Posted to issues@maven.apache.org by "Vladimir Sitnikov (Jira)" <ji...@apache.org> on 2019/10/13 14:45:00 UTC

[jira] [Commented] (MNG-6771) Please fix license issues on binary distribution

    [ https://issues.apache.org/jira/browse/MNG-6771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950337#comment-16950337 ] 

Vladimir Sitnikov commented on MNG-6771:
----------------------------------------

{quote}Official Apache releases are source releases only:{quote}
I'm afraid you are not quite right here.
Binary artifacts are part of the release.
PMC do vote for releasing the binary artifacts, and Apache defines the release as anything that is shared outside of the development community.

That is, license clearance for binary artifacts is extremely important.

I haven't seen a page that says the release might include improperly licensed binaries.

> Please fix license issues on binary distribution
> ------------------------------------------------
>
>                 Key: MNG-6771
>                 URL: https://issues.apache.org/jira/browse/MNG-6771
>             Project: Maven
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 3.6.2
>            Reporter: Vladimir Sitnikov
>            Priority: Major
>              Labels: licenses
>
> Please feel free to adjust the priority, however [http://www.apache.org/legal/release-policy.html#licensing] says that license clearance is a must, thus I report this as a Blocker.
> {quote}Every ASF release MUST comply with ASF licensing policy. This requirement is of utmost importance
> {quote}
> I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with it (note: there might be more):
> h2. 1) jcl-over-slf4j:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - JCL 1.2 implemented over SLF4J ([http://www.slf4j.org|http://www.slf4j.org/]) org.slf4j:jcl-over-slf4j:jar:1.7.25
>  License: MIT License (MIT) [http://www.opensource.org/licenses/mit-license.php] (lib/jcl-over-slf4j.license){quote}
> The license for the artifact is most likely Apache 2.0 rather than MIT: [https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]
> h2. 2) slf4j-api:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/]) org.slf4j:slf4j-api:jar:1.7.25
>  License: MIT License (MIT) [http://www.opensource.org/licenses/mit-license.php] (lib/slf4j-api.license){quote}
> Maven does not comply with the SLF4J license.
>  Here's the license for SLF4J: [https://www.slf4j.org/license.html]
>  It requires including the SLF4J copyright notice; however, Maven fails to do that.
> h2. 3) MIT license
> [http://www.opensource.org/licenses/mit-license.php] must not be used as it almost never points to a true license. It is extremely unlucky that someone would copyright their work as "Copyright (c) <year> <copyright holders>"
> h2. 4) org.eclipse.sisu.inject:0.3.3
> in apache-maven-3.6.2/LICENSE:
> {quote} - org.eclipse.sisu.inject ([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/]) org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
>  License: Eclipse Public License, Version 1.0 (EPL-1.0) [http://www.eclipse.org/legal/epl-v10.html] (lib/org.eclipse.sisu.inject.license){quote}
> The link to eclipse.org/sisu responds with 404.
> sisu might have their own copyright notices that should be retained, however Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has notice.html file which is not present in Maven re-distribution)
> h2. 5) ASM in org.eclipse.sisu.inject-0.3.3.jar
> lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus every re-distribution MUST retain ASM copyright notice.
>  Maven re-distributes ASM and fails to comply with ASM license.
> h2. 6) jsoup in wagon-http-3.3.3-shaded.jar
> lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license]) which is MIT-licensed. Maven fails to comply with jsoup license.


