Posted to dev@maven.apache.org by Enrico Olivelli <eo...@gmail.com> on 2019/10/26 21:56:37 UTC

Fixing LICENCE and NOTICE for binary distributions

Hello,
as Vladimir reported in [1] we have problems of our binary distributions.

Short version of the story:
- we are missing some entries in LICENSE, in my opinion we should cite
every other ASLv2 licenced project that is not of property of ASF (like
Plexus), but we are currently skipping them
- we are not handling correctly some hidden (shaded/relocated) dependencies
- some of our direct dependencies of Maven Core messed with their LICENSE,
so the data that we can download automatically (from Maven central) is not
consistent with other sources (websites for instance)

Please follow up on JIRA for the detailed discussion about every single
dependency.
I have also started a branch for the fixes, but it is only a playground for
me currently as we should decide how the LICENSE/NOTICE/.license files
should look like before actually doing this.

I have experience of this kind of discussions in Apache BookKeeper project
and we came out with this doc [3] and a Pull request validation script that
validates as much as possible those rules.

I am trying to understand our dependencies and our packaging of licensing
material, in order to come with a complete proposal.

Any thought or suggestion is very welcome !

Enrico

[1] https://issues.apache.org/jira/browse/MNG-6771
[2] https://github.com/apache/maven/pull/297
[3] http://bookkeeper.apache.org/community/licensing/

Re: Fixing LICENCE and NOTICE for binary distributions

Posted by Hervé BOUTEMY <he...@free.fr>.
On Saturday, 26 October 2019, 23:56:37 CET, Enrico Olivelli wrote:
> Hello,
> as Vladimir reported in [1] we have problems of our binary distributions.
> 
> Short version of the story:
> - we are missing some entries in LICENSE, in my opinion we should cite
> every other ASLv2 licenced project that is not of property of ASF (like
> Plexus), but we are currently skipping them
+1

> - we are not handling correctly some hidden (shaded/relocated) dependencies
+1

> - some of our direct dependencies of Maven Core messed with their LICENSE,
> so the data that we can download automatically (from Maven central) is not
> consistent with other sources (websites for instance)
this one has been fixed for future releases of upstream project, we'll need to 
have a workaround until it is released and we upgrade our dependency

> 
> Please follow up on JIRA for the detailed discussion about every single
> dependency.
> I have also started a branch for the fixes, but it is only a playground for
> me currently as we should decide how the LICENSE/NOTICE/.license files
> should look like before actually doing this.
+1
little question: what is ".license"?

> 
> I have experience of this kind of discussions in Apache BookKeeper project
> and we came out with this doc [3]
really really interesting, thanks for the pointer

> and a Pull request validation script that
> validates as much as possible those rules.
IIUC, the team maintains the content by hand and the script checks that it is 
still consistent with the current dependencies, that's it?

> 
> I am trying to understand our dependencies and our packaging of licensing
> material, in order to come with a complete proposal.
> 
> Any thought or suggestion is very welcome !
don't hesitate to share little steps: that will add more opportunities to help 
each other

Regards,

Hervé

> 
> Enrico
> 
> [1] https://issues.apache.org/jira/browse/MNG-6771
> [2] https://github.com/apache/maven/pull/297
> [3] http://bookkeeper.apache.org/community/licensing/
