Hi Ryan,

Thanks for the review. Here's my comment:

1. The "blanket" is not a blanket: it's just the note about Gradle.
2. For DropWizard, the LICENSE is the unmodified LICENSE file (https://www.apache.org/licenses/LICENSE-2.0) without change, so there's no need to copy it into the LICENSE file.
3. The DropWizard NOTICE is actually included in the Polaris NOTICE file; that's this section:
   "Dropwizard
   Copyright 2010-2013 Coda Hale and Yammer, Inc., 2014-2020 Dropwizard Team
   This product includes software developed by Coda Hale and Yammer, Inc."
4. There's no code copied from Dropwizard, but as we use Discoverable and the DropWizard Test Extension, we mention them in the NOTICE (which is totally acceptable in a NOTICE; some Apache projects use NOTICE to mention used and included dependencies, for instance).
5. This release only includes the source distribution, so everything in LICENSE-BINARY-DIST is unrelated to the release and will be fixed with the first release including binary distributions (the script generating that should be changed, but as we are changing the runtime framework, it will be revisited).

Regards
JB

On Mon, Jan 13, 2025 at 7:07 PM rdb...@gmail.com <rdb...@gmail.com> wrote:
>
> I’m still -1 on this release due to licensing concerns.
>
> The LICENSE file includes a blanket statement that there are third-party components that are licensed under the Apache Software License 2.0, but doesn’t list what they are. I think this needs to be specific.
>
> The NOTICE file has a copyright notice for DropWizard that I would expect to be in LICENSE. The third-party policy states that for third-party notices:
>
> Apache releases should contain a copy of each license, usually contained in the LICENSE document. For many licenses this is a sufficient notice. Some licenses require some additional notice. In many cases, you can include this notice within the dependent artifact.
>
> For the DropWizard content, I’d also expect to see documentation of what was copied into the Polaris source tree. There are similar notices for ASF projects, which would be nice to document in the LICENSE file, but aren’t strictly necessary.
>
> The binary license file includes this:
>
> Apache Polaris distributions contain some or all of the following dependencies
>
> I don’t think this is adequate. Each binary artifact should document the third-party code that it includes, the license under which it is included, and no other license text (see “How should I handle a work when there is a choice of license?” <https://www.apache.org/legal/resolved.html#mutually-exclusive>). As it is right now, there are copies of the GPL and that can create a lot of concern — doing the work to show that all components use a Category A or B license is super important for downstream consumers. In addition, it isn’t sufficient to say that a third-party Category B project might be included. It needs to be clear for each artifact what exactly is included; this will also help with the issues below, which may not actually apply to artifacts because dependencies are provided at runtime rather than bundled.
>
> There should also be a NOTICE for each binary artifact. And given the other issues with the binary license (see below), I’m not confident that there is not additional work to be done to compile the NOTICE.
>
> It’s also a good practice to link to the license text rather than include it when it is generic, like the CDDL. When the license embeds authorship information (such as “Neither the name of Company Inc. nor the names of its contributors …”) I think it’s fine to include.
>
> I recommend a bit more formatting to make the text more clear. For example, the jakarta.activation section has confusing sub-sections that state that the license identifier is BSD-3-clause, but just above it says it is EDLv1.0. It would be better to show that this entire section was copied from the other project. (This looks like a common problem.)
>
> The binary license also includes a few issues:
>
> Sax (0.2)
>
> - License: SAX-PD
> - Project: http://www.megginson.com/downloads/SAX/
> - Source: http://sourceforge.net/project/showfiles.php?group_id=29449
>
> I’m not sure what the SAX-PD license is and what category it falls under.
>
> wagon-http-lightweight (3.0.0)
>
> - License: Pending
> - Project: https://maven.apache.org/wagon/
> - Source: https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-http-lightweight/3.0.0
>
> This needs to be clarified.
>
> dom4j (1.6.1)
>
> - License: Custom license based on Apache 1.1
>
> Is this custom license compatible?
>
> jakarta.xml.bind-api has this in its third-party section:
>
> JTHarness (5.0)
>
> - License: (GPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0)
> - Project: https://wiki.openjdk.java.net/display/CodeTools/JT+Harness
> - Source: http://hg.openjdk.java.net/code-tools/jtharness/
>
> Neither GPL-2.0 nor GPL-2.0 WITH Classpath-exception-2.0 is Category B, so I think this is Category X and cannot be included. SigTest has the same issue in this section.
>
> Service Data Objects (SDO) (2.1)
>
> - License: OSOA SDO License
>
> What is this license and what category does it fall under?
>
> JPA (2.0)
>
> - License: Negotiated agreement between Sun and Eclipse (supercedes spec terms)
> - Project: http://jcp.org/en/jsr/detail?id=317
>
> org.apache.felix.framework (6.0.3)
>
> - License: Pending
>
> pax-exam (n/a)
>
> - License: Pending
>
> pax-exam-container-forked (4.13.1)
>
> - License: Pending
>
> pax-exam-junit4 (4.13.1)
>
> - License: Pending
>
> pax-exam-link-mvn (4.13.1)
>
> - License: Pending
>
> There are a lot more “Pending” that I won’t list.
>
> org.jline:jline
>
> JLine is distributed under the BSD License, meaning that you are completely free to redistribute, modify, or sell it with almost no restrictions.
>
> This should include the license and not a third-party interpretation of what the license means.
>
> On Fri, Jan 10, 2025 at 9:51 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > Hi Dmitri
> >
> > That's right: https://github.com/apache/polaris/issues/648
> >
> > I will open a PR soon.
> >
> > Regards
> > JB
> >
> > On Sat, Jan 11, 2025 at 12:44 AM Dmitri Bourlatchkov <di...@apache.org> wrote:
> > >
> > > +1 (nb)
> > >
> > > Verified signature, checksum.
> > >
> > > JB: I believe you mentioned in the community sync call that you were going to share some info on how releases are supposed to be verified :)
> > >
> > > Cheers,
> > > Dmitri.
> > >
> > > On Wed, Jan 8, 2025 at 11:01 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > >
> > > > Hi folks,
> > > >
> > > > As mentioned in another thread, I submit Apache Polaris 0.9.0-incubating rc2 to your vote.
> > > >
> > > > * This corresponds to the tag: apache-polaris-0.9.0-incubating-rc2
> > > > * https://github.com/apache/polaris/commits/apache-polaris-0.9.0-incubating-rc2
> > > > * https://github.com/apache/polaris/tree/8289d4e340343f737fade4ee7e20136fe7c8a9ec
> > > >
> > > > The release tarball, signature, and checksums are here:
> > > > * https://dist.apache.org/repos/dist/dev/incubator/polaris/0.9.0-incubating/
> > > >
> > > > You can find the KEYS file here:
> > > > * https://dist.apache.org/repos/dist/release/incubator/polaris/KEYS
> > > >
> > > > NB: as we are still working on the binary distributions, this release "only" includes the source distribution (mandatory by The ASF and The ASF Incubator).
> > > >
> > > > Please download, verify, and test.
> > > >
> > > > Please vote in the next 72 hours.
> > > > [ ] +1 Release this as Apache polaris 0.9.0-incubating
> > > > [ ] +0
> > > > [ ] -1 Do not release this because...
> > > >
> > > > Only PPMC members and mentors have binding votes, but other community members are encouraged to cast non-binding votes. This vote will pass if there are 3 binding +1 votes and more binding +1 votes than -1 votes.
> > > >
> > > > NB: if this vote passes, a new vote will be started on the Incubator general mailing list.
> > > >
> > > > Thanks
> > > > Regards
> > > > JB
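For the "download, verify, and test" step in the vote request quoted above (the check Dmitri reports as "Verified signature, checksum"), here is an added example script, not code from the Polaris project or anyone in the thread: it compares the tarball against its .sha512 file and verifies the detached .asc signature using a throw-away keyring built only from the KEYS file. It assumes the tarball, its .asc and .sha512 files and KEYS have already been fetched into one local directory; all file names are placeholders.

```shell
#!/bin/sh
# Added example: offline verification of a downloaded ASF release candidate.
# Assumes the tarball, <tarball>.asc, <tarball>.sha512 and KEYS were already
# fetched into one directory; every path below is a placeholder.

# sha512sum (coreutils) or shasum (macOS/BSD); both print "<hex>  <file>".
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"; else shasum -a 512 "$1"; fi
}

# Compare the artifact with its .sha512 file. ASF checksum files are either
# "<hex>  <filename>" or a bare "<hex>", so take the first field of line 1
# (case-insensitively) rather than relying on sha512sum -c to parse the file.
check_sha512() {
    artifact="$1"; sumfile="${2:-$1.sha512}"
    [ -f "$artifact" ] && [ -f "$sumfile" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512_of "$artifact" | awk '{print tolower($1)}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature against a keyring built only from KEYS, so a
# key that happens to be in the local keyring cannot mask a wrong signing key.
check_signature() {
    artifact="$1"; keys="$2"; sig="${3:-$1.asc}"
    [ -f "$artifact" ] && [ -f "$keys" ] && [ -f "$sig" ] || return 2
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    if ! gpg --batch --quiet --homedir "$home" --import "$keys" >/dev/null 2>&1; then
        rm -rf "$home"; return 1
    fi
    gpg --batch --homedir "$home" --verify "$sig" "$artifact"
    status=$?
    rm -rf "$home"
    return "$status"
}

# A release candidate is acceptable only when both checks pass.
verify_release() {
    check_sha512 "$1" && check_signature "$1" "$2"
}

# Usage (placeholder names): verify_release apache-polaris-0.9.0-incubating.tar.gz KEYS
```

A signature that verifies against a key from KEYS only proves the artifact was signed by someone holding that key; whether that key belongs to the release manager is still checked by hand against the KEYS file and the project's release documentation.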