Posted to dev@wookie.apache.org by "Paul Sharples (Created) (JIRA)" <ji...@apache.org> on 2011/10/05 14:03:34 UTC

[jira] [Created] (WOOKIE-250) Improve license files

Improve license files
---------------------

                 Key: WOOKIE-250
                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
             Project: Wookie
          Issue Type: Improvement
          Components: Project Administration
    Affects Versions: 0.9.1
         Environment: n/a
            Reporter: Paul Sharples
             Fix For: 0.9.1


Ate made some suggestions we might make to our license files when he reviewed the 0.9.0 release on the wookie-dev list. Creating an issue for it here so it's more visible for 0.9.1

* wookie.war has DISCLAIMER/LICENSE/NOTICE/RUNTIME_LICENSE files in root folder:
Having these files in the war root means these will be accessible as web resources... While still pretty harmless in this case/release, it's a bad practice and could actually pose a security issue as everyone can thereby find/read which runtime artifacts (including their version) are in use.
The expected/advised location for these files would be under /META-INF.

* NOTICE/LICENSE/RUNTIME_LICENSE files in general:
The current ASF policy is that these files only need/should attribute whatever is actually packaged (note: this equally concerns the svn tree, which in itself can and should be regarded as a "distribution"). Anything not "packaged" need (should) not be attributed. These files serve a legal purpose only, and anything not needed and/or redundant will only make it more difficult to maintain and validate properly.
Dependencies not packaged/distributed, but for instance needed (only) for building are not required to be attributed in these files. If there are specific (build/runtime) requirements users should be aware of then those should be mentioned and explained in additional README, BUILD_NOTES, etc. files, only.

* License attribution to other ASF projects packaged sources/artifacts:
From a legal POV, this is not needed: the basic (required) NOTICE and LICENSE attribution that the distribution includes ASF produced software under the ASL 2.0 license already covers all legal requirements.
While mentioning each and every other ASF project source/artifact in the LICENSE files is not harmful in any way, it is a lot of extra and unneeded effort not easy to maintain properly.

For example, the LICENSE file does mention the shindig-common-1.1-BETA5-incubating.jar (which is *not* packaged in the source distribution, more about that below), but does not mention shindig/dist/shindig-features-1.1-BETA5-incubating.jar which *is* packaged in the source distribution. However neither is really problematic as it isn't needed anyway.
Another example is some extra jackrabbit jars which are not mentioned in either the LICENSE or RUNTIME_LICENSE file but are packaged with the binary distributions.
And while commons-io and commons-email are mentioned in the LICENSE file (but not packaged in the source distribution), they are not mentioned in the RUNTIME_LICENSE file while they *are* packaged in the binary distributions.

* RUNTIME_LICENSE file:
- The RUNTIME_LICENSE file is used/intended to cover the requirements for (both) the binary distributions, wookie war/standalone.
However, as a single file it covers both distributions while the war distribution does not package several artifacts (and thus licenses) contained in the standalone distribution (Eclipse, Jetty, Servlet/JSP etc.).
From a legal POV, this is not "wrong", but AFAIK not ideal either.
To "solve" this however would require maintaining two separate RUNTIME_LICENSE files which isn't ideal either. I have no strong opinion on this but it might be considered to split these files up if causing not too much of a burden to maintain.
- More/most serious is the omission of the 3rd party license attributions for many (all?) of the packaged Widgets in the RUNTIME_LICENSE file. While these are distributed as "source", they are (thereby) packaged in the binary distributions and as such *should* be attributed in the RUNTIME_LICENSE file. However, as these 3rd party licenses are properly mentioned in the LICENSE file which also is packaged in the binary distribution, legally everything probably is still OK, even if somewhat confusing.
- My suggestion for future releases however is to consider packaging only a single LICENSE file within a release artifact/distribution and thus maintain separate LICENSE files for source and binary distributions (optionally even two for the latter). And the same holds for the NOTICE file which currently also covers everything for both source and binary distributions.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
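
A packaging check for the two points raised in this issue, as an added example that is not part of the original message or the Wookie code base: it flags legal files a WAR would serve from its root, and compares the jars in WEB-INF/lib with those named in RUNTIME_LICENSE. The sample WAR and its file contents are constructed; the jar names are taken from this thread, and all function names are hypothetical.

```python
import io
import re
import zipfile

# File names the issue reports in the WAR root (an extension such as .txt is tolerated).
LEGAL_NAMES = {"DISCLAIMER", "LICENSE", "NOTICE", "RUNTIME_LICENSE"}
# Servlet containers do not serve these directories directly to clients.
# Exact-case match on purpose: "web-inf/" is not treated as protected.
PROTECTED_PREFIXES = ("META-INF/", "WEB-INF/")
JAR_RE = re.compile(r"[\w.+-]+\.jar")


def web_exposed_legal_files(war):
    """Legal files outside META-INF/ and WEB-INF/, i.e. reachable as web resources."""
    exposed = []
    for name in war.namelist():
        if name.endswith("/") or name.startswith(PROTECTED_PREFIXES):
            continue
        stem = name.rsplit("/", 1)[-1].rsplit(".", 1)[0].upper()
        if stem in LEGAL_NAMES:
            exposed.append(name)
    return sorted(exposed)


def packaged_jars(war):
    """Base names of the jars actually shipped in WEB-INF/lib."""
    return {n.rsplit("/", 1)[-1] for n in war.namelist()
            if n.startswith("WEB-INF/lib/") and n.endswith(".jar")}


def jars_named_in(war, entry):
    """Versioned jar names mentioned in the text of one archive entry."""
    return set(JAR_RE.findall(war.read(entry).decode("utf-8", "replace")))


def audit(war_bytes, license_name="RUNTIME_LICENSE"):
    """Report web exposure of legal files and attribution drift for one WAR."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        exposed = web_exposed_legal_files(war)
        # Versioned artifacts any visitor could read out of the exposed files.
        disclosed = set()
        for entry in exposed:
            disclosed |= jars_named_in(war, entry)
        # Attribution is checked wherever the license file sits in the archive.
        attributed = set()
        for entry in war.namelist():
            if entry.rsplit("/", 1)[-1] == license_name:
                attributed |= jars_named_in(war, entry)
        packaged = packaged_jars(war)
    return {
        "exposed": exposed,
        "disclosed": sorted(disclosed),
        "unattributed": sorted(packaged - attributed),  # packaged, not mentioned
        "stale": sorted(attributed - packaged),         # mentioned, not packaged
    }


def build_sample_war(legal_dir):
    """Constructed WAR: legal_dir is "" for the root layout, "META-INF/" for the advised one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.html", "<html></html>")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in ("commons-io-1.4.jar", "commons-email-1.1.jar", "dwr-2.0.5.jar"):
            war.writestr("WEB-INF/lib/" + jar, b"")
        war.writestr(legal_dir + "NOTICE", "Constructed notice text\n")
        # Constructed license text: names one packaged jar and one jar that
        # only the standalone distribution ships.
        war.writestr(legal_dir + "RUNTIME_LICENSE",
                     "dwr-2.0.5.jar: constructed entry\n"
                     "jetty-6.1.3.jar: constructed entry\n")
    return buf.getvalue()


if __name__ == "__main__":
    for layout in ("", "META-INF/"):
        print(repr(layout), audit(build_sample_war(layout)))
```

Moving the files under META-INF/ empties the `exposed` and `disclosed` lists but leaves `unattributed` and `stale` unchanged, which is why the thread treats location and content of the license files as separate items.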

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Scott Wilson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125169#comment-13125169 ] 

Scott Wilson commented on WOOKIE-250:
-------------------------------------

OK, I'll get started on this now.
                

        

[jira] [Assigned] (WOOKIE-250) Improve license files

Posted by "Scott Wilson (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Wilson reassigned WOOKIE-250:
-----------------------------------

    Assignee: Scott Wilson  (was: Paul Sharples)
    

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Scott Wilson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125098#comment-13125098 ] 

Scott Wilson commented on WOOKIE-250:
-------------------------------------

Just had a quick look over what gets packaged in the releases:

Src version: 

- the various libraries used in widgets, connector and features such as JQuery, FlexiFrame etc
- source code for UrlEncodedQueryString.java

WAR version packages src plus:

activation-1.1.jar
ant-1.7.0.jar
ant-launcher-1.7.0.jar
commons-beanutils-1.7.0.jar
commons-beanutils-core-1.7.0.jar
commons-codec-1.5.jar
commons-collections-3.2.jar
commons-compress-1.0.jar
commons-configuration-1.4.jar
commons-digester-1.8.jar
commons-email-1.1.jar
commons-fileupload-1.2.1.jar
commons-httpclient-3.0.1.jar
commons-io-1.4.jar
commons-lang-2.4.jar
commons-logging-1.1.1.jar
commons-logging-api-1.0.4.jar
commons-pool-1.3.jar
dom4j-1.6.1.jar
dwr-2.0.5.jar
google-collections-1.0-rc2.jar
htmlcleaner-2.2.jar
icu4j-4.6.1.jar
jdom-1.1.jar
json-20080701.jar
junit-3.8.1.jar
log4j-1.2.14.jar
mail-1.4.jar
openjpa-all-2.0.0.jar
shindig-common-2.0.0.jar
slf4j-api-1.5.2.jar
slf4j-log4j12-1.5.2.jar
wookie-java-connector-0.9.1-incubating-SNAPSHOT.jar
wookie-parser-0.9.1-incubating-SNAPSHOT.jar
xml-apis-1.0.b2.jar

Standalone: Same as WAR plus:

ant-1.6.5.jar
commons-dbcp-1.2.2.jar
core-3.1.1.jar
derby-10.4.2.0.jar
geronimo-spec-jta-1.0.1B-rc4.jar
jetty-6.1.3.jar
jetty-naming-6.1.3.jar
jetty-plus-6.1.3.jar
jetty-util-6.1.3.jar
jsp-2.1-6.1.3.jar
jsp-api-2.1-6.1.3.jar
servlet-api-2.5-6.1.3.jar

======
If we remove the ASF project jars we just get:

WAR version packages src plus:

activation-1.1.jar
dom4j-1.6.1.jar
dwr-2.0.5.jar
google-collections-1.0-rc2.jar
htmlcleaner-2.2.jar
icu4j-4.6.1.jar
jdom-1.1.jar
json-20080701.jar
junit-3.8.1.jar
log4j-1.2.14.jar
mail-1.4.jar
slf4j-api-1.5.2.jar
slf4j-log4j12-1.5.2.jar
xml-apis-1.0.b2.jar

Standalone: Same as WAR plus:

core-3.1.1.jar
derby-10.4.2.0.jar
geronimo-spec-jta-1.0.1B-rc4.jar
jetty-6.1.3.jar
jetty-naming-6.1.3.jar
jetty-plus-6.1.3.jar
jetty-util-6.1.3.jar
jsp-2.1-6.1.3.jar
jsp-api-2.1-6.1.3.jar
servlet-api-2.5-6.1.3.jar

                

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Ate Douma (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125113#comment-13125113 ] 

Ate Douma commented on WOOKIE-250:
----------------------------------

In the list above without ASF project jars you can 'clean up' even more: log4j, derby and geronimo-spec are all ASF based artifacts
                

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Scott Wilson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125373#comment-13125373 ] 

Scott Wilson commented on WOOKIE-250:
-------------------------------------

Thanks Ate. The only jar checked into svn and packaged with the source is dwr-2.0.5.jar as this is the only lib we can't get dynamically from a repository. 

Apart from that the only sources with licenses are some javascript libraries, CSS, images and so on, and a single class we reuse. 

I've removed references to all the other jars from the top level source LICENSE which makes it a lot slimmer.
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Scott Wilson
>             Fix For: 0.9.1
>
>
> Ate made some suggestions we might make to our license files when he reviewed the 0.9.0 release on the wookie-dev list. Creating an issue for it here so its more visible for 0.9.1
> * wookie.war has DISCLAIMER/LICENSE/NOTICE/RUNTIME_LICENSE files in root folder:
> Having these files in the war root means these will be accessible as web resources... While still pretty harmless in this case/release, its a bad practice and could actually pose a security issue as everyone can thereby find/read which runtime artifacts (including there version) are in use.
> The expected/advised location for these files would be under /META-INF.
> * NOTICE/LICENSE/RUNTIME_LICENSE files in general:
> The current ASF policy is that these files only need/should attribute whatever is actually packaged (note: this equally concerns the svn tree, which in itself can and should be regarded as a "distribution"). Anything not "packaged" need (should) not be attributed. These files serve a legal purpose only, and anything not needed and/or redundant will only make it more difficult to maintain and validate and properly.
> Dependencies not packaged/distributed, but for instance needed (only) for building is not required to be attributed in these files. If there are specific (buid/runtime) requirements users should be aware of then those should be mentioned and explained in additional README, BUILD_NOTES, etc. files, only.
> * License attribution to other ASF projects packaged sources/artifacts:
> From a legal POV, this is not needed: the basic (required) NOTICE and LICENSE attribution that the distribution includes ASF produces software under the ASL 2.0 license already covers all legal requirements.
> While mentioning each and every other ASF project source/artifact in the LICENSE files is not harmful in anyway, it is a lot of extra and unneeded effort not easy to maintain properly.
> For example, the LICENSE file does mention the
> shindig-common-1.1-BETA5-incubating.jar (which is *not* packaged in the source distribution, more about that below), but does not mention
> shindig/dist/shindig-features-1.1-BETA5-incubating.jar which *is* packaged in the source distribution. However neither is really problematic as isn't needed
> anyway
> Another example is some extra jackrabbit jars which are not mentioned in either the LICENSE or RUNTIME_LICENSE file but are packaged with the binary distributions.
> And while commons-io and commons-email are mentioned in the LICENSE file (but not packaged in the source distribution), they are not mentioned in the RUNTIME_LICENSE file while they *are* packaged in the binary distributions.
> * RUNTIME_LICENSE file:
> - The RUNTIME_LICENSE file is used/intended to cover the requirements for (both) the binary distributions, wookie war/standalone.
> However, as a single file it covers both distributions while the war distribution does not package several artifacts (and thus licenses) contained in the standalone distribution (Eclipse, Jetty, Servlet/JSP etc.).
> From a legal POV, this is not "wrong", but AFAIK not ideal either.
> To "solve" this however would require maintaining two separate RUNTIME_LICENSE files which isn't ideal either. I have no strong opinion on this but it might be considered to split these files up if causing not too much of a burden to maintain.
> - More/most serious is the omission of the 3rd party license attributions for many (all?) of the packaged Widgets in the RUNTIME_LICENSE file. While these are distributed as "source", they are (thereby) packaged in the binary distributions and as such *should* be attributed in the RUNTIME_LICENSE file. However, as these 3rd party licenses are properly mentioned in the LICENSE file which also is packaged in the binary distribution, legally everything probably is still OK, even if somewhat confusing.
> - My suggestion for future releases however is to consider packaging only a single LICENSE file within a release artifact/distribution and thus maintain separate LICENSE files for source and binary distributions (optionally even two for the latter). And the same holds for the NOTICE file which currently also covers everything for both source and binary distributions.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
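
The issue description's points about legal files in the war root and about jars that are packaged but not listed can be checked mechanically before a release. The following is an added example, not code from the Wookie project; the sample archive, its entry names and versions are constructed, and treating junit as build-only follows the comment in this thread.

```python
import io
import re
import zipfile

# File names taken from the issue text; matched case-insensitively, with or without extension.
LEGAL_NAMES = {"DISCLAIMER", "LICENSE", "NOTICE", "RUNTIME_LICENSE"}
# Assumption: artifacts needed only at build/test time (junit is the one named in the thread).
BUILD_ONLY = ("junit",)
# A servlet container does not serve anything under these two directories to clients.
PRIVATE_DIRS = ("WEB-INF", "META-INF")


def _is_legal_file(entry):
    base = entry.rsplit("/", 1)[-1]
    return base.split(".", 1)[0].upper() in LEGAL_NAMES


def _is_web_accessible(entry):
    return entry.split("/", 1)[0].upper() not in PRIVATE_DIRS


def audit_war(war_bytes):
    """Return findings for a WAR given as bytes; every list is for human review."""
    findings = {"web_exposed": [], "unmentioned_jars": [], "build_only_jars": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        entries = [n for n in war.namelist() if not n.endswith("/")]
        legal = [n for n in entries if _is_legal_file(n)]
        # Legal files outside WEB-INF/ and META-INF/ can be fetched by any client.
        findings["web_exposed"] = sorted(n for n in legal if _is_web_accessible(n))
        legal_text = " ".join(
            war.read(n).decode("utf-8", "replace") for n in legal
        ).lower()
        for name in sorted(entries):
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            jar = name.rsplit("/", 1)[-1]
            # Drop the version suffix: commons-io-0.0.jar -> commons-io
            artifact = re.sub(r"-\d.*$", "", jar[:-4]).lower()
            if artifact.startswith(BUILD_ONLY):
                findings["build_only_jars"].append(jar)
            elif artifact not in legal_text:
                # Packaged but named in no legal file; a reviewer decides
                # whether it needs attribution.
                findings["unmentioned_jars"].append(jar)
    return findings


def relocate_legal_files(war_bytes):
    """Return a copy of the WAR with root-level legal files moved under META-INF/."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        existing = set(src.namelist())
        for info in src.infolist():
            name = info.filename
            if "/" not in name and _is_legal_file(name):
                target = "META-INF/" + name
                if target in existing:
                    raise ValueError("refusing to overwrite " + target)
                name = target
            dst.writestr(name, src.read(info))
    return out.getvalue()


def build_sample_war():
    """Constructed sample: entry names and versions are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("LICENSE", "Apache License 2.0\nIncludes commons-io.\n")
        war.writestr("NOTICE", "Sample notice\n")
        war.writestr("index.html", "<html></html>")
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in ("commons-io-0.0.jar", "jackrabbit-core-0.0.jar", "junit-0.0.jar"):
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_war()
    print("before:", audit_war(sample))
    print("after: ", audit_war(relocate_legal_files(sample)))
```
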

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Ate Douma (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125131#comment-13125131 ] 

Ate Douma commented on WOOKIE-250:
----------------------------------

I see you list junit as being packaged in the WAR?
That should be unnecessary and only needed as (build time) test dependency.
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Paul Sharples
>             Fix For: 0.9.1

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Paul Sharples (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125156#comment-13125156 ] 

Paul Sharples commented on WOOKIE-250:
--------------------------------------

That's the way I read it

"My suggestion for future releases however is to consider packaging only a single LICENSE file within a release artifact/distribution and thus maintain separate LICENSE files for source and binary distributions (optionally even two for the latter). And the same holds for the NOTICE file which currently also covers everything for both source and binary distributions."

...and merge LICENSE/NOTICE for each distro.
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Paul Sharples
>             Fix For: 0.9.1

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Scott Wilson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125316#comment-13125316 ] 

Scott Wilson commented on WOOKIE-250:
-------------------------------------

OK, I've merged and updated the LICENSE, NOTICE and RUNTIME_LICENSE files into one, and the release script puts the appropriate one with the releases.

I'm not sure about the source release - it doesn't package any jars at all in the download zip, but it does need all of them to build and run. So what should its LICENSE contain?
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Scott Wilson
>             Fix For: 0.9.1

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Scott Wilson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125152#comment-13125152 ] 

Scott Wilson commented on WOOKIE-250:
-------------------------------------

Just to be clear, is the idea to replace:

LICENSE
NOTICE
RUNTIME_LICENSE(s)

... with a single LICENSE file which is customised for each release type?

And that the new LICENSE file follows the same format as the current RUNTIME_LICENSE?
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Paul Sharples
>             Fix For: 0.9.1

        

[jira] [Commented] (WOOKIE-250) Improve license files

Posted by "Ate Douma (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125327#comment-13125327 ] 

Ate Douma commented on WOOKIE-250:
----------------------------------

Cool, when I'm able to free up some time (extremely difficult lately), I'll review them.

Concerning source releases LICENSE/NOTICE files: these should be the same as (must) be provided in the svn root folder and only need to cover what is 'packaged' therein.
So, it doesn't need to cover any jars, unless we have those checked into svn as well (and I think Wookie does, right?).
These LICENSE/NOTICE files only cover the 'sources' and basically and as a minimum only need to have standard ASL 2.0 license and project (Wookie) notice itself.
If however we have sources which were derived from (cloned/copied/etc.) outside the ASF *and* have their own LICENSE/NOTICE requirements, then those also need to be covered in our LICENSE/NOTICE files.
Examples could be donated and/or imported widget sources, javascript libraries, images, but also code fragments/snippets, etc.      
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Scott Wilson
>             Fix For: 0.9.1

        

[jira] [Assigned] (WOOKIE-250) Improve license files

Posted by "Paul Sharples (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Sharples reassigned WOOKIE-250:
------------------------------------

    Assignee: Paul Sharples
    
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Paul Sharples
>             Fix For: 0.9.1
>
>
> Ate made some suggestions we might make to our license files when he reviewed the 0.9.0 release on the wookie-dev list. Creating an issue for it here so it's more visible for 0.9.1
> * wookie.war has DISCLAIMER/LICENSE/NOTICE/RUNTIME_LICENSE files in root folder:
> Having these files in the war root means these will be accessible as web resources... While still pretty harmless in this case/release, it's a bad practice and could actually pose a security issue as everyone can thereby find/read which runtime artifacts (including their version) are in use.
> The expected/advised location for these files would be under /META-INF.
> * NOTICE/LICENSE/RUNTIME_LICENSE files in general:
> The current ASF policy is that these files only need/should attribute whatever is actually packaged (note: this equally concerns the svn tree, which in itself can and should be regarded as a "distribution"). Anything not "packaged" need (should) not be attributed. These files serve a legal purpose only, and anything not needed and/or redundant will only make it more difficult to maintain and validate properly.
> Dependencies not packaged/distributed, but for instance needed (only) for building are not required to be attributed in these files. If there are specific (build/runtime) requirements users should be aware of then those should be mentioned and explained in additional README, BUILD_NOTES, etc. files, only.
> * License attribution to other ASF projects packaged sources/artifacts:
> From a legal POV, this is not needed: the basic (required) NOTICE and LICENSE attribution that the distribution includes ASF-produced software under the ASL 2.0 license already covers all legal requirements.
> While mentioning each and every other ASF project source/artifact in the LICENSE files is not harmful in any way, it is a lot of extra and unneeded effort not easy to maintain properly.
> For example, the LICENSE file does mention the shindig-common-1.1-BETA5-incubating.jar (which is *not* packaged in the source distribution, more about that below), but does not mention shindig/dist/shindig-features-1.1-BETA5-incubating.jar which *is* packaged in the source distribution. However neither is really problematic as it isn't needed anyway.
> Another example is some extra jackrabbit jars which are not mentioned in either the LICENSE or RUNTIME_LICENSE file but are packaged with the binary distributions.
> And while commons-io and commons-email are mentioned in the LICENSE file (but not packaged in the source distribution), they are not mentioned in the RUNTIME_LICENSE file while they *are* packaged in the binary distributions.
> * RUNTIME_LICENSE file:
> - The RUNTIME_LICENSE file is used/intended to cover the requirements for (both) the binary distributions, wookie war/standalone.
> However, as a single file it covers both distributions while the war distribution does not package several artifacts (and thus licenses) contained in the standalone distribution (Eclipse, Jetty, Servlet/JSP etc.).
> From a legal POV, this is not "wrong", but AFAIK not ideal either.
> To "solve" this however would require maintaining two separate RUNTIME_LICENSE files which isn't ideal either. I have no strong opinion on this but it might be considered to split these files up if causing not too much of a burden to maintain.
> - More/most serious is the omission of the 3rd party license attributions for many (all?) of the packaged Widgets in the RUNTIME_LICENSE file. While these are distributed as "source", they are (thereby) packaged in the binary distributions and as such *should* be attributed in the RUNTIME_LICENSE file. However, as these 3rd party licenses are properly mentioned in the LICENSE file which also is packaged in the binary distribution, legally everything probably is still OK, even if somewhat confusing.
> - My suggestion for future releases however is to consider packaging only a single LICENSE file within a release artifact/distribution and thus maintain separate LICENSE files for source and binary distributions (optionally even two for the latter). And the same holds for the NOTICE file which currently also covers everything for both source and binary distributions.
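
The first point in the issue (legal files in the war root being reachable as web resources, with /META-INF as the advised location) can be checked and corrected on a built archive. The following is an added example, not part of the original message or the Wookie build; the function names are hypothetical and the archive is a constructed sample, not the real wookie.war.

```python
import io
import zipfile

# File names as listed in the issue; matching ignores case and extension.
LEGAL_NAMES = {"DISCLAIMER", "LICENSE", "NOTICE", "RUNTIME_LICENSE"}


def exposed_legal_files(war_bytes):
    """Return legal files in the WAR root, where they are served as web resources."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(
            name for name in war.namelist()
            if "/" not in name and name.split(".")[0].upper() in LEGAL_NAMES
        )


def relocate_to_meta_inf(war_bytes):
    """Return a copy of the WAR with root-level legal files moved under META-INF/."""
    exposed = set(exposed_legal_files(war_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        existing = set(src.namelist())
        for info in src.infolist():
            data = src.read(info)
            if info.filename in exposed:
                target = "META-INF/" + info.filename
                if target in existing:
                    raise ValueError(f"{target} already present, resolve by hand")
                info.filename = target  # keeps timestamp and compression
            dst.writestr(info, data)
    return out.getvalue()


def build_sample_war():
    """Constructed sample archive (not the real wookie.war)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        for name in ("DISCLAIMER", "LICENSE", "NOTICE", "RUNTIME_LICENSE"):
            war.writestr(name, "constructed placeholder text\n")
        war.writestr("index.html", "<html></html>")
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war()
    print("root-level before:", exposed_legal_files(war))
    print("root-level after: ", exposed_legal_files(relocate_to_meta_inf(war)))
```

Run against a release candidate, a non-empty result from exposed_legal_files is a reason to fail the build before the war is published.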
