Posted to dev@ode.apache.org by Oliver Kopp <ko...@gmail.com> on 2017/10/18 10:49:14 UTC

Sources of dependencies

Hi,

We are going to use Apache ODE in a project with involvement of
industry partners. There, we are obliged to prove all (transitive)
dependencies ODE uses, in order to guarantee that all of them apply to
the Apache License Version 2.0. Unfortunately, we were not able to
(automatically) retrieve/find the source code for 15 of the 83
dependencies (from Maven Central) which are packaged into the final
ODE WAR distribution and therefore cannot check what licenses these
dependencies REALLY have:


    1.  annogen:annogen:jar:sources:0.1.0

    2.  org.apache.derby:derby:jar:sources:10.5.3.0_1

    3.  org.apache.derby:derbytools:jar:sources:10.5.3.0_1

    4.  tranql:tranql-connector:jar:sources:1.1

    5.  org.apache.geronimo.specs:geronimo-j2ee-connector_1.5_spec:jar:sources:1.0

    6.  org.apache.velocity:velocity:jar:sources:1.5

    7.  net.sourceforge.serp:serp:jar:sources:1.13.1

    8.  org.jibx:jibx-run:jar:sources:1.2.1

    9.  commons-primitives:commons-primitives:jar:sources:1.0

    10. geronimo-spec:geronimo-spec-jms:jar:sources:1.1-rc4

    11. org.apache.santuario:xmlsec:jar:sources:1.4.6

    12. org.apache.xmlbeans:xmlbeans:jar:sources:2.6.0

    13. org.opensaml:opensaml1:jar:sources:1.1

    14. org.apache.axis2:axis2-transports:jar:sources:1.0-i6

    15. stax:stax-api:jar:sources:1.0.1


The question is whether someone on the ODE team has already transitively
checked all related licenses of the used dependencies when open
sourcing Apache ODE, so that we can rely on your checks.

Otherwise, would it be potentially possible that someone can provide
us with the source code for all dependencies bundled within the WAR
distribution of Apache ODE so that we can check them?

Cheers,

Oliver
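A small checker, added here and not part of the thread or of Apache ODE, that turns coordinate strings in the form listed above into their Maven Central download URLs and reports which sources jars are absent. The repository base URL (repo1.maven.org) is an assumption, and the existence check is injectable so the same code can be run against a constructed stub.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional
import urllib.error, urllib.request

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"  # repository base URL (assumed)

@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    packaging: str
    classifier: Optional[str]  # e.g. "sources"; None for the main artifact
    version: str

    @property
    def filename(self) -> str:
        suffix = f"-{self.classifier}" if self.classifier else ""
        return f"{self.artifact_id}-{self.version}{suffix}.{self.packaging}"

    def url(self, base: str = MAVEN_CENTRAL) -> str:
        # Repository layout: only groupId dots become '/'; artifactId dots stay.
        group_path = self.group_id.replace(".", "/")
        return f"{base}/{group_path}/{self.artifact_id}/{self.version}/{self.filename}"

def parse_coordinate(text: str) -> Coordinate:
    """Accepts 'g:a:packaging:classifier:v' (as listed above) or 'g:a:packaging:v'."""
    parts = text.strip().split(":")
    if len(parts) == 5:
        g, a, p, c, v = parts
    elif len(parts) == 4:
        (g, a, p, v), c = parts, None
    else:
        raise ValueError(f"unrecognised coordinate: {text!r}")
    return Coordinate(g, a, p, c, v)

def http_exists(url: str, timeout: float = 10.0) -> bool:
    """Live check: HTTP 200 on a HEAD request means the artifact is published."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        return False

def missing_sources(coords: Iterable[str], exists: Callable[[str], bool] = http_exists) -> List[str]:
    """Coordinates whose artifact the exists(url) check reports as absent."""
    return [c for c in coords if not exists(parse_coordinate(c).url())]
```

Calling missing_sources(coords) with the default fetcher queries the live repository; passing a stub for exists keeps the check offline.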

Re: Sources of dependencies

Posted by Oliver Kopp <ko...@gmail.com>.
Hi Sathwik,

Thank you for your answer.

> As for the Apache ODE source code distribution, we don't ship any third-party
> dependent source along with it nor do we take their source and compile it
> ourselves. We only use third-party libraries in their binary form, and their
> binary licenses will be shipped with the ODE binary distribution.

Sure. We understand that Apache has a different OSS process than we have.

In Eclipse terms, as far as I understood, Apache is doing "Type A" (a
license certification for all dependencies). We aim for a Type B Due
Diligence, which additionally provides certification, provenance
check, and code scan for various sorts of anomalies. For that code
scan, we need the source of all dependencies. - For details on type A
and B, Wayne has some words:
https://waynebeaton.wordpress.com/2017/01/12/license-certification-due-diligence/

Cheers,

Oliver

Re: Sources of dependencies

Posted by Sathwik B P <sa...@apache.org>.
Hi Oliver,

We make our best effort to list all the third-party licenses. In case
something is missing, feel free to report it.

regards,
sathwik

On Wed, Oct 18, 2017 at 7:02 PM, Sathwik B P <sa...@apache.org> wrote:


Re: Sources of dependencies

Posted by Sathwik B P <sa...@apache.org>.
Hi Oliver,

Apache projects' source & binaries are under ASLV2.

Third-party dependent binaries and their licenses will be included in the
project distribution. If a third-party binary license is not compatible with
ASLV2, we don't ship that binary.

As for the Apache ODE source code distribution, we don't ship any third-party
dependent source along with it nor do we take their source and compile it
ourselves. We only use third-party libraries in their binary form, and their
binary licenses will be shipped with the ODE binary distribution.

The binary licenses are packaged under the /lib directory of the war
distribution in release 1.3.7: https://ode.apache.org/getting-ode.html

You can also refer to http://www.apache.org/legal/

regards,
sathwik


On Wed, Oct 18, 2017 at 4:19 PM, Oliver Kopp <ko...@gmail.com> wrote:
