Hi, I've added the missing license information to the best of my knowledge and belief. It is the result of my research but I'm not a lawyer. Could someone verify /src/main/appended-resources/supplemental-models.xml ?
- Florian

-----Original Message-----
From: Jeremias Maerki [mailto:d...@jeremias-maerki.ch]
Sent: Monday, 28 June 2010 10:04
To: chemistry-dev@incubator.apache.org
Subject: Re: Make the release "legally" ASF compliant

On 26.06.2010 19:04:17 Florian Müller wrote:
> Hi,
>
> The JARs contain a DEPENDENCIES file in the META-INF directory. It lists
> all dependencies with project and license links. Is this sufficient?

Hmm, I missed the DEPENDENCIES file. My bad. But it is incomplete. Maven
didn't recognize the licenses for some of the dependencies. If that
listing were complete, it would be sufficient, sure.

> The WARs contain LICENSE and NOTICE files in the META-INF directory but
> no DEPENDENCIES file.

That might be an issue. At least the following WARs don't have a LICENSE
and NOTICE file:
- chemistry-opencmis-server-bindings-0.1.0-incubating.war
- chemistry-opencmis-server-inmemory-0.1.0-incubating.war
- chemistry-opencmis-server-fileshare-0.1.0-incubating.war
- chemistry-opencmis-test-browser-app-0.1.0-incubating.war

>
> - Florian
>
>
>
> On 26.06.10 06:02, Gabriele Columbro wrote:
> > Hey Jeremias,
> > thanks for the extremely detailed feedback, it was really appreciated :)
> >
> > See below few more details:
> >
> > On Jun 25, 2010, at 6:17 PM, Jeremias Maerki wrote:
> >
> >> Some observations (non-blockers for a first release, I guess):
> >>
> >> - Gabriele, you may want to publish your PGP key on a key server and see
> >> to it that you can soon meet some fellow Apache committers so you can
> >> get your code signing key cross-signed.
> >
> > I published my key on the PGP MIT server
> > (http://pgp.mit.edu:11371/pks/lookup?search=Columbro+code+signing&op=vindex)
> > and will be glad to enter the ASF web of trust at the first gathering
> > (maybe ACUS 2010).
> >
> >>
> >> - the WARs all contain no LICENSE and NOTICE files.
> >
> > This is taken care of automatically for JARs by the (inherited)
> > maven-remote-resources-plugin. Checking if there's an option to do the
> > same for WARs.
> >
> >>
> >> - maybe problematic: I cannot find a list of dependencies including
> >> their applicable license (a long-standing issue I have with Maven).
> >> JAX-WS-RI is CDDL/GPLv2 and therefore Category B according to [1]. IMO,
> >> the necessary labeling requirements are not met, yet. The same seems to
> >> apply to mimepull and saaj. I think the best way is to create a
> >> README.txt which contains a manually maintained list and to include that
> >> README.txt in all dist ZIPs and WARs (i.e. the files that include the
> >> third-parties), maybe even all JARs because they have these dependencies.
> >> That would make it very easy for people to verify the dependencies
> >> against their own license policies.
> >
> > I created an issue https://issues.apache.org/jira/browse/CMIS-224 in
> > order to track this task. I set 0.2.0 as fix version, but do you believe
> > that this should be fixed also in 0.1.0 ?
> >
> > @devs: anyone who can help creating this text file per package? I can
> > then easily include it in the build.
> >
> > Thanks again for the expert feedback!
> >
> > Ciao,
> > Gab
> >

Jeremias Maerki