You wrote, WDYT?

I think that has almost no economic value and so the
comparison to a commercial package is not really appropriate.  We
could ask upstream (file a bug report) but the question is pretty
awkward.  We are not asking for a bug fix, or for clarification of a
behaviour.  We are questioning if they are meeting their own stated
licensing criteria!  Besides that, such a ticket is very difficult to
resolve.  I would feel bad asking this of them because I imagine they
are no better equipped to answer questions about JDK1.0 than we are.
Worse, if we believe such impropriety is possible why would we believe
what they tell us anyway?  I think to ask for this to be investigated,
at minimum, you would need to find the actual file from JDK1.0 that
you feel was appropriated. I don't think we should be asking upstream
to work on an investigation of suspicious licensing that cannot improve
their software in any functional way.

I appreciate your keen sensitivity to the code but I don't think this
feedback to Apache is helpful and is likely not even true.

Frank Pursel

On Tue, Apr 12, 2022 at 9:33 AM Maxime Devos wrote:
Frank Pursel wrote on Mon 11-04-2022 at 16:36 [+0000]:
> I looked at the org.apache.xml/uitls/ file you pointed
> out.  I think the header license certainly prevails here for
> several reasons.  First it is a subpackage of the org.apache tree for
> which the source license is clearly stated.

I can search for a leak of the source code of Windows, copy it to
another project, obfuscate its origin a bit by removing author
information, copyright information and the old license header and
add an ASL license header and rename it to fit inside the other project.
That doesn't make it actually ASL, it just makes it a copyright

> Second, looking at the code (without being a Java guru; the code is
> that simple) we can see that there is no dependency on any JDK.
> The statement '@since JDK1.0' appears to be true in the sense that
> any JDK can compile this since 1.0.  We demonstrate that it builds
> with JDK8 whenever we run this package through guix build and so, I
> see no licensing concerns over the '@since JDK1.0' annotation. 

This is not what @since means, at least according to the Javadoc
documentation (maybe Apache Xalan assigns its own custom meaning).
According to

  This tag means that this change or feature has existed since the
  software release specified by the since-text value, for example:
  @since 1.5.

  For Java platform source code, the @since tag indicates the version  
  of the Java platform API specification [...]

so IMO it looks like this code was once part of JDK 1.0.

Maybe this is OK, maybe the license of JDK 1.0 allows this, maybe it
doesn't but Apache has gained some kind of permission from Sun, maybe
it's not legally OK, maybe it never was part of JDK 1.0.  I think we'll
just have to ask upstream what's going on, WDYT?