Hi, I think the current binary license/notice is not verifiable, or very difficult to verify.

I did some investigation over existing TLPs and other incubating projects to see how they did the check. I think there are 2 things that need to be checked:

a) ensure all the binary dependencies are listed in LICENSE; this includes jar files under BOOT-INF/lib, and JavaScript dependencies, which can be found in package.json
b) ensure all the dependencies listed in LICENSE are actually bundled in the distribution.

My previous script can check a) but not b). To achieve this, I suggest adding the name of the jar to LICENSE, e.g.

* Ctripcorp 1.2.0 https://raw.githubusercontent.com/ctripcorp/apollo/v1.2.0/
  - apollo-core-1.2.0.jar
  - apollo-openapi-1.2.0.jar

With a format like this, it can be verified using a script. raw.githubusercontent.com could be used to detect whether there is a NOTICE file alongside.

On Fri, Mar 1, 2019 at 2:02 PM Minxuan Zhuang <[email protected]> wrote:
>
> Hello Dubbo Community,
> because of the license issue in dubbo ops binary release[1], I only
> release the source part for the first version, now this issue has been
> fixed[2], please help me to check if the current licenses are correct,
> thanks
>
> [1] https://lists.apache.org/thread.html/98184c2d0c90b4abd2f6f1cfca11b84a4ec869d9ce7d6568d9a75dd4@%3Cgeneral.incubator.apache.org%3E
> [2] https://github.com/apache/incubator-dubbo-ops/commit/b797145214547616a6a02f6e9701178fc73d7ced

--
Best Regards!
Huxing
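The two checks described in the message above, sketched as an added example that is not part of the original e-mail and is not the project's script. It covers only the jar half (not package.json or the NOTICE lookup); the function names, the second LICENSE entry and the in-memory archive are assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Constructed sample in the proposed LICENSE layout; the second entry is made up.
SAMPLE_LICENSE = """\
* Ctripcorp 1.2.0 https://raw.githubusercontent.com/ctripcorp/apollo/v1.2.0/
  - apollo-core-1.2.0.jar
  - apollo-openapi-1.2.0.jar
* Example Lib 0.0.1 https://example.invalid/example-lib/
  - example-lib-0.0.1.jar
"""
JAR_LINE = re.compile(r"^\s*-\s+(\S+\.jar)\s*$")


def jars_in_license(text):
    """Map each '- name.jar' line to the '* component' entry it sits under."""
    declared, component = {}, None
    for line in text.splitlines():
        if line.startswith("* "):
            component = line[2:].strip()
        elif component and (m := JAR_LINE.match(line)):
            declared[m.group(1)] = component
    return declared


def jars_in_archive(archive, lib_dir="BOOT-INF/lib/"):
    """Base names of the jars bundled under lib_dir of the binary release."""
    with zipfile.ZipFile(archive) as zf:
        return {n[len(lib_dir):] for n in zf.namelist()
                if n.startswith(lib_dir) and n.endswith(".jar")}


def check(license_text, archive):
    declared, bundled = jars_in_license(license_text), jars_in_archive(archive)
    return {
        "bundled_not_in_license": sorted(bundled - set(declared)),  # check a)
        "in_license_not_bundled": sorted(set(declared) - bundled),  # check b)
    }


def sample_archive():
    # Constructed in-memory archive: one jar is unlisted, two listed jars are absent.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("apollo-core-1.2.0.jar", "unlisted-dep-3.1.jar"):
            zf.writestr("BOOT-INF/lib/" + name, b"")
    buf.seek(0)
    return buf
```

`check()` also accepts a filesystem path to the release jar in place of the in-memory sample; a release passes when both lists come back empty.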
