I’m still -1 on this release due to licensing concerns.

The LICENSE file includes a blanket statement that there are third-party
components that are licensed under the Apache Software License 2.0, but
doesn’t list what they are. I think this needs to be specific.

The NOTICE file has a copyright notice for DropWizard that I would expect
to be in LICENSE. The third-party policy states that for third-party
notices:

Apache releases should contain a copy of each license, usually contained in
the LICENSE document. For many licenses this is a sufficient notice. Some
licenses require some additional notice. In many cases, you can include
this notice within the dependent artifact.

For the DropWizard content, I’d also expect to see documentation of what
was copied into the Polaris source tree. There are similar notices for ASF
projects, which would be nice to document in the LICENSE file, but aren’t
strictly necessary.

The binary license file includes this:

Apache Polaris distributions contain some or all of the following
dependencies

I don’t think this is adequate. Each binary artifact should document the
third-party code that it includes, the license under which it is included,
and no other license text (see “How should I handle a work when there is a
choice of license?”
<https://www.apache.org/legal/resolved.html#mutually-exclusive>). As it is
right now, there are copies of the GPL and that can create a lot of concern
— doing the work to show that all components use a Category A or B license
is super important for downstream consumers. In addition, it isn’t
sufficient to say that a third-party Category B project might be included.
It needs to be clear for each artifact what exactly is included; this will
also help with the issues below which may not actually apply to artifacts
because dependencies are provided at runtime rather than bundled.

There should also be a NOTICE for each binary artifact. And given the other
issues with the binary license (see below), I’m not confident that there is
not additional work to be done to compile the NOTICE.

It’s also a good practice to link to the license text rather than include
it when it is generic, like the CDDL. When the license embeds authorship
information (such as “Neither the name of Company Inc. nor the names of its
contributors …”) I think it’s fine to include.

I recommend a bit more formatting to make the text more clear. For example,
the jakarta.activation section has confusing sub-sections that state that
the license identifier is BSD-3-clause but just above it says it is
EDLv1.0. It would be better to show that this entire section was copied
from the other project. (This looks like a common problem.)

The binary license also includes a few issues:

Sax (0.2)

   - License: SAX-PD
   - Project: http://www.megginson.com/downloads/SAX/
   - Source: http://sourceforge.net/project/showfiles.php?group_id=29449

I’m not sure what the SAX-PD license is and what category it falls under.

wagon-http-lightweight (3.0.0)

   - License: Pending
   - Project: https://maven.apache.org/wagon/
   - Source:
     https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-http-lightweight/3.0.0

This needs to be clarified.

dom4j (1.6.1)

   - License: Custom license based on Apache 1.1

Is this custom license compatible?

jakarta.xml.bind-api has this in its third-party section:

JTHarness (5.0)

   - License: (GPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0)
   - Project: https://wiki.openjdk.java.net/display/CodeTools/JT+Harness
   - Source: http://hg.openjdk.java.net/code-tools/jtharness/

Neither GPL-2.0 nor GPL-2.0 WITH Classpath-exception-2.0 is Category B, so I
think this is Category X and cannot be included. SigTest has the same issue
in this section.


Service Data Objects (SDO) (2.1)

   - License: OSOA SDO License

What is this license and what category does it fall under?

JPA (2.0)

   - License: Negotiated agreement between Sun and Eclipse (supercedes spec
   terms)
   - Project: http://jcp.org/en/jsr/detail?id=317

org.apache.felix.framework (6.0.3)

   - License: Pending

pax-exam (n/a)

   - License: Pending

pax-exam-container-forked (4.13.1)

   - License: Pending

pax-exam-junit4 (4.13.1)

   - License: Pending

pax-exam-link-mvn (4.13.1)

   - License: Pending

There are a lot more “Pending” that I won’t list.

org.jline:jline

JLine is distributed under the BSD License, meaning that you are completely
free to redistribute, modify, or sell it with almost no restrictions.

This should include the license and not a third-party interpretation of
what the license means.

On Fri, Jan 10, 2025 at 9:51 PM Jean-Baptiste Onofré <j...@nanthrax.net>
wrote:

> Hi Dmitri
>
> That's right: https://github.com/apache/polaris/issues/648
>
> I will open a PR soon.
>
> Regards
> JB
>
> On Sat, Jan 11, 2025 at 12:44 AM Dmitri Bourlatchkov <di...@apache.org>
> wrote:
> >
> > +1 (nb)
> >
> > Verified signature, checksum.
> >
> > JB: I believe you mentioned in the community sync call that you were
> going
> > to share some info on how releases are supposed to be verified :)
> >
> > Cheers,
> > Dmitri.
> >
> > On Wed, Jan 8, 2025 at 11:01 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> > wrote:
> >
> > > Hi folks,
> > >
> > > As mentioned in another thread, I submit Apache Polaris
> > > 0.9.0-incubating rc2 to your vote.
> > >
> > > * This corresponds to the tag: apache-polaris-0.9.0-incubating-rc2
> > > *
> > >
> https://github.com/apache/polaris/commits/apache-polaris-0.9.0-incubating-rc2
> > > *
> > >
> https://github.com/apache/polaris/tree/8289d4e340343f737fade4ee7e20136fe7c8a9ec
> > >
> > > The release tarball, signature, and checksums are here:
> > > *
> > >
> https://dist.apache.org/repos/dist/dev/incubator/polaris/0.9.0-incubating/
> > >
> > > You can find the KEYS file here:
> > > * https://dist.apache.org/repos/dist/release/incubator/polaris/KEYS
> > >
> > > NB: as we are still working on the binary distributions, this release
> > > "only" includes the source distribution (mandatory by The ASF and The
> > > ASF Incubator).
> > >
> > > Please download, verify, and test.
> > >
> > > Please vote in the next 72 hours.
> > > [ ] +1 Release this as Apache polaris 0.9.0-incubating
> > > [ ] +0
> > > [ ] -1 Do not release this because...
> > >
> > > Only PPMC members and mentors have binding votes, but other community
> > > members are encouraged to cast non-binding votes. This vote will pass
> > > if there are
> > > 3 binding +1 votes and more binding +1 votes than -1 votes.
> > >
> > > NB: if this vote passes, a new vote will be started on the Incubator
> > > general mailing list.
> > >
> > > Thanks
> > > Regards
> > > JB
> > >
>
