Thanks for pointing this out, Justin. All, I'm not sure what the procedure here should be. Do we need to re-release 1.0.0 or is that horse gone, and we should release a fixed 1.0.1?
Regards Geoff On Mon, 18 May 2020, 10:18 Aled Sage, <[email protected]> wrote: > Hi Justin, > > Thanks for spotting this and reaching out. > > Looking at the license/notice generation, I think there are two things > that went wrong for 1.0 release: > > 1. The maven license plugin [1] picked the wrong license for > dependencies when there were multiple to choose from (i.e. LGPL vs > Apache 2.0 in [2]). > > 2. We're trying to include far too much stuff in NOTICE. Quoting the > really useful link you shared [3]: > > "Do not add anything to NOTICE which is not legally required." > > --- > > We should review point 1 above to confirm there really are no licenses > that are forbidden in apache projects. And we should review point 2 to > change the way we generate NOTICE files so it doesn't include everything. > > Aled > > [1] https://github.com/ahgittin/license-audit-maven-plugin > > [2] https://github.com/java-native-access/jna/blob/master/pom-jna.xml > > [3] http://www.apache.org/dev/licensing-howto.html > > [4] https://www.apache.org/legal/resolved.html#category-x > > > On 17/05/2020 10:20, Justin Mclean wrote: > > Hi, > > > > I was looking reviewing your board report and mailing list and took a > look at your release. The current LICENSE and NOTICE are not in line with > ASF policy. For instance, your license contains licenses that can't be used > in a source release. I think what you have misunderstood is that you're > listing the licenses of all dependencies rather than just what is bundled > in the release. Your notice file also doesn't need to list dependencies but > just required notices, content from other ALv2 notice files and relocated > copyright notices. This is a good guide [1] if you need help on fixing > this, please reach out. > > > > Thanks, > > Justin > > > > 1. http://www.apache.org/dev/licensing-howto.html >
