Hi,
On Tue, Mar 5, 2019 at 1:26 PM Justin Mclean <[email protected]> wrote:
>
> Hi,
>
> > I think there are 2 things that need to be checked:
> > a) ensure all the binary dependencies are listed in LICENSE, this
> > includes jar files under BOOT-INF/lib, and javascript dependencies
> > which can be found in package.json
>
> Dependencies should not be listed, just what is included in the releases; if
> it’s not in the release there's no need to list it even if it is a dependency.
Yes, what I mean is to ensure all the jar files that are under
BOOT-INF/lib are listed in LICENSE.
For JavaScript it is a bit more tricky, because all the JavaScript
dependencies will be merged into one single minimized JavaScript file.
This makes it hard to verify in the binary distribution.
>
> The other thing you may need to do is look inside each jar and see what it
> contains, as it may bundle other 3rd party code inside that’s under different
> licenses; usually this is fairly obvious from the package name.
I doubt this can be done in a practical way. If done manually, it
might be done once, but checking every jar for each release
looks impossible to me.
If done with a script, it is difficult to find a rule.
For example, a jar called spring-jcl-5.0.6.RELEASE.jar, if I extract it, I get:
jar -tvf spring-jcl-5.0.6.RELEASE.jar
     0 Tue May 08 08:05:42 CST 2018 META-INF/
   177 Tue May 08 08:05:42 CST 2018 META-INF/MANIFEST.MF
     0 Tue May 08 08:05:42 CST 2018 org/
     0 Tue May 08 08:05:42 CST 2018 org/apache/
     0 Tue May 08 08:05:42 CST 2018 org/apache/commons/
     0 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/
  3390 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$Slf4jLocationAwareLog.class
   692 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$Log4jDelegate.class
  1226 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$Slf4jDelegate.class
   707 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$JavaUtilDelegate.class
  3811 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$JavaUtilLog.class
  3961 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$Log4jLog.class
  3192 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory.class
  3967 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$Slf4jLog.class
  3132 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$LocationResolvingLogRecord.class
  1255 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$LogApi.class
     0 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/impl/
   943 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/impl/SimpleLog.class
  1999 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/impl/NoOpLog.class
   455 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$1.class
   479 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/Log.class
   846 Tue May 08 08:05:42 CST 2018 org/apache/commons/logging/LogFactory$2.class
   484 Tue May 08 08:04:32 CST 2018 META-INF/notice.txt
 14767 Tue May 08 08:04:32 CST 2018 META-INF/license.txt
How should I tell the script that org/apache/commons packages are good?
>
> Thanks,
> Justin
>
--
Best Regards!
Huxing
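
One way to turn the per-jar check discussed in this message into a rule a script can apply, as an added example that is not part of the original thread: a person reviews each artifact's package prefixes once, and the script then flags only packages outside that reviewed set on later releases. The `REVIEWED` allowlist, the function names and the sample jar contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Hypothetical allowlist: package prefixes a person has reviewed once per
# artifact and matched to a LICENSE entry. Keys are jar names minus version.
REVIEWED = {"spring-jcl": {"org/apache/commons/logging"}}

def artifact_name(jar_name):
    """Strip the version suffix: spring-jcl-5.0.6.RELEASE.jar -> spring-jcl."""
    return re.sub(r"-\d[\w.\-]*\.jar$", "", jar_name)

def scan_jar(jar_name, jar_file, reviewed=REVIEWED):
    """Return (unreviewed packages, bundled license/notice files) for one jar."""
    allowed = reviewed.get(artifact_name(jar_name), set())
    packages, legal = set(), []
    with zipfile.ZipFile(jar_file) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class") and "/" in entry:
                packages.add(entry.rsplit("/", 1)[0])
            elif re.match(r"META-INF/.*(license|notice)", entry, re.I):
                legal.append(entry)
    unreviewed = sorted(
        p for p in packages
        if not any(p == a or p.startswith(a + "/") for a in allowed)
    )
    return unreviewed, sorted(legal)

def build_sample_jar(entries):
    """Build an in-memory jar (constructed sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed sample mirroring part of the listing in the message.
SAMPLE = [
    "META-INF/MANIFEST.MF", "META-INF/notice.txt", "META-INF/license.txt",
    "org/apache/commons/logging/Log.class",
    "org/apache/commons/logging/impl/NoOpLog.class",
]

if __name__ == "__main__":
    print(scan_jar("spring-jcl-5.0.6.RELEASE.jar", build_sample_jar(SAMPLE)))
    # A constructed later release that bundles an extra package gets flagged.
    shaded = SAMPLE + ["com/example/shaded/Util.class"]
    print(scan_jar("spring-jcl-5.0.7.RELEASE.jar", build_sample_jar(shaded)))
```

A jar with no entry in the allowlist reports every package it contains, so a newly added dependency always gets a first manual review.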