Re: full license inventory of third-party dependencies

[Steve Blackmon <sb...@apache.org>]

 Here is a link to the third-party audit report from Jenkins.

https://builds.apache.org/job/streams-project-site/site/aggregate-third-party-report.html

I’ve begun looking into excluding / eliminating the 5 cat-x transitive
dependencies.

On Mar 31, 2018 at 4:08 PM, Steve Blackmon <sb...@apache.org> wrote:


I've opened a pull request that adds license-maven-plugin including a
maven site report.

https://github.com/apache/streams/pull/429

Once this merges (+1 please?) a new page will appear on the website
with a full transitive dependency inventory - and it should say there
are just over 550 dependencies, none of which have unidentified
licenses.

Also used the CLI tool license:aggregate-add-third-party from the
plugin to produce some files which I then edited into the attached
draft NOTICE file.

This process identified 5 dependencies, none important, that are
category X. They should be straightforward to exclude / remove. I'd
appreciate the PMC's feedback on the attached file, whether the format
is acceptable, any other critical content that may be missing, and
whether any dependencies may be problematic in addition to the five
already identified.

Per my understanding, with this accounting done, we need to provide
gather the license links and text into the NOTICE file, and once that
done we're permitted to perform a release that includes a binary based
on the new 'streams-dist' module.

Steve Blackmon
sblackmon@apache.org