Did you look through all our jars or is that just a sample? Kenn
On Tue, May 22, 2018 at 7:22 PM Davor Bonaci <da...@apache.org> wrote: > This analysis looks correct. Great find! > > The recommended fix would be different. I'd suggest appending this > sentence to the end of the LICENSE file: "A part of several convenience > binary distributions of this software is licensed as follows", followed by > the full license text (including its copyright, clauses and disclaimer) -- > for each such case separately. Don't edit the NOTICE file. > > I'd suggest keeping things simple: no per-artifact license/notice, etc. > Just two project-wide files, but I'd suggest including it/attaching it > "everywhere". Opinions on this part may vary, but, for me, "everywhere" > includes every jar file. > > Standard disclaimers apply. > > Any volunteers? Thanks so much! > > On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com> > wrote: > >> Here is what I think might be missing: >> >> (1) what artifacts are impacted and where are they distributed >> >> >> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar >> >> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar >> >> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar >> >> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar >> >> (2) the external dependency being distributed >> >> beam-sdks-java-core: protobuf >> beam-runners-direct-java: protobuf >> beam-runners-direct-java: jsr-305 >> beam-sdks-java-extensions-sql: janino-compiler >> >> (3) license and/or term not adhered to >> >> BSD 3 Clause: Redistributions in binary form must reproduce the above >> copyright notice, this list of conditions and the following disclaimer in >> the documentation and/or other materials provided with the distribution. >> >> (4) any proposed fix >> >> NOTICE file in the jar. >> >> I am not a lawyer, this is not legal advice. >> >> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org> wrote: >> >>> Thanks for the report! >>> >>> Could you please comment more as to: (1) what artifacts are impacted and >>> where are they distributed, (2) the external dependency being distributed, >>> (3) license and/or term not adhered to, and (4) any proposed fix? >>> >>> Any such information would be helpful in triaging the problem -- thanks >>> so much! >>> >>> (If confirmed, this would be release blocking.) >>> >>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com> wrote: >>> >>>> Does it have to be part of the jar or is it good enough to be part of >>>> the sources jar (as 2.4.0 had it part of the >>>> beam-parent-2.4.0-source.zip >>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip> >>>> )? >>>> >>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <apill...@google.com> >>>> wrote: >>>> >>>>> I was digging around in the SQL jar trying to debug some packaging >>>>> issues and noticed that we aren't including the copyright notices from the >>>>> packages we are shading. I also looked at our previously released jars and >>>>> they are the same (so this isn't a regression). Should we be including the >>>>> copyright notice from packages we are redistributing? >>>>> >>>>> Andrew >>>>> >>>> >>> >