Roman - can you please comment on SGA requirement for the incubator release?

Thanks,
--
Nikita Ivanov

On Thu, Apr 9, 2020 at 7:28 PM Nikita Ivanov <[email protected]> wrote:

> If necessary, we can just file SGA. We should do it anyway. I just don't
> want to hold up release unless it is absolutely necessary.
>
> Thanks,
> --
> Nikita Ivanov
>
>
>
> On Thu, Apr 9, 2020 at 7:18 PM Paul King <[email protected]> wrote:
>
> > On Fri, Apr 10, 2020 at 11:48 AM Dave Fisher <[email protected]> wrote:
> >
> > >
> > >
> > > Sent from my iPhone
> > >
> > > > > On Apr 9, 2020, at 5:56 PM, Aaron Radzinski <[email protected]> wrote:
> > > >
> > > > Paul,
> > > > 1. Yes, no third party source code was used/included.
> > >
> > > +1
> > >
> > > > > 2. As far as SGA I believe we have to submit it before graduation.
> > > > > There's no requirement to get it done for the 1st release.
> > >
> > > SGA is required to make a release. RVS can confirm.
> > >
> >
> > I don't know whether the WIP disclaimer could help here. Can others
> > comment?
> >
> >
> > > > > 3. Our binary is an all-inclusive JAR that bundles all dependencies
> > > > > (except for GPLv3 licensed ones).
> > >
> > > *1
> > >
> > > Regards,
> > > Dave
> > > >
> > > > Thanks,
> > > > --
> > > > Aaron Radzinski
> > > >
> > > >
> > > >
> > > > >> On Thu, Apr 9, 2020 at 5:05 PM Paul King <[email protected]> wrote:
> > > >>
> > > > >> The source code license looks good to me (on the presumption that no
> > > > >> third party source code is included which I believe is the case).
> > > >> There was mention earlier of DataLingvo executing an SGA. Has that
> > > >> occurred? (question for Nikita?)
> > > >>
> > > >> The NOTICE file for source code shouldn't have the additional
> > > >> entries, e.g.:
> > > >>
> > > >>> OpenZipkin
> > > >>> Copyright 2015-2020 The OpenZipkin Authors
> > > >>> ASLv2 License
> > > >>
> > > > >> would be needed only if you had a source file from OpenZipkin included
> > > > >> in NLPCraft source code.
> > > >>
> > > >> For "Complementary Binary Release", is that a jar which is just the
> > > >> compiled source code or a zip bundle with dependencies?
> > > >> In general, a convenience binary jar would not need to address
> > > >> license/notice issues for transitive dependencies.
> > > >> A zip bundle would need something close to your suggestion.
> > > >>
> > > >> Cheers, Paul.
> > > >>
> > > > >> On Thu, Apr 9, 2020 at 1:41 PM Aaron Radzinski <[email protected]> wrote:
> > > >>
> > > > >>> Paul, et al.,
> > > > >>> Based on these examples here's what I've come up with. NLPCraft will
> > > > >>> have both ASF (source) release and complimentary binaries, and they
> > > > >>> will have separate LICENSE files.
> > > >>>
> > > >>> ASF (source code) Release:
> > > >>> - LICENSE
> > > >>> https://github.com/apache/incubator-nlpcraft/blob/master/LICENSE
> > > >>> - NOTICE
> > > > >>> https://github.com/apache/incubator-nlpcraft/blob/master/NOTICE
> > > >>>
> > > >>> Complimentary Binary Release:
> > > >>> - LICENSE
> > > >>>
> > >
> https://github.com/apache/incubator-nlpcraft/blob/master/bindist/LICENSE
> > > >>> - NOTICE
> > > https://github.com/apache/incubator-nlpcraft/blob/master/NOTICE
> > > >>>
> > > >>> NOTE: NOTICE file is the same for both releases.
> > > >>>
> > > >>> Thoughts, comments?
> > > >>> --
> > > >>> Aaron Radzinski
> > > >>>
> > > >>>
> > > >>>
> > > > >>> On Tue, Apr 7, 2020 at 5:40 AM Furkan KAMACI <[email protected]> wrote:
> > > >>>
> > > >>>> Hi,
> > > >>>>
> > > > >>>> Here is another example which has been graduated just a couple of
> > > > >>>> months ago: https://github.com/apache/druid/blob/master/LICENSE
> > > >>>>
> > > >>>> Kind Regards,
> > > >>>> Furkan KAMACI
> > > >>>>
> > > > >>>> On Tue, Apr 7, 2020 at 2:49 PM Paul King <[email protected]> wrote:
> > > >>>>
> > > > >>>>> The LICENSE and NOTICE from NIFI look good to me for the source
> > > > >>>>> artifact: https://github.com/apache/nifi
> > > >>>>>
> > > >>>>> The LICENSE and NOTICE for the NIFI bundle also look good to me:
> > > >>>>> https://github.com/apache/nifi/tree/master/nifi-assembly
> > > >>>>>
> > > >>>>> HTH, Paul.
> > > >>>>>
> > > >>>>>
> > > > >>>>> On Tue, Apr 7, 2020 at 9:43 PM Paul King <[email protected]> wrote:
> > > >>>>>
> > > > >>>>>> Most projects should be the same. I am most familiar with Groovy
> > > > >>>>>> and believe it is done correctly there. Gradle is used for building
> > > > >>>>>> which might make it harder to mimic given NLPCraft is using maven.
> > > > >>>>>> I'll take a quick look at some others ...
> > > >>>>>>
> > > > >>>>>> On Tue, Apr 7, 2020 at 6:53 PM Aaron Radzinski <[email protected]> wrote:
> > > >>>>>>
> > > >>>>>>> Paul,
> > > > >>>>>>> Can you point to some ASF project(s) that has done it right? I've
> > > > >>>>>>> looked at several and they all seem to be doing differently...
> > > >>>>>>>
> > > >>>>>>> Thank you,
> > > >>>>>>> --
> > > >>>>>>> Aaron Radzinski
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>
> > > > >>>>>>> On Mon, Apr 6, 2020 at 9:21 PM Paul King <[email protected]> wrote:
> > > >>>>>>>
> > > > >>>>>>>> Another important concept is that for any artifact, the included
> > > > >>>>>>>> NOTICE/LICENSE should be the minimum required for that artifact
> > > > >>>>>>>> (or instead of thinking it as the minimum, think just accurately
> > > > >>>>>>>> specified for that artifact).
> > > >>>>>>>>
> > > > >>>>>>>> So, the list you provide would possibly be appropriate for a zip
> > > > >>>>>>>> distribution, assuming that is desirable. If that is needed, I'd
> > > > >>>>>>>> change the wording from:
> > > > >>>>>>>> "NLPCraft project uses or integrates with the following 3rd party
> > > > >>>>>>>> software (binary dependencies) that is licensed under non-Apache
> > > > >>>>>>>> License 2.0"
> > > > >>>>>>>> to something like:
> > > > >>>>>>>> "This NLPCraft distribution bundles 3rd party binary dependencies
> > > > >>>>>>>> that are licensed as outlined below."
> > > >>>>>>>>
> > > > >>>>>>>> In general, the source distribution LICENSE would not need (and
> > > > >>>>>>>> therefore should not have) those entries listed.
> > > >>>>>>>>
> > > > >>>>>>>> A binary jar artifact suitable for publishing in a repo, assuming
> > > > >>>>>>>> one is needed, would also not need most (if not all) of those
> > > > >>>>>>>> entries. The LICENSE and NOTICE pertain to the artifact itself not
> > > > >>>>>>>> listed dependencies (which will already contain their own
> > > > >>>>>>>> LICENSE/NOTICE info).
> > > >>>>>>>>
> > > > >>>>>>>> I'd also expect in general modifications to the NOTICE file. It
> > > > >>>>>>>> would include any copyright notice sections from even ASF2
> > > > >>>>>>>> licensed dependencies which aren't specifically "copyright ASF",
> > > > >>>>>>>> e.g. might be individuals. In addition, if any of the third party
> > > > >>>>>>>> licenses request some kind of acknowledgement, that would go in
> > > > >>>>>>>> the NOTICE file(s).
> > > >>>>>>>>
> > > >>>>>>>> Cheers, Paul.
> > > >>>>>>>>
> > > >>>>>>>>
> > > > >>>>>>>> On Tue, Apr 7, 2020 at 10:58 AM Aaron Radzinski <[email protected]> wrote:
> > > >>>>>>>>
> > > > >>>>>>>>> Paul, Roman, et al.,
> > > > >>>>>>>>> I've listed non-ASF2.0 licenses for our dependencies here:
> > > > >>>>>>>>> https://github.com/apache/incubator-nlpcraft/blob/master/LICENSE
> > > >>>>>>>>>
> > > >>>>>>>>> Please review and let me know if this passes the muster.
> > > >>>>>>>>>
> > > >>>>>>>>> Thank you,
> > > >>>>>>>>> --
> > > >>>>>>>>> Aaron Radzinski
> > > >>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>>
> > > > >>>>>>>>> On Mon, Apr 6, 2020 at 2:58 PM Roman Shaposhnik <[email protected]> wrote:
> > > >>>>>>>>>
> > > >>>>>>>>>> On Mon, Apr 6, 2020 at 12:48 PM Aaron Radzinski
> > > >>>>>>>>>> <[email protected]> wrote:
> > > >>>>>>>>>>>
> > > >>>>>>>>>>> Mentors,
> > > > >>>>>>>>>>> I'm confused on how to (and why) list licenses for all
> > > > >>>>>>>>>>> project's dependencies. To do it explicitly is a major time
> > > > >>>>>>>>>>> sink and it's very hard to maintain it this way going forward.
> > > > >>>>>>>>>>> How do projects approach this in an automated way? Will this
> > > > >>>>>>>>>>> be enough to provide an Apache RAT report?
> > > >>>>>>>>>>
> > > > >>>>>>>>>> It depends on what you want to distribute. There are two
> > > > >>>>>>>>>> artifacts that you can distribute:
> > > >>>>>>>>>>   #1 source code tarball
> > > >>>>>>>>>>   #2 binary convenience archives (of any kind)
> > > >>>>>>>>>>
> > > > >>>>>>>>>> For both your downstream consumers have to know *exactly* what
> > > > >>>>>>>>>> licenses are covering:
> > > >>>>>>>>>>   #1 every single line of code in every file
> > > >>>>>>>>>>   #2 every single bit
> > > >>>>>>>>>>
> > > > >>>>>>>>>> Now, #1 is somewhat easier since all the new code is going to
> > > > >>>>>>>>>> be licensed under ALv2. Still, there will be cases when you (or
> > > > >>>>>>>>>> your build system) statically pulls source code in that ends up
> > > > >>>>>>>>>> in your release source tarball that wasn't developed by you and
> > > > >>>>>>>>>> is available under a different license.
> > > > >>>>>>>>>> That has to be tracked very, very carefully.
> > > >>>>>>>>>>
> > > > >>>>>>>>>> In fact, that is exactly why a lot of downstream consumers
> > > > >>>>>>>>>> trust ASF (that we won't subject them to anything but ALv2
> > > > >>>>>>>>>> compatible licenses) and don't trust a random GH project where
> > > > >>>>>>>>>> somebody simply slapped an ALv2 license on their repo.
> > > >>>>>>>>>>
> > > > >>>>>>>>>> As for #2 -- this is where the hell typically breaks loose and
> > > > >>>>>>>>>> that's where you either do the same good job you do with #1
> > > > >>>>>>>>>> (there are no shortcuts -- sorry)
> > > >>>>>>>>>>
> > > >>>>>>>>>> OR
> > > >>>>>>>>>>
> > > > >>>>>>>>>> You simply decide NOT to release binary artifacts and make them
> > > > >>>>>>>>>> responsibility of somebody else. A typical example of somebody
> > > > >>>>>>>>>> else would be a Linux Distribution company.
> > > >>>>>>>>>>
> > > > >>>>>>>>>> Or it can even be yourself with your individual's hat on -- it
> > > > >>>>>>>>>> just can NOT be ASF unless we can do the same due diligence we
> > > > >>>>>>>>>> do for #1.
> > > >>>>>>>>>>
> > > >>>>>>>>>> Thanks,
> > > >>>>>>>>>> Roman.
> > > >>>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>
> > > >>>>>
> > > >>>>
> > > >>>
> > >
> > >
> >
