Guys, how about getting legal-discuss involved, with some specific, pointed questions?
I'm sure Ate's review was thorough, but it might be good for the legal-discuss committee to weigh in on "blockers" versus "would be nice, but can move on". We've found legal-discuss super effective and helpful in OODT-ville...

Cheers,
Chris

On Feb 6, 2012, at 8:03 PM, Suresh Marru wrote:

> Hi Ate,
>
> Thank you for taking time to do the review. I will retract the vote and work
> on these blockers.
>
> Can you help us with how to verify these ourselves? How do you check them,
> manually or are there any tricks we can learn to validate before putting out
> the vote?
>
> Thanks,
> Suresh
>
> On Feb 6, 2012, at 9:28 PM, Ate Douma wrote:
>
>> Hi guys,
>>
>> While this candidate definitely is improved a lot on the NOTICE and LICENSE
>> requirements, I've again found quite a lot of missing NOTICEs and LICENSEs
>> which are required to be provided, leading me to again vote -1 on this
>> release.
>>
>> Looking at the binary distribution, I first started with checking the bundled
>> artifacts under /lib and /standalone-server/lib and validating the provided
>> root /NOTICE and /LICENSE files against them.
>>
>> As a first example, the bundled axis2 jars each have their own (embedded)
>> NOTICE file with 3rd party notices which should have been merged in the
>> binary distribution's own (root) NOTICE file, e.g. like the following
>> fragments (from axis2-adb-1.5.1.jar):
>>
>> This product also includes WS-* schemas developed by International
>> Business Machines Corporation, Microsoft Corporation, BEA Systems,
>> TIBCO Software, SAP AG, Sonic Software, and VeriSign
>>
>> This product also includes a WSDL developed by salesforce.com
>> - Copyright 1999-2006 salesforce.com, inc.
>>
>> The bundled derby jars also come with an extensive embedded NOTICE file.
>> Some parts of that have been merged into the root NOTICE, but some not.
>> Maybe not everything in it is applicable, but I think there are at least
>> some required parts missing.
>> As a reference I compared that with the bundled
>> jackrabbit-standalone-2.2.7.jar which itself also embeds Derby, and there
>> you'll see they at least have the following added section:
>>
>> The JDBC apis for small devices and JDBC3 (under java/stubs/jsr169 and
>> java/stubs/jdbc3) were produced by trimming sources supplied by the
>> Apache Harmony project. The following notice covers the Harmony sources:
>>
>> Portions of Harmony were originally developed by
>> Intel Corporation and are licensed to the Apache Software
>> Foundation under the "Software Grant and Corporate Contribution
>> License Agreement", informally known as the "Intel Harmony CLA".
>>
>> And that jackrabbit-standalone-2.2.7.jar brings in quite some other
>> (missing) NOTICEs as well, like:
>>
>> Based on source code originally developed by
>> Day Software (http://www.day.com/).
>>
>> This product includes software from the following contributions:
>>
>> Original BZip2 classes contributed by Keiron Liddle
>> <kei...@aftexsw.com>, Aftex Software to the Apache Ant project
>>
>> Original Tar classes from contributors of the Apache Ant project
>>
>> Original Zip classes from contributors of the Apache Ant project
>>
>> Original CPIO classes contributed by Markus Kuss and the jRPM project
>> (jrpm.sourceforge.net)
>>
>> Please remember: the ASL 2.0 license, section 4d) *legally* requires us to
>> retain (thus merge) *every* NOTICE of embedded 3rd party artifacts.
>> This is why keeping the NOTICE file as small as possible (but not smaller)
>> really is important for our downstream users. Which won't be easy with
>> Airavata because of its many, many 3rd party dependencies.
>>
>> And there also are issues with the LICENSE file: like for example the
>> jackrabbit-standalone-2.2.7.jar its /META-INF/LICENSE file has many licenses
>> which should be merged into the root LICENSE file of the Airavata
>> distribution but currently are missing.
>>
>> Without going through each and every bundled artifact, which might lead to a
>> very long list of issues, I can already conclude the requirements for the
>> NOTICE and LICENSE files still aren't met.
>>
>> Regrettably, I don't have the time right now to do a full and thorough scan
>> of all the possible missing pieces.
>> Airavata is quite a big project on its 3rd party usages (which is cool), but
>> that also comes at the price of quite extensive due diligence work
>> concerning the LICENSE and NOTICE requirements. I've been through a similar
>> exercise for Apache Rave and Apache Shindig last week (which together are
>> many times smaller on their 3rd party dependencies) and that alone already
>> took me many hours if not days to complete.
>>
>> I do think you're on the right track, but it just isn't completely done yet.
>>
>> Besides the above serious issues, I have a few additional suggestions for
>> improvements (not truly blockers) I'd like to point out:
>>
>> - Many/most NOTICE files appear to be concatenated: they contain many
>> duplications of sections like: "This product includes software developed at
>> The Apache Software Foundation (http://www.apache.org/).", many times over.
>> You might want to clean that up, it should only be needed as the initial
>> notice at the top. And there are other types of fragments duplicated as well.
>>
>> - NOTICE and LICENSE files under [...]/src/main/appended-resources are
>> intended to be *appended* to the default NOTICE and LICENSE files already
>> provided by the maven-remote-resources-plugin. Meaning: you shouldn't
>> provide the default (Airavata based) initial notice in the NOTICE file, nor
>> should you need to include the ASL 2.0 license in the LICENSE file. As it is
>> now, these are all duplicated within the final artifacts.
>>
>> I'd like to suggest to really check the final embedded NOTICE and LICENSE
>> files in all build artifacts, the above two issues should be easy to spot.
>>
>> Kind regards,
>>
>> Ate
>>
>>
>> On 02/06/2012 05:35 AM, Suresh Marru wrote:
>>> Discussion thread for vote on airavata 0.2-incubating release candidate 3.
>>>
>>> If you have any questions or feedback or to post results of validating the
>>> release, please reply to this thread. Once you verify the release, please
>>> post your vote to the VOTE thread.
>>>
>>> For reference, the Apache release guide -
>>> http://www.apache.org/dev/release.html
>>> Incubator specific release guidelines -
>>> http://incubator.apache.org/guides/releasemanagement.html
>>>
>>> Some tips to validate the release before you vote:
>>>
>>> * Download the binary version and run the 5 minute or 10 minute tutorial as
>>> described in README and website.
>>> * Download the source files from compressed files and release tag and build
>>> (which includes tests).
>>> * Verify the distribution for the required LICENSE, NOTICE and DISCLAIMER
>>> files
>>> * Verify if all the staged files are signed and the signature is verifiable.
>>> * Verify if the signing key in the project's KEYS file is hosted on a
>>> public server
>>>
>>> Thanks for your time in validating the release and voting,
>>> Suresh
>>
>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chris Mattmann, Ph.D.
Senior Computer Scientist
NASA Jet Propulsion Laboratory Pasadena, CA 91109 USA
Office: 171-266B, Mailstop: 171-246
Email: chris.a.mattm...@nasa.gov
WWW: http://sunset.usc.edu/~mattmann/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Adjunct Assistant Professor, Computer Science Department
University of Southern California, Los Angeles, CA 90089 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++