Hi Oliver, Apache project's source & binaries are under ASLV2.
Third-party dependent binaries and their licenses will be included in the project distribution. If third-party binary license is not compatible with ASLV2, we don't ship that binary. As of Apache ODE source code distribution, we don't ship any third-party dependent source along with it nor do we take their source and compile it ourself. We only use third-party library in it's binary form and it's binary license will be shipped with the ODE binary distribution. The binary licenses are packaged under /lib directory of the war distribution in release 1.3.7 https://ode.apache.org/getting-ode.html You can also refer http://www.apache.org/legal/ regards, sathwik On Wed, Oct 18, 2017 at 4:19 PM, Oliver Kopp <kopp....@gmail.com> wrote: > Hi, > > We are going to use Apache ODE in a project with involvement of > industry partners. There, we are obliged to proof all (transitive) > dependencies ODE uses, in order to guarantee that all of them apply to > the Apache License Version 2.0. Unfortunately, we were not able to > (automatically) retrieve/find the source code for 15 of the 83 > dependencies (from Maven Central) which are packaged into the final > ODE WAR distribution and therefore cannot check what licenses these > dependencies REALLY have: > > > 1. annogen:annogen:jar:sources:0.1.0 > > 2. org.apache.derby:derby:jar:sources:10.5.3.0_1 > > 3. org.apache.derby:derbytools:jar:sources:10.5.3.0_1 > > 4. tranql:tranql-connector:jar:sources:1.1 > > 5. org.apache.geronimo.specs:geronimo-j2ee-connector_1.5_ > spec:jar:sources:1.0 > > 6. org.apache.velocity:velocity:jar:sources:1.5 > > 7. net.sourceforge.serp:serp:jar:sources:1.13.1 > > 8. org.jibx:jibx-run:jar:sources:1.2.1 > > 9. commons-primitives:commons-primitives:jar:sources:1.0 > > 10. geronimo-spec:geronimo-spec-jms:jar:sources:1.1-rc4 > > 11. org.apache.santuario:xmlsec:jar:sources:1.4.6 > > 12. org.apache.xmlbeans:xmlbeans:jar:sources:2.6.0 > > 13. org.opensaml:opensaml1:jar:sources:1.1 > > 14. org.apache.axis2:axis2-transports:jar:sources:1.0-i6 > > 15. stax:stax-api:jar:sources:1.0.1 > > > The question is, if someone of the ODE team already has transitively > checked all related licenses of the used dependencies when open > sourcing Apache ODE so that we can rely on your checks? > > Otherwise, would it be potentially possible that someone can provide > us the source code for all dependencies bundled within the WAR > distribution of Apache ODE so that we can check them? > > Cheers, > > Oliver >