Hi guys,
While this candidate definitely is improved a lot on the NOTICE and LICENSE
requirements, I've again found quite a lot of missing NOTICEs and LICENSEs which
are required to be provided, leading me to again vote -1 on this release.
Looking at the binary distribution, I started with checking the bundled artifacts
under /lib and /standalone-server/lib and validating the provided root /NOTICE and
/LICENSE files against them.
As a first example, the bundled axis2 jars each have their own (embedded) NOTICE
file with 3rd party notices which should have been merged in the binary
distribution's own (root) NOTICE file, e.g. like the following fragments (from
axis2-adb-1.5.1.jar):
This product also includes WS-* schemas developed by International
Business Machines Corporation, Microsoft Corporation, BEA Systems,
TIBCO Software, SAP AG, Sonic Software, and VeriSign
This product also includes a WSDL developed by salesforce.com
- Copyright 1999-2006 salesforce.com, inc.
The bundled derby jars also come with an extensive embedded NOTICE file. Some
parts of that have been merged into the root NOTICE, but some not.
Maybe not everything in it is applicable, but I think there are at least some
required parts missing. As a reference I compared that with the bundled
jackrabbit-standalone-2.2.7.jar which itself also embeds Derby, and there you'll
see they at least have the following added section:
The JDBC apis for small devices and JDBC3 (under java/stubs/jsr169 and
java/stubs/jdbc3) were produced by trimming sources supplied by the
Apache Harmony project. The following notice covers the Harmony sources:
Portions of Harmony were originally developed by
Intel Corporation and are licensed to the Apache Software
Foundation under the "Software Grant and Corporate Contribution
License Agreement", informally known as the "Intel Harmony CLA".
And that jackrabbit-standalone-2.2.7.jar brings in quite some other (missing)
NOTICEs as well, like:
Based on source code originally developed by
Day Software (http://www.day.com/).
This product includes software from the following contributions:
Original BZip2 classes contributed by Keiron Liddle
<kei...@aftexsw.com>, Aftex Software to the Apache Ant project
Original Tar classes from contributors of the Apache Ant project
Original Zip classes from contributors of the Apache Ant project
Original CPIO classes contributed by Markus Kuss and the jRPM project
(jrpm.sourceforge.net)
Please remember: the ASL 2.0 license, section 4d) *legally* requires us to
retain (thus merge) *every* NOTICE of embedded 3rd party artifacts.
This is why keeping the NOTICE file as small as possible (but not smaller)
really is important for our downstream users. Which won't be easy with Airavata
because of its many, many 3rd party dependencies.
And there also are issues with the LICENSE file: like for example the
jackrabbit-standalone-2.2.7.jar its /META-INF/LICENSE file has many licenses
which should be merged into the root LICENSE file of the Airavata distribution
but currently are missing.
Without going through each and every bundled artifact, which might lead to a
very long list of issues, I can already conclude the requirements for the NOTICE
and LICENSE files still aren't met.
Regrettably, I don't have the time right now to do a full and thorough scan of
all the possible missing pieces.
Airavata is quite a big project on its 3rd party usages (which is cool), but
that also comes at the price of quite extensive due diligence work concerning
the LICENSE and NOTICE requirements. I've been through a similar exercise for
Apache Rave and Apache Shindig last week (which together are many times smaller
on their 3rd party dependencies) and that alone already took me many hours if
not days to complete.
I do think you're on the right track, but it just isn't completely done yet.
Besides the above serious issues, I have a few additional suggestions for
improvements (not truly blockers) I'd like to point out:
- Many/most NOTICE files show to be concatenated: they contain many
duplications of sections like: "This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).", many times over.
You might want to clean that up, it should only be needed as the initial notice
at the top. And there are other type of fragments duplicated as well.
- NOTICE and LICENSE files under [...]/src/main/appended-resources are intended
to be *appended* to the default NOTICE and LICENSE files already provided by the
maven-remote-resources-plugin. Meaning: you shouldn't provide the default
(Airavata based) initial notice in the NOTICE file, nor should you need to
include the ASL 2.0 license in the LICENSE file. As it is now, these are all
duplicated within the final artifacts.
I'd like to suggest to really check the final embedded NOTICE and LICENSE files
in all build artifacts; the above two issues should be easy to spot.
Kind regards,
Ate
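A scan of the kind Ate describes above (each bundled jar's embedded META-INF/NOTICE compared against the distribution's root NOTICE), as an added example that is not part of this thread or of the Airavata build. The jar names, notice texts and root NOTICE it builds are constructed stand-ins; it compares whole whitespace-normalized lines, so a notice that was merged but reflowed across different line breaks would still be reported.

```python
import os
import tempfile
import zipfile

# Names under which bundled artifacts usually embed their notice (compared upper-cased).
NOTICE_NAMES = ("META-INF/NOTICE", "META-INF/NOTICE.TXT", "META-INF/NOTICE.MD")


def embedded_notice(jar_path):
    """Return the text of the jar's embedded NOTICE, or None if it has none."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.upper() in NOTICE_NAMES:
                return jar.read(name).decode("utf-8", "replace")
    return None


def notice_lines(text):
    """Non-empty lines with runs of whitespace collapsed, for line-wise comparison."""
    return {" ".join(line.split()) for line in text.splitlines() if line.strip()}


def missing_notice_lines(lib_dir, root_notice_text):
    """Map each jar that embeds a NOTICE to the lines the root NOTICE does not carry."""
    root = notice_lines(root_notice_text)
    report = {}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        text = embedded_notice(os.path.join(lib_dir, name))
        if text is not None:
            report[name] = sorted(notice_lines(text) - root)
    return report


def build_demo_lib(lib_dir):
    """Constructed sample jars (hypothetical names, not real artifacts) for an offline run."""
    jars = {
        "merged-1.0.jar": "Copyright 2012 Example Corp\n",
        "unmerged-1.0.jar": ("Copyright 2012 Example Corp\n"
                             "This product also includes a WSDL developed by salesforce.com\n"),
    }
    for jar_name, notice in jars.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr("META-INF/NOTICE", notice)


# Constructed root NOTICE: carries Example Corp's line but not the salesforce.com one.
ROOT_NOTICE = ("Apache Example\nCopyright 2012 The Apache Software Foundation\n\n"
               "Copyright 2012 Example Corp\n")


def demo():
    """Build the constructed lib directory and return the per-jar missing lines."""
    with tempfile.TemporaryDirectory() as lib_dir:
        build_demo_lib(lib_dir)
        return missing_notice_lines(lib_dir, ROOT_NOTICE)


if __name__ == "__main__":
    for jar, missing in demo().items():
        print(f"{jar}: {len(missing)} unmerged notice line(s)")
        for line in missing:
            print("    " + line)
```

Pointing `missing_notice_lines` at a real /lib with the real root NOTICE text gives the list of jars whose embedded notices still need merging; an empty list for a jar means every line of its notice is already present.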
On 02/06/2012 05:35 AM, Suresh Marru wrote:
Discussion thread for vote on airavata 0.2-incubating release candidate 3.
If you have any questions or feedback or to post results of validating the
release, please reply to this thread. Once you verify the release, please post
your vote to the VOTE thread.
For reference, the Apache release guide - http://www.apache.org/dev/release.html
Incubator specific release guidelines -
http://incubator.apache.org/guides/releasemanagement.html
Some tips to validate the release before you vote:
* Download the binary version and run the 5 minute or 10 minute tutorial as
described in README and website.
* Download the source files from compressed files and release tag and build
(which includes tests).
* Verify the distribution for the required LICENSE, NOTICE and DISCLAIMER files
* Verify if all the staged files are signed and the signature is verifiable.
* Verify if the signing key in the project's KEYS file is hosted on a public
server
Thanks for your time in validating the release and voting,
Suresh