This analysis looks correct. Great find!

The recommended fix would be different. I'd suggest appending this sentence
to the end of the LICENSE file: "A part of several convenience binary
distributions of this software is licensed as follows", followed by the
full license text (including its copyright, clauses and disclaimer) -- for
each such case separately. Don't edit the NOTICE file.

I'd suggest keeping things simple: no per-artifact license/notice, etc.
Just two project-wide files, but I'd suggest including it/attaching it
"everywhere". Opinions on this part may vary, but, for me, "everywhere"
includes every jar file.

Standard disclaimers apply.

Any volunteers? Thanks so much!

On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com> wrote:

> Here is what I think might be missing:
>
> (1) what artifacts are impacted and where are they distributed
>
> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar
> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar
> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar
> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar
>
> (2) the external dependency being distributed
>
> beam-sdks-java-core: protobuf
> beam-runners-direct-java: protobuf
> beam-runners-direct-java: jsr-305
> beam-sdks-java-extensions-sql: janino-compiler
>
> (3) license and/or term not adhered to
>
> BSD 3 Clause: Redistributions in binary form must reproduce the above
> copyright notice, this list of conditions and the following disclaimer in
> the documentation and/or other materials provided with the distribution.
>
> (4) any proposed fix
>
> NOTICE file in the jar.
>
> I am not a lawyer, this is not legal advice.
>
> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org> wrote:
>
>> Thanks for the report!
>>
>> Could you please comment more as to: (1) what artifacts are impacted and
>> where are they distributed, (2) the external dependency being distributed,
>> (3) license and/or term not adhered to, and (4) any proposed fix?
>>
>> Any such information would be helpful in triaging the problem -- thanks
>> so much!
>>
>> (If confirmed, this would be release blocking.)
>>
>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com> wrote:
>>
>>> Does it have to be part of the jar or is it good enough to be part of
>>> the sources jar (as 2.4.0 had it part of the
>>> beam-parent-2.4.0-source.zip
>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip>
>>> )?
>>>
>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <apill...@google.com>
>>> wrote:
>>>
>>>> I was digging around in the SQL jar trying to debug some packaging
>>>> issues and noticed that we aren't including the copyright notices from the
>>>> packages we are shading. I also looked at our previously released jars and
>>>> they are the same (so this isn't a regression). Should we be including the
>>>> copyright notice from packages we are redistributing?
>>>>
>>>> Andrew
>>>>
>>>
>>
