Hey JB, I just sent a reply to the list with additional details. I don't think that this release applies license policy correctly even in the other files, so my vote is still -1.
On Tue, Jan 14, 2025 at 11:05 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi Ryan
>
> As you can see in my previous email, I totally agree with you about the issues on the LICENSE_BINARY_DIST.
> As this release only includes source distribution (no jar files, no binary packages), and I checked LICENSE/NOTICE for this distribution (see my vote email for details), I think we are good.
>
> Do you maintain your -1 vote?
>
> Thanks
> Regards
> JB
>
> On Mon, Jan 13, 2025 at 19:07, rdb...@gmail.com <rdb...@gmail.com> wrote:
>
> > I’m still -1 on this release due to licensing concerns.
> >
> > The LICENSE file includes a blanket statement that there are third-party components that are licensed under the Apache Software License 2.0, but doesn’t list what they are. I think this needs to be specific.
> >
> > The NOTICE file has a copyright notice for DropWizard that I would expect to be in LICENSE. The third-party policy states that for third-party notices:
> >
> > Apache releases should contain a copy of each license, usually contained in the LICENSE document. For many licenses this is a sufficient notice. Some licenses require some additional notice. In many cases, you can include this notice within the dependent artifact.
> >
> > For the DropWizard content, I’d also expect to see documentation of what was copied into the Polaris source tree. There are similar notices for ASF projects, which would be nice to document in the LICENSE file, but aren’t strictly necessary.
> >
> > The binary license file includes this:
> >
> > Apache Polaris distributions contain some or all of the following dependencies
> >
> > I don’t think this is adequate.
> > Each binary artifact should document the third-party code that it includes, the license under which it is included, and no other license text (see “How should I handle a work when there is a choice of license?” <https://www.apache.org/legal/resolved.html#mutually-exclusive>). As it is right now, there are copies of the GPL and that can create a lot of concern — doing the work to show that all components use a Category A or B license is super important for downstream consumers. In addition, it isn’t sufficient to say that a third-party Category B project might be included. It needs to be clear for each artifact what exactly is included; this will also help with the issues below which may not actually apply to artifacts because dependencies are provided at runtime rather than bundled.
> >
> > There should also be a NOTICE for each binary artifact. And given the other issues with the binary license (see below), I’m not confident that there is not additional work to be done to compile the NOTICE.
> >
> > It’s also a good practice to link to the license text rather than include it when it is generic, like the CDDL. When the license embeds authorship information (such as “Neither the name of Company Inc. nor the names of its contributors …”) I think it’s fine to include.
> >
> > I recommend a bit more formatting to make the text more clear. For example, the jakarta.activation section has confusing sub-sections that state that the license identifier is BSD-3-clause but just above it says it is EDLv1.0. It would be better to show that this entire section was copied from the other project. (This looks like a common problem.)
> >
> > The binary license also includes a few issues:
> >
> > Sax (0.2)
> >
> > - License: SAX-PD
> > - Project: http://www.megginson.com/downloads/SAX/
> > - Source: http://sourceforge.net/project/showfiles.php?group_id=29449
> >
> > I’m not sure what the SAX-PD license is and what category it falls under.
> >
> > wagon-http-lightweight (3.0.0)
> >
> > - License: Pending
> > - Project: https://maven.apache.org/wagon/
> > - Source: https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-http-lightweight/3.0.0
> >
> > This needs to be clarified.
> >
> > dom4j (1.6.1)
> >
> > - License: Custom license based on Apache 1.1
> >
> > Is this custom license compatible?
> >
> > jakarta.xml.bind-api has this in its third-party section:
> >
> > JTHarness (5.0)
> >
> > - License: (GPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0)
> > - Project: https://wiki.openjdk.java.net/display/CodeTools/JT+Harness
> > - Source: http://hg.openjdk.java.net/code-tools/jtharness/
> >
> > Neither GPL-2.0 nor GPL-2.0 WITH Classpath-exception-2.0 is Category B so I think this is Category X and cannot be included. SigTest has the same issue in this section.
> >
> > Service Data Objects (SDO) (2.1)
> >
> > - License: OSOA SDO License
> >
> > What is this license and what category does it fall under?
> >
> > JPA (2.0)
> >
> > - License: Negotiated agreement between Sun and Eclipse (supercedes spec terms)
> > - Project: http://jcp.org/en/jsr/detail?id=317
> >
> > org.apache.felix.framework (6.0.3)
> >
> > - License: Pending
> >
> > pax-exam (n/a)
> >
> > - License: Pending
> >
> > pax-exam-container-forked (4.13.1)
> >
> > - License: Pending
> >
> > pax-exam-junit4 (4.13.1)
> >
> > - License: Pending
> >
> > pax-exam-link-mvn (4.13.1)
> >
> > - License: Pending
> >
> > There are a lot more “Pending” that I won’t list.
> >
> > org.jline:jline
> >
> > JLine is distributed under the BSD License, meaning that you are completely free to redistribute, modify, or sell it with almost no restrictions.
> >
> > This should include the license and not a third-party interpretation of what the license means.
> >
> > On Fri, Jan 10, 2025 at 9:51 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > > Hi Dmitri
> > >
> > > That's right: https://github.com/apache/polaris/issues/648
> > >
> > > I will open a PR soon.
> > >
> > > Regards
> > > JB
> > >
> > > On Sat, Jan 11, 2025 at 12:44 AM Dmitri Bourlatchkov <di...@apache.org> wrote:
> > >
> > > > +1 (nb)
> > > >
> > > > Verified signature, checksum.
> > > >
> > > > JB: I believe you mentioned in the community sync call that you were going to share some info on how releases are supposed to be verified :)
> > > >
> > > > Cheers,
> > > > Dmitri.
> > > >
> > > > On Wed, Jan 8, 2025 at 11:01 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > >
> > > > > Hi folks,
> > > > >
> > > > > As mentioned in another thread, I submit Apache Polaris 0.9.0-incubating rc2 to your vote.
> > > > >
> > > > > * This corresponds to the tag: apache-polaris-0.9.0-incubating-rc2
> > > > > * https://github.com/apache/polaris/commits/apache-polaris-0.9.0-incubating-rc2
> > > > > * https://github.com/apache/polaris/tree/8289d4e340343f737fade4ee7e20136fe7c8a9ec
> > > > >
> > > > > The release tarball, signature, and checksums are here:
> > > > > * https://dist.apache.org/repos/dist/dev/incubator/polaris/0.9.0-incubating/
> > > > >
> > > > > You can find the KEYS file here:
> > > > > * https://dist.apache.org/repos/dist/release/incubator/polaris/KEYS
> > > > >
> > > > > NB: as we are still working on the binary distributions, this release "only" includes the source distribution (mandatory by The ASF and The ASF Incubator).
> > > > >
> > > > > Please download, verify, and test.
> > > > >
> > > > > Please vote in the next 72 hours.
> > > > > [ ] +1 Release this as Apache Polaris 0.9.0-incubating
> > > > > [ ] +0
> > > > > [ ] -1 Do not release this because...
> > > > >
> > > > > Only PPMC members and mentors have binding votes, but other community members are encouraged to cast non-binding votes. This vote will pass if there are 3 binding +1 votes and more binding +1 votes than -1 votes.
> > > > >
> > > > > NB: if this vote passes, a new vote will be started on the Incubator general mailing list.
> > > > >
> > > > > Thanks
> > > > > Regards
> > > > > JB