Posted to pluto-dev@portals.apache.org by Elliot Metsger <em...@jhu.edu> on 2007/03/27 20:28:06 UTC

LICENSE and NOTICE in META-INF

So I got pinged again by the repository folks, this time Daniel Kulp.

None of our maven artifacts have a LICENSE or NOTICE file in them, and
apparently this is also required per
http://www.apache.org/legal/src-headers.html:

> Does the policy apply to binary/object files, such as executables or
> JAR files?
> 
> Yes. Even if there are no source files within the release, the
> LICENSE file and NOTICE file are still both required within every ASF
> distribution -- whether the unit of distribution is a .jar, .msi,
> .tar/.?gz, .zip, .exe installer, or any other file format used for
> distributions. For example, Windows .exe files must not be used as a
> unit of distribution unless they are installers and include the
> LICENSE and NOTICE files in their installation.

This is in Jira as PLUTO-349.

I'm not sure where this leaves us with our existing releases.

Elliot

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
Ate,

Nice, thanks for the pointer!!!

I will definitely take a look at the maven-remote-resources-plugin and 
see if it will meet our needs.

Best,

Elliot

Ate Douma wrote:
> Elliot Metsger wrote:
>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>
>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>> apparently this is also required per
>> http://www.apache.org/legal/src-headers.html:
>>
>>> Does the policy apply to binary/object files, such as executables or
>>> JAR files?
>>>
>>> Yes. Even if there are no source files within the release, the
>>> LICENSE file and NOTICE file are still both required within every ASF
>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>> distributions. For example, Windows .exe files must not be used as a
>>> unit of distribution unless they are installers and include the
>>> LICENSE and NOTICE files in their installation.
>>
>> This is in Jira as PLUTO-349.
> 
> Elliot,
> 
> Not sure if this is going to work for Pluto but I've tried out the new
> (Alpha) maven-remote-resources-plugin for Jetspeed-2.
> Its purpose is exactly doing this: adding the Apache NOTICE and LICENSE
> files to all artifacts.
> It automatically downloads the Apache LICENSE as well as *generates* a
> NOTICE file based upon all the dependencies used.
> Now, it's still in an Alpha state and not (yet) working 100% for
> Jetspeed-2 as it depends on the dependencies providing a proper pom.xml
> itself.
> As Jetspeed-2 uses "bad" dependencies this results in a not fully
> satisfactory NOTICE file, but maybe for Pluto this might work out just fine.
> 
> Using the plugin is just a matter of putting the following in the main 
> (parent) pom.xml and you're set:
> 
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-remote-resources-plugin</artifactId>
>         <version>1.0-alpha-4</version>
>         <executions>
>           <execution>
>             <goals>
>               <goal>process</goal>
>             </goals>
>             <configuration>
>               <resourceBundles>
>                 <resourceBundle>org.apache:apache-jar-resource-bundle:1.0</resourceBundle>
>               </resourceBundles>
>               <properties>
>                 <addLicense>true</addLicense>
>               </properties>
>             </configuration>
>           </execution>
>         </executions>
>       </plugin>
> 
> Regards,
> 
> Ate
> 
> 
>>
>> I'm not sure where this leaves us with our existing releases.
>>
>> Elliot
>>

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
There's version 1.2 of the resource bundle jar.  I'm going to give that
a try..

Ate Douma wrote:
> Elliot Metsger wrote:
>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>
>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>> apparently this is also required per
>> http://www.apache.org/legal/src-headers.html:
>>
>>> Does the policy apply to binary/object files, such as executables or
>>> JAR files?
>>>
>>> Yes. Even if there are no source files within the release, the
>>> LICENSE file and NOTICE file are still both required within every ASF
>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>> distributions. For example, Windows .exe files must not be used as a
>>> unit of distribution unless they are installers and include the
>>> LICENSE and NOTICE files in their installation.
>>
>> This is in Jira as PLUTO-349.
> 
> Elliot,
> 
> Not sure if this is going to work for Pluto but I've tried out the new 
> (Alpha) maven-remote-resources-plugin for Jetspeed-2.
> Its purpose is exactly doing this: adding the Apache NOTICE and LICENSE 
> files to all artifacts.
> It automatically downloads the Apache LICENSE as well as *generates* a 
> NOTICE file based upon all the dependencies used.
> Now, it's still in an Alpha state and not (yet) working 100% for
> Jetspeed-2 as it depends on the dependencies providing a proper pom.xml
> itself.
> As Jetspeed-2 uses "bad" dependencies this results in a not fully
> satisfactory NOTICE file, but maybe for Pluto this might work out just fine.
> 
> Using the plugin is just a matter of putting the following in the main 
> (parent) pom.xml and you're set:
> 
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-remote-resources-plugin</artifactId>
>         <version>1.0-alpha-4</version>
>         <executions>
>           <execution>
>             <goals>
>               <goal>process</goal>
>             </goals>
>             <configuration>
>               <resourceBundles>
>                 <resourceBundle>org.apache:apache-jar-resource-bundle:1.0</resourceBundle>
>               </resourceBundles>
>               <properties>
>                 <addLicense>true</addLicense>
>               </properties>
>             </configuration>
>           </execution>
>         </executions>
>       </plugin>
> 
> Regards,
> 
> Ate
> 
> 
>>
>> I'm not sure where this leaves us with our existing releases.
>>
>> Elliot
>>

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
There are some 3rd party jars like Sun stuff.  We can hack the plugin to 
manually map the information for missing projects if people think we 
need to do so.

David H. DeWolf wrote:
> Does it really matter if the incomplete poms are Apache projects? We've 
> already got all the legal stuff necessary for those.
> 
> Elliot Metsger wrote:
>> Yes, the plugin is cool, but Pluto too uses artifacts that have 
>> incomplete POMs, which results in an incomplete/inaccurate NOTICE file.
>>
>> Those problems won't go away by themselves of course as the POM for 
>> Xerces 2.6.2 is unlikely to change.
>>
>>
>>> This product includes software, Unnamed -
>>> xerces:xmlParserAPIs:jar:2.6.2, developed by
>>> $project.organization.name ($project.organization.url).
>>> This product includes software, Unnamed -
>>> commons-logging:commons-logging-api:pom:1.1, developed by
>>> $project.organization.name ($project.organization.url).
>>
>>
>> Will have to figure out what to do....
>>
>> Elliot
>>
>> Ate Douma wrote:
>>> Elliot Metsger wrote:
>>>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>>>
>>>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>>>> apparently this is also required per
>>>> http://www.apache.org/legal/src-headers.html:
>>>>
>>>>> Does the policy apply to binary/object files, such as executables or
>>>>> JAR files?
>>>>>
>>>>> Yes. Even if there are no source files within the release, the
>>>>> LICENSE file and NOTICE file are still both required within every ASF
>>>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>>>> distributions. For example, Windows .exe files must not be used as a
>>>>> unit of distribution unless they are installers and include the
>>>>> LICENSE and NOTICE files in their installation.
>>>>
>>>> This is in Jira as PLUTO-349.
>>>
>>> Elliot,
>>>
>>> Not sure if this is going to work for Pluto but I've tried out the 
>>> new (Alpha) maven-remote-resources-plugin for Jetspeed-2.
>>> Its purpose is exactly doing this: adding the Apache NOTICE and 
>>> LICENSE files to all artifacts.
>>> It automatically downloads the Apache LICENSE as well as *generates* 
>>> a NOTICE file based upon all the dependencies used.
>>> Now, it's still in an Alpha state and not (yet) working 100% for
>>> Jetspeed-2 as it depends on the dependencies providing a proper
>>> pom.xml itself.
>>> As Jetspeed-2 uses "bad" dependencies this results in a not fully
>>> satisfactory NOTICE file, but maybe for Pluto this might work out just
>>> fine.
>>>
>>> Using the plugin is just a matter of putting the following in the 
>>> main (parent) pom.xml and you're set:
>>>
>>>       <plugin>
>>>         <groupId>org.apache.maven.plugins</groupId>
>>>         <artifactId>maven-remote-resources-plugin</artifactId>
>>>         <version>1.0-alpha-4</version>
>>>         <executions>
>>>           <execution>
>>>             <goals>
>>>               <goal>process</goal>
>>>             </goals>
>>>             <configuration>
>>>               <resourceBundles>
>>>                 <resourceBundle>org.apache:apache-jar-resource-bundle:1.0</resourceBundle>
>>>               </resourceBundles>
>>>               <properties>
>>>                 <addLicense>true</addLicense>
>>>               </properties>
>>>             </configuration>
>>>           </execution>
>>>         </executions>
>>>       </plugin>
>>>
>>> Regards,
>>>
>>> Ate
>>>
>>>
>>>>
>>>> I'm not sure where this leaves us with our existing releases.
>>>>
>>>> Elliot
>>>>
>>

Re: LICENSE and NOTICE in META-INF

Posted by "David H. DeWolf" <dd...@apache.org>.
Does it really matter if the incomplete poms are Apache projects? We've 
already got all the legal stuff necessary for those.

Elliot Metsger wrote:
> Yes, the plugin is cool, but Pluto too uses artifacts that have 
> incomplete POMs, which results in an incomplete/inaccurate NOTICE file.
> 
> Those problems won't go away by themselves of course as the POM for 
> Xerces 2.6.2 is unlikely to change.
> 
> 
>> This product includes software, Unnamed -
>> xerces:xmlParserAPIs:jar:2.6.2, developed by
>> $project.organization.name ($project.organization.url).
>> This product includes software, Unnamed -
>> commons-logging:commons-logging-api:pom:1.1, developed by
>> $project.organization.name ($project.organization.url).
> 
> 
> Will have to figure out what to do....
> 
> Elliot
> 
> Ate Douma wrote:
>> Elliot Metsger wrote:
>>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>>
>>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>>> apparently this is also required per
>>> http://www.apache.org/legal/src-headers.html:
>>>
>>>> Does the policy apply to binary/object files, such as executables or
>>>> JAR files?
>>>>
>>>> Yes. Even if there are no source files within the release, the
>>>> LICENSE file and NOTICE file are still both required within every ASF
>>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>>> distributions. For example, Windows .exe files must not be used as a
>>>> unit of distribution unless they are installers and include the
>>>> LICENSE and NOTICE files in their installation.
>>>
>>> This is in Jira as PLUTO-349.
>>
>> Elliot,
>>
>> Not sure if this is going to work for Pluto but I've tried out the new 
>> (Alpha) maven-remote-resources-plugin for Jetspeed-2.
>> Its purpose is exactly doing this: adding the Apache NOTICE and 
>> LICENSE files to all artifacts.
>> It automatically downloads the Apache LICENSE as well as *generates* a 
>> NOTICE file based upon all the dependencies used.
>> Now, it's still in an Alpha state and not (yet) working 100% for
>> Jetspeed-2 as it depends on the dependencies providing a proper
>> pom.xml itself.
>> As Jetspeed-2 uses "bad" dependencies this results in a not fully
>> satisfactory NOTICE file, but maybe for Pluto this might work out just
>> fine.
>>
>> Using the plugin is just a matter of putting the following in the main 
>> (parent) pom.xml and you're set:
>>
>>       <plugin>
>>         <groupId>org.apache.maven.plugins</groupId>
>>         <artifactId>maven-remote-resources-plugin</artifactId>
>>         <version>1.0-alpha-4</version>
>>         <executions>
>>           <execution>
>>             <goals>
>>               <goal>process</goal>
>>             </goals>
>>             <configuration>
>>               <resourceBundles>
>>                 <resourceBundle>org.apache:apache-jar-resource-bundle:1.0</resourceBundle>
>>               </resourceBundles>
>>               <properties>
>>                 <addLicense>true</addLicense>
>>               </properties>
>>             </configuration>
>>           </execution>
>>         </executions>
>>       </plugin>
>>
>> Regards,
>>
>> Ate
>>
>>
>>>
>>> I'm not sure where this leaves us with our existing releases.
>>>
>>> Elliot
>>>
> 

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
Yes, the plugin is cool, but Pluto too uses artifacts that have 
incomplete POMs, which results in an incomplete/inaccurate NOTICE file.

Those problems won't go away by themselves of course as the POM for 
Xerces 2.6.2 is unlikely to change.


> This product includes software, Unnamed - xerces:xmlParserAPIs:jar:2.6.2, developed by
> $project.organization.name ($project.organization.url).
> This product includes software, Unnamed - commons-logging:commons-logging-api:pom:1.1, developed by
> $project.organization.name ($project.organization.url).


Will have to figure out what to do....

Elliot

Ate Douma wrote:
> Elliot Metsger wrote:
>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>
>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>> apparently this is also required per
>> http://www.apache.org/legal/src-headers.html:
>>
>>> Does the policy apply to binary/object files, such as executables or
>>> JAR files?
>>>
>>> Yes. Even if there are no source files within the release, the
>>> LICENSE file and NOTICE file are still both required within every ASF
>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>> distributions. For example, Windows .exe files must not be used as a
>>> unit of distribution unless they are installers and include the
>>> LICENSE and NOTICE files in their installation.
>>
>> This is in Jira as PLUTO-349.
> 
> Elliot,
> 
> Not sure if this is going to work for Pluto but I've tried out the new 
> (Alpha) maven-remote-resources-plugin for Jetspeed-2.
> Its purpose is exactly doing this: adding the Apache NOTICE and LICENSE 
> files to all artifacts.
> It automatically downloads the Apache LICENSE as well as *generates* a 
> NOTICE file based upon all the dependencies used.
> Now, it's still in an Alpha state and not (yet) working 100% for
> Jetspeed-2 as it depends on the dependencies providing a proper pom.xml
> itself.
> As Jetspeed-2 uses "bad" dependencies this results in a not fully
> satisfactory NOTICE file, but maybe for Pluto this might work out just fine.
> 
> Using the plugin is just a matter of putting the following in the main 
> (parent) pom.xml and you're set:
> 
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-remote-resources-plugin</artifactId>
>         <version>1.0-alpha-4</version>
>         <executions>
>           <execution>
>             <goals>
>               <goal>process</goal>
>             </goals>
>             <configuration>
>               <resourceBundles>
>                 <resourceBundle>org.apache:apache-jar-resource-bundle:1.0</resourceBundle>
>               </resourceBundles>
>               <properties>
>                 <addLicense>true</addLicense>
>               </properties>
>             </configuration>
>           </execution>
>         </executions>
>       </plugin>
> 
> Regards,
> 
> Ate
> 
> 
>>
>> I'm not sure where this leaves us with our existing releases.
>>
>> Elliot
>>

Re: LICENSE and NOTICE in META-INF

Posted by Ate Douma <at...@douma.nu>.
Elliot Metsger wrote:
> So I got pinged again by the repository folks, this time Daniel Kulp.
> 
> None of our maven artifacts have a LICENSE or NOTICE file in them, and
> apparently this is also required per
> http://www.apache.org/legal/src-headers.html:
> 
>> Does the policy apply to binary/object files, such as executables or
>> JAR files?
>>
>> Yes. Even if there are no source files within the release, the
>> LICENSE file and NOTICE file are still both required within every ASF
>> distribution -- whether the unit of distribution is a .jar, .msi,
>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>> distributions. For example, Windows .exe files must not be used as a
>> unit of distribution unless they are installers and include the
>> LICENSE and NOTICE files in their installation.
> 
> This is in Jira as PLUTO-349.

Elliot,

Not sure if this is going to work for Pluto but I've tried out the new (Alpha) maven-remote-resources-plugin for Jetspeed-2.
Its purpose is exactly doing this: adding the Apache NOTICE and LICENSE files to all artifacts.
It automatically downloads the Apache LICENSE as well as *generates* a NOTICE file based upon all the dependencies used.
Now, it's still in an Alpha state and not (yet) working 100% for Jetspeed-2 as it depends on the dependencies providing a proper pom.xml itself.
As Jetspeed-2 uses "bad" dependencies this results in a not fully satisfactory NOTICE file, but maybe for Pluto this might work out just fine.

Using the plugin is just a matter of putting the following in the main (parent) pom.xml and you're set:

       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-remote-resources-plugin</artifactId>
         <version>1.0-alpha-4</version>
         <executions>
           <execution>
             <goals>
               <goal>process</goal>
             </goals>
             <configuration>
               <resourceBundles>
                 <resourceBundle>org.apache:apache-jar-resource-bundle:1.0</resourceBundle>
               </resourceBundles>
               <properties>
                 <addLicense>true</addLicense>
               </properties>
             </configuration>
           </execution>
         </executions>
       </plugin>

Regards,

Ate


> 
> I'm not sure where this leaves us with our existing releases.
> 
> Elliot
> 


Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
I have made progress.  I have a patch for the 
maven-remote-resources-plugin which allows one to add <supplement> 
elements to the maven-remote-resources-plugin in your POM:

               <plugin>
                 <artifactId>maven-remote-resources-plugin</artifactId>
                 <executions>
                   <execution>
                     <goals>
                       <goal>process</goal>
                     </goals>
                     <configuration>
                       <supplements>
                         <supplement>
                           <![CDATA[
                             <project>
                               <groupId>xerces</groupId>
                               <artifactId>xmlParserAPIs</artifactId>
                               <name>Apache Xerces</name>
                               <url>http://xerces.apache.org/</url>
                               <organization>
                                 <name>Apache Software Foundation</name>
                                 <url>http://www.apache.org/</url>
                               </organization>
                             </project>
                           ]]>
                         </supplement>

                         <!-- ... more <supplement> elements ... -->
                       </supplements>
                     </configuration>
                   </execution>
                 </executions>
               </plugin>

Anything included in the <supplement> is merged with the existing model 
for the artifact.  Right now <groupId> and <artifactId> are required 
elements.

The CDATA is kind of ugly but I don't know how/have time to make it 
better.  I plan to add support for packaging the supplements up in a jar 
file instead of polluting the pom with hundreds of lines of XML.

I'll put the plugin in Pluto under a Pluto groupId, extending the 
maven-remote-resources plugin, so we can move forward with a release 
(maven release plugin wouldn't allow us to release with a dependency on 
a snapshot version of maven-remote-resources).  I'll submit a patch to 
the Maven group, and hopefully it will get accepted for the next release 
of the maven-remote-resources plugin.

Hopefully I'll have this banged out by tomorrow eve.

Elliot
		

David H. DeWolf wrote:
> I'd say we do that and also add download urls for all of them so they 
> appear like xml-apis.

<snip>
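
A release-gate check for the problem this thread works through, as an added example that is not part of the original posts or of the Pluto or Maven code: it opens a built jar, confirms LICENSE and NOTICE are present, and lists NOTICE entries the plugin could not resolve. It assumes the files sit under META-INF/ (with or without a .txt suffix); the function names and the sample NOTICE text are constructed for illustration.

```python
import io
import re
import zipfile

# Files the ASF policy quoted in the thread requires in every distribution.
REQUIRED = ("LICENSE", "NOTICE")

# "Unnamed - group:artifact:type:version" appears in the generated NOTICE when
# a dependency's POM has no <name>; a literal $project.* reference appears when
# the POM has no <organization>. Both patterns are taken from the thread's output.
UNNAMED = re.compile(r"Unnamed\s*-\s*([\w.\-]+(?::[\w.\-]+){3})")
PLACEHOLDER = re.compile(r"\$\{?project\.[\w.]+\}?")

# Constructed sample, modelled on the NOTICE lines quoted in the thread.
SAMPLE_NOTICE = """\
This product includes software, Unnamed -
xerces:xmlParserAPIs:jar:2.6.2, developed
by        $project.organization.name ($project.organization.url).
This product includes/uses software, Unnamed - junit:junit:jar:3.7
This product includes/uses software, JTidy (http://jtidy.sourceforge.net),
developed by JTidy  (http://jtidy.sf.net)
"""


def make_jar(files):
    """Build an in-memory jar from {entry name: text} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in files.items():
            jar.writestr(name, text)
    return buf.getvalue()


def find_entry(names, base):
    """Return the jar entry holding LICENSE/NOTICE, or None if absent."""
    # Assumption: META-INF/<base> or META-INF/<base>.txt.
    for candidate in (f"META-INF/{base}", f"META-INF/{base}.txt"):
        if candidate in names:
            return candidate
    return None


def audit_jar(jar_bytes):
    """Report missing legal files and unresolved NOTICE entries for one jar."""
    report = {"missing": [], "unnamed": [], "placeholders": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        for base in REQUIRED:
            if find_entry(names, base) is None:
                report["missing"].append(base)
        notice = find_entry(names, "NOTICE")
        if notice:
            text = jar.read(notice).decode("utf-8", errors="replace")
            # Collapse whitespace so entries wrapped across lines still match.
            flat = " ".join(text.split())
            report["unnamed"] = sorted(set(UNNAMED.findall(flat)))
            report["placeholders"] = sorted(set(PLACEHOLDER.findall(flat)))
    return report


def is_releasable(report):
    """True only when nothing is missing and every entry was resolved."""
    return not any(report.values())


if __name__ == "__main__":
    jar = make_jar({
        "META-INF/LICENSE": "Apache License, Version 2.0 (constructed stub)",
        "META-INF/NOTICE": SAMPLE_NOTICE,
    })
    result = audit_jar(jar)
    for coordinate in result["unnamed"]:
        print("needs a <supplement>:", coordinate)
    print("releasable:", is_releasable(result))
```

Each coordinate reported under `unnamed` is a candidate for one of the `<supplement>` elements described above.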

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
Okie dokie I'll get cracking.

E

David H. DeWolf wrote:
> I'd say we do that and also add download urls for all of them so they 
> appear like xml-apis.
> 
> Elliot Metsger wrote:
>> Here are all the "bad" entries.  They include 3rd party jars.
>>
>> We can hack the plugin to map a groupId to the missing project info if 
>> people think we need to do so.
>>
>> esm:~/src/pluto-1.1.x$ find . -name NOTICE|xargs cat | grep Unnamed 
>> |sort -u
>> This product includes/uses software, Unnamed - 
>> avalon-framework:avalon-framework:jar:4.1.3
>> This product includes/uses software, Unnamed - 
>> commons-beanutils:commons-beanutils:jar:1.7.0
>> This product includes/uses software, Unnamed - 
>> commons-logging:commons-logging-api:pom:1.1
>> This product includes/uses software, Unnamed - 
>> commons-logging:commons-logging:jar:1.0
>> This product includes/uses software, Unnamed - 
>> javax.servlet:jstl:jar:1.0.6
>> This product includes/uses software, Unnamed - 
>> javax.servlet:servlet-api:jar:2.3
>> This product includes/uses software, Unnamed - junit:junit:jar:3.7
>> This product includes/uses software, Unnamed - log4j:log4j:jar:1.2.12
>> This product includes/uses software, Unnamed - logkit:logkit:jar:1.0.1
>> This product includes/uses software, Unnamed - taglibs:standard:jar:1.0.6
>> This product includes/uses software, Unnamed - 
>> xerces:xercesImpl:jar:2.6.2
>> This product includes/uses software, Unnamed - 
>> xerces:xmlParserAPIs:jar:2.6.2
>> This product includes/uses software, Unnamed - 
>> xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)
>>
>> Elliot Metsger wrote:
>>> Ok what do people think?  Using the latest apache resources jar we 
>>> still have some "bad" entries in our NOTICE files.  Here are four 
>>> examples of "bad" entries:
>>>
>>> This product includes/uses software, Unnamed - 
>>> javax.servlet:servlet-api:jar:2.3
>>> This product includes/uses software, Unnamed - 
>>> xerces:xmlParserAPIs:jar:2.6.2
>>> This product includes/uses software, Unnamed - 
>>> commons-logging:commons-logging-api:pom:1.1
>>> This product includes/uses software, Unnamed - 
>>> xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)
>>>
>>> I'm inclined to say that the "bad" entries are good enough, and 
>>> satisfy the requirements of the NOTICE file.  What do people think?
>>>
>>> Just to contrast, here are "good" entries:
>>> This product includes/uses software, Plexus Common Utilities,
>>> developed by Codehaus  (http://www.codehaus.org/)
>>> This product includes/uses software, Maven Reporting API 
>>> (http://maven.apache.org/maven-reporting/maven-reporting-api),
>>> developed by Apache Software Foundation  (http://www.apache.org/)
>>> This product includes/uses software, Maven Repository Metadata Model 
>>> (http://maven.apache.org/maven-repository-metadata),
>>> developed by Apache Software Foundation  (http://www.apache.org/)
>>> This product includes/uses software, Maven Plugin Registry Model 
>>> (http://maven.apache.org/maven-plugin-registry),
>>> developed by Apache Software Foundation  (http://www.apache.org/)
>>> This product includes/uses software, JTidy 
>>> (http://jtidy.sourceforge.net),
>>> developed by JTidy  (http://jtidy.sf.net)
>>> This product includes/uses software, Portlet API 
>>> (http://www.jcp.org/en/jsr/detail?id=168)
>>>
>>>
>>> Elliot
>>>
>>>
>>> Elliot Metsger wrote:
>>>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>>>
>>>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>>>> apparently this is also required per
>>>> http://www.apache.org/legal/src-headers.html:
>>>>
>>>>> Does the policy apply to binary/object files, such as executables or
>>>>> JAR files?
>>>>>
>>>>> Yes. Even if there are no source files within the release, the
>>>>> LICENSE file and NOTICE file are still both required within every ASF
>>>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>>>> distributions. For example, Windows .exe files must not be used as a
>>>>> unit of distribution unless they are installers and include the
>>>>> LICENSE and NOTICE files in their installation.
>>>>
>>>> This is in Jira as PLUTO-349.
>>>>
>>>> I'm not sure where this leaves us with our existing releases.
>>>>
>>>> Elliot
>>

Re: LICENSE and NOTICE in META-INF

Posted by "David H. DeWolf" <dd...@apache.org>.
I'd say we do that and also add download urls for all of them so they 
appear like xml-apis.

Elliot Metsger wrote:
> Here are all the "bad" entries.  They include 3rd party jars.
> 
> We can hack the plugin to map a groupId to the missing project info if 
> people think we need to do so.
> 
> esm:~/src/pluto-1.1.x$ find . -name NOTICE|xargs cat | grep Unnamed 
> |sort -u
> This product includes/uses software, Unnamed - 
> avalon-framework:avalon-framework:jar:4.1.3
> This product includes/uses software, Unnamed - 
> commons-beanutils:commons-beanutils:jar:1.7.0
> This product includes/uses software, Unnamed - 
> commons-logging:commons-logging-api:pom:1.1
> This product includes/uses software, Unnamed - 
> commons-logging:commons-logging:jar:1.0
> This product includes/uses software, Unnamed - javax.servlet:jstl:jar:1.0.6
> This product includes/uses software, Unnamed - 
> javax.servlet:servlet-api:jar:2.3
> This product includes/uses software, Unnamed - junit:junit:jar:3.7
> This product includes/uses software, Unnamed - log4j:log4j:jar:1.2.12
> This product includes/uses software, Unnamed - logkit:logkit:jar:1.0.1
> This product includes/uses software, Unnamed - taglibs:standard:jar:1.0.6
> This product includes/uses software, Unnamed - xerces:xercesImpl:jar:2.6.2
> This product includes/uses software, Unnamed - 
> xerces:xmlParserAPIs:jar:2.6.2
> This product includes/uses software, Unnamed - 
> xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)
> 
> Elliot Metsger wrote:
>> Ok what do people think?  Using the latest apache resources jar we 
>> still have some "bad" entries in our NOTICE files.  Here are four 
>> examples of "bad" entries:
>>
>> This product includes/uses software, Unnamed - 
>> javax.servlet:servlet-api:jar:2.3
>> This product includes/uses software, Unnamed - 
>> xerces:xmlParserAPIs:jar:2.6.2
>> This product includes/uses software, Unnamed - 
>> commons-logging:commons-logging-api:pom:1.1
>> This product includes/uses software, Unnamed - 
>> xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)
>>
>> I'm inclined to say that the "bad" entries are good enough, and 
>> satisfy the requirements of the NOTICE file.  What do people think?
>>
>> Just to contrast, here are "good" entries:
>> This product includes/uses software, Plexus Common Utilities,
>> developed by Codehaus  (http://www.codehaus.org/)
>> This product includes/uses software, Maven Reporting API 
>> (http://maven.apache.org/maven-reporting/maven-reporting-api),
>> developed by Apache Software Foundation  (http://www.apache.org/)
>> This product includes/uses software, Maven Repository Metadata Model 
>> (http://maven.apache.org/maven-repository-metadata),
>> developed by Apache Software Foundation  (http://www.apache.org/)
>> This product includes/uses software, Maven Plugin Registry Model 
>> (http://maven.apache.org/maven-plugin-registry),
>> developed by Apache Software Foundation  (http://www.apache.org/)
>> This product includes/uses software, JTidy 
>> (http://jtidy.sourceforge.net),
>> developed by JTidy  (http://jtidy.sf.net)
>> This product includes/uses software, Portlet API 
>> (http://www.jcp.org/en/jsr/detail?id=168)
>>
>>
>> Elliot
>>
>>
>> Elliot Metsger wrote:
>>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>>
>>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>>> apparently this is also required per
>>> http://www.apache.org/legal/src-headers.html:
>>>
>>>> Does the policy apply to binary/object files, such as executables or
>>>> JAR files?
>>>>
>>>> Yes. Even if there are no source files within the release, the
>>>> LICENSE file and NOTICE file are still both required within every ASF
>>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>>> distributions. For example, Windows .exe files must not be used as a
>>>> unit of distribution unless they are installers and include the
>>>> LICENSE and NOTICE files in their installation.
>>>
>>> This is in Jira as PLUTO-349.
>>>
>>> I'm not sure where this leaves us with our existing releases.
>>>
>>> Elliot
> 

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
Here are all the "bad" entries.  They include 3rd party jars.

We can hack the plugin to map a groupId to the missing project info if 
people think we need to do so.

esm:~/src/pluto-1.1.x$ find . -name NOTICE|xargs cat | grep Unnamed |sort -u
This product includes/uses software, Unnamed - avalon-framework:avalon-framework:jar:4.1.3
This product includes/uses software, Unnamed - commons-beanutils:commons-beanutils:jar:1.7.0
This product includes/uses software, Unnamed - commons-logging:commons-logging-api:pom:1.1
This product includes/uses software, Unnamed - commons-logging:commons-logging:jar:1.0
This product includes/uses software, Unnamed - javax.servlet:jstl:jar:1.0.6
This product includes/uses software, Unnamed - javax.servlet:servlet-api:jar:2.3
This product includes/uses software, Unnamed - junit:junit:jar:3.7
This product includes/uses software, Unnamed - log4j:log4j:jar:1.2.12
This product includes/uses software, Unnamed - logkit:logkit:jar:1.0.1
This product includes/uses software, Unnamed - taglibs:standard:jar:1.0.6
This product includes/uses software, Unnamed - xerces:xercesImpl:jar:2.6.2
This product includes/uses software, Unnamed - xerces:xmlParserAPIs:jar:2.6.2
This product includes/uses software, Unnamed - xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)

Elliot Metsger wrote:
> Ok what do people think?  Using the latest apache resources jar we still 
> have some "bad" entries in our NOTICE files.  Here are four examples of 
> "bad" entries:
> 
> This product includes/uses software, Unnamed - javax.servlet:servlet-api:jar:2.3
> This product includes/uses software, Unnamed - xerces:xmlParserAPIs:jar:2.6.2
> This product includes/uses software, Unnamed - commons-logging:commons-logging-api:pom:1.1
> This product includes/uses software, Unnamed - xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)
> 
> I'm inclined to say that the "bad" entries are good enough, and satisfy 
> the requirements of the NOTICE file.  What do people think?
> 
> Just to contrast, here are "good" entries:
> This product includes/uses software, Plexus Common Utilities,
> developed by Codehaus  (http://www.codehaus.org/)
> This product includes/uses software, Maven Reporting API 
> (http://maven.apache.org/maven-reporting/maven-reporting-api),
> developed by Apache Software Foundation  (http://www.apache.org/)
> This product includes/uses software, Maven Repository Metadata Model 
> (http://maven.apache.org/maven-repository-metadata),
> developed by Apache Software Foundation  (http://www.apache.org/)
> This product includes/uses software, Maven Plugin Registry Model 
> (http://maven.apache.org/maven-plugin-registry),
> developed by Apache Software Foundation  (http://www.apache.org/)
> This product includes/uses software, JTidy (http://jtidy.sourceforge.net),
> developed by JTidy  (http://jtidy.sf.net)
> This product includes/uses software, Portlet API 
> (http://www.jcp.org/en/jsr/detail?id=168)
> 
> 
> Elliot
> 
> 
> Elliot Metsger wrote:
>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>
>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>> apparently this is also required per
>> http://www.apache.org/legal/src-headers.html:
>>
>>> Does the policy apply to binary/object files, such as executables or
>>> JAR files?
>>>
>>> Yes. Even if there are no source files within the release, the
>>> LICENSE file and NOTICE file are still both required within every ASF
>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>> distributions. For example, Windows .exe files must not be used as a
>>> unit of distribution unless they are installers and include the
>>> LICENSE and NOTICE files in their installation.
>>
>> This is in Jira as PLUTO-349.
>>
>> I'm not sure where this leaves us with our existing releases.
>>
>> Elliot
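
The two checks discussed in this thread (every jar carries a LICENSE and a NOTICE, and the NOTICE has no "Unnamed" dependency entries) can be run against built artifacts before a release goes to the mirrors. The following is an added example, not code from this thread or from the Pluto project; the META-INF/ location with an optional .txt suffix and all function names are assumptions, and the sample NOTICE text is constructed from entries quoted above.

```python
import io
import re
import zipfile

# Assumption: the files sit directly under META-INF/, optionally with a .txt suffix.
REQUIRED = ("LICENSE", "NOTICE")
UNNAMED = re.compile(r"includes/uses software, Unnamed -\s+(\S+)")


def find_entry(names, base):
    """Return the archive path of META-INF/<base>[.txt], or None if absent."""
    for name in names:
        if name.upper() in (f"META-INF/{base}", f"META-INF/{base}.TXT"):
            return name
    return None


def audit_jar(jar):
    """Return (missing required files, sorted coordinates listed as Unnamed)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        found = {base: find_entry(names, base) for base in REQUIRED}
        missing = [base for base, path in found.items() if path is None]
        unnamed = []
        if found["NOTICE"]:
            text = zf.read(found["NOTICE"]).decode("utf-8", errors="replace")
            # \s+ also spans a line break between "Unnamed -" and the coordinate.
            unnamed = sorted(set(UNNAMED.findall(text)))
        return missing, unnamed


def make_jar(files):
    """Build an in-memory jar from {path: text}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    buf.seek(0)
    return buf


# Constructed sample NOTICE: two "Unnamed" entries (one wrapped) and one named entry.
SAMPLE_NOTICE = (
    "This product includes/uses software, Unnamed - \n"
    "javax.servlet:servlet-api:jar:2.3\n"
    "This product includes/uses software, Unnamed - junit:junit:jar:3.7\n"
    "This product includes/uses software, JTidy (http://jtidy.sourceforge.net),\n"
    "developed by JTidy  (http://jtidy.sf.net)\n"
)
```

audit_jar also accepts a filesystem path, so it can be looped over every jar under a build's target directories; a non-empty first element means the artifact does not meet the policy quoted at the top of the thread.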

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
Ok what do people think?  Using the latest apache resources jar we still 
have some "bad" entries in our NOTICE files.  Here are four examples of 
"bad" entries:

This product includes/uses software, Unnamed - javax.servlet:servlet-api:jar:2.3
This product includes/uses software, Unnamed - xerces:xmlParserAPIs:jar:2.6.2
This product includes/uses software, Unnamed - commons-logging:commons-logging-api:pom:1.1
This product includes/uses software, Unnamed - xml-apis:xml-apis:jar:1.0.b2 (http://xml.apache.org/commons/#external)

I'm inclined to say that the "bad" entries are good enough, and satisfy 
the requirements of the NOTICE file.  What do people think?

Just to contrast, here are "good" entries:
This product includes/uses software, Plexus Common Utilities,
developed by Codehaus  (http://www.codehaus.org/)
This product includes/uses software, Maven Reporting API 
(http://maven.apache.org/maven-reporting/maven-reporting-api),
developed by Apache Software Foundation  (http://www.apache.org/)
This product includes/uses software, Maven Repository Metadata Model 
(http://maven.apache.org/maven-repository-metadata),
developed by Apache Software Foundation  (http://www.apache.org/)
This product includes/uses software, Maven Plugin Registry Model 
(http://maven.apache.org/maven-plugin-registry),
developed by Apache Software Foundation  (http://www.apache.org/)
This product includes/uses software, JTidy (http://jtidy.sourceforge.net),
developed by JTidy  (http://jtidy.sf.net)
This product includes/uses software, Portlet API 
(http://www.jcp.org/en/jsr/detail?id=168)


Elliot


Elliot Metsger wrote:
> So I got pinged again by the repository folks, this time Daniel Kulp.
> 
> None of our maven artifacts have a LICENSE or NOTICE file in them, and
> apparently this is also required per
> http://www.apache.org/legal/src-headers.html:
> 
>> Does the policy apply to binary/object files, such as executables or
>> JAR files?
>>
>> Yes. Even if there are no source files within the release, the
>> LICENSE file and NOTICE file are still both required within every ASF
>> distribution -- whether the unit of distribution is a .jar, .msi,
>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>> distributions. For example, Windows .exe files must not be used as a
>> unit of distribution unless they are installers and include the
>> LICENSE and NOTICE files in their installation.
> 
> This is in Jira as PLUTO-349.
> 
> I'm not sure where this leaves us with our existing releases.
> 
> Elliot

Re: LICENSE and NOTICE in META-INF

Posted by Carsten Ziegeler <cz...@apache.org>.
Elliot Metsger wrote:
> 
> Carsten Ziegeler wrote:
>> David H. DeWolf wrote:
>>> Everything is already mirrored, we should only need to update for the 
>>> future.  My understanding is that we can't modify releases that have 
>>> already been published - and frankly, I REALLY don't want to go down 
>>> that path.
>>>
>> Yepp, I think we should push a new release out as soon as possible.
> 
> Should we forgo announcing and updating the Pluto website for the 1.1.2 
> release?  Obviously the damage is done with the distros and artifacts 
> already published to the mirrors, but no need to exacerbate the situation.
> 
> I think we should just wait until the corrected 1.1.3 release is out and 
> then make the announcements.
> 
I think we can continue with announcing 1.1.2 as it's better from a
technical and legal aspect than 1.1.1. It's not perfect wrt the notice
file, but 1.1.1 isn't either.

Carsten

-- 
Carsten Ziegeler
http://www.osoco.org/weblogs/rael/

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.

Carsten Ziegeler wrote:
> David H. DeWolf wrote:
>> Everything is already mirrored, we should only need to update for the 
>> future.  My understanding is that we can't modify releases that have 
>> already been published - and frankly, I REALLY don't want to go down 
>> that path.
>>
> Yepp, I think we should push a new release out as soon as possible.

Should we forgo announcing and updating the Pluto website for the 1.1.2 
release?  Obviously the damage is done with the distros and artifacts 
already published to the mirrors, but no need to exacerbate the situation.

I think we should just wait until the corrected 1.1.3 release is out and 
then make the announcements.

Elliot

> 
> Carsten
> 
>> Elliot Metsger wrote:
>>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>>
>>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>>> apparently this is also required per
>>> http://www.apache.org/legal/src-headers.html:
>>>
>>>> Does the policy apply to binary/object files, such as executables or
>>>> JAR files?
>>>>
>>>> Yes. Even if there are no source files within the release, the
>>>> LICENSE file and NOTICE file are still both required within every ASF
>>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>>> distributions. For example, Windows .exe files must not be used as a
>>>> unit of distribution unless they are installers and include the
>>>> LICENSE and NOTICE files in their installation.
>>> This is in Jira as PLUTO-349.
>>>
>>> I'm not sure where this leaves us with our existing releases.
>>>
>>> Elliot
>>>
> 
> 

Re: LICENSE and NOTICE in META-INF

Posted by Carsten Ziegeler <cz...@apache.org>.
David H. DeWolf wrote:
> Everything is already mirrored, we should only need to update for the 
> future.  My understanding is that we can't modify releases that have 
> already been published - and frankly, I REALLY don't want to go down 
> that path.
>
Yepp, I think we should push a new release out as soon as possible.

Carsten

> Elliot Metsger wrote:
>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>
>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>> apparently this is also required per
>> http://www.apache.org/legal/src-headers.html:
>>
>>> Does the policy apply to binary/object files, such as executables or
>>> JAR files?
>>>
>>> Yes. Even if there are no source files within the release, the
>>> LICENSE file and NOTICE file are still both required within every ASF
>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>> distributions. For example, Windows .exe files must not be used as a
>>> unit of distribution unless they are installers and include the
>>> LICENSE and NOTICE files in their installation.
>> This is in Jira as PLUTO-349.
>>
>> I'm not sure where this leaves us with our existing releases.
>>
>> Elliot
>>
> 


-- 
Carsten Ziegeler
http://www.osoco.org/weblogs/rael/

Re: LICENSE and NOTICE in META-INF

Posted by Elliot Metsger <em...@jhu.edu>.
Me neither.  I don't want to touch what we've already released.

David H. DeWolf wrote:
> Everything is already mirrored, we should only need to update for the 
> future.  My understanding is that we can't modify releases that have 
> already been published - and frankly, I REALLY don't want to go down 
> that path.
> 
> Elliot Metsger wrote:
>> So I got pinged again by the repository folks, this time Daniel Kulp.
>>
>> None of our maven artifacts have a LICENSE or NOTICE file in them, and
>> apparently this is also required per
>> http://www.apache.org/legal/src-headers.html:
>>
>>> Does the policy apply to binary/object files, such as executables or
>>> JAR files?
>>>
>>> Yes. Even if there are no source files within the release, the
>>> LICENSE file and NOTICE file are still both required within every ASF
>>> distribution -- whether the unit of distribution is a .jar, .msi,
>>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>>> distributions. For example, Windows .exe files must not be used as a
>>> unit of distribution unless they are installers and include the
>>> LICENSE and NOTICE files in their installation.
>>
>> This is in Jira as PLUTO-349.
>>
>> I'm not sure where this leaves us with our existing releases.
>>
>> Elliot
>>

Re: LICENSE and NOTICE in META-INF

Posted by "David H. DeWolf" <dd...@apache.org>.
Everything is already mirrored, we should only need to update for the 
future.  My understanding is that we can't modify releases that have 
already been published - and frankly, I REALLY don't want to go down 
that path.

Elliot Metsger wrote:
> So I got pinged again by the repository folks, this time Daniel Kulp.
> 
> None of our maven artifacts have a LICENSE or NOTICE file in them, and
> apparently this is also required per
> http://www.apache.org/legal/src-headers.html:
> 
>> Does the policy apply to binary/object files, such as executables or
>> JAR files?
>>
>> Yes. Even if there are no source files within the release, the
>> LICENSE file and NOTICE file are still both required within every ASF
>> distribution -- whether the unit of distribution is a .jar, .msi,
>> .tar/.?gz, .zip, .exe installer, or any other file format used for
>> distributions. For example, Windows .exe files must not be used as a
>> unit of distribution unless they are installers and include the
>> LICENSE and NOTICE files in their installation.
> 
> This is in Jira as PLUTO-349.
> 
> I'm not sure where this leaves us with our existing releases.
> 
> Elliot
>