I merged Boyuan's PR since it seems like a clear improvement. But it looks like the suggested approach of overapproximating what is bundled in a particular artifact is contrary to http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled

Kenn

On Wed, May 23, 2018 at 1:52 PM Scott Wegner <sweg...@google.com> wrote:

> FYI, I've opened https://issues.apache.org/jira/browse/BEAM-4393 to track
> this work and marked it as a 2.5.0 release blocker.
>
> On Wed, May 23, 2018 at 9:15 AM Andrew Pilloud <apill...@google.com>
> wrote:
>
>> I generated the list of jars to check using the following search:
>>
>> grep 'include(dependency(' $(find . -name 'build.gradle')
>>
>> Andrew
>>
>> On Tue, May 22, 2018 at 7:33 PM Kenneth Knowles <k...@google.com> wrote:
>>
>>> Did you look through all our jars or is that just a sample?
>>>
>>> Kenn
>>>
>>> On Tue, May 22, 2018 at 7:22 PM Davor Bonaci <da...@apache.org> wrote:
>>>
>>>> This analysis looks correct. Great find!
>>>>
>>>> The recommended fix would be different. I'd suggest appending this
>>>> sentence to the end of the LICENSE file: "A part of several convenience
>>>> binary distributions of this software is licensed as follows", followed by
>>>> the full license text (including its copyright, clauses and disclaimer) --
>>>> for each such case separately. Don't edit the NOTICE file.
>>>>
>>>> I'd suggest keeping things simple: no per-artifact license/notice, etc.
>>>> Just two project-wide files, but I'd suggest including it/attaching it
>>>> "everywhere". Opinions on this part may vary, but, for me, "everywhere"
>>>> includes every jar file.
>>>>
>>>> Standard disclaimers apply.
>>>>
>>>> Any volunteers? Thanks so much!
>>>>
>>>> On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com>
>>>> wrote:
>>>>
>>>>> Here is what I think might be missing:
>>>>>
>>>>> (1) what artifacts are impacted and where are they distributed
>>>>>
>>>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar
>>>>>
>>>>> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar
>>>>>
>>>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar
>>>>>
>>>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar
>>>>>
>>>>> (2) the external dependency being distributed
>>>>>
>>>>> beam-sdks-java-core: protobuf
>>>>> beam-runners-direct-java: protobuf
>>>>> beam-runners-direct-java: jsr-305
>>>>> beam-sdks-java-extensions-sql: janino-compiler
>>>>>
>>>>> (3) license and/or term not adhered to
>>>>>
>>>>> BSD 3 Clause: Redistributions in binary form must reproduce the above
>>>>> copyright notice, this list of conditions and the following disclaimer in
>>>>> the documentation and/or other materials provided with the distribution.
>>>>>
>>>>> (4) any proposed fix
>>>>>
>>>>> NOTICE file in the jar.
>>>>>
>>>>> I am not a lawyer, this is not legal advice.
>>>>>
>>>>> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org> wrote:
>>>>>
>>>>>> Thanks for the report!
>>>>>>
>>>>>> Could you please comment more as to: (1) what artifacts are impacted
>>>>>> and where are they distributed, (2) the external dependency being
>>>>>> distributed, (3) license and/or term not adhered to, and (4) any proposed
>>>>>> fix?
>>>>>>
>>>>>> Any such information would be helpful in triaging the problem --
>>>>>> thanks so much!
>>>>>>
>>>>>> (If confirmed, this would be release blocking.)
>>>>>>
>>>>>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Does it have to be part of the jar or is it good enough to be part
>>>>>>> of the sources jar (as 2.4.0 had it part of the
>>>>>>> beam-parent-2.4.0-source.zip
>>>>>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip>
>>>>>>> )?
>>>>>>>
>>>>>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <apill...@google.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I was digging around in the SQL jar trying to debug some packaging
>>>>>>>> issues and noticed that we aren't including the copyright notices
>>>>>>>> from the packages we are shading. I also looked at our previously
>>>>>>>> released jars and they are the same (so this isn't a regression).
>>>>>>>> Should we be including the copyright notice from packages we are
>>>>>>>> redistributing?
>>>>>>>>
>>>>>>>> Andrew
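The check discussed in this thread can be automated. The following is an added example, not code from the thread or from the Beam project: it extracts the `include(dependency(...))` entries that the grep above searches for and reports which bundled dependencies are not mentioned in any LICENSE or NOTICE file inside the built jar. The sample build script, the sample jar and the keyword mapping are constructed for illustration, and matching on a keyword is an assumption of this example, not a legal test.

```python
import io
import re
import zipfile

# Same call the thread's grep searches for in build.gradle files.
INCLUDE_RE = re.compile(r"include\(dependency\(\s*['\"]?([^'\")]+)['\"]?\s*\)\)")
# Jar entries that count as license or notice material.
LEGAL_RE = re.compile(r"^META-INF/(.*/)?(LICENSE|NOTICE)(\.txt|\.md)?$", re.I)

def bundled_dependencies(gradle_text):
    """Return the argument of every include(dependency(...)) call."""
    return [m.group(1).strip() for m in INCLUDE_RE.finditer(gradle_text)]

def legal_text(jar_bytes):
    """Map each LICENSE/NOTICE entry under META-INF to its decoded text."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n: jar.read(n).decode("utf-8", "replace")
                for n in jar.namelist() if LEGAL_RE.match(n)}

def audit(gradle_text, jar_bytes, keywords):
    """Return bundled dependencies that no legal file in the jar mentions."""
    # keywords: dependency string -> word expected in its license text
    # (hand-maintained; an assumption of this example).
    texts = " ".join(legal_text(jar_bytes).values()).lower()
    return [dep for dep in bundled_dependencies(gradle_text)
            if keywords.get(dep, dep).lower() not in texts]

def make_jar(entries):
    """Build an in-memory jar from {entry name: text} for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, text in entries.items():
            jar.writestr(name, text)
    return buf.getvalue()

# Constructed sample input, not taken from the Beam repository.
SAMPLE_GRADLE = """
shadowJar {
  dependencies {
    include(dependency("com.google.protobuf:protobuf-java"))
    include(dependency("org.codehaus.janino:janino"))
  }
}
"""
SAMPLE_KEYWORDS = {"com.google.protobuf:protobuf-java": "protobuf",
                   "org.codehaus.janino:janino": "janino"}
SAMPLE_JAR = make_jar({
    "META-INF/LICENSE": "Apache License 2.0\nBundles protobuf (BSD 3-Clause).\n",
    "org/example/Main.class": ""})
```

Calling `audit(SAMPLE_GRADLE, SAMPLE_JAR, SAMPLE_KEYWORDS)` on the constructed sample flags only the janino entry, because the sample LICENSE mentions protobuf but not janino.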