Good point Emmanuel,
Regarding the net.i2p.crypto packages - the notices.xml file in src/legal mentions it, but as stated by the site that contains the code:

<https://github.com/str4d/ed25519-java>
https://github.com/str4d/ed25519-java/blob/master/LICENSE.txt

it is using a creative-commons license so we should probably update our file as it indicates public domain...

Regarding jgit, we should add its license description to our notices.xml file...

Lyor

________________________________
From: Emmanuel Lécharny <[email protected]>
Sent: Thursday, May 18, 2017 10:35 AM
To: dev
Subject: Re: [VOTE] Release Apache Mina SSHD 1.5.0

I have a question regarding N&L. I see that sshd is using the net.i2p.crypto package, and I'm not sure which license applies:

https://geti2p.net/en/get-involved/develop/licenses

In any case, there is no mention of it in N&L files (in assembly).

It may not be necessary, but I'd like a double check.

Same thing for jgit, which is used, and requires their LICENSE file to be added (http://git.eclipse.org/c/gerrit/jgit/jgit.git/tree/LICENSE).

FTR, here are the relevant dependencies (and their transitive dependencies, which must also be taken into account):

$ mvn dependency:tree
...
[INFO] ------------------------------------------------------------------------
[INFO] Building Apache Mina SSHD :: Core 1.5.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ sshd-core ---
[INFO] org.apache.sshd:sshd-core:jar:1.5.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.24:compile OK
[INFO] +- org.apache.mina:mina-core:jar:2.0.16:compile OK
[INFO] +- tomcat:tomcat-apr:jar:5.5.23:compile OK
[INFO] +- org.bouncycastle:bcpg-jdk15on:jar:1.56:compile OK
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.56:compile OK
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.56:compile OK
[INFO] +- net.i2p.crypto:eddsa:jar:0.2.0:compile To be checked
...
[INFO] ------------------------------------------------------------------------
[INFO] Building Apache Mina SSHD :: Git 1.5.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ sshd-git ---
[INFO] org.apache.sshd:sshd-git:jar:1.5.0 OK
[INFO] +- org.apache.sshd:sshd-core:jar:1.5.0:compile OK
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.24:compile OK
[INFO] +- org.eclipse.jgit:org.eclipse.jgit:jar:4.6.0.201612231935-r:compile To be checked
[INFO] |  +- com.googlecode.javaewah:JavaEWAH:jar:1.1.6:compile To be checked
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.4.1:compile OK
[INFO] |     +- org.apache.httpcomponents:httpcore:jar:4.4.1:compile OK
[INFO] |     \- commons-codec:commons-codec:jar:1.9:compile OK
[INFO] +- org.eclipse.jgit:org.eclipse.jgit.pgm:jar:4.6.0.201612231935-r:compile To be checked
[INFO] |  +- args4j:args4j:jar:2.0.15:compile To be checked
[INFO] |  +- org.apache.commons:commons-compress:jar:1.6:compile OK
[INFO] |  |  \- org.tukaani:xz:jar:1.4:compile To be checked
[INFO] |  +- org.eclipse.jgit:org.eclipse.jgit.archive:jar:4.6.0.201612231935-r:compile To be checked
[INFO] |  |  \- org.osgi:org.osgi.core:jar:4.3.1:compile To be checked
[INFO] |  +- org.eclipse.jgit:org.eclipse.jgit.ui:jar:4.6.0.201612231935-r:compile To be checked
[INFO] |  +- org.eclipse.jgit:org.eclipse.jgit.http.apache:jar:4.6.0.201612231935-r:compile To be checked
[INFO] |  +- log4j:log4j:jar:1.2.17:compile OK
[INFO] |  +- org.eclipse.jetty:jetty-servlet:jar:9.2.13.v20150730:compile To be checked
[INFO] |  |  \- org.eclipse.jetty:jetty-security:jar:9.2.13.v20150730:compile To be checked
[INFO] |  |     \- org.eclipse.jetty:jetty-server:jar:9.2.13.v20150730:compile To be checked
[INFO] |  |        +- javax.servlet:javax.servlet-api:jar:3.1.0:compile To be checked
[INFO] |  |        +- org.eclipse.jetty:jetty-http:jar:9.2.13.v20150730:compile To be checked
[INFO] |  |        |  \- org.eclipse.jetty:jetty-util:jar:9.2.13.v20150730:compile To be checked
[INFO] |  |        \- org.eclipse.jetty:jetty-io:jar:9.2.13.v20150730:compile To be checked
[INFO] |  +- org.eclipse.jgit:org.eclipse.jgit.lfs:jar:4.6.0.201612231935-r:compile To be checked
[INFO] |  \- org.eclipse.jgit:org.eclipse.jgit.lfs.server:jar:4.6.0.201612231935-r:compile To be checked

All in all, it's just about updating the assembly N&L file in assembly/src/main/distribution.

Atm, I will cast a -1.

Side note: sorry if I haven't expressed such a concern for any previous distribution, I'm just trying to catch up with those complex requirements, and I have spent a huge amount of time last week reading the ASF doco about N&L.

--
Emmanuel Lecharny
Symas.com
directory.apache.org
