Hi Oliver,

We make our best effort to list all the third-party licenses. In case something is missing feel free to report them.

regards,
sathwik

On Wed, Oct 18, 2017 at 7:02 PM, Sathwik B P <sath...@apache.org> wrote:

> Hi Oliver,
>
> Apache project's source & binaries are under ASLV2.
>
> Third-party dependent binaries and their licenses will be included in the
> project distribution. If third-party binary license is not compatible with
> ASLV2, we don't ship that binary.
>
> As of Apache ODE source code distribution, we don't ship any third-party
> dependent source along with it nor do we take their source and compile it
> ourselves. We only use third-party library in its binary form and its
> binary license will be shipped with the ODE binary distribution.
>
> The binary licenses are packaged under /lib directory of the war
> distribution in release 1.3.7 https://ode.apache.org/getting-ode.html
>
> You can also refer to http://www.apache.org/legal/
>
> regards,
> sathwik
>
> On Wed, Oct 18, 2017 at 4:19 PM, Oliver Kopp <kopp....@gmail.com> wrote:
>
>> Hi,
>>
>> We are going to use Apache ODE in a project with involvement of
>> industry partners. There, we are obliged to prove all (transitive)
>> dependencies ODE uses, in order to guarantee that all of them apply to
>> the Apache License Version 2.0. Unfortunately, we were not able to
>> (automatically) retrieve/find the source code for 15 of the 83
>> dependencies (from Maven Central) which are packaged into the final
>> ODE WAR distribution and therefore cannot check what licenses these
>> dependencies REALLY have:
>>
>> 1. annogen:annogen:jar:sources:0.1.0
>> 2. org.apache.derby:derby:jar:sources:10.5.3.0_1
>> 3. org.apache.derby:derbytools:jar:sources:10.5.3.0_1
>> 4. tranql:tranql-connector:jar:sources:1.1
>> 5. org.apache.geronimo.specs:geronimo-j2ee-connector_1.5_spec:jar:sources:1.0
>> 6. org.apache.velocity:velocity:jar:sources:1.5
>> 7. net.sourceforge.serp:serp:jar:sources:1.13.1
>> 8. org.jibx:jibx-run:jar:sources:1.2.1
>> 9. commons-primitives:commons-primitives:jar:sources:1.0
>> 10. geronimo-spec:geronimo-spec-jms:jar:sources:1.1-rc4
>> 11. org.apache.santuario:xmlsec:jar:sources:1.4.6
>> 12. org.apache.xmlbeans:xmlbeans:jar:sources:2.6.0
>> 13. org.opensaml:opensaml1:jar:sources:1.1
>> 14. org.apache.axis2:axis2-transports:jar:sources:1.0-i6
>> 15. stax:stax-api:jar:sources:1.0.1
>>
>> The question is, if someone of the ODE team already has transitively
>> checked all related licenses of the used dependencies when open
>> sourcing Apache ODE so that we can rely on your checks?
>>
>> Otherwise, would it be potentially possible that someone can provide
>> us the source code for all dependencies bundled within the WAR
>> distribution of Apache ODE so that we can check them?
>>
>> Cheers,
>>
>> Oliver