Hi Ryan

As you can see in my previous email, I totally agree with you about the
issues on the LICENSE_BINARY_DIST.
As this release only includes source distribution (no jar files, no binary
packages), and I checked LICENSE/NOTICE for this distribution (see my vote
email for details), I think we are good.

Do you maintain your -1 vote?

Thanks
Regards
JB

On Mon, Jan 13, 2025 at 19:07, rdb...@gmail.com <rdb...@gmail.com> wrote:

> I’m still -1 on this release due to licensing concerns.
>
> The LICENSE file includes a blanket statement that there are third-party
> components that are licensed under the Apache Software License 2.0, but
> doesn’t list what they are. I think this needs to be specific.
>
> The NOTICE file has a copyright notice for DropWizard that I would expect
> to be in LICENSE. The third-party policy states that for third-party
> notices:
>
> Apache releases should contain a copy of each license, usually contained in
> the LICENSE document. For many licenses this is a sufficient notice. Some
> licenses require some additional notice. In many cases, you can include
> this notice within the dependent artifact.
>
> For the DropWizard content, I’d also expect to see documentation of what
> was copied into the Polaris source tree. There are similar notices for ASF
> projects, which would be nice to document in the LICENSE file, but aren’t
> strictly necessary.
>
> The binary license file includes this:
>
> Apache Polaris distributions contain some or all of the following
> dependencies
>
> I don’t think this is adequate. Each binary artifact should document the
> third-party code that it includes, the license under which it is included,
> and no other license text (see “How should I handle a work when there is a
> choice of license?”
> <https://www.apache.org/legal/resolved.html#mutually-exclusive>). As it is
> right now, there are copies of the GPL and that can create a lot of concern
> — doing the work to show that all components use a Category A or B license
> is super important for downstream consumers. In addition, it isn’t
> sufficient to say that a third-party Category B project might be included.
> It needs to be clear for each artifact what exactly is included; this will
> also help with the issues below which may not actually apply to artifacts
> because dependencies are provided at runtime rather than bundled.
>
> There should also be a NOTICE for each binary artifact. And given the other
> issues with the binary license (see below), I’m not confident that there is
> not additional work to be done to compile the NOTICE.
>
> It’s also a good practice to link to the license text rather than include
> it when it is generic, like the CDDL. When the license embeds authorship
> information (such as “Neither the name of Company Inc. nor the names of its
> contributors …”) I think it’s fine to include.
>
> I recommend a bit more formatting to make the text more clear. For example,
> the jakarta.activation section has confusing sub-sections that state that
> the license identifier is BSD-3-clause but just above it says it is
> EDLv1.0. It would be better to show that this entire section was copied
> from the other project. (This looks like a common problem.)
>
> The binary license also includes a few issues:
>
> Sax (0.2)
>
>    - License: SAX-PD
>    - Project: http://www.megginson.com/downloads/SAX/
>    - Source: http://sourceforge.net/project/showfiles.php?group_id=29449
>
> I’m not sure what the SAX-PD license is and what category it falls under.
>
> wagon-http-lightweight (3.0.0)
>
>    - License: Pending
>    - Project: https://maven.apache.org/wagon/
>    - Source: https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-http-lightweight/3.0.0
>
> This needs to be clarified.
>
> dom4j (1.6.1)
>
>    - License: Custom license based on Apache 1.1
>
> Is this custom license compatible?
>
> jakarta.xml.bind-api has this in its third-party section:
>
> JTHarness (5.0)
>
>    - License: (GPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0)
>    - Project: https://wiki.openjdk.java.net/display/CodeTools/JT+Harness
>    - Source: http://hg.openjdk.java.net/code-tools/jtharness/
>
> Neither GPL-2.0 or GPL-2.0 WITH Classpath-exception-2.0 is Category B so I
> think this is Category X and cannot be included. SigTest has the same issue
> in this section.
>
>
> Service Data Objects (SDO) (2.1)
>
>    - License: OSOA SDO License
>
> What is this license and what category does it fall under?
>
> JPA (2.0)
>
>    - License: Negotiated agreement between Sun and Eclipse (supercedes spec
>    terms)
>    - Project: http://jcp.org/en/jsr/detail?id=317
>
> org.apache.felix.framework (6.0.3)
>
>    - License: Pending
>
> pax-exam (n/a)
>
>    - License: Pending
>
> pax-exam-container-forked (4.13.1)
>
>    - License: Pending
>
> pax-exam-junit4 (4.13.1)
>
>    - License: Pending
>
> pax-exam-link-mvn (4.13.1)
>
>    - License: Pending
>
> There are a lot more “Pending” that I won’t list.
>
> org.jline:jline
>
> JLine is distributed under the BSD License, meaning that you are completely
> free to redistribute, modify, or sell it with almost no restrictions.
>
> This should include the license and not a third-party interpretation of
> what the license means.
>
> On Fri, Jan 10, 2025 at 9:51 PM Jean-Baptiste Onofré <j...@nanthrax.net>
> wrote:
>
> > Hi Dmitri
> >
> > That's right: https://github.com/apache/polaris/issues/648
> >
> > I will open a PR soon.
> >
> > Regards
> > JB
> >
> > On Sat, Jan 11, 2025 at 12:44 AM Dmitri Bourlatchkov <di...@apache.org>
> > wrote:
> > >
> > > +1 (nb)
> > >
> > > Verified signature, checksum.
> > >
> > > JB: I believe you mentioned in the community sync call that you were
> > > going to share some info on how releases are supposed to be verified :)
> > >
> > > Cheers,
> > > Dmitri.
> > >
> > > On Wed, Jan 8, 2025 at 11:01 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> > > wrote:
> > >
> > > > Hi folks,
> > > >
> > > > As mentioned in another thread, I submit Apache Polaris
> > > > 0.9.0-incubating rc2 to your vote.
> > > >
> > > > * This corresponds to the tag: apache-polaris-0.9.0-incubating-rc2
> > > > * https://github.com/apache/polaris/commits/apache-polaris-0.9.0-incubating-rc2
> > > > * https://github.com/apache/polaris/tree/8289d4e340343f737fade4ee7e20136fe7c8a9ec
> > > >
> > > > The release tarball, signature, and checksums are here:
> > > > * https://dist.apache.org/repos/dist/dev/incubator/polaris/0.9.0-incubating/
> > > >
> > > > You can find the KEYS file here:
> > > > * https://dist.apache.org/repos/dist/release/incubator/polaris/KEYS
> > > >
> > > > NB: as we are still working on the binary distributions, this release
> > > > "only" includes the source distribution (mandatory by The ASF and The
> > > > ASF Incubator).
> > > >
> > > > Please download, verify, and test.
> > > >
> > > > Please vote in the next 72 hours.
> > > > [ ] +1 Release this as Apache Polaris 0.9.0-incubating
> > > > [ ] +0
> > > > [ ] -1 Do not release this because...
> > > >
> > > > Only PPMC members and mentors have binding votes, but other community
> > > > members are encouraged to cast non-binding votes. This vote will pass
> > > > if there are 3 binding +1 votes and more binding +1 votes than -1 votes.
> > > >
> > > > NB: if this vote passes, a new vote will be started on the Incubator
> > > > general mailing list.
> > > >
> > > > Thanks
> > > > Regards
> > > > JB
> > > >
> >
>

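The verification step the vote email asks for ("download, verify, and test" against the KEYS file, the signature and the checksums), worked through as an added example. This is not code from the Polaris project or from anyone in the thread. It assumes the usual Apache dist layout, a release tarball with sibling `.asc` and `.sha512` files, plus the project's KEYS file, all already downloaded to local paths; the script name `verify-rc.sh` and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Polaris project code): verify an Apache release
# candidate's SHA-512 checksum and detached GPG signature using only the
# keys published in the project's KEYS file. Nothing is downloaded here;
# every path is passed in as an argument.

# Pick a SHA-512 tool: GNU coreutils sha512sum, or shasum on BSD/macOS.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Compare the artifact's digest with the first field of its .sha512 file.
# Apache checksum files are either "<hex>  <name>" or a bare "<hex>"; taking
# the first token of the first line handles both, and the case-fold accepts
# tools that emit uppercase hex. An empty or missing checksum file fails.
verify_sha512() {
  artifact=$1
  sumfile=$2
  expected=$(awk 'NR==1 {print $1}' "$sumfile" 2>/dev/null | tr 'A-F' 'a-f')
  actual=$(sha512_of "$artifact")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Verify the detached signature <artifact>.asc against ONLY the keys in the
# KEYS file: they are imported into a throwaway keyring, so a signature by a
# key that is absent from KEYS is rejected even if the verifier's personal
# keyring happens to contain and trust it.
verify_signature() {
  artifact=$1
  keys_file=$2
  keyring=$(mktemp -d) || return 1
  chmod 700 "$keyring"
  rc=1
  if GNUPGHOME=$keyring gpg --batch --quiet --import "$keys_file" >/dev/null 2>&1 \
     && GNUPGHOME=$keyring gpg --batch --verify "$artifact.asc" "$artifact" >/dev/null 2>&1; then
    rc=0
  fi
  rm -rf "$keyring"
  return $rc
}

# Run both checks; a candidate is only worth building and testing once
# integrity (checksum) and provenance (signature from a KEYS key) both hold.
verify_release() {
  artifact=$1
  keys_file=$2
  verify_sha512 "$artifact" "$artifact.sha512" \
    || { echo "checksum mismatch: $artifact" >&2; return 1; }
  verify_signature "$artifact" "$keys_file" \
    || { echo "bad or unknown signature: $artifact.asc" >&2; return 1; }
  echo "OK: $artifact"
}

# Usage (placeholder names): sh verify-rc.sh <release-tarball> KEYS
# after downloading the tarball, its .asc and .sha512, and the KEYS file.
if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2"
fi
```

The throwaway `GNUPGHOME` is the point of the signature check: `gpg --verify` against the default keyring answers "is this signed by some key I have", while a release vote needs "is this signed by a key the project published in KEYS". The checksum check alone only proves the tarball matches the `.sha512` next to it; both files come from the same server, so it catches corruption, not substitution.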