bchapuis commented on PR #920: URL: https://github.com/apache/incubator-baremaps/pull/920#issuecomment-2597979530
@CalvinKirs I think it's good to be cautious, and I also apologize for the amount of work that results from my questions. In this regard, how would you frame the question to the legal team?

Personally, I feel quite comfortable with the current solution, as we include all the NOTICE files in our binary distribution, which seems in line with what other projects are doing. The current solution is already hard to maintain and will probably require a couple of hours of manual work per release to keep it up to date. What worries me is that the proposed solution will be even more impractical in terms of maintenance, without addressing the fundamental issue of licensing.

To illustrate my current understanding, here is a description of the maintenance steps involved: When updating a dependency, we should obtain the latest NOTICE file, audit it, retain the meaningful parts, and copy it into the NOTICE-binary directory. I didn't update the dependencies in version 0.8.2 for this reason. I believe this is why, even in top-level projects, these NOTICE-binary directories quickly become outdated.

Overall, even if these practices make a few people more comfortable, they are probably a lose-lose situation for both maintainers and legal specialists, as outdated NOTICE files would likely not survive a serious audit.
