Posted to dev@chemistry.apache.org by Florian Müller <mu...@gotux.de> on 2010/06/26 19:04:17 UTC

Re: Make the release "legally" ASF compliant

Hi,

The JARs contain a DEPENDENCIES file in the META-INF directory. It lists 
all dependencies with project and license links. Is this sufficient?

The WARs contain LICENSE and NOTICE files in the META-INF directory but 
no DEPENDENCIES file. That might be an issue.


- Florian



On 26.06.10 06:02, Gabriele Columbro wrote:
> Hey Jeremias,
> thanks for the extremely detailed feedback, it was really appreciated :)
>
> See below a few more details:
>
> On Jun 25, 2010, at 6:17 PM, Jeremias Maerki wrote:
>
>> Some observations (non-blockers for a first release, I guess):
>>
>> - Gabriele, you may want to publish your PGP key on a key server and see
>> to it that you can soon meet some fellow Apache committers so you can
>> get your code signing key cross-signed.
>
> I published my key on the PGP MIT server
> (http://pgp.mit.edu:11371/pks/lookup?search=Columbro+code+signing&op=vindex)
> and will be glad to enter the ASF web of trust at the first gathering
> (maybe ACUS 2010).
>
>>
>> - the WARs all contain no LICENSE and NOTICE files.
>
> This is taken care of automatically for JARs by the (inherited)
> maven-remote-resources-plugin. Checking if there's an option to do the
> same for WARs.
>
>>
>> - maybe problematic: I cannot find a list of dependencies including
>> their applicable license (a long-standing issue I have with Maven).
>> JAX-WS-RI is CDDL/GPLv2 and therefore Category B according to [1]. IMO,
>> the necessary labeling requirements are not met, yet. The same seems to
>> apply to mimepull and saaj. I think the best way is to create a
>> README.txt which contains a manually maintained list and to include that
>> README.txt in all dist ZIPs and WARs (i.e. the files that include the
>> third-parties), maybe even all JARs because they have these dependencies.
>> That would make it very easy for people to verify the dependencies
>> against their own license policies.
>
> I created an issue https://issues.apache.org/jira/browse/CMIS-224 in
> order to track this task. I set 0.2.0 as fix version, but do you believe
> that this should be fixed also in 0.1.0?
>
> @devs: anyone who can help creating this text file per package? I can
> then easily include it in the build.
>
> Thanks again for the expert feedback!
>
> Ciao,
> Gab
>


RE: Make the release "legally" ASF compliant

Posted by Florian Müller <fm...@opentext.com>.
Hi,

I've added the missing license information to the best of my knowledge and belief. It is the result of my research but I'm not a lawyer.
Could someone verify /src/main/appended-resources/supplemental-models.xml?


- Florian



-----Original Message-----
From: Jeremias Maerki [mailto:dev@jeremias-maerki.ch] 
Sent: Monday, 28 June 2010 10:04
To: chemistry-dev@incubator.apache.org
Subject: Re: Make the release "legally" ASF compliant

On 26.06.2010 19:04:17 Florian Müller wrote:
> Hi,
> 
> The JARs contain a DEPENDENCIES file in the META-INF directory. It lists 
> all dependencies with project and license links. Is this sufficient?

Hmm, I missed the DEPENDENCIES file. My bad. But it is incomplete. Maven
didn't recognize the licenses for some of the dependencies. If that
listing were complete, it would be sufficient, sure.

> The WARs contain LICENSE and NOTICE files in the META-INF directory but 
> no DEPENDENCIES file. That might be an issue.

At least the following WARs don't have a LICENSE and NOTICE file:
- chemistry-opencmis-server-bindings-0.1.0-incubating.war
- chemistry-opencmis-server-inmemory-0.1.0-incubating.war
- chemistry-opencmis-server-fileshare-0.1.0-incubating.war
- chemistry-opencmis-test-browser-app-0.1.0-incubating.war

> 
> - Florian
> 
> 
> 
> On 26.06.10 06:02, Gabriele Columbro wrote:
> > Hey Jeremias,
> > thanks for the extremely detailed feedback, it was really appreciated :)
> >
> > See below a few more details:
> >
> > On Jun 25, 2010, at 6:17 PM, Jeremias Maerki wrote:
> >
> >> Some observations (non-blockers for a first release, I guess):
> >>
> >> - Gabriele, you may want to publish your PGP key on a key server and see
> >> to it that you can soon meet some fellow Apache committers so you can
> >> get your code signing key cross-signed.
> >
> > I published my key on the PGP MIT server
> > (http://pgp.mit.edu:11371/pks/lookup?search=Columbro+code+signing&op=vindex)
> > and will be glad to enter the ASF web of trust at the first gathering
> > (maybe ACUS 2010).
> >
> >>
> >> - the WARs all contain no LICENSE and NOTICE files.
> >
> > This is taken care of automatically for JARs by the (inherited)
> > maven-remote-resources-plugin. Checking if there's an option to do the
> > same for WARs.
> >
> >>
> >> - maybe problematic: I cannot find a list of dependencies including
> >> their applicable license (a long-standing issue I have with Maven).
> >> JAX-WS-RI is CDDL/GPLv2 and therefore Category B according to [1]. IMO,
> >> the necessary labeling requirements are not met, yet. The same seems to
> >> apply to mimepull and saaj. I think the best way is to create a
> >> README.txt which contains a manually maintained list and to include that
> >> README.txt in all dist ZIPs and WARs (i.e. the files that include the
> >> third-parties), maybe even all JARs because they have these dependencies.
> >> That would make it very easy for people to verify the dependencies
> >> against their own license policies.
> >
> > I created an issue https://issues.apache.org/jira/browse/CMIS-224 in
> > order to track this task. I set 0.2.0 as fix version, but do you believe
> > that this should be fixed also in 0.1.0?
> >
> > @devs: anyone who can help creating this text file per package? I can
> > then easily include it in the build.
> >
> > Thanks again for the expert feedback!
> >
> > Ciao,
> > Gab
> >




Jeremias Maerki


Re: Make the release "legally" ASF compliant

Posted by Jeremias Maerki <de...@jeremias-maerki.ch>.
On 26.06.2010 19:04:17 Florian Müller wrote:
> Hi,
> 
> The JARs contain a DEPENDENCIES file in the META-INF directory. It lists 
> all dependencies with project and license links. Is this sufficient?

Hmm, I missed the DEPENDENCIES file. My bad. But it is incomplete. Maven
didn't recognize the licenses for some of the dependencies. If that
listing were complete, it would be sufficient, sure.

> The WARs contain LICENSE and NOTICE files in the META-INF directory but 
> no DEPENDENCIES file. That might be an issue.

At least the following WARs don't have a LICENSE and NOTICE file:
- chemistry-opencmis-server-bindings-0.1.0-incubating.war
- chemistry-opencmis-server-inmemory-0.1.0-incubating.war
- chemistry-opencmis-server-fileshare-0.1.0-incubating.war
- chemistry-opencmis-test-browser-app-0.1.0-incubating.war

> 
> - Florian
> 
> 
> 
> On 26.06.10 06:02, Gabriele Columbro wrote:
> > Hey Jeremias,
> > thanks for the extremely detailed feedback, it was really appreciated :)
> >
> > See below a few more details:
> >
> > On Jun 25, 2010, at 6:17 PM, Jeremias Maerki wrote:
> >
> >> Some observations (non-blockers for a first release, I guess):
> >>
> >> - Gabriele, you may want to publish your PGP key on a key server and see
> >> to it that you can soon meet some fellow Apache committers so you can
> >> get your code signing key cross-signed.
> >
> > I published my key on the PGP MIT server
> > (http://pgp.mit.edu:11371/pks/lookup?search=Columbro+code+signing&op=vindex)
> > and will be glad to enter the ASF web of trust at the first gathering
> > (maybe ACUS 2010).
> >
> >>
> >> - the WARs all contain no LICENSE and NOTICE files.
> >
> > This is taken care of automatically for JARs by the (inherited)
> > maven-remote-resources-plugin. Checking if there's an option to do the
> > same for WARs.
> >
> >>
> >> - maybe problematic: I cannot find a list of dependencies including
> >> their applicable license (a long-standing issue I have with Maven).
> >> JAX-WS-RI is CDDL/GPLv2 and therefore Category B according to [1]. IMO,
> >> the necessary labeling requirements are not met, yet. The same seems to
> >> apply to mimepull and saaj. I think the best way is to create a
> >> README.txt which contains a manually maintained list and to include that
> >> README.txt in all dist ZIPs and WARs (i.e. the files that include the
> >> third-parties), maybe even all JARs because they have these dependencies.
> >> That would make it very easy for people to verify the dependencies
> >> against their own license policies.
> >
> > I created an issue https://issues.apache.org/jira/browse/CMIS-224 in
> > order to track this task. I set 0.2.0 as fix version, but do you believe
> > that this should be fixed also in 0.1.0?
> >
> > @devs: anyone who can help creating this text file per package? I can
> > then easily include it in the build.
> >
> > Thanks again for the expert feedback!
> >
> > Ciao,
> > Gab
> >




Jeremias Maerki
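

The check this thread performs by hand (which release archives carry LICENSE, NOTICE and DEPENDENCIES under META-INF, and which third-party JARs a WAR bundles) can be scripted. The following is an added example, not part of the original messages or the project's build. It assumes the standard WAR layout (libraries in WEB-INF/lib); the function names, the optional .txt/.md suffix and the sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Files the thread expects under META-INF/. Accepting an optional .txt/.md
# suffix is an assumption of this example, not something the thread states.
REQUIRED = ("LICENSE", "NOTICE", "DEPENDENCIES")
_META = re.compile(r"^META-INF/([A-Z]+)(?:\.(?:txt|md))?$", re.IGNORECASE)


def audit_archive(archive):
    """Return (missing legal files, bundled jars) for a JAR/WAR path or file object."""
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
    present = set()
    for name in names:
        m = _META.match(name)
        if m and m.group(1).upper() in REQUIRED:
            present.add(m.group(1).upper())
    missing = [f for f in REQUIRED if f not in present]
    # A WAR ships its third-party libraries in WEB-INF/lib; these are what a
    # complete DEPENDENCIES listing has to cover.
    bundled = sorted(n.split("/")[-1] for n in names
                     if n.startswith("WEB-INF/lib/") and n.endswith(".jar"))
    return missing, bundled


def build_sample(entries):
    """Build an in-memory archive from {name: text}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    buf.seek(0)
    return buf


# Constructed samples: a JAR with all three files, a WAR with none of them.
SAMPLE_JAR = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
              "META-INF/LICENSE": "...", "META-INF/NOTICE": "...",
              "META-INF/DEPENDENCIES": "..."}
SAMPLE_WAR = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
              "WEB-INF/web.xml": "<web-app/>",
              "WEB-INF/lib/example-lib-1.0.jar": "placeholder"}

if __name__ == "__main__":
    for label, entries in (("sample.jar", SAMPLE_JAR), ("sample.war", SAMPLE_WAR)):
        missing, bundled = audit_archive(build_sample(entries))
        print(label, "missing:", missing or "none", "bundled:", bundled)
```

audit_archive also accepts a file path, so it can be run over the built release artifacts; a non-empty "bundled" list with DEPENDENCIES missing is the WAR case raised above.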