Here is the Apache policy for MIT and BSD licensed dependencies: http://www.apache.org/legal/resolved.html#category-a
"Many of these licenses have specific attribution terms that need to be adhered to, for example CC-A, often by adding them to the NOTICE file. Ensure you are doing this when including these works."

Do any of you know what the specific attribution terms for MIT and BSD licenses are? And should we follow them for test dependencies? Also, I see some of the dependencies are not marked test scoped in the poms; should we fix them?

And here is the policy for Eclipse: http://www.apache.org/legal/resolved.html#category-b
"Each license in this category requires some degree of reciprocity or other restriction on use." Not entirely sure what is required here.

On Mon, Jan 25, 2016 at 11:46 AM, Sravya Tirukkovalur <[email protected]> wrote:
> Plugin "analyze-report" did not work for Sentry, also it generates the
> dependencies but not the licenses. Filed Sentry-1029 to track automating
> this process of generating dependencies as well as their licenses.
>
> Here is the list of external dependencies which I manually compiled for now:
> https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses
>
> Can someone please double check the accuracy?
>
> Looking at the list, looks like it would be best to make sure the non-Apache
> licensed dependencies are attributed and handled well? By the way, all of
> these seem like test dependencies.
>
> Easymock (MIT)
> Mockito (MIT)
> Slf4j (MIT)
> Hamcrest (BSD)
> Junit (Eclipse)
>
> One thing to note is Sentry makes source only releases, not sure if it
> changes how we handle licenses of dependencies.
>
> On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <[email protected]> wrote:
>
>> Thanks for the updates Sravya, looks good.
>>
>> Yes, we should document the dependencies someplace; putting them on a wiki
>> is probably okay for now, but it will likely change fairly frequently.
>> Would be good to have some automation around this - the Maven dependency
>> plugin has support for generating a report on all dependencies:
>>
>> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
>>
>> Example output:
>>
>> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
>>
>> We should consider doing something similar.
>>
>> Thanks,
>> Lenni
>>
>> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <[email protected]> wrote:
>>
>>> Thanks Lenni for your feedback! Added some data points (links) to the doc.
>>>
>>> For the external dependencies, here is the list I got using "mvn clean
>>> dependency:list -DexcludeTransitive=true" and doing some cleaning up for
>>> duplicates:
>>>
>>> ant-contrib
>>> cglib
>>> com.google.guava
>>> com.jolbox
>>> commons-cli
>>> commons-lang
>>> commons-logging
>>> io.dropwizard.metrics
>>> javax.jdo
>>> joda-time
>>> junit
>>> log4j
>>> org.apache.commons
>>> org.apache.curator
>>> org.apache.derby
>>> org.apache.hadoop
>>> org.apache.hive.hcatalog
>>> org.apache.hive
>>> org.apache.pig
>>> org.apache.sentry
>>> org.apache.shiro
>>> org.apache.solr
>>> org.apache.sqoop
>>> org.apache.thrift
>>> org.apache.zookeeper
>>> org.datanucleus
>>> org.easymock
>>> org.easytesting
>>> org.eclipse.jetty
>>> org.hamcrest
>>> org.mockito
>>> org.objenesis
>>> org.slf4j
>>>
>>> I do not see anything except for junit in our proposal document. I think we
>>> should document these dependencies and their licenses somewhere?
>>>
>>> Thanks!
>>>
>>> On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <[email protected]> wrote:
>>>
>>>> Hi Sravya,
>>>> Thanks for putting together this document, it's very useful. With respect
>>>> to your comments:
>>>>
>>>> 1) Dependencies - Not sure if there is a better way, but you can run
>>>> something like:
>>>>     > mvn clean dependency:list -DexcludeTransitive=true
>>>> to get a listing of all the current dependencies specified in the
>>>> project.
>>>>
>>>> 2) Only comments in the doc are to point out links to back up your point
>>>> where relevant.
>>>>
>>>> Thanks,
>>>> Lenni
>>>>
>>>> On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <[email protected]> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> Bumping up this thread after the holiday season. Please take a look and
>>>>> provide feedback.
>>>>>
>>>>> Also I updated the doc to capture the vote for Committer == PPMC.
>>>>>
>>>>> I still have one outstanding question:
>>>>> - How do projects usually keep track of the list of external dependencies
>>>>>   for license checking? Is it just reading through the maven pom file? Or
>>>>>   is there a standard way?
>>>>>
>>>>> I think I figured out the answer to this question - What is the source of
>>>>> truth for ICLAs? How do we double check all new committers have ICLAs
>>>>> filed?
>>>>> - Members with ICLAs filed and in the Sentry group should appear here:
>>>>>   http://people.apache.org/committers-by-project.html#sentry
>>>>>
>>>>> On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <[email protected]> wrote:
>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> Here is the initial draft of Sentry maturity assessment:
>>>>>> https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
>>>>>>
>>>>>> Mentors & community members: Your feedback is valuable here. Looking
>>>>>> forward to constructive criticism if any, which can help the Sentry
>>>>>> community and its graduation.
>>>>>>
>>>>>> Also, I had a couple quick questions while drafting this.
>>>>>> 1. How do projects usually keep track of the list of external
>>>>>>    dependencies? Is it just reading through the maven pom file? Or is
>>>>>>    there a standard way?
>>>>>> 2. What is the source of truth for ICLAs? How do we double check all new
>>>>>>    committers have ICLAs filed apart from reading through the private
>>>>>>    mail archives?
>>>>>>
>>>>>> Regards,
>>>>>> --
>>>>>> Sravya Tirukkovalur
>>>>>
>>>>> --
>>>>> Sravya Tirukkovalur
>>>
>>> --
>>> Sravya Tirukkovalur
>
> --
> Sravya Tirukkovalur

--
Sravya Tirukkovalur
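The thread asks two mechanical questions: how to de-duplicate the output of `mvn clean dependency:list -DexcludeTransitive=true`, and which of the non-Apache dependencies are not actually test scoped. The small parser below answers both from the plugin's output. It is an added example, not code from the thread or the Sentry project; the sample output, including the scopes and the hadoop classifier line, is constructed, and it assumes the standard `[INFO]    groupId:artifactId:type[:classifier]:version:scope` line shape that `dependency:list` prints.

```python
import re
# Constructed sample of `mvn clean dependency:list -DexcludeTransitive=true`
# output (not real Sentry output); dependency lines have the shape
# [INFO]    groupId:artifactId:type[:classifier]:version:scope
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:2.8:list (default-cli) @ sentry-core ---
[INFO] The following files have been resolved:
[INFO]    junit:junit:jar:4.10:test
[INFO]    org.hamcrest:hamcrest-core:jar:1.1:test
[INFO]    org.mockito:mockito-all:jar:1.8.5:compile
[INFO]    org.easymock:easymock:jar:3.0:test
[INFO]    org.slf4j:slf4j-api:jar:1.6.1:compile
[INFO]    org.slf4j:slf4j-log4j12:jar:1.6.1:compile
[INFO]    org.apache.hadoop:hadoop-common:jar:tests:2.6.0:test
[INFO]    org.apache.hadoop:hadoop-common:jar:2.6.0:provided
"""

# Only lines with at least four colon-separated fields are dependency lines.
DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+:\S+:\S+:\S+)\s*$")

# Non-Apache dependencies named in the thread, keyed by Maven groupId.
NON_APACHE = {"org.easymock": "MIT", "org.mockito": "MIT", "org.slf4j": "MIT",
              "org.hamcrest": "BSD", "junit": "Eclipse"}

def parse_dependency_list(text):
    """One dict per dependency line (duplicates across modules are kept)."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue  # plugin banner, headers and other log lines
        parts = m.group(1).split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:  # classifier present, e.g. a "tests" jar
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue
        deps.append({"group": group, "artifact": artifact,
                     "version": version, "scope": scope})
    return deps

def unique_group_ids(deps):
    """The de-duplicated groupId list, as compiled by hand in the thread."""
    return sorted({d["group"] for d in deps})

def non_test_scoped(deps, licensed=NON_APACHE):
    """Non-Apache dependencies not marked test scoped: {groupId:artifactId: scope}."""
    return {f"{d['group']}:{d['artifact']}": d["scope"]
            for d in deps if d["group"] in licensed and d["scope"] != "test"}
```

Feed it the real `mvn dependency:list` output of every module and `non_test_scoped` lists exactly the poms the top message asks about fixing.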
