[MENTOR] Re: Issues with LICENSE/NOTICE files

[larry mccay <la...@gmail.com>]

Here is a proposal for the NOTICE and RELEASE file changes going forward:

For release 0.3.1:

NOTICES file will be positioned at the top of the source tree. It will have
any references that aren't included as source removed - making it mostly
empty.
LICENSE file will also be position at the top of the source tree. For 0.3.1
we will include references to the licenses of all external project
dependencies and call them out as binary dependencies.

Both of these files will be copied into the release artifacts during
assembly.

Next release (trunk):

NOTICES file will be positioned at the top of the source tree. It will have
any references that aren't included as source removed - making it mostly
empty.
LICENSE file will remove direct references to external project licenses and
replace them with a pointer to a licenses directory that will contain all
of the license files for the binary dependencies.

Both files will continue to be copied into the release artifacts at
assembly time but in addition we will also copy the license directory as
well.

Looking for feedback on this from our mentors and sebb - who has initiated
the need for these changes.


On Thu, Dec 5, 2013 at 9:54 AM, larry mccay <la...@gmail.com> wrote:

> There is a current thread on general called Release Verification Checklist
> that is relevant here.
>
>
>
> On Thu, Dec 5, 2013 at 9:32 AM, Kevin Minder <kevin.minder@hortonworks.com
> > wrote:
>
>> Hi Everyone,
>> Here is what I think we should do to resolve this.  I have both a short
>> term and long term goal in mind.
>>
>> Short term we need to review and enhance this.
>> https://cwiki.apache.org/confluence/display/KNOX/Dependencies
>> We need to review it to make sure it is still correct for 0.3.1.
>> We need to enhance it to capture exactly what should be in the LICENSE
>> and NOTICE files for each of these dependencies.
>> I think we should enlist sebb (Sebastian Bazley?) while we have his
>> attention in this effort.
>>
>> Long term I think we should propose some form of the result for this to
>> be maintained by Apache.  It is very inefficient that each projects needs
>> to independently rediscover the right answer for this.  There should just
>> be a list.  If you use this JAR you need "this" in LICENSE and "that" in
>> NOTICE.
>>
>> Kevin.
>>
>> --
>> CONFIDENTIALITY NOTICE
>> NOTICE: This message is intended for the use of the individual or entity
>> to which it is addressed and may contain information that is confidential,
>> privileged and exempt from disclosure under applicable law. If the reader
>> of this message is not the intended recipient, you are hereby notified that
>> any printing, copying, dissemination, distribution, disclosure or
>> forwarding of this communication is strictly prohibited. If you have
>> received this communication in error, please contact the sender immediately
>> and delete it from your system. Thank You.
>>
>
>

Re: [MENTOR] Re: Issues with LICENSE/NOTICE files

[Kevin Minder <ke...@hortonworks.com>]

Attached is a patch that changes how the release binary artifact is 
generated so that it copies the uppercase text files from the source 
root into the binary archive root at assembly time.  This needs to be 
combined with the work to combine the gateway-release/home text files 
into the ones in the source root.

On 12/5/13 12:15 PM, larry mccay wrote:
> Here is a proposal for the NOTICE and RELEASE file changes going forward:
>
> For release 0.3.1:
>
> NOTICES file will be positioned at the top of the source tree. It will have
> any references that aren't included as source removed - making it mostly
> empty.
> LICENSE file will also be position at the top of the source tree. For 0.3.1
> we will include references to the licenses of all external project
> dependencies and call them out as binary dependencies.
>
> Both of these files will be copied into the release artifacts during
> assembly.
>
> Next release (trunk):
>
> NOTICES file will be positioned at the top of the source tree. It will have
> any references that aren't included as source removed - making it mostly
> empty.
> LICENSE file will remove direct references to external project licenses and
> replace them with a pointer to a licenses directory that will contain all
> of the license files for the binary dependencies.
>
> Both files will continue to be copied into the release artifacts at
> assembly time but in addition we will also copy the license directory as
> well.
>
> Looking for feedback on this from our mentors and sebb - who has initiated
> the need for these changes.
>
>
> On Thu, Dec 5, 2013 at 9:54 AM, larry mccay <la...@gmail.com> wrote:
>
>> There is a current thread on general called Release Verification Checklist
>> that is relevant here.
>>
>>
>>
>> On Thu, Dec 5, 2013 at 9:32 AM, Kevin Minder <kevin.minder@hortonworks.com
>>> wrote:
>>> Hi Everyone,
>>> Here is what I think we should do to resolve this.  I have both a short
>>> term and long term goal in mind.
>>>
>>> Short term we need to review and enhance this.
>>> https://cwiki.apache.org/confluence/display/KNOX/Dependencies
>>> We need to review it to make sure it is still correct for 0.3.1.
>>> We need to enhance it to capture exactly what should be in the LICENSE
>>> and NOTICE files for each of these dependencies.
>>> I think we should enlist sebb (Sebastian Bazley?) while we have his
>>> attention in this effort.
>>>
>>> Long term I think we should propose some form of the result for this to
>>> be maintained by Apache.  It is very inefficient that each projects needs
>>> to independently rediscover the right answer for this.  There should just
>>> be a list.  If you use this JAR you need "this" in LICENSE and "that" in
>>> NOTICE.
>>>
>>> Kevin.
>>>
>>> --
>>> CONFIDENTIALITY NOTICE
>>> NOTICE: This message is intended for the use of the individual or entity
>>> to which it is addressed and may contain information that is confidential,
>>> privileged and exempt from disclosure under applicable law. If the reader
>>> of this message is not the intended recipient, you are hereby notified that
>>> any printing, copying, dissemination, distribution, disclosure or
>>> forwarding of this communication is strictly prohibited. If you have
>>> received this communication in error, please contact the sender immediately
>>> and delete it from your system. Thank You.
>>>
>>


-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.

Re: [MENTOR] Re: Issues with LICENSE/NOTICE files

[larry mccay <la...@gmail.com>]

Okay - to circle back on sebb's questions:

1. "It is not just source that is important; binary files in the source
distribution (e.g. images) can potentially require an entry in the
NOTICE file.

Also not all 3rd party additions needs an entry in the NOTICE file.
But they must have an entry in the LICENSE file."

The only questionable thing is the hadoop-examples.jar file. If we have to,
we can add that to the NOTICE file.
I believe that we will try and remove it from the source distribution in
the next release and forward.

2. "Do you mean that you wish to use the same LICENSE file for both source
and binary archives?
I'm not sure that is specifically disallowed, but AFAIK it is not
recommended.
But I guess so long as it is clear which section of the file only
applies to the binary archive that would be OK for the next release."

We spent some time looking at what others are doing here and decided that
it probably made sense to look at a project that sebb is involved with.
JMeter has the following at the bottom of the LICENSE file:

Binary distributions additionally contain software included under
various licenses.

For details, please see the files under: licenses/bin

It then obviously has a license directory with bin and src subdirectories
that contain the license files for the respective distribution.
Would you recommend that we consider a different project as an example?

thanks!

On Thu, Dec 5, 2013 at 12:44 PM, larry mccay <lm...@apache.org> wrote:

> Thanks, sebb - we really appreciate your insight here!
>
> Considering this feedback now - will update in a bit.
>
> ---------- Forwarded message ----------
> From: sebb <se...@gmail.com>
> Date: Thu, Dec 5, 2013 at 12:31 PM
> Subject: Re: [MENTOR] Re: Issues with LICENSE/NOTICE files
> To: larry mccay <la...@gmail.com>
> Cc: "dev@knox.incubator.apache.org" <de...@knox.incubator.apache.org>
>
>
> On 5 December 2013 17:15, larry mccay <la...@gmail.com> wrote:
> > Here is a proposal for the NOTICE and RELEASE file changes going forward:
> >
> > For release 0.3.1:
> >
> > NOTICES file will be positioned at the top of the source tree.
>
> It is NOTICE not NOTICES, but yes it should be at top of source tree.
> [This is so the user can easily find it]
>
> > It will have
> > any references that aren't included as source removed - making it mostly
> > empty.
>
> It is not just source that is important; binary files in the source
> distribution (e.g. images) can potentially require an entry in the
> NOTICE file.
>
> Also not all 3rd party additions needs an entry in the NOTICE file.
> But they must have an entry in the LICENSE file.
>
> > LICENSE file will also be position at the top of the source tree. For
> 0.3.1
> > we will include references to the licenses of all external project
> > dependencies and call them out as binary dependencies.
>
> Do you mean that you wish to use the same LICENSE file for both source
> and binary archives?
> I'm not sure that is specifically disallowed, but AFAIK it is not
> recommended.
> But I guess so long as it is clear which section of the file only
> applies to the binary archive that would be OK for the next release.
>
> > Both of these files will be copied into the release artifacts during
> > assembly.
>
> Are you *sure* that the binary archive does not include any
> dependencies that require a mention in the NOTICE file?
>
> > Next release (trunk):
> >
> > NOTICES file will be positioned at the top of the source tree. It will
> have
> > any references that aren't included as source removed - making it mostly
> > empty.
> > LICENSE file will remove direct references to external project licenses
> and
> > replace them with a pointer to a licenses directory that will contain
> all of
> > the license files for the binary dependencies.
> >
> > Both files will continue to be copied into the release artifacts at
> assembly
> > time but in addition we will also copy the license directory as well.
>
> Again, it may be that a different NOTICE file is needed for the binary
> distribution.
>
> > Looking for feedback on this from our mentors and sebb - who has
> initiated
> > the need for these changes.
>
> >
> > On Thu, Dec 5, 2013 at 9:54 AM, larry mccay <la...@gmail.com>
> wrote:
> >>
> >> There is a current thread on general called Release Verification
> Checklist
> >> that is relevant here.
> >>
> >>
> >>
> >> On Thu, Dec 5, 2013 at 9:32 AM, Kevin Minder
> >> <ke...@hortonworks.com> wrote:
> >>>
> >>> Hi Everyone,
> >>> Here is what I think we should do to resolve this.  I have both a short
> >>> term and long term goal in mind.
> >>>
> >>> Short term we need to review and enhance this.
> >>> https://cwiki.apache.org/confluence/display/KNOX/Dependencies
> >>> We need to review it to make sure it is still correct for 0.3.1.
> >>> We need to enhance it to capture exactly what should be in the LICENSE
> >>> and NOTICE files for each of these dependencies.
> >>> I think we should enlist sebb (Sebastian Bazley?) while we have his
> >>> attention in this effort.
> >>>
> >>> Long term I think we should propose some form of the result for this to
> >>> be maintained by Apache.  It is very inefficient that each projects
> needs to
> >>> independently rediscover the right answer for this.  There should just
> be a
> >>> list.  If you use this JAR you need "this" in LICENSE and "that" in
> NOTICE.
> >>>
> >>> Kevin.
> >>>
> >>> --
> >>> CONFIDENTIALITY NOTICE
> >>> NOTICE: This message is intended for the use of the individual or
> entity
> >>> to which it is addressed and may contain information that is
> confidential,
> >>> privileged and exempt from disclosure under applicable law. If the
> reader of
> >>> this message is not the intended recipient, you are hereby notified
> that any
> >>> printing, copying, dissemination, distribution, disclosure or
> forwarding of
> >>> this communication is strictly prohibited. If you have received this
> >>> communication in error, please contact the sender immediately and
> delete it
> >>> from your system. Thank You.
> >>
> >>
> >
>
>

Fwd: [MENTOR] Re: Issues with LICENSE/NOTICE files

[larry mccay <lm...@apache.org>]

Thanks, sebb - we really appreciate your insight here!

Considering this feedback now - will update in a bit.

---------- Forwarded message ----------
From: sebb <se...@gmail.com>
Date: Thu, Dec 5, 2013 at 12:31 PM
Subject: Re: [MENTOR] Re: Issues with LICENSE/NOTICE files
To: larry mccay <la...@gmail.com>
Cc: "dev@knox.incubator.apache.org" <de...@knox.incubator.apache.org>


On 5 December 2013 17:15, larry mccay <la...@gmail.com> wrote:
> Here is a proposal for the NOTICE and RELEASE file changes going forward:
>
> For release 0.3.1:
>
> NOTICES file will be positioned at the top of the source tree.

It is NOTICE not NOTICES, but yes it should be at top of source tree.
[This is so the user can easily find it]

> It will have
> any references that aren't included as source removed - making it mostly
> empty.

It is not just source that is important; binary files in the source
distribution (e.g. images) can potentially require an entry in the
NOTICE file.

Also not all 3rd party additions needs an entry in the NOTICE file.
But they must have an entry in the LICENSE file.

> LICENSE file will also be position at the top of the source tree. For
0.3.1
> we will include references to the licenses of all external project
> dependencies and call them out as binary dependencies.

Do you mean that you wish to use the same LICENSE file for both source
and binary archives?
I'm not sure that is specifically disallowed, but AFAIK it is not
recommended.
But I guess so long as it is clear which section of the file only
applies to the binary archive that would be OK for the next release.

> Both of these files will be copied into the release artifacts during
> assembly.

Are you *sure* that the binary archive does not include any
dependencies that require a mention in the NOTICE file?

> Next release (trunk):
>
> NOTICES file will be positioned at the top of the source tree. It will
have
> any references that aren't included as source removed - making it mostly
> empty.
> LICENSE file will remove direct references to external project licenses
and
> replace them with a pointer to a licenses directory that will contain all
of
> the license files for the binary dependencies.
>
> Both files will continue to be copied into the release artifacts at
assembly
> time but in addition we will also copy the license directory as well.

Again, it may be that a different NOTICE file is needed for the binary
distribution.

> Looking for feedback on this from our mentors and sebb - who has initiated
> the need for these changes.

>
> On Thu, Dec 5, 2013 at 9:54 AM, larry mccay <la...@gmail.com> wrote:
>>
>> There is a current thread on general called Release Verification
Checklist
>> that is relevant here.
>>
>>
>>
>> On Thu, Dec 5, 2013 at 9:32 AM, Kevin Minder
>> <ke...@hortonworks.com> wrote:
>>>
>>> Hi Everyone,
>>> Here is what I think we should do to resolve this.  I have both a short
>>> term and long term goal in mind.
>>>
>>> Short term we need to review and enhance this.
>>> https://cwiki.apache.org/confluence/display/KNOX/Dependencies
>>> We need to review it to make sure it is still correct for 0.3.1.
>>> We need to enhance it to capture exactly what should be in the LICENSE
>>> and NOTICE files for each of these dependencies.
>>> I think we should enlist sebb (Sebastian Bazley?) while we have his
>>> attention in this effort.
>>>
>>> Long term I think we should propose some form of the result for this to
>>> be maintained by Apache.  It is very inefficient that each projects
needs to
>>> independently rediscover the right answer for this.  There should just
be a
>>> list.  If you use this JAR you need "this" in LICENSE and "that" in
NOTICE.
>>>
>>> Kevin.
>>>
>>> --
>>> CONFIDENTIALITY NOTICE
>>> NOTICE: This message is intended for the use of the individual or entity
>>> to which it is addressed and may contain information that is
confidential,
>>> privileged and exempt from disclosure under applicable law. If the
reader of
>>> this message is not the intended recipient, you are hereby notified
that any
>>> printing, copying, dissemination, distribution, disclosure or
forwarding of
>>> this communication is strictly prohibited. If you have received this
>>> communication in error, please contact the sender immediately and
delete it
>>> from your system. Thank You.
>>
>>
>