Hi Justin,
Thanks for spotting this and reaching out.
Looking at the license/notice generation, I think there are two things
that went wrong for the 1.0 release:
1. The maven license plugin [1] picked the wrong license for
dependencies when there were multiple to choose from (i.e. LGPL vs
Apache 2.0 in [2]).
2. We're trying to include far too much stuff in NOTICE. Quoting the
really useful link you shared [3]:
"Do not add anything to NOTICE which is not legally required."
---
We should review point 1 above to confirm there really are no licenses
that are forbidden in Apache projects. And we should review point 2 to
change the way we generate NOTICE files so it doesn't include everything.
Aled
[1] https://github.com/ahgittin/license-audit-maven-plugin
[2] https://github.com/java-native-access/jna/blob/master/pom-jna.xml
[3] http://www.apache.org/dev/licensing-howto.html
[4] https://www.apache.org/legal/resolved.html#category-x
On 17/05/2020 10:20, Justin Mclean wrote:
Hi,
I was reviewing your board report and mailing list and took a look at
your release. The current LICENSE and NOTICE are not in line with ASF policy.
For instance, your license contains licenses that can't be used in a source
release. I think what you have misunderstood is that you're listing the
licenses of all dependencies rather than just what is bundled in the release.
Your notice file also doesn't need to list dependencies but just required
notices, content from other ALv2 notice files and relocated copyright notices.
This is a good guide [1] if you need help on fixing this, please reach out.
Thanks,
Justin
1. http://www.apache.org/dev/licensing-howto.html