Posted to dev@edgent.apache.org by Justin Mclean <ju...@classsoftware.com> on 2016/04/08 02:24:58 UTC

license review

Hi,

Apologies if any of this has come up on the list before and again for being a bit late to the party.

I just took a look at the source code in the repo to check the licensing. If you're not aware of it, Apache Rat is a tool that checks headers and source releases for license issues [1]. So I ran rat and a few other tools (grep basically) over the current code base and here's what I found.

The following files are missing Apache headers:
./samples/scenarios/src/main/java/quarks/samples/scenarios/iotf/IotfFullScenario.java
./console/servlets/webapp_content/js/ext/sankey_quarks.js (may not be Apache licensed)
./console/servlets/webapp_content/js/graph.js
./console/servlets/webapp_content/js/index.js
./console/servlets/webapp_content/js/metrics.js

Currently we have several jars checked into version control; that’s rather unusual. Jars can’t be included in a source release, are usually included at build time, and are usually not stored in version control.

I can see the following 3rd party code in the repo:
- D3 Legend MIT licensed
- D3 BSD licensed
- JQuery UI MIT licensed
- Sankey [2] may be based on this [3] whose license is BSD but is missing a header
- Apache Commons Math. This has a notice file that would affect our notice file if bundled [4]
- Google Gson Apache licensed missing NOTICE file
- Metrics Apache license with NOTICE file [5]
- slf4j MIT licensed

Is there anything I’ve missed?

Depending on how this code is used i.e. bundled or brought in at run time it’s going to change the contents of our LICENSE and NOTICE files.

I didn’t look at the jars in detail. I can see mostly Apache with a Scala BSD and there is also some EPL and MPL licensed code in there that may need to be handled carefully [6]

Thanks,
Justin

1. http://creadur.apache.org/rat/
2. ./console/servlets/webapp_content/js/ext/sankey_quarks.js
3. https://github.com/d3/d3-plugins/blob/master/sankey/sankey.js
4. https://github.com/apache/commons-math/blob/master/NOTICE.txt
5. https://github.com/dropwizard/metrics/blob/3.1-maintenance/NOTICE
6. http://www.apache.org/legal/resolved.html#category-b


Re: license review

Posted by Kathy Saunders <os...@gmail.com>.
On Fri, Apr 8, 2016 at 12:13 AM, Justin Mclean <ju...@classsoftware.com>
wrote:

>
> > My plan was to research 3rd party jar files one at a time
> > and create pull requests for the Quarks NOTICE if needed.
>
> I would hold off on that. An Apache releases source code, so a source
> release can’t include jars. You may also optionally make a convenience
> binary release and that may end up having a different LICENSE/NOTICE to
> the source release (as its contents are different). I would try (but it’s
> only a suggestion) to try and produce a source release first.
>

OK, I'm fine holding off on the license work until we make a source release
and sort out the jar file issue.


>
> > I guess a good question is whether we should remove the jar files
> > completely and set up Maven or something like it instead.
>
> IMO they can’t stay in version control and it’s something that would need to
> be fixed before graduation. Happy to hear other options.
>

OK, sounds like we need to work on a solution for this.  Thank you for the
advice.


> > How do projects usually handle binary releases?
>
> Exactly the same rules apply [1] and that's dependent on its content.
> Note this means that you will need to look inside each of the jars and see
> what they contain. I can help with that as I’ve made and reviewed probably
> 50? or so releases.
>

Great!  Your help will be much appreciated when the time comes.



On Fri, Apr 8, 2016 at 12:32 AM, Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> I also think the current license file could be a little shorter. [1]. What
> do you think?
>
> Thanks,
> Justin
>
> 1.  https://issues.apache.org/jira/browse/QUARKS-135


I'm fine with that change.  To be honest, I copied that notice from an
older Apache project and ran it by the IBM lawyers.  I'm happy to keep it
simple.  I will make that change unless anyone else objects.

Thank you for the education on licensing!  Very helpful.

Kathy

Re: license review

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> The first one I was looking at is Metrics under
> ext/metrics-3.1.2, which is an Apache license but has Notices that I think
> we would need to add to our NOTICE file.

Yep I mentioned that above.

> My plan was to research 3rd party jar files one at a time
> and create pull requests for the Quarks NOTICE if needed.

I would hold off on that. An Apache releases source code, so a source release can’t include jars. You may also optionally make a convenience binary release and that may end up having a different LICENSE/NOTICE to the source release (as its contents are different). I would try (but it’s only a suggestion) to try and produce a source release first.

> I guess a good question is whether we should remove the jar files
> completely and set up Maven or something like it instead.

IMO they can’t stay in version control and it’s something that would need to be fixed before graduation. Happy to hear other options.

> How do projects usually handle binary releases?

Exactly the same rules apply [1] and that's dependent on its content. Note this means that you will need to look inside each of the jars and see what they contain. I can help with that as I’ve made and reviewed probably 50? or so releases.

Thanks,
Justin

1. http://www.apache.org/dev/licensing-howto.html#binary


Re: license review

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

I also think the current license file could be a little shorter. [1]. What do you think?

Thanks,
Justin

1.  https://issues.apache.org/jira/browse/QUARKS-135

Re: license review

Posted by Kathy Saunders <os...@gmail.com>.
>
> On Apr 8, 2016 9:25 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:
>
> >
> > Currently we have several jars checked into version control; that’s rather
> > unusual. Jars can’t be included in a source release, are usually
> > included at build time, and are usually not stored in version control.
> >
> > I can see the following 3rd party code in the repo:
> > - D3 Legend MIT licensed
> > - D3 BSD licensed
> > - JQuery UI MIT licensed
> > - Sankey [2] may be based on this [3] whose license is BSD but is missing
> > a header
> > - Apache Commons Math. This has a notice file that would affect our notice
> > file if bundled [4]
> > - Google Gson Apache licensed missing NOTICE file
> > - Metrics Apache license with NOTICE file [5]
> > - slf4j MIT licensed
> >
> > Is there anything I’ve missed?
> >
> > Depending on how this code is used i.e. bundled or brought in at run time
> > it’s going to change the contents of our LICENSE and NOTICE files.
> >
> > I didn’t look at the jars in detail. I can see mostly Apache with a Scala
> > BSD and there is also some EPL and MPL licensed code in there that may need to
> > be handled carefully [6]
> >
> > Thanks,
> > Justin
>

Hi Justin,

I actually have been looking into the various 3rd party jar files in our
code base in order to work on the NOTICE file.  There are more than you
mentioned.  The first one I was looking at is Metrics under
ext/metrics-3.1.2, which is an Apache license but has Notices that I think
we would need to add to our NOTICE file.  I opened
https://issues.apache.org/jira/browse/QUARKS-132 and was going to make the
update to NOTICE. My plan was to research 3rd party jar files one at a time
and create pull requests for the Quarks NOTICE if needed.

I guess a good question is whether we should remove the jar files
completely and set up Maven or something like it instead.  Do others in the
community have an opinion on this topic?

If we do remove the jar files and use Maven, would we still need to have an
updated NOTICE file when we create a binary release?  Some of these jar
files will need to be included in a Quarks release. I did a quick search on
Maven and it looks like there are plugins that help manage license files.
How do projects usually handle binary releases?  I don't have any
experience with Maven, so don't know how this works.

Thank you very much for your guidance.

Kathy

Re: license review

Posted by Cazen Lee <po...@gmail.com>.
Thank you for checking, Justin

I will use Apache Rat when checking license issues; it looks very helpful.
I created a PR that includes missing headers to the repo you mentioned
immediately. And I will make sure what license is used in sankey_quarks.js

And hmm I think we can hedge the JAR issue by using a dependency management tool
like Maven. But I cannot be sure due to lack of experience.

If I can be of more help, please tell me

On Apr 8, 2016 9:25 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:

> Hi,
>
> Apologies if any of this has come up on the list before and again for
> being a bit late to the party.
>
> I just took a look at the source code in the repo to check the licensing.
> If you're not aware of it, Apache Rat is a tool that checks headers and source
> releases for license issues [1]. So I ran rat and a few other tools (grep
> basically) over the current code base and here's what I found.
>
> The following files are missing Apache headers:
>
> ./samples/scenarios/src/main/java/quarks/samples/scenarios/iotf/IotfFullScenario.java
> ./console/servlets/webapp_content/js/ext/sankey_quarks.js (may not be
> Apache licensed)
> ./console/servlets/webapp_content/js/graph.js
> ./console/servlets/webapp_content/js/index.js
> ./console/servlets/webapp_content/js/metrics.js
>
> Currently we have several jars checked into version control; that’s rather
> unusual. Jars can’t be included in a source release, are usually
> included at build time, and are usually not stored in version control.
>
> I can see the following 3rd party code in the repo:
> - D3 Legend MIT licensed
> - D3 BSD licensed
> - JQuery UI MIT licensed
> - Sankey [2] may be based on this [3] whose license is BSD but is missing
> a header
> - Apache Commons Math. This has a notice file that would affect our notice
> file if bundled [4]
> - Google Gson Apache licensed missing NOTICE file
> - Metrics Apache license with NOTICE file [5]
> - slf4j MIT licensed
>
> Is there anything I’ve missed?
>
> Depending on how this code is used i.e. bundled or brought in at run time
> it’s going to change the contents of our LICENSE and NOTICE files.
>
> I didn’t look at the jars in detail. I can see mostly Apache with a Scala
> BSD and there is also some EPL and MPL licensed code in there that may need to
> be handled carefully [6]
>
> Thanks,
> Justin
>
> 1. http://creadur.apache.org/rat/
> 2. ./console/servlets/webapp_content/js/ext/sankey_quarks.js
> 3. https://github.com/d3/d3-plugins/blob/master/sankey/sankey.js
> 4. https://github.com/apache/commons-math/blob/master/NOTICE.txt
> 5. https://github.com/dropwizard/metrics/blob/3.1-maintenance/NOTICE
> 6. http://www.apache.org/legal/resolved.html#category-b
>
>

Re: license review

Posted by Dan Debrunner <dj...@debrunners.com>.
> On Friday, April 8, 2016 3:05 PM, Justin Mclean <ju...@classsoftware.com> wrote:

> > Hi,
> 
>>  Is that an ASF policy, is there a reference for it?
> 
> Yep [1] (last para), [2] and also see the release checklist [3]. Note 3.6 there 
> states "This package may not contain compiled components (such as 
> "jar" files) because compiled components are not open source, even if 
> they were built from open source.”

Thanks Justin, never knew that.

Dan.

Re: license review

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Is that an ASF policy, is there a reference for it?

Yep [1] (last para), [2] and also see the release checklist [3]. Note 3.6 there states "This package may not contain compiled components (such as "jar" files) because compiled components are not open source, even if they were built from open source.”

There are other references if you need them. You can have jars in a binary convenience package.

Thanks,
Justin

1. http://www.apache.org/dev/release.html#what
2. http://www.apache.org/dev/release.html#what-must-every-release-contain
3. http://incubator.apache.org/guides/release.html



Re: license review

Posted by Dan Debrunner <dj...@debrunners.com>.




> On Thursday, April 7, 2016 5:25 PM, Justin Mclean <ju...@classsoftware.com> wrote:

> Jars can’t be included in a source release.

Is that an ASF policy, is there a reference for it?


Thanks for doing the checks,
Dan.