I agree;  I'll close the vote thread, release Apache Daffodil 3.3.0, and fix 
our NOTICE as a bug fix immediately afterwards.  Thanks for the link to the 
licensing how-to, Steve.  I see it also says we don't need to modify our 
LICENSE or include each NOTICE in its entirety, only everything before and 
after the line "This product includes software developed at the Apache Software 
Foundation..." (see excerpts below).

John
 

Bundling an Apache 2-0-licensed dependency

Assuming that the bundled dependency itself contains no bundled sub-components 
under other licenses, so the ALv2 applies uniformly to all files, there is no 
need to modify LICENSE. However, for completeness it is useful to list the 
products and their versions, as is done for products under other licenses.

If the dependency supplies a NOTICE file, its contents must be analyzed and the 
relevant portions bubbled up into the top-level NOTICE file.

Bundling other ASF products

It is not necessary to duplicate the line "This product includes software 
developed at the Apache Software Foundation...", though the ASF copyright line 
and any other portions of NOTICE must be considered for propagation.


-----Original Message-----
From: Steve Lawrence <slawre...@apache.org> 
Sent: Monday, March 21, 2022 10:24 AM
To: dev@daffodil.apache.org
Subject: EXT: Re: [VOTE] Release Apache Daffodil 3.3.0-rc1

WARNING: This email originated from outside of GE. Please validate the sender's 
email address before clicking on links or attachments as they may not be safe.

This page mentions LICENSE and NOTICE files for binary distributions:

https://infra.apache.org/licensing-howto.html#binary

If they are distributed in the convenience binary, no matter how many levels of 
transitive dependencies, the LICENSE/NOTICE information needs to be included.

That said, considering these are all Apache licenses with standard notices, I'm 
okay keeping my vote a +1, as long as we ensure they are added in the next 
release.

On 3/21/22 12:47 PM, Interrante, John A (GE Research, US) wrote:
> I downloaded the helper binaries for each new dependency (except xmlresolver 
> on which I'd already done due diligence as a direct dependency of Saxon-HE - 
> the rest of those dependencies are dependencies of xmlresolver itself so I'd 
> missed them) and checked LICENSE/NOTICE files.  What is the rule we follow 
> for incorporating such doubly indirect transitive dependencies' NOTICE files 
> into our NOTICE file?  Is the rule "If you find a NOTICE file, you must 
> include it in its entirety into your NOTICE file"?  If that is the rule, do 
> people think we need to cancel the vote and generate a second release 
> candidate with these NOTICE files added to our NOTICE file, or do it as a bug 
> fix after releasing 3.3.0?
> 
> I also noticed that xmlresolver is not using the latest versions of each and 
> every dependency (oh well).
> 
> Here's commons-codec-1.11/NOTICE.txt (the most recent version is 1.15):
> 
> ---
> Apache Commons Codec
> Copyright 2002-2017 The Apache Software Foundation
> 
> This product includes software developed at The Apache Software 
> Foundation (http://www.apache.org/).
> 
> src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java
> contains test data from http://aspell.net/test/orig/batch0.tab.
> Copyright (C) 2002 Kevin Atkinson (kev...@gnu.org)
> 
> ===============================================================================
> 
> The content of package org.apache.commons.codec.language.bm has been 
> translated from the original php source code available at 
> http://stevemorse.org/phoneticinfo.htm
> with permission from the original authors.
> Original source copyright:
> Copyright (c) 2008 Alexander Beider & Stephen P. Morse.
> ---
> 
> Here's commons-logging-1.2/NOTICE.txt:
> 
> ---
> Apache Commons Logging
> Copyright 2003-2014 The Apache Software Foundation
> 
> This product includes software developed at The Apache Software 
> Foundation (http://www.apache.org/).
> ---
> 
> Here is httpcomponents-client-4.5.13/NOTICE.txt (the most recent version is 
> 5.1.3):
> 
> ---
> Apache HttpComponents Client
> Copyright 1999-2020 The Apache Software Foundation
> 
> This product includes software developed at The Apache Software 
> Foundation (http://www.apache.org/).
> ---
> 
> Here is httpcomponents-core-4.4.15/NOTICE.txt (the most recent version is 
> 5.1.3):
> 
> ---
> Apache HttpComponents Core
> Copyright 2005-2020 The Apache Software Foundation
> 
> This product includes software developed at The Apache Software 
> Foundation (http://www.apache.org/).
> ---
> 
> All LICENSES are Apache 2.0.
> 
> John
> 
> -----Original Message-----
> From: Steve Lawrence <slawre...@apache.org>
> Sent: Monday, March 21, 2022 9:06 AM
> To: dev@daffodil.apache.org
> Subject: EXT: Re: [VOTE] Release Apache Daffodil 3.3.0-rc1
> 
> Hmm, I missed those new dependencies. Do we need to update our LICENSE/NOTICE 
> files in daffodil-cli?
> 
> Looks like we already have xmlresolver mentioned, but we have nothing for the 
> other dependencies?
> 
> 
> On 3/21/22 12:00 PM, Interrante, John A (GE Research, US) wrote:
>> +1
>>
>> FYI, apache-daffodil-3.3.0-bin/lib has 6 new jars in it.  Those new 
>> jars are new transitive dependencies added by the bump of Saxon-HE 
>> from 10.6 to 11.2.  Their names are:
>>
>> commons-codec.commons-codec-1.11.jar
>> commons-logging.commons-logging-1.2.jar
>> org.apache.httpcomponents.httpclient-4.5.13.jar
>> org.apache.httpcomponents.httpcore-4.4.13.jar
>> org.xmlresolver.xmlresolver-4.2.0-data.jar
>> org.xmlresolver.xmlresolver-4.2.0.jar
>>
>> Otherwise, the helper binaries look normal.
>>
>> I checked the following:
>>
>> [OK] verified signature of git tag
>> [OK] verified signatures of source and helper binaries
>> [OK] verified signatures use key in KEYS with apache email address
>> [OK] verified source has no unexpected binary files
>> [OK] verified source and git tag are same minus KEYS file
>> [OK] verified source and helper binaries include LICENSE/NOTICE/README
>> [OK] verified LICENSE/NOTICE/README look correct
>> [OK] verified online JavaDoc and ScalaDoc docs look correct
>> [OK] compiled source and ran all tests & ratCheck
>> [OK] verified jars built from source have same content as helper binary jars
>>
>> John
>>
>> -----Original Message-----
>> From: Interrante, John A (GE Research, US) <john.interra...@ge.com>
>> Sent: Friday, March 18, 2022 9:07 AM
>> To: dev@daffodil.apache.org
>> Subject: EXT: [VOTE] Release Apache Daffodil 3.3.0-rc1
>>
>> Hi PMC members,
>>    
>> I'd like to call a vote to release Apache Daffodil 3.3.0-rc1.
>>    
>> All distribution packages, including signatures, digests, etc. can be found 
>> at:
>>    
>> https://dist.apache.org/repos/dist/dev/daffodil/3.3.0-rc1/
>>    
>> Staging artifacts can be found at:
>>    
>> https://repository.apache.org/content/repositories/orgapachedaffodil-1029/
>>    
>> This release has been signed with PGP key 04A735FC1A36AE84, corresponding to 
>> jinterra...@apache.org, which is included in the KEYS file here:
>>    
>> https://downloads.apache.org/daffodil/KEYS
>>    
>> The release candidate has been tagged in git with v3.3.0-rc1.
>>    
>> For reference, here is a list of all closed JIRAs tagged with 3.3.0:
>>    
>> https://s.apache.org/daffodil-issues-3.3.0
>>    
>> For a summary of the changes in this release, see:
>>    
>> https://daffodil.apache.org/releases/3.3.0/
>>    
>> Please review and vote. The vote will be open for at least 72 hours (Monday, 
>> March 21 2022, 12 Noon EST).
>>    
>> [ ] +1 approve
>> [ ] +0 no opinion
>> [ ] -1 disapprove (and reason why)
>>    
>> Thanks,
>> John
> 
