I'm not sure what the right approach is, but the jars generated off of
current master contain no LICENSE, NOTICE, or other metadata about
dependencies. (The ones checked in at the root of the beam repo are not
bundled.)

Andrew

On Thu, May 24, 2018 at 7:05 AM Kenneth Knowles <k...@google.com> wrote:

> I merged Boyuan's PR since it seems like a clear improvement. But it looks
> like the suggested approach of overapproximating what is bundled in a
> particular artifact is contrary to
> http://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled
>
> Kenn
>
> On Wed, May 23, 2018 at 1:52 PM Scott Wegner <sweg...@google.com> wrote:
>
>> FYI, I've opened https://issues.apache.org/jira/browse/BEAM-4393 to
>> track this work and marked it as a 2.5.0 release blocker.
>>
>> On Wed, May 23, 2018 at 9:15 AM Andrew Pilloud <apill...@google.com>
>> wrote:
>>
>>> I generated the list of jars to check using the following search:
>>>
>>> grep 'include(dependency(' $(find . -name 'build.gradle')
>>>
>>>
>>> Andrew
>>>
>>> On Tue, May 22, 2018 at 7:33 PM Kenneth Knowles <k...@google.com> wrote:
>>>
>>>> Did you look through all our jars or is that just a sample?
>>>>
>>>> Kenn
>>>>
>>>> On Tue, May 22, 2018 at 7:22 PM Davor Bonaci <da...@apache.org> wrote:
>>>>
>>>>> This analysis looks correct. Great find!
>>>>>
>>>>> The recommended fix would be different. I'd suggest appending this
>>>>> sentence to the end of the LICENSE file: "A part of several convenience
>>>>> binary distributions of this software is licensed as follows", followed by
>>>>> the full license text (including its copyright, clauses and disclaimer) --
>>>>> for each such case separately. Don't edit the NOTICE file.
>>>>>
>>>>> I'd suggest keeping things simple: no per-artifact license/notice,
>>>>> etc. Just two project-wide files, but I'd suggest including it/attaching it
>>>>> "everywhere". Opinions on this part may vary, but, for me, "everywhere"
>>>>> includes every jar file.
>>>>>
>>>>> Standard disclaimers apply.
>>>>>
>>>>> Any volunteers? Thanks so much!
>>>>>
>>>>> On Tue, May 22, 2018 at 4:02 PM, Andrew Pilloud <apill...@google.com>
>>>>> wrote:
>>>>>
>>>>>> Here is what I think might be missing:
>>>>>>
>>>>>> (1) what artifacts are impacted and where are they distributed
>>>>>>
>>>>>>
>>>>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-core/2.4.0/beam-sdks-java-core-2.4.0.jar
>>>>>>
>>>>>> http://central.maven.org/maven2/org/apache/beam/beam-runners-direct-java/2.4.0/beam-runners-direct-java-2.4.0.jar
>>>>>>
>>>>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-harness/2.4.0/beam-sdks-java-harness-2.4.0.jar
>>>>>>
>>>>>> http://central.maven.org/maven2/org/apache/beam/beam-sdks-java-extensions-sql/2.4.0/beam-sdks-java-extensions-sql-2.4.0.jar
>>>>>>
>>>>>> (2) the external dependency being distributed
>>>>>>
>>>>>> beam-sdks-java-core: protobuf
>>>>>> beam-runners-direct-java: protobuf
>>>>>> beam-runners-direct-java: jsr-305
>>>>>> beam-sdks-java-extensions-sql: janino-compiler
>>>>>>
>>>>>> (3) license and/or term not adhered to
>>>>>>
>>>>>> BSD 3 Clause: Redistributions in binary form must reproduce the
>>>>>> above copyright notice, this list of conditions and the following
>>>>>> disclaimer in the documentation and/or other materials provided with the
>>>>>> distribution.
>>>>>>
>>>>>> (4) any proposed fix
>>>>>>
>>>>>> NOTICE file in the jar.
>>>>>>
>>>>>> I am not a lawyer, this is not legal advice.
>>>>>>
>>>>>> On Tue, May 22, 2018 at 2:55 PM Davor Bonaci <da...@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Thanks for the report!
>>>>>>>
>>>>>>> Could you please comment more as to: (1) what artifacts are impacted
>>>>>>> and where are they distributed, (2) the external dependency being
>>>>>>> distributed, (3) license and/or term not adhered to, and (4) any
>>>>>>> proposed fix?
>>>>>>>
>>>>>>> Any such information would be helpful in triaging the problem --
>>>>>>> thanks so much!
>>>>>>>
>>>>>>> (If confirmed, this would be release blocking.)
>>>>>>>
>>>>>>> On Tue, May 22, 2018 at 2:37 PM, Lukasz Cwik <lc...@google.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Does it have to be part of the jar or is it good enough to be part
>>>>>>>> of the sources jar (as 2.4.0 had it part of the
>>>>>>>> beam-parent-2.4.0-source.zip
>>>>>>>> <http://central.maven.org/maven2/org/apache/beam/beam-parent/2.4.0/beam-parent-2.4.0-source.zip>
>>>>>>>> )?
>>>>>>>>
>>>>>>>> On Tue, May 22, 2018 at 11:16 AM Andrew Pilloud <
>>>>>>>> apill...@google.com> wrote:
>>>>>>>>
>>>>>>>>> I was digging around in the SQL jar trying to debug some packaging
>>>>>>>>> issues and noticed that we aren't including the copyright notices
>>>>>>>>> from the packages we are shading. I also looked at our previously
>>>>>>>>> released jars and they are the same (so this isn't a regression).
>>>>>>>>> Should we be including the copyright notice from packages we are
>>>>>>>>> redistributing?
>>>>>>>>>
>>>>>>>>> Andrew
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
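
An added example, not part of the original thread or of Beam's build: a check that a built jar carries `META-INF/LICENSE` and `META-INF/NOTICE` when it bundles the dependencies listed in the thread. The package paths in `BUNDLED_MARKERS`, the helper names and the sample jar entries are assumptions constructed for illustration.

```python
import io
import zipfile

LEGAL_NAMES = ("LICENSE", "NOTICE")

# Assumed package paths for the dependencies named in the thread.
BUNDLED_MARKERS = {
    "protobuf": "com/google/protobuf/",
    "jsr-305": "javax/annotation/",
    "janino-compiler": "org/codehaus/janino/",
}


def audit_jar(jar, markers=BUNDLED_MARKERS):
    """Return (bundled dependency names, missing META-INF legal files)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
    present, bundled = set(), set()
    for name in names:
        head, _, base = name.rpartition("/")
        if head.upper() == "META-INF":
            # Accept LICENSE, LICENSE.txt, NOTICE.md directly under META-INF/.
            stem = base.upper().split(".")[0]
            if stem in LEGAL_NAMES:
                present.add(stem)
        elif name.endswith(".class"):
            # Substring match also catches relocated (shaded) copies, assuming
            # the relocation keeps the original package path as a suffix.
            for dep, marker in markers.items():
                if marker in name:
                    bundled.add(dep)
    missing = [n for n in LEGAL_NAMES if n not in present]
    return sorted(bundled), missing


def build_sample_jar(entries):
    """Build an in-memory jar from entry names (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_jar([
        "META-INF/MANIFEST.MF",
        "org/apache/beam/sdk/Pipeline.class",
        "org/apache/beam/repackaged/com/google/protobuf/Message.class",
    ])
    print(audit_jar(sample))
```

`audit_jar` also accepts a path to a jar on disk, so it can be run over every artifact a build produces.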
