Posted to legal-discuss@apache.org by "Justin Mclean (Jira)" <ji...@apache.org> on 2022/01/16 07:45:00 UTC

[jira] [Commented] (LEGAL-597) Questions about third-party LICENSE/NOTICE in the binary release

    [ https://issues.apache.org/jira/browse/LEGAL-597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17476745#comment-17476745 ] 

Justin Mclean commented on LEGAL-597:
-------------------------------------

You should use the LICENSE/NOTICE of the version you include/depend upon, not the latest, as these may be different.

There are tools that help, but sorry there is no tool to easily obtain the right information that I'm aware of. Things like software bill of materials and SPDX would help with this, but are not universally adopted.

> Questions about third-party LICENSE/NOTICE in the binary release
> ----------------------------------------------------------------
>
>                 Key: LEGAL-597
>                 URL: https://issues.apache.org/jira/browse/LEGAL-597
>             Project: Legal Discuss
>          Issue Type: Question
>            Reporter: Heping Wang
>            Priority: Major
>
> The list of NOTICE/LICENSE files for binary release files is as follows:
> {code:java}
> |-- LICENSE 
> |-- NOTICE   
> |-- licenses  //this directory includes the full text of the licenses in LICENSE
> |        |-- LICENSE-FastInfoset.txt
> |        |-- LICENSE-activation.txt
> |        |-- LICENSE-ant.txt
> |        |-- .....
> |--.....{code}
>    
> When doing the Incubator Release Checklist[1], there is a third-party dependent license item about the binary release, which confuses me:
>  
> 1. For dependent third-party jars, we should use the latest or the LICENSE/NOTICE file corresponding to the dependent jar package version. For example: the old version jersey-client-2.0.jar[1] and the latest version jersey-client-3.0.3.jar[2] have different licenses.
> 2. Is there any tool to easily obtain the corresponding LICENSE/NOTICE file, because once the project dependencies change, the corresponding LICENSE/NOTICE needs to be added or removed. One way I can think of is to get it from its jar package, but not all jar packages are released with a LICENSE/NOTICE file. However, relying on manual inspection is easy to miss.
> [1] https://cwiki.apache.org/confluence/display/INCUBATOR/Incubator+Release+Checklist
> [2] https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-client/2.0
> [3] https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-client/3.0.0



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
