Hi team-
I've taken a deeper look at the license/notice issues raised by Justin
and I think I have resolved them in PR [1] (and various PRs it
references). A summary is below. Justin, thank you for spotting these
bugs.
If anyone has comments please reply here or on the issue [1].
Regarding the use of Category-X [2] licenses:
* net.java.dev.jna - this is dual-licensed under LGPL and ASL; the
NOTICE incorrectly stated it was being used under the former; it now
correctly states it is being used under the latter
* com.google.code.findbugs.annotations - Apache Brooklyn does not use
nor depend on this LGPL project. It is a compile-time-only dependency of
libraries we use, but not accurately reported in those libraries as
compile-time-only dependencies and so was picked up as a transient
dependency of Apache Brooklyn. Our maven POMs now explicitly exclude
this so it is no longer treated as a dependency, is not included in our
binary dist, and is not noted in NOTICE.
* With the above two fixes there are no longer any Category-X [2]
licenses in our source or binary builds.
Regarding the information included in our NOTICE files:
* Our source dist and JAR NOTICE files (in the root of projects, in JARs
and in the source dist artifact) previously for convenience reported the
binary dependencies pulled in. These were clearly labelled as such but
nevertheless contrary to the philosophy that NOTICE files should contain
only what is legally required. These NOTICES have been fixed so that
they only list third-party artifacts actually included in our source.
Consequently they are much, much smaller.
* Our binary dist NOTICE files (in binary TGZs, RPMs, WARs and all other
binary artifacts) list all runtime dependencies included in the binary
dist where a custom notice, attribution, and/or license for that
dependency is appropriate. Where there is doubt about any such
obligation we have erred on the side of inclusion.
* A non-statutory DEPENDENCIES file is now included alongside the source
dist NOTICE files advising what binary dependencies will be included in
the built artifact. This file contains what was formerly in the source
dist NOTICE files. This makes it easy for users to analyse the full set
of dependencies of Apache Brooklyn without conferring the undue legal
burden entailed by including this information in any of the statutory
NOTICE files.
There are some additional changes:
* Some libraries have been updated or added recently and use the new
licenses EPL v2 and EDL v1 which were not previously recognised
* Some dependencies were overlooked in some reports where the "karaf"
project did not depend on the bundles it incorporates; this is remedied,
and the license/notice generation only applies to that relevant project
(and license-gen runs faster by only running on that project)
* Some icons had been added from Apache projects and elsewhere, with no
NOTICE; this is remedied
I believe with [1] all LICENSE and NOTICE files will now be current,
correct, and compliant with Apache policy.
Best
Alex
[1] https://github.com/apache/brooklyn-dist/pull/164
[2] https://www.apache.org/legal/resolved.html#category-x
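The POM exclusion described above, as an added example that is not Alex's text or the project's actual POM: the exclusion drops the LGPL findbugs annotations artifact from a transitive dependency, and a maven-enforcer-plugin bannedDependencies rule makes the build fail if it ever reappears. The enclosing dependency coordinates are placeholders, since the message does not say which library pulls it in.

```xml
<!-- Added illustration; the upstream library below is a placeholder. -->
<dependencies>
  <dependency>
    <groupId>org.example</groupId>            <!-- placeholder -->
    <artifactId>library-that-pulls-it-in</artifactId> <!-- placeholder -->
    <version>0.0.0</version>                  <!-- placeholder -->
    <exclusions>
      <!-- Compile-time-only annotations, LGPL (Category-X); not needed at runtime. -->
      <exclusion>
        <groupId>com.google.code.findbugs</groupId>
        <artifactId>annotations</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <!-- Regression check: fail the build if the banned artifact comes back
           through any transitive path, so the NOTICE cannot silently drift. -->
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-category-x-dependencies</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <exclude>com.google.code.findbugs:annotations</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

`mvn dependency:tree -Dincludes=com.google.code.findbugs` should then print an empty tree for the module, confirming the exclusion took effect before the binary dist is built.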
On 18/05/2020 10:18, Aled Sage wrote:
Hi Justin,
Thanks for spotting this and reaching out.
Looking at the license/notice generation, I think there are two things
that went wrong for 1.0 release:
1. The maven license plugin [1] picked the wrong license for
dependencies when there were multiple to choose from (i.e. LGPL vs
Apache 2.0 in [2]).
2. We're trying to include far too much stuff in NOTICE. Quoting the
really useful link you shared [3]:
"Do not add anything to NOTICE which is not legally required."
---
We should review point 1 above to confirm there really are no licenses
that are forbidden in Apache projects. And we should review point 2 to
change the way we generate NOTICE files so it doesn't include everything.
Aled
[1] https://github.com/ahgittin/license-audit-maven-plugin
[2] https://github.com/java-native-access/jna/blob/master/pom-jna.xml
[3] http://www.apache.org/dev/licensing-howto.html
[4] https://www.apache.org/legal/resolved.html#category-x
On 17/05/2020 10:20, Justin Mclean wrote:
Hi,
I was reviewing your board report and mailing list and took a
look at your release. The current LICENSE and NOTICE are not in line
with ASF policy. For instance, your license contains licenses that
can't be used in a source release. I think what you have
misunderstood is that you're listing the licenses of all dependencies
rather than just what is bundled in the release. Your notice file
also doesn't need to list dependencies but just required notices,
content from other ALv2 notice files and relocated copyright notices.
This is a good guide [1]. If you need help fixing this, please
reach out.
Thanks,
Justin
1. http://www.apache.org/dev/licensing-howto.html