I hope all issues are fixed: The shared-all module now only shades artifacts with groupId "org.apache.directory", 3rd-party artifacts are not included. So no special NOTICE/LICENSE file is requried.
There is a new "distribution" module, it is only activated in apache-release profile. It creates source and binary distributions, including 3rd party JARs. All required attribution notices and licenses for 3rd JARs are listed in src/main/release/licenses. I'll prepare the release now and launch a vote afterwards. Kind Regards, Stefan On Sun, Feb 13, 2011 at 11:53 AM, Emmanuel Lecharny <[email protected]> wrote: > Rethinking about the problem this morning under my shower, here are some > more thoughts, as I was probably not clear enough. > > - shared-all source and binary packages both should contain NOTICE and > LICENSES for all the 3rd parties jars > - individuals jars (say, shared-model.jar) should not include a NOTICE or > LICENSES files. > > > On 2/13/11 1:40 AM, Emmanuel Lécharny wrote: >> >> Comments on line >>> >>> Thanks. >>> >>> I'm not sure when those notices should/must be added. >> >> Let's try to figure out... >>> >>> It's clear, when distributing a binary distribution (e.g. >>> ldap-api.zip) where third-party dependencies are included that the >>> licenses and notices of those third-party dependencies have to be >>> added. >> >> +1 >> >>> But is the attribution also required in the JARs (both, binary or >>> source, there in META-INF/LICENSE and META-INF/NOTICE) that are >>> distributed via maven? >> >> Depends... >> >>> I see the following different cases: >>> 1) In shared-ldap-model we use Antlr to generate Java files. So I >>> think in the distributed shared-ldap-model-X.Y.Z.jar the Antlr >>> attribution is required. >> >> +1 >>> >>> 2) The common case that a 3rd-party libary is used/linked in main code >>> (e.g. dom4j or slf4j). Our distributed JAR only contains our >>> .java/.class files. The third-party jar is not redistributed. The >>> dom4j and slf4j licenses say that attribution is required in case the >>> software is 'used'. Does 'use' already include the case that their >>> classes are linked? But in that case we >> >> As soon as we distribute something which makes necessary to include a >> thrid party jar, I think we should also include the 3rd party licenses. >> >> Remember that we release *sources*, not binaries. Binaries are just >> generated for convenience. But in any case, we release in order for users to >> be able to get our packages, and use them in their own products. Somehow, we >> have to make them safe when doing so, that means include the mandatory >> licenses and notice to spare the the burden to do so. >> >> At least, this is how I understand the way we should do things at the >> ASF... >> >>> 3) Similar like 2, but the 3rd-party is only used as test dependency >>> (like junit). Here the code is not distributed at all. >> >> Still, we distribute sources, which means tests, and users should be able >> to build the project by downloading our sources. That include tests. Of >> course, we don't distribute the associated jars (I was thinking about >> findbugs), so in this case, we are not forced to inject the associated >> license. Tests are supposed to be run using Maven, pointing to external >> dependencies we *don't* provide. However, I still think it's safe to add a >> reference to the used libs in the NOTICE. >> >>> 4) 3rd-party source code is included (e.g. in apacheds/jdbm or in >>> junit-addons). Here it is clear that attribution is required. >> >> +1 >> >> Note that this is my perception of the way we should handle those >> license/notice thingy. I may be wrong... >> >> Hope it helps... >> > > > -- > Regards, > Cordialement, > Emmanuel Lécharny > www.iktek.com > >
