back several years, and at least they are from an open source project whose website disappeared and whose source I could not find a copy (Radeox library).

My dilemma is that I donโ€™t know how to pack my project when I let it go ... I should not include a JAR file without a source, because it violates the terms of the license under which I used the code but I donโ€™t think that This JAR file is easy to find, so I also donโ€™t want to have a README that says "find this JAR, good luck!".

What is the best practice in this case? (except "save the source of all the JARs that you import from now on!) And secondly, does anyone know where I can find the source for this particular library?

Thanks!

+6
software-distribution binary open-source distribution
source share
3 answers

Our approach was to get the source when purchasing binary files. Then, for the reason that you are quoting, we constantly archive all our third-party dependencies locally. This is a little painful, because using a third-party library is a bit more complicated than just downloading the archive and going, but this means that when the library is out of date, we can continue to fulfill both our client obligations and our legal ones.

Remember, we support software that is almost 15 years old, and some of our third-party packages precede the popular network, so our decision may be redundant for you.

There are other benefits; we had to fix some of these products in order to fix errors or add features that supporting developers could not or did not want to add, but which we need and that fit easily into this procedure.

+2
source share

If the license indicates that you must include the source, you must include the source.

Try contacting the authors. Perhaps this Ohloh link will help. If you cannot contact them, perhaps you can get a copy of the source from another project that uses the library. As a last resort, you can try Google cache or archive.org.

+3
source share

Update: Bingo !!

Here is the Radeox Subversion repository . Go to http://svn.codehaus.org/radeox/main/trunk/src/java/org/radeox/ for the source code.

Earlier ...

It seems that Stefan Schmidt, the author, is currently blogging at http://www.codemonkeyism.com . His contact information, including email, here , and a post from August 2007 talked about deploying the project to Reposita.org (which does not seem to have been raised yet). His presentations put him on ImobilienScout24 last year.

I am sure that you are in danger, depending on a dead, unsupported project. We just cleared our software from several of these dependencies and sleep much better. They included Axis 1.4 for SOAP web services (abandoned with serious thread errors in 2005), replaced by vanilla Java logic; kxml parser (also abandoned in 2005), replaced by JAXP; and an HTTP client without a name (so we could not find the old source), replaced by the Apache HTTP Client. Radeox sounds like a more complicated case.

Get legal advice and work hard to find the source and / or Stefan, documenting everything you do. This may be enough because you can distribute binary files while working on an alternative strategy.

+3
source share

More articles:


All Articles