Is it possible that RAT is only configured for reporting and not invocation from a build? The log4j RAT passes.
Gary

On Tue, Dec 21, 2021, 16:12 Matt Sicker <boa...@gmail.com> wrote:

> The jquery.js file has a license header; I have no idea why rat complains
> about it. And these two files are copied verbatim from log4j2, so I don't
> see the issue here. I looked at the rat report on the site and it looked
> fine, too.
> --
> Matt Sicker
>
> > On Dec 21, 2021, at 14:55, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > The RAT check (mvn apache-rat:check) fails on:
> >
> > src/site/resources/js/jquery.min.js
> > src/site/resources/js/jquery.js
> >
> > If it is indeed ok to ship these files, then the RAT check should exclude
> > these files and the NOTICE file be updated with an appropriate entry. I
> > know this is not the runtime, it's the site, but we still include the
> > files, so might as well be neat and tidy about it.
> >
> > Also, why ship BOTH the plain and "min" versions?
> >
> > In one of the files, I see "Dual licensed under the MIT or GPL Version 2
> > licenses."
> > I'm pretty sure GPL part is not OK but MIT might be, the comment in the
> > RAT exclusion should say so if these are OK to ship.
> >
> > Thoughts?
> >
> > Gary
> >
> > On Mon, Dec 20, 2021 at 11:02 PM Matt Sicker <boa...@gmail.com> wrote:
> >
> >> This is a vote to release Log4j Kotlin API version 1.2.0, the next
> >> version of the Kotlin facade for Log4j2.
> >>
> >> Please download, test, and cast your votes on the log4j developers list.
> >> [] +1, release the artifacts
> >> [] -1, don't release because...
> >>
> >> The vote will remain open for 24 hours (or more if required). All votes
> >> are welcome and we encourage everyone to test the release, but only
> >> Logging PMC votes are "officially" counted. As always, at least 3 +1
> >> votes and more positive than negative votes are required.
> >>
> >> Changes in this release include:
> >>
> >> * LOG4J2-3218: Update Log4j dependency to 2.17.0.
> >>
> >> This is primarily provided to help upgrade transitive dependencies on
> >> log4j-core which was recently updated to fix CVE-2021-44228,
> >> CVE-2021-45046, and CVE-2021-45105.
> >>
> >> Tag:
> >> a) for a new copy do "git clone
> >> https://github.com/apache/logging-log4j-kotlin.git" and then "git
> >> checkout tags/log4j-api-kotlin-1.2.0-rc3" or just "git clone -b
> >> log4j-api-kotlin-1.2.0-rc3
> >> https://github.com/apache/logging-log4j-kotlin.git"
> >> b) for an existing working copy do "git pull" and then "git checkout
> >> tags/log4j-api-kotlin-1.2.0-rc3"
> >>
> >> Web Site: https://logging.staged.apache.org/log4j/kotlin/index.html
> >>
> >> Maven Artifacts:
> >> https://repository.apache.org/content/repositories/orgapachelogging-1075/
> >>
> >> Distribution archives:
> >> https://dist.apache.org/repos/dist/dev/logging/log4j/kotlin/
> >>
> >> You may download all the Maven artifacts by executing:
> >> wget -e robots=off --cut-dirs=7 -nH -r -p -np --no-check-certificate
> >> https://repository.apache.org/content/repositories/orgapachelogging-1075/org/apache/logging/log4j/
> >>
> >> --
> >> Matt Sicker