If you have the binary release, you need to list all the third party jars in the License file. BTW, you can use maven license plugin[1] to list those jars in your distribution directory. You can find the plugin setting example here[2]. The only missing part is you still need to copy the generated file into License file yourself.
[1]https://www.mojohaus.org/license-maven-plugin/ [2]https://github.com/apache/servicecomb-pack/blob/master/pom.xml#L643 Willem Jiang Twitter: willemjiang Weibo: 姜宁willem On Wed, Jul 24, 2019 at 10:00 AM Xiangdong Huang <saint...@gmail.com> wrote: > > Hi Justin, > > How about the following modifications: > > > 1. Why is license information being mentioned in NOTICE? All license > information should go in LICENSE. > > Remove all license information out of NOTICE, and copy all content of > NOTICEs from all bundled dependencies to our NOTICE? > > > 2. Why is the General Public License (GPL) license mentioned? (It’s a > Category X license) > > I check the content and find that we use `javax.annotation`, which uses > CDDL and GPL double license. > I think it is ok that we use the dependence according to CDDL. So just > removing the content about GPL is ok, I think. > > > 3. Why are dependancies (JUnit / Hamscrest) which I assume are not > bundled mentioned? > > I think we can remove them out of the NOTICE and LICENSE. > > > 4. Why are the binaries mentioned in the source release? Please make > seperate LICENSE and NOTICE for the source and binary releases. > > Do we need to maintain 4 files: LICENSE, NOTICE, LICENSE-binary, and > NOTICE-binary? > > > In LICENSE it also seem you are listing dependancies rather than what is > bundled in the source release? > > According to [1] (BUNDLED VS. NON-BUNDLED DEPENDENCIES), only the (binary) > jars and java (source) files that written by the third part are bundled. > > The dependencies that claimed in pom.xml will be downloaded automatically > from the Maven Repository when the user compile the source code, so they > can be considered as non-bundled. Are these dependencies can be removed > from the LICENSE? > > [1] http://www.apache.org/dev/licensing-howto.html#mod-notice > > Best, > ----------------------------------- > Xiangdong Huang > School of Software, Tsinghua University > > 黄向东 > 清华大学 软件学院 > > > Justin Mclean <jus...@classsoftware.com> 于2019年7月24日周三 上午6:47写道: > > > HI, > > > > I took a quick look at NOTICE and something is not right: > > 1. Why is license information being mentioned in NOTICE? All license > > information should go in LICENSE. > > 2. Why is the General Public License (GPL) license mentioned? (It’s a > > Category X license) > > 3. Why are dependancies (JUnit / Hamscrest) which I assume are not bundled > > mentioned? > > 4. Why are the binaries mentioned in the source release? Please make > > seperate LICENSE and NOTICE for the source and binary releases. > > > > In LICENSE it also seem you are listing dependancies rather than what is > > bundled in the source release? > > > > Thanks, > > Justin