You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geronimo.apache.org by Kevan Miller <ke...@gmail.com> on 2007/07/11 18:24:30 UTC

Geronimo 2.0 License and Notice Files

I've taken a pass through a Jetty Java EE assembly to identify the  
license file and notice file requirements of the various artifacts  
that we include in our binary distribution. I still need to gather  
the information for a Tomcat / Axis2 assembly.

The results can be viewed here -- http://spreadsheets.google.com/ccc? 
key=p7Ih4BV4hgEalSc8kSRtxBQ&hl=en_US

If some people could review, that would be great.

Next steps and pseudo-random license trivia:

Many jar archives included by Geronimo do not include LICENSE or  
NOTICE files. In most cases, I've tracked down the appropriate  
LICENSE information for the resource, and included a url for the  
LICENSE file. I haven't always done this. So, some work still  
remains. Most/all of this remaining work involves Apache projects.  
So, I don't invision a big problem. In some of the cases, the work is  
not chasing down the license information, but insuring that  
appropriate LICENSE/NOTICE files are generated in the original jar  
archive (e.g. OpenEJB).

We currently include all of our LICENSE information in a single root  
LICENSE.txt file. Some Apache projects include a licenses/ directory,  
instead. This directory includes all of the non-ASL licenses for the  
project. Although it's probably a bit more work, I personally prefer  
a single file. However, this is a debatable point. If others have an  
opinion, they are welcome to voice it.

The root LICENSE.txt and NOTICE.txt files (by "root" I mean the  
license/notice file in the bottom level directory of our source and  
binary distributions) contain the license info for the entire assembly.

License/notice files in individual jar files (e.g. geronimo- 
activation-2.0-SNAPSHOT.jar) apply only to the resources contained  
within that specific jar file. In nearly all cases, this means that  
LICENSE.txt only contains the Apache License 2.0. The only exception  
which I'm aware of is geronimo-util-2.0-SNAPSHOT.jar. The LICENSE.txt  
file in this jar contains both AL2 and the Bouncy Castle license,  
since geronimo-util contains the asn1 encoding that we obtained from  
Bouncy Castle.

We don't currently have different license/notice files that are  
specific to our Jetty/Tomcat CXF/Axis distributions. Nor do we  
attempt to generate license/notice files specific to our minimal  
assemblies. So current course and speed, our root license/notice  
files will be a superset of all of our various assemblies. This seems  
fine, to me. If anyone sees a problem with this, speak now...

Once all of the data in the google spreadsheet is complete, and we've  
had a chance to review. I'll plan on generating new LICENSE.txt,  
NOTICE.txt, and DISCLAIMER.txt files for our 2.0 release. I'd guess  
this will be towards the end of the week/over the weekend. If anyone  
else is interested in grabbing a shovel and pitching in, let me know...

--kevan

Re: Geronimo 2.0 License and Notice Files

Posted by Kevan Miller <ke...@gmail.com>.

On Jul 11, 2007, at 10:08 PM, Matt Hogstrom wrote:

>
> On Jul 11, 2007, at 12:24 PM, Kevan Miller wrote:
>
>> If some people could review, that would be great.
>>
>
> on the Active-IO question there is some coding work to be done.   
> http://issues.apache.org/jira/browse/GERONIMO-2944

Ya. I've started looking into this...

>
> All of the OpenEJB mods should be AL 2.0 but it sounds like there  
> is some work to do in OEJB.  I'll ping the list.

Yes. Would certainly be fixed before OpenEJB could be released. I'm  
planning on fixing when I have a few minutes...

>
>> Next steps and pseudo-random license trivia:
>>
>> Many jar archives included by Geronimo do not include LICENSE or  
>> NOTICE files. In most cases, I've tracked down the appropriate  
>> LICENSE information for the resource, and included a url for the  
>> LICENSE file. I haven't always done this. So, some work still  
>> remains. Most/all of this remaining work involves Apache projects.  
>> So, I don't invision a big problem. In some of the cases, the work  
>> is not chasing down the license information, but insuring that  
>> appropriate LICENSE/NOTICE files are generated in the original jar  
>> archive (e.g. OpenEJB).
>>
>
> For the rather long list of jars that don't have any embedded files  
> is there a recommendation ?  Unlikely we'll get them fixed.

We don't need to insure that all jar files contain license/notice  
information. That's not our job -- it's the responsibility of the  
individual projects. One exception might be any jar files which we  
are generating (e.g. Tomcat).

Apache's current policy is that all released artifacts need to  
include LICENSE/NOTICE files. Jar files used to be bundled in a  
binary distribution. The binary distribution would contain any  
LICENSE/NOTICE files, but lots of times the jar files did not. Now-a- 
days, jar files should be treated as separately "released" artifacts  
-- they're placed individually in maven repos, etc. So, most projects  
put LICENSE/NOTICE information into jar files, also.

Since we embed so many projects, I must say that this practice is  
great. To gather license/notice information, we just need to crack  
open the jars and aggregate the license/notice information. For jars  
that don't self-document their license, we need to obtain the license/ 
notice information for the jars we're using. I think that I've done  
this for all non-apache jar files. We need to do the same research  
for the apache jars.

I'll take this opportunity to point out what I think is good practice  
-- jar files should contain license/notice information specific to  
the jar file (i.e. they should not re-use the project-wide license/ 
notice files). Worst case is those projects (myfaces is an example)  
who have something like the following in their NOTICE file:

------------------------------------------------------------------------
See the file LICENSE.txt
See licenses for accompanying products in the "/licenses" subdirectory.
------------------------------------------------------------------------

where there is no "/licenses" subdirectory in the jar. So, we're  
still forced to download source or the entire binary to obtain the  
necessary information...


>
>> We currently include all of our LICENSE information in a single  
>> root LICENSE.txt file. Some Apache projects include a licenses/  
>> directory, instead. This directory includes all of the non-ASL  
>> licenses for the project. Although it's probably a bit more work,  
>> I personally prefer a single file. However, this is a debatable  
>> point. If others have an opinion, they are welcome to voice it.
>>
>
> One file would be my preference.
>
>> The root LICENSE.txt and NOTICE.txt files (by "root" I mean the  
>> license/notice file in the bottom level directory of our source  
>> and binary distributions) contain the license info for the entire  
>> assembly.
>>
>> We don't currently have different license/notice files that are  
>> specific to our Jetty/Tomcat CXF/Axis distributions. Nor do we  
>> attempt to generate license/notice files specific to our minimal  
>> assemblies. So current course and speed, our root license/notice  
>> files will be a superset of all of our various assemblies. This  
>> seems fine, to me. If anyone sees a problem with this, speak now...
>>
>
> Perhaps a comment that this assembly includes some or all of ....

That sounds like a good approach...

--kevan


>
>> Once all of the data in the google spreadsheet is complete, and  
>> we've had a chance to review. I'll plan on generating new  
>> LICENSE.txt, NOTICE.txt, and DISCLAIMER.txt files for our 2.0  
>> release. I'd guess this will be towards the end of the week/over  
>> the weekend. If anyone else is interested in grabbing a shovel and  
>> pitching in, let me know...
>>
>> --kevan
>>
>>
>>
>

Re: Geronimo 2.0 License and Notice Files

Posted by Matt Hogstrom <ma...@hogstrom.org>.

On Jul 11, 2007, at 12:24 PM, Kevan Miller wrote:

> If some people could review, that would be great.
>

on the Active-IO question there is some coding work to be done.   
http://issues.apache.org/jira/browse/GERONIMO-2944

All of the OpenEJB mods should be AL 2.0 but it sounds like there is  
some work to do in OEJB.  I'll ping the list.

> Next steps and pseudo-random license trivia:
>
> Many jar archives included by Geronimo do not include LICENSE or  
> NOTICE files. In most cases, I've tracked down the appropriate  
> LICENSE information for the resource, and included a url for the  
> LICENSE file. I haven't always done this. So, some work still  
> remains. Most/all of this remaining work involves Apache projects.  
> So, I don't invision a big problem. In some of the cases, the work  
> is not chasing down the license information, but insuring that  
> appropriate LICENSE/NOTICE files are generated in the original jar  
> archive (e.g. OpenEJB).
>

For the rather long list of jars that don't have any embedded files  
is there a recommendation ?  Unlikely we'll get them fixed.

> We currently include all of our LICENSE information in a single  
> root LICENSE.txt file. Some Apache projects include a licenses/  
> directory, instead. This directory includes all of the non-ASL  
> licenses for the project. Although it's probably a bit more work, I  
> personally prefer a single file. However, this is a debatable  
> point. If others have an opinion, they are welcome to voice it.
>

One file would be my preference.

> The root LICENSE.txt and NOTICE.txt files (by "root" I mean the  
> license/notice file in the bottom level directory of our source and  
> binary distributions) contain the license info for the entire  
> assembly.
>
> We don't currently have different license/notice files that are  
> specific to our Jetty/Tomcat CXF/Axis distributions. Nor do we  
> attempt to generate license/notice files specific to our minimal  
> assemblies. So current course and speed, our root license/notice  
> files will be a superset of all of our various assemblies. This  
> seems fine, to me. If anyone sees a problem with this, speak now...
>

Perhaps a comment that this assembly includes some or all of ....

> Once all of the data in the google spreadsheet is complete, and  
> we've had a chance to review. I'll plan on generating new  
> LICENSE.txt, NOTICE.txt, and DISCLAIMER.txt files for our 2.0  
> release. I'd guess this will be towards the end of the week/over  
> the weekend. If anyone else is interested in grabbing a shovel and  
> pitching in, let me know...
>
> --kevan
>
>
>