I have a question regarding N&L.
I see that sshd is using the net.i2p.crypto package, and I'm not sure which license applies : https://geti2p.net/en/get-involved/develop/licenses In any case, there is no mention of it in N&L files (in assembly) It may not be necessary, but I'd like a double check. Same thing for jgit, which is used, and require their LICENSE file to be added (http://git.eclipse.org/c/gerrit/jgit/jgit.git/tree/LICENSE) FTR, here are the relevant dependencies (and their transitive dependencies, which must also be taken into account ) : $ mvn depenceny:tree ... [INFO] ------------------------------------------------------------------------ [INFO] Building Apache Mina SSHD :: Core 1.5.0 [INFO] ------------------------------------------------------------------------ [INFO] [INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ sshd-core --- [INFO] org.apache.sshd:sshd-core:jar:1.5.0 [INFO] +- org.slf4j:slf4j-api:jar:1.7.24:compile OK [INFO] +- org.apache.mina:mina-core:jar:2.0.16:compile OK [INFO] +- tomcat:tomcat-apr:jar:5.5.23:compile OK [INFO] +- org.bouncycastle:bcpg-jdk15on:jar:1.56:compile OK [INFO] | \- org.bouncycastle:bcprov-jdk15on:jar:1.56:compile OK [INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.56:compile OK [INFO] +- net.i2p.crypto:eddsa:jar:0.2.0:compile To be checked ... [INFO] ------------------------------------------------------------------------ [INFO] Building Apache Mina SSHD :: Git 1.5.0 [INFO] ------------------------------------------------------------------------ [INFO] [INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ sshd-git --- [INFO] org.apache.sshd:sshd-git:jar:1.5.0 OK [INFO] +- org.apache.sshd:sshd-core:jar:1.5.0:compile OK [INFO] | \- org.slf4j:slf4j-api:jar:1.7.24:compile OK [INFO] +- org.eclipse.jgit:org.eclipse.jgit:jar:4.6.0.201612231935-r:compile To be checked [INFO] | +- com.googlecode.javaewah:JavaEWAH:jar:1.1.6:compile To be checked [INFO] | \- org.apache.httpcomponents:httpclient:jar:4.4.1:compile OK [INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.1:compile OK [INFO] | \- commons-codec:commons-codec:jar:1.9:compile OK [INFO] +- org.eclipse.jgit:org.eclipse.jgit.pgm:jar:4.6.0.201612231935-r:compile To be checked [INFO] | +- args4j:args4j:jar:2.0.15:compile To be checked [INFO] | +- org.apache.commons:commons-compress:jar:1.6:compile OK [INFO] | | \- org.tukaani:xz:jar:1.4:compile To be checked [INFO] | +- org.eclipse.jgit:org.eclipse.jgit.archive:jar:4.6.0.201612231935-r:compile To be checked [INFO] | | \- org.osgi:org.osgi.core:jar:4.3.1:compile To be checked [INFO] | +- org.eclipse.jgit:org.eclipse.jgit.ui:jar:4.6.0.201612231935-r:compile To be checked [INFO] | +- org.eclipse.jgit:org.eclipse.jgit.http.apache:jar:4.6.0.201612231935-r:compile To be checked [INFO] | +- log4j:log4j:jar:1.2.17:compile OK [INFO] | +- org.eclipse.jetty:jetty-servlet:jar:9.2.13.v20150730:compile To be checked [INFO] | | \- org.eclipse.jetty:jetty-security:jar:9.2.13.v20150730:compile To be checked [INFO] | | \- org.eclipse.jetty:jetty-server:jar:9.2.13.v20150730:compile To be checked [INFO] | | +- javax.servlet:javax.servlet-api:jar:3.1.0:compile To be checked [INFO] | | +- org.eclipse.jetty:jetty-http:jar:9.2.13.v20150730:compile To be checked [INFO] | | | \- org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:compile To be checked [INFO] | | \- org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:compile To be checked [INFO] | +- org.eclipse.jgit:org.eclipse.jgit.lfs:jar:4.6.0.201612231935-r:compile To be checked [INFO] | \- org.eclipse.jgit:org.eclipse.jgit.lfs.server:jar:4.6.0.201612231935-r:compile To be checked All in all, its just about updating the assembly N&L file in assembly/src/main/distribution. Atm, I will cast a -1. Side note : sorry if I haven't expressed such a concern for any previous distribution, I'm just trying to catch up with those complex requirements, and I have spent a huge amount of time last week reading the ASF doco about N&L. -- Emmanuel Lecharny Symas.com directory.apache.org