Hello Adobe-Team,
We have been using ADOBE ColdFusion since 2003 and would like to continue using this technology in our organization (Volkswagen Nutzfahrzeuge).
However, we are currently facing an issue where some components are missing or incomplete in the notice files of ColdFusion.
We opened a ticket with Adobe regarding this issue in June 2023, but we have yet to receive any response.
I urgently need a solution; otherwise, we will have to shut down the applications we have been developing with ColdFusion for many years.
I am requesting your assistance.
The ColdFusion ticket number is: [ColdFusion case# 108222] Re: URGENT! ColdFusion Notice-File
Please also refer to the attached document with the results of our internal review.
And here is the translation for the results:
For many components, the complete license text is missing. A web link cannot be accepted. The full license text must be provided at least once per license. This applies, among others, to the Apache 2.0, LGPL 2.1, and MPL 1.1 licenses. This list is not exhaustive. We request that the manufacturer checks the entire notice file for the completeness of the license texts.
IBM Lotus Sametime
Is this an open-source component?
If so, no license has been provided.
However, I don't believe the entire application is open-source. Please verify!!!!!
There is also no license provided for these components. Please verify:
Intrinsyc J-Integra
jadoZoom
J-Integra for COM
JNBridgePro
RSA BSAFE CertJ
RSA BSAFE Crypto-J
Zion JBuddy ISV Client Software
For the OpenOffice SDK component, the LGPL 3.0 is listed as the license (without the license text). The license text is required, along with the text for the GPL 3.0.
Since GNU licenses are applicable, either the source code must be provided along with the program, or an offer to provide it later is required.
I hope you can assist us with this matter.
Welcome to the Adobe ColdFusion Forum, a meeting-place for people interested in discussing anything related to ColdFusion.
First off, I am not an Adobe employee. Like most here, I am a developer, hence a ColdFusion user/customer just like you. However, I have taken the liberty of sending an e-mail to Adobe ColdFusion Support (cfsup[at]adobe.com) on your behalf. I hope you will get an answer from them soon.
Dear BKBK, thank you very much for your help and especially for sending an email to support. I also hope that Adobe contacts us as soon as possible. We would like to continue using CF here at the company.
My pleasure, @CelinaGB.
The issue seems to be no more than a question-answer formality. I hope that things will work out and that you will continue using ColdFusion.
While I don't doubt there's sloppiness in the cf files specifying every possible license--and I am glad to see a push to get things clarified, I'm still curious where these "requirements" you discuss are specified?
For instance, you state, "For many components, the complete license text is missing. A web link cannot be accepted. The full license text must be provided at least once per license." (Emphasis mine.)
So is there some public authority stating that? It may be an obvious one to you in your role in what we'll guess is a German company. The EU also imposes rules that I realize companies selling there must abide by.
But like BKBK I ask this as a fellow CFer, not an Adobe representative. And I encourage you to clarify what I ask, both for our sake (following along here) and for Adobe's. It could be that the first tier support folks (who got your email last year) also didn't discern an authority behind your request, let alone the implications of failing to reply. Perhaps they passed it to someone else who dropped the ball. Still, someone should have offered SOME reply, of course.
Hi Charlie,
Here at Volkswagen in Germany, where I work, we developed a system in ColdFusion. The system is working great and is being installed in several of the company's factories. However, we have a department here that analyzes systems (FOSS-Process). Unfortunately, during this analysis, our lawyers and some colleagues from IT-Security noticed the absence of some licenses that, by the way, are not open source. Therefore, if we do not receive an updated file with all the licenses from Adobe, we will have to deactivate the system in all factories, which would be a significant loss for the users. I don't understand why Adobe isn't communicating with us. I would like to know if there is a way to disable these installation packages for these licenses, but we haven't received any response so far.
Celina, 3 things.
1) To be clear, ColdFusion is NOT an open source product. I sense now you're seeking confirmation of that, whereas when you asked about it originally I presumed you were asking about a specific component within it. (If learning that CF is not itself open-source might change your folks' drive for finding these licenses, do let us know here.)
2) If instead you really do refer only to specific packages, note first that Adobe does indeed incorporate both commercial and open source libraries and products into cf, for our benefit.
(And I suspect most people simply accept that without regard to being concerned about provenance. But with a growing concern for grc--governance, risk, and compliance--such a question as you raise was probably inevitable.)
3) Finally, you ask if there "is a way to disable these installation packages for these licenses", and the answer to that is YES.
a) First, regardless of what version of cf you're running, some of the libraries you refer to involve things that can be optionally installed/enabled/disabled during installation or afterward. The jnbridge library is about .net integration, and the open office library is about integration with that feature, while the jintegra library is about COM integration, and so on. That said, even by not enabling some things, the integration would remain in the product.
b) On the other hand (and even better news for you, it seems) is that if you're running on cf2021 or higher, that now is designed in a modular fashion such that one can add or remove all aspects of use of some feature. This can be done via the cf admin "package management" page, or the command line cfpm tool, or even during install if the new zip approach is used with its cfinstall script asking what packages to install.
Of course, if you remove a package that would be needed because your cfml code relies on it, that cfml code would fail. And note that the cfpm cli tool also offers a feature to scan your cfml code base to identify what packages WOULD be needed to run that code.
4) Again, we here responding as community contributors (BKBK and I) don't work for Adobe. We can agree that someone SHOULD have responded to you already (based on your direct email to them), and perhaps his note to them or just someone there eventually noticing this thread will get you direct help from them.
Or maybe with what I've shared here you may be able to get closer to what you need, even if you don't hear back from them soon.
Finally, I'll note that if you/your folks may need assistance with the things I've outlined, I'm also available for remote, screenshare-based, very short-term consulting. I can help you get started with all the things I discussed in perhaps an hour. Such short-term consulting to help cf folks is all I do, daily, helping a couple hundred clients a year. (I realize that very large orgs can be challenged arranging such a tiny engagement, but I just wanted to make the offer.) More at the consulting page of carehart.org.
But as you can see, I'm also open to engaging here, and we all want to help see you get to resolution.
I'm not Charlie, and I don't know exactly what your FOSS-Process department does or what German law requires, so please forgive me in advance if I make incorrect assumptions. But you are not licensing these products, Adobe is. Why does Adobe have to provide you with the license text at all? Adobe may not be using the same license as you would be required to use if you downloaded the third-party product and installed it yourself.
Also, as Charlie notes, you can remove some components using the module install/uninstall stuff. But you won't be able to uninstall everything that Adobe's included, like Tomcat or Log4J. Some of those may be open source products, others may be proprietary. Again, for the open-source ones, Adobe should (I think) be responsible for licensing them, not your company.
I do agree that Adobe should provide a manifest of third-party libraries and components so that you can deal with supply chain issues, but that's a different discussion I think. You might consider opening a support ticket about that.
Dave Watts, Eidolon LLC