> The “blanket” is not a blanket: it’s just the note about gradle.

I do read it as a blanket statement because it is not clearly associated
with the next lines about gradle and refers to “various third-party
components”. Here’s the text:

> This product bundles various third-party components also under the Apache
> Software License 2.0.

Third-party components need to be individually documented so that people
using the library know what is included in the source tree and the license
under which those components are available. Saying there are “various
third-party components” doesn’t meet the requirement. If it is only gradle,
then I think it should state that the Gradle wrapper is included and that
it is under the ALv2 license (See this for how Iceberg does it).

> For DropWizard LICENSE is unmodified LICENSE file
> (https://www.apache.org/licenses/LICENSE-2.0) without change, so no need to
> copy into the LICENSE file

> DropWizard NOTICE is actually included in Polaris NOTICE file

> There’s no code copying from Dropwizard, but as we use Discoverable and
> DropWizard Test Extension, we mention in the NOTICE

If there is no code copied into the release tarball, then there is no need
to note it in LICENSE or NOTICE. From the Assembling LICENSE and NOTICE
files page <https://infra.apache.org/licensing-howto.html>:

> The LICENSE and NOTICE files must *exactly* represent the contents of the
> distribution they reside in. Only components and resources that are
> actually included in a distribution have any bearing on the content of that
> distribution’s NOTICE and LICENSE.

And:

> You must customize LICENSE and NOTICE files according to the content of the
> specific distribution they reside within. Do not add to LICENSE and NOTICE
> dependencies which are not in the distribution. *Only bundled bits matter.*

When a dependency is downloaded directly and is not bundled, it should not
affect the license documentation. From what you wrote, it sounds like
that’s the case with the DropWizard components.

> as we use Discoverable and DropWizard Test Extension, we mention in the
> NOTICE (which is totally acceptable in NOTICE, some Apache projects use
> NOTICE to mention used and included dependencies for instance)

It’s not true to say that this is “totally acceptable”. The section about
Modifications to NOTICE is very clear:

> *Do not* add anything to NOTICE which is not legally required.

The reason for this is that additions to NOTICE create obligations for
downstream consumers. NOTICE is not the right place to document bundled
code or bundled dependencies. The place for that is in LICENSE, even if
other projects have not done this correctly. From the same section:

> The NOTICE file is reserved for a certain subset of legally required
> notifications which are not satisfied by either the text of LICENSE or the
> presence of licensing information embedded within the bundled dependency.

Last, thanks for pointing out that there are no binaries. That means that
the license problems there aren’t as critical, but still, I would not vote
to approve this release with the issues and with that file present in the
RC. Since the issues above need to be handled, I’d recommend removing the
file from the release tarball to avoid possible confusion.

On Mon, Jan 13, 2025 at 11:52 AM Jean-Baptiste Onofré <j...@nanthrax.net>
wrote:

> Hi Ryan
>
> Thanks for the review. Here's my comment:
>
> 1. The "blanket" is not a blanket: it's just the note about gradle.
> 2. For DropWizard LICENSE is unmodified LICENSE file
> (https://www.apache.org/licenses/LICENSE-2.0) without change, so no
> need to copy into the LICENSE file
> 3. DropWizard NOTICE is actually included in Polaris NOTICE file,
> that's this section:
> "Dropwizard
> Copyright 2010-2013 Coda Hale and Yammer, Inc., 2014-2020 Dropwizard Team
>
> This product includes software developed by Coda Hale and Yammer, Inc.
> "
> 4. There's no code copying from Dropwizard, but as we use Discoverable
> and DropWizard Test Extension, we mention in the NOTICE (which is
> totally acceptable in NOTICE, some Apache projects use NOTICE to
> mention used and included dependencies for instance).
> 5. This release only includes source distribution, so everything in
> LICENSE-BINARY-DIST is unrelated to the release and will be fixed with
> the first release including binary distributions (the script
> generating that should be changed but as we are changing the runtime
> framework, it will be revisited)
>
> Regards
> JB
>
> On Mon, Jan 13, 2025 at 7:07 PM rdb...@gmail.com <rdb...@gmail.com> wrote:
> >
> > I’m still -1 on this release due to licensing concerns.
> >
> > The LICENSE file includes a blanket statement that there are third-party
> > components that are licensed under the Apache Software License 2.0, but
> > doesn’t list what they are. I think this needs to be specific.
> >
> > The NOTICE file has a copyright notice for DropWizard that I would expect
> > to be in LICENSE. The third-party policy states that for third-party
> > notices:
> >
> > Apache releases should contain a copy of each license, usually contained in
> > the LICENSE document. For many licenses this is a sufficient notice. Some
> > licenses require some additional notice. In many cases, you can include
> > this notice within the dependent artifact.
> >
> > For the DropWizard content, I’d also expect to see documentation of what
> > was copied into the Polaris source tree. There are similar notices for ASF
> > projects, which would be nice to document in the LICENSE file, but aren’t
> > strictly necessary.
> >
> > The binary license file includes this:
> >
> > Apache Polaris distributions contain some or all of the following
> > dependencies
> >
> > I don’t think this is adequate. Each binary artifact should document the
> > third-party code that it includes, the license under which it is included,
> > and no other license text (see “How should I handle a work when there is a
> > choice of license?”
> > <https://www.apache.org/legal/resolved.html#mutually-exclusive>). As it is
> > right now, there are copies of the GPL and that can create a lot of concern
> > — doing the work to show that all components use a Category A or B license
> > is super important for downstream consumers. In addition, it isn’t
> > sufficient to say that a third-party Category B project might be included.
> > It needs to be clear for each artifact what exactly is included; this will
> > also help with the issues below which may not actually apply to artifacts
> > because dependencies are provided at runtime rather than bundled.
> >
> > There should also be a NOTICE for each binary artifact. And given the other
> > issues with the binary license (see below), I’m not confident that there is
> > not additional work to be done to compile the NOTICE.
> >
> > It’s also a good practice to link to the license text rather than include
> > it when it is generic, like the CDDL. When the license embeds authorship
> > information (such as “Neither the name of Company Inc. nor the names of its
> > contributors …”) I think it’s fine to include.
> >
> > I recommend a bit more formatting to make the text more clear. For example,
> > the jakarta.activation section has confusing sub-sections that state that
> > the license identifier is BSD-3-clause but just above it says it is
> > EDLv1.0. It would be better to show that this entire section was copied
> > from the other project. (This looks like a common problem.)
> >
> > The binary license also includes a few issues:
> >
> > Sax (0.2)
> >
> >    - License: SAX-PD
> >    - Project: http://www.megginson.com/downloads/SAX/
> >    - Source: http://sourceforge.net/project/showfiles.php?group_id=29449
> >
> > I’m not sure what the SAX-PD license is and what category it falls under.
> >
> > wagon-http-lightweight (3.0.0)
> >
> >    - License: Pending
> >    - Project: https://maven.apache.org/wagon/
> >    - Source:
> >      https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-http-lightweight/3.0.0
> >
> > This needs to be clarified.
> >
> > dom4j (1.6.1)
> >
> >    - License: Custom license based on Apache 1.1
> >
> > Is this custom license compatible?
> >
> > jakarta.xml.bind-api has this in its third-party section:
> >
> > JTHarness (5.0)
> >
> >    - License: (GPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0)
> >    - Project: https://wiki.openjdk.java.net/display/CodeTools/JT+Harness
> >    - Source: http://hg.openjdk.java.net/code-tools/jtharness/
> >
> > Neither GPL-2.0 or GPL-2.0 WITH Classpath-exception-2.0 is Category B so I
> > think this is Category X and cannot be included. SigTest has the same issue
> > in this section.
> >
> >
> > Service Data Objects (SDO) (2.1)
> >
> >    - License: OSOA SDO License
> >
> > What is this license and what category does it fall under?
> >
> > JPA (2.0)
> >
> >    - License: Negotiated agreement between Sun and Eclipse (supercedes spec
> >      terms)
> >    - Project: http://jcp.org/en/jsr/detail?id=317
> >
> > org.apache.felix.framework (6.0.3)
> >
> >    - License: Pending
> >
> > pax-exam (n/a)
> >
> >    - License: Pending
> >
> > pax-exam-container-forked (4.13.1)
> >
> >    - License: Pending
> >
> > pax-exam-junit4 (4.13.1)
> >
> >    - License: Pending
> >
> > pax-exam-link-mvn (4.13.1)
> >
> >    - License: Pending
> >
> > There are a lot more “Pending” that I won’t list.
> >
> > org.jline:jline
> >
> > JLine is distributed under the BSD License, meaning that you are completely
> > free to redistribute, modify, or sell it with almost no restrictions.
> >
> > This should include the license and not a third-party interpretation of
> > what the license means.
> >
> > On Fri, Jan 10, 2025 at 9:51 PM Jean-Baptiste Onofré <j...@nanthrax.net>
> > wrote:
> >
> > > Hi Dmitri
> > >
> > > That's right: https://github.com/apache/polaris/issues/648
> > >
> > > I will open a PR soon.
> > >
> > > Regards
> > > JB
> > >
> > > On Sat, Jan 11, 2025 at 12:44 AM Dmitri Bourlatchkov <di...@apache.org>
> > > wrote:
> > > >
> > > > +1 (nb)
> > > >
> > > > Verified signature, checksum.
> > > >
> > > > JB: I believe you mentioned in the community sync call that you were going
> > > > to share some info on how releases are supposed to be verified :)
> > > >
> > > > Cheers,
> > > > Dmitri.
> > > >
> > > > On Wed, Jan 8, 2025 at 11:01 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> > > > wrote:
> > > >
> > > > > Hi folks,
> > > > >
> > > > > As mentioned in another thread, I submit Apache Polaris
> > > > > 0.9.0-incubating rc2 to your vote.
> > > > >
> > > > > * This corresponds to the tag: apache-polaris-0.9.0-incubating-rc2
> > > > > * https://github.com/apache/polaris/commits/apache-polaris-0.9.0-incubating-rc2
> > > > > * https://github.com/apache/polaris/tree/8289d4e340343f737fade4ee7e20136fe7c8a9ec
> > > > >
> > > > > The release tarball, signature, and checksums are here:
> > > > > * https://dist.apache.org/repos/dist/dev/incubator/polaris/0.9.0-incubating/
> > > > >
> > > > > You can find the KEYS file here:
> > > > > * https://dist.apache.org/repos/dist/release/incubator/polaris/KEYS
> > > > >
> > > > > NB: as we are still working on the binary distributions, this release
> > > > > "only" includes the source distribution (mandatory by The ASF and The
> > > > > ASF Incubator).
> > > > >
> > > > > Please download, verify, and test.
> > > > >
> > > > > Please vote in the next 72 hours.
> > > > > [ ] +1 Release this as Apache polaris 0.9.0-incubating
> > > > > [ ] +0
> > > > > [ ] -1 Do not release this because...
> > > > >
> > > > > Only PPMC members and mentors have binding votes, but other community
> > > > > members are encouraged to cast non-binding votes. This vote will pass
> > > > > if there are 3 binding +1 votes and more binding +1 votes than -1 votes.
> > > > >
> > > > > NB: if this vote passes, a new vote will be started on the Incubator
> > > > > general mailing list.
> > > > >
> > > > > Thanks
> > > > > Regards
> > > > > JB
> > > > >
> > >
>