Rich Unger's Blog

I prefer my JARs sunny-side up

So, I'm sitting at my laptop, building netbeans... oh, wait ... OK, so I'm sitting ... oh, sorry, hold on... so, ... oh crap, not again.

Another scrambled jar.

This has to be the most rediculous, hoop-jumping compromise ever developed between a legal department and an engineering team. I really hope someone from Sun Legal will comment on this blog post, because I'd really like some public discussion with them on this subject.

For those of you who don't build netbeans source code, and are therefore in blissful ignorance of what I'm talking about, let me fill you in. The netbeans source code makes use of a number of third-party libraries. Any that are not licensed with the SPL are "scrambled" in the netbeans CVS tree, and during the build process, it gets unscrambled, but only after a popup window forces you to click through the license.

Mind you, I'm not just talking about proprietary libraries. You have to click through the Apache license every time you do a clean build of netbeans. In fact, there's very little here that is not OSI approved, aside from the javac bridge, which basically amounts to agreeing to the same license you agreed to already when downloading the jdk.

This stinks for a number of reasons:

1. It's annoying to me and everyone else who builds the netbeans source tree. Chances are, anyone building the tree has enough awareness of what's in the product that we shouldn't have to go through all this every time we do a fresh build.

2. No other OSS project out there feels the need to put these kinds of click-throughs when merely linking to OSS libraries with other licenses.

3. It's bad for the perception of netbeans as being open. This causes real damage to netbeans as a product, and is therefore counterproductive for Sun.

4. It causes all kinds of issues with automated scripts that prevent people from working with the netbeans tree (e.g. Gentoo, or anyone wanting to do headless builds).

This looks like a "cover-your-ass" maneuver left over from an earlier time when Sun had less of an understanding of how to work with OSS. Remember, NetBeans was one of Sun's first forays into OSS. Haven't other Sun projects come up with more refined CYA methodoligies by now?

Please, would a Sun lawyer like to comment? Let's get rid of the "scrambled jar" dinosaur!

Comments

• Ah finally!!! Thanks Rich. You're doing a great service to the netbeans community by bringing this issue under the spotlight. I hope a lawyer answers up & relieves us of the license pop-up horror. I've always dreaded doing a clean build for just this reason. It really is a nightmare. A pain - literally. Can't we have one unified, human-readable agreement that blankets the zillion other "attorney-readable" agreements that now popup during a build? (And, before the someone asks - -Dnetbeans.no.pre.unscramble=true only delays the inevitable) Will someone from the legal team kindly answer this?

  Posted by: bharathch on July 28, 2005 at 04:14 AM

• Grrr - the java.net comment mechanism is really cludgy. The penultimate sentence should read -
  And, before the question pops up or someone asks - -Dnetbeans.no.pre.unscramble=true only delays the inevitable

  Posted by: bharathch on July 28, 2005 at 04:17 AM

• FWIW, the previous situation was worse: the 3rd-party JARs could not be kept in netbeans.org CVS at all, so you had to download them separately (with a click-through)... and manually verify that you had downloaded the right version to match your sources... and this download was only updated daily, so effectively you could not participate in CVS development if someone from Sun had changed a binary that day. A mess.

  Tip: if you're part of an organization that does routine source builds of NetBeans, and are getting sick of manually accepting licenses (or need to use a continuous builder), you can request the "master key" which will disable the acceptance dialogs permanently - you then implicitly agree to any license terms which are used by scrambled JARs unlocked by the master key. You can request the master key on nbdiscuss@netbeans.org - I guess you need to say who your employer is and why you need it, or something like this, I'm not sure.

  Posted by: jglick on July 28, 2005 at 08:23 AM

• Incidentally we had a discussion with our lawyers last week. They were visiting Prague. I showed the build process to our lawyers. In the short followup discussion we all quickly agreed that this is indeed ridiculous.

  Bottom line: the unscrambling monster will be killed. When? Soon. It's on my plate. I have to write up something and review it with our lawyers.

  I understand our lawyers' mindset. They want to make 100% sure the users know what they get with the software, including the associated legal terms. The current mechanism we use satisfies this goal very well :-). Probably too well.

  This is kind of similar to the tension between security and usability. If the machine is not plugged into the network at all and has no floppy, CD/DVD drive,... it would be a lot more secure, but such a machine is hardly considered usable according to today's standard.

  Anyway, common sense will win. You've have been heard.
  

  Posted by: ttran on July 31, 2005 at 07:09 AM

• I understand our lawyers' mindset. They want to make 100% sure the users know what they get with the software, including the associated legal terms.
  I guess I understand that. I also think it's rather ironic that, while the process makes it absolutely clear to any lawyer who may be doing a cvs checkout and building the source tree (and I'm sure lawyers do that all the time), it confuses the hell out of any engineer, and creates all kinds of mailing list traffic about netbeans not being "true" open source.It's not legal safeguards I'm against. I just think it's woefully misplaced in the build process.Anyway, I'm glad to hear that something's in the works.

  Posted by: richunger on July 31, 2005 at 08:13 PM

• +1 for open source NetBeans and +1 for open source Glassfish.

  Posted by: mparaz on October 18, 2005 at 04:55 AM

This work is licensed under a Creative Commons License.