Posted to dev@poi.apache.org by PJ Fanning <fa...@yahoo.com.INVALID> on 2023/02/09 01:17:14 UTC

xmlbeans bin artifact

Hi everyone,
I must admit that the correctness of the LICENSE/NOTICE files in our releases has never been my highest priority. My assumption was that the files were already up to date.

In the last few months, I've been involved with getting Apache Pekko ramped up as an Incubator podling and a lot of the requirements coming our way relate to getting the licenses correct.
From what I've seen there, I'm starting to wonder if we might need to look again at the licenses/notices in some of the POI and XMLBeans artifacts.

I've just downloaded xmlbeans-bin-5.1.1-20220819.zip and its NOTICE lists a few dependencies but not everything. The LICENSE makes no mention of other jars. There are over 10 non-XMLBeans jars shipped in this zip. Most are Apache licensed and there is an argument not to list them but one example of a non-Apache licensed jar is slf4j-api (MIT licensed).

Does anyone have any expertise or confidence that they understand the LICENSE/NOTICE requirements well enough to review what we have in XMLBeans and POI?

A lot of other ASF projects have LICENSE-binary (spark example [1]) and NOTICE-binary files that list long lists of transitive dependencies and their licenses. Should we follow suit? 

Regards,
PJ

[1] https://github.com/apache/spark/blob/master/LICENSE-binary

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org


Re: xmlbeans bin artifact

Posted by Dominik Stadler <do...@gmx.at>.
Hi,

I did take a quick look at artifact xmlbeans-bin-5.1.2-SNAPSHOT-20230225.tgz
<https://ci-builds.apache.org/job/POI/job/POI-XMLBeans-DSL-1.8/lastSuccessfulBuild/artifact/build/distributions/xmlbeans-bin-5.1.2-SNAPSHOT-20230225.tgz>

In the binary package, the existing NOTICE/LICENSE are enhanced with more
content and look good from a layman's point of view. If you would like a
review from a legal/licensing standpoint, maybe
https://www.apache.org/legal/ can give some more information and
legal-discuss@
<https://www.apache.org/foundation/mailinglists.html#foundation-legal> may
be the place to ask specific questions.

Regards... Dominik.




On Fri, Feb 24, 2023 at 12:28 AM PJ Fanning <fa...@yahoo.com.invalid>
wrote:

> I've updated xmlbeans to have LICENSE-binary.txt and NOTICE-binary.txt
> that better describe what appears in the bin distributions, including the
> 3rd party jars we include in the zip/tgz files.
>
> I'd appreciate if POI contributors could review the changes.
> https://ci-builds.apache.org/job/POI/job/POI-XMLBeans-DSL-1.8/ has the
> latest build.

Re: xmlbeans bin artifact

Posted by PJ Fanning <fa...@yahoo.com.INVALID>.
I've updated xmlbeans to have LICENSE-binary.txt and NOTICE-binary.txt that better describe what appears in the bin distributions, including the 3rd party jars we include in the zip/tgz files.

I'd appreciate if POI contributors could review the changes. https://ci-builds.apache.org/job/POI/job/POI-XMLBeans-DSL-1.8/ has the latest build.



