Thread: Open source licenses

Open source licenses

From
DAVID Nicolas
Date:

Dear PostgreSQL Team,

 

We are a software editor that has historically used PostgreSQL for one of our products.

We have been using version 9.6 for many years, and now we would like to update to the latest version, 13.2.

However, before that, we would like to check some points regarding the embedded components and their licenses.

First, we install PostgreSQL with our installer using the Zip archive of binaries (for Windows) provided by EDB (available from your website).

It seems that the EDB Zip archive embeds PgAdmin and StackBuilder in addition to the PostgreSQL server.

Do you know if any other modules are added by EDB?

Then, it appears that the PostgreSQL server links some open source components that are not under the PostgreSQL license (e.g. openssl, libcharset, ...).

Could you please provide a list of the components included in the PostgreSQL server, with the open source license type for each component? Or even, if possible, with the license file for each component?

 

Best regards,

 

Nicolas DAVID
WORKNC DENTAL Project Manager

Manufacturing Intelligence division

Hexagon

E: nicolas.david@hexagon.com

 

Hexagon

440 Route des Allogneraies

71850 Charnay-les-Mâcon

France

HexagonMI.com | LinkedIn | Facebook | Twitter

 

CONFIDENTIALITY NOTICE: This email and any attachments may be confidential and protected by legal privilege. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the e-mail or any attachment is prohibited. If you have received this email in error, please notify us immediately by replying to the sender and deleting this copy and the reply from your system. Thank you for your cooperation. Please note all the views and opinions published here are solely based on the author's own opinion and should not be considered necessarily as reflecting the opinion of Hexagon Manufacturing Intelligence.

 

-----Original Message-----
From: Simon Riggs <simon@2ndquadrant.com>
Sent: 17 March 2021 18:57
To: DAVID Nicolas <nicolas.david@hexagon.com>
Cc: security@postgresql.org
Subject: Re: Contact

 

This email is not from Hexagon’s Office 365 instance. Please be careful while clicking links, opening attachments, or replying to this email.

 

 

On Wed, 17 Mar 2021 at 17:29, DAVID Nicolas <nicolas.david@hexagon.com> wrote:

> I use security@postgresql.org because I cannot find suitable mail address on the web site.

> Is there a mail address to request some information regarding the open source licences of the different postgresql components?

 

The licence for all software available on postgresql.org is shown here

https://www.postgresql.org/about/licence/

 

The wider PostgreSQL ecosystem consists of many optional extensions and tools, both open and closed source, each of which has different licences. There is no single central place or authority that lists or controls those components and their respective licences.  Some are listed here: https://www.postgresql.org/download/product-categories/

 

This is the wrong place to request or discuss such information. Please try pgsql-general@postgresql.org

 

--

Simon Riggs                http://www.enterprisedb.com/

Re: Open source licenses

From
Adrian Klaver
Date:
On 3/18/21 6:32 AM, DAVID Nicolas wrote:
> Dear PostgreSQL Team,
> 
> We are a software editor that historically use PostgreSQL for one of our 
> product.
> 
> We currently use the version 9.6 since many years and now we would like 
> to update to the last version 13.2.
> 
> However, before that, we would like to check some points regarding the 
> embedded components and their licenses.
> 
> First, we install PostgreSQL with our installer using the Zip archive of 
> binaries (for Windows) provided by EDB (available from your website).
> 
> It seems that the EDB Zip archive embed PgAdmin and StackBuilder in 
> addition to the PostgreSQL server.
> 
> Do you know if some others modules are added by EDB ?

That is it:

~/postgresql-13.2-1-windows-x64-binaries/pgsql> ls
bin  doc  include  lib  pgAdmin 4  share  StackBuilder  symbols

> 
> Then, it appears that the PostgreSQL server links some open source 
> components that are not under the PostgreSQL license( ex: openssl, 
> libcharset, ...).
> 
> Could you please provide a list of the components included in the 
> PostgreSQL server, with the OpenSource license type for each component ? 
> Or even, if possible, with the license file for each component ?

That is going to depend on what the settings were when the source was 
compiled. The question is what is your concern?

> 
> Best regards,
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



RE: Open source licenses

From
DAVID Nicolas
Date:
My concern is, I guess, the same as for all software editors using open source components.
It is to make an inventory of all the open source licenses used by all the components used, to check and respect the terms of use, and to preserve copyrights and intellectual property.
Companies providing open source components or libraries now often publish a list of the modules and their licences, because most of the time it is a prerequisite for adoption in many companies.
For example, Qt Company publishes this page: https://doc.qt.io/qt-5/licenses-used-in-qt.html.

However, when I get the PostgreSQL binaries for Windows (Zip archive linked to https://www.enterprisedb.com/download-postgresql-binaries), I can see in installation-notes.html:
  -> "The software bundled together in this package is released under a number of different Open Source licences. By using any component of this installation package, you agree to abide by the terms and conditions of it's licence."
This is unclear, and even if I found some license files, or header files with copyrights, I cannot know with certainty the list of installed components and their licenses. And finally, whether or not I use a component, as soon as I install it, I distribute it and thus I have to know the conditions.

Could the PostgreSQL Global Development Group consider providing this information? Is there a team or a group in charge of this? Is there a direct email address for this kind of request?

Best regards,

Nicolas DAVID



Re: Open source licenses

From
Laurenz Albe
Date:
On Tue, 2021-04-06 at 13:47 +0000, DAVID Nicolas wrote:
> My concern is, I guess, the same for all the software editor using opensource components. 
> 
> It is to make an inventory of all the used opensource licenses from all the used components,
>  to check and respect the terms of use, to preserve copyrights and intellectual property.  
> 
> However, when I get PostgreSql binaries for Windows (Zip archive linked to
>  https://www.enterprisedb.com/download-postgresql-binaries), I can see in installation-notes.html :
>   -> "The software bundled together in this package is released under a number of different
>  Open Source licences. By using any component of this installation package, you agree to abide
>  by the terms and conditions of it's licence."
> 
> Could the PostgreSQL Global Development Group consider to provide these information ?
>  Is there a team or a group in charge of this ? Is there a direct email address to ask this
>  kind of request ?

These installation packages are provided by EnterpriseDB, not by the PGDG.

I think your request is reasonable, but you'll have to ask the packager.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com




RE: Open source licenses

From
DAVID Nicolas
Date:
Yes sure. I also did it ... without answer.
But my initial question concerned only the open source components linked to the PostgreSQL server that are not under the PostgreSQL license( ex: openssl, libcharset, ...).
Regarding the other modules added by EDB, I will ask again to EDB.

Best regards,

Nicolas DAVID





Re: Open source licenses

From
Laurenz Albe
Date:
On Wed, 2021-04-07 at 06:41 +0000, DAVID Nicolas wrote:
> > > It is to make an inventory of all the used opensource licenses from 
> > > all the used components,  to check and respect the terms of use, to preserve copyrights and intellectual property.
> > >
> > > However, when I get PostgreSql binaries for Windows (Zip archive 
> > > linked to [EDB]), I can see in installation-notes.html :
> > >   -> "The software bundled together in this package is released under 
> > > a number of different  Open Source licences. By using any component of 
> > > this installation package, you agree to abide  by the terms and conditions of it's licence."
> > >
> > > Could the PostgreSQL Global Development Group consider to provide these information ?
> >
> > These installation packages are provided by EnterpriseDB, not by the PGDG.
> >
> > I think your request is reasonable, but you'll have to ask the packager.
> 
> Yes sure. I also did it ... without answer.

Not nice.

> But my initial question concerned only the open source components linked to the PostgreSQL server
> that are not under the PostgreSQL license( ex: openssl, libcharset, ...).
> Regarding the other modules added by EDB, I will ask again to EDB.

That depends on how PostgreSQL was configured.

It may be a bit cumbersome, but you could go through all the shared libraries
(DLLs) in the "bin" directory that do not belong to PostgreSQL.  The licenses
for software like OpenSSL should be easy to find.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
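
One way to carry out the DLL walk suggested in the message above, as an added example that is not part of the thread or of any PostgreSQL or EDB tooling: it lists every DLL in a `bin` directory that is not one of PostgreSQL's own libraries, records a SHA-256 for each, and names the upstream project whose licence has to be looked up. The `POSTGRES_OWN` set and the `UPSTREAM_HINTS` prefixes are assumptions to adjust against the archive actually shipped.

```python
import hashlib
import sys
from pathlib import Path

# Assumption: client libraries built from the PostgreSQL source tree itself.
# Extend this set after checking the archive you actually distribute.
POSTGRES_OWN = {"libpq.dll", "libecpg.dll", "libecpg_compat.dll", "libpgtypes.dll"}

# Assumption: file-name prefixes mapped to the upstream project to look up.
# This only says whose licence file to fetch; it asserts no licence terms.
UPSTREAM_HINTS = {
    "libssl": "OpenSSL",
    "libcrypto": "OpenSSL",
    "libiconv": "GNU libiconv",
    "libcharset": "GNU libiconv",
    "libintl": "GNU gettext",
    "zlib": "zlib",
    "libxml2": "libxml2",
}


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_third_party(bin_dir):
    """Return one record per DLL in bin_dir that is not PostgreSQL's own."""
    records = []
    for dll in sorted(Path(bin_dir).iterdir(), key=lambda p: p.name.lower()):
        name = dll.name.lower()  # Windows file names are case-insensitive
        if not dll.is_file() or dll.suffix.lower() != ".dll" or name in POSTGRES_OWN:
            continue
        upstream = next((project for prefix, project in UPSTREAM_HINTS.items()
                         if name.startswith(prefix)), None)
        records.append({
            "file": dll.name,
            "sha256": sha256_of(dll),
            "upstream": upstream or "UNKNOWN",
            "needs_review": upstream is None,  # nobody has identified this one yet
        })
    return records


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: inventory.py <path-to-pgsql-bin>")
    for rec in inventory_third_party(sys.argv[1]):
        print(f'{rec["sha256"]}  {rec["file"]:<28} {rec["upstream"]}')
```

Records marked `needs_review` are the ones to resolve by hand; the hashes let the same inventory be re-checked against a later archive of the same version.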




RE: Open source licenses

From
DAVID Nicolas
Date:
Dear All,

As a solution, I wanted to start to build Postgres from source by myself, in order to better manage what is finally included.
So I wanted to compile on Windows with Visual Studio.

However, in the page https://www.postgresql.org/docs/current/install-windows.html, I can see:
   " It is recommended that most users download the binary distribution for Windows, available as a graphical installer package from the PostgreSQL website. Building from source is only intended for people developing PostgreSQL or extensions."

Why this recommendation? Is there any "risk" in building from source?

Best regards,

Nicolas DAVID
WORKNC DENTAL Project Manager
Manufacturing Intelligence division
Hexagon
E: nicolas.david@hexagon.com
HexagonMI.com





Re: Open source licenses

From
Magnus Hagander
Date:
On Thu, Apr 29, 2021 at 10:35 AM DAVID Nicolas
<nicolas.david@hexagon.com> wrote:
>
> Dear All,
>
> As a solution, I wanted to start to build Postgres from source by myself, in order to better manage what is finally included.
> So I wanted to compile on Windows with Visual Studio.
>
> However, in the page https://www.postgresql.org/docs/current/install-windows.html, I can see:
>    " It is recommended that most users download the binary distribution for Windows, available as a graphical installer package from the PostgreSQL website. Building from source is only intended for people developing PostgreSQL or extensions."
>
> Why this recommendation ? Is there any "risk" by building from source ?

The recommendation is purely one of convenience. Building PostgreSQL
on Windows is not at all as straightforward as it is on Unix,
particularly when it comes to managing the different dependencies (if
you want/need them). And as you need to redo the build when either
postgres or the dependencies have important updates, it can lead to a
lot more work there.

But there is no "risk" other than that.

The upcoming version of the docs (now on
https://www.postgresql.org/docs/devel/install-binaries.html) will make
it more clear that we also recommend using packages on for example
Linux as well, when they are available. So the recommendation is
generic, not Windows-specific.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/