Thanks for the idea Lenni! I did reach out on general@ and looks like [1] we do not need to deal with licenses of external dependencies as they are not part of our source release as long as they are Apache compatible. So we are good.
[1]: http://mail-archives.apache.org/mod_mbox/incubator-general/201601.mbox/%3C58DC821E-9418-4CD5-B99C-EE51364C2684%40classsoftware.com%3E

On Mon, Jan 25, 2016 at 12:33 PM, Lenni Kuff <[email protected]> wrote:

> Hi Sravya,
> You might want to ask this question on general@ to understand how other
> projects handle this and what the requirements are.
>
> Thanks,
> Lenni
>
> On Mon, Jan 25, 2016 at 11:55 AM, Sravya Tirukkovalur <[email protected]> wrote:
>
> > Here is the Apache policy for MIT and BSD licensed dependencies:
> > http://www.apache.org/legal/resolved.html#category-a
> > "Many of these licenses have specific attribution terms that need to be
> > adhered to, for example CC-A, often by adding them to the NOTICE file.
> > Ensure you are doing this when including these works."
> >
> > Do any of you know what are the specific attribution terms for MIT and
> > BSD licenses? And should we follow them for test dependencies? Also, I see
> > some of the dependencies are not marked test scoped in the poms, should we
> > fix them?
> >
> > And here is the policy for Eclipse:
> > http://www.apache.org/legal/resolved.html#category-b
> > "Each license in this category requires some degree of reciprocity or other
> > restriction on use". Not entirely sure what is required here.
> >
> >
> > On Mon, Jan 25, 2016 at 11:46 AM, Sravya Tirukkovalur <[email protected]> wrote:
> >
> > > Plugin "analyze-report" did not work for Sentry; also it generates the
> > > dependencies but not the licenses. Filed Sentry-1029 to track automating
> > > this process of generating dependencies as well as their licenses.
> > >
> > > Here is the list of external dependencies which I manually compiled for
> > > now:
> > >
> > > https://cwiki.apache.org/confluence/display/SENTRY/External+dependencies+and+Licenses
> > >
> > > Can someone please double check the accuracy?
> > >
> > > Looking at the list, looks like it would be best to make sure the non-Apache
> > > licensed dependencies are attributed and handled well? By the way, all of
> > > these seem like test dependencies.
> > >
> > > Easymock (MIT)
> > > Mockito (MIT)
> > > Slf4j (MIT)
> > > Hamcrest (BSD)
> > > Junit (Eclipse)
> > >
> > > One thing to note is Sentry makes source only releases, not sure if it
> > > changes how we handle licenses of dependencies.
> > >
> > > On Fri, Jan 22, 2016 at 5:06 PM, Lenni Kuff <[email protected]> wrote:
> > >
> > >> Thanks for the updates Sravya, looks good.
> > >>
> > >> Yes, we should document the dependencies someplace; putting them on a wiki
> > >> is probably okay for now, but it will likely change fairly frequently.
> > >> Would be good to have some automation around this - the Maven dependency
> > >> plugin has support for generating a report on all dependencies:
> > >>
> > >> https://maven.apache.org/plugins/maven-dependency-plugin/analyze-report-mojo.html
> > >>
> > >> Example output:
> > >>
> > >> https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/dependency-analysis.html
> > >>
> > >> We should consider doing something similar.
> > >>
> > >> Thanks,
> > >> Lenni
> > >>
> > >>
> > >> On Fri, Jan 22, 2016 at 4:54 PM, Sravya Tirukkovalur <[email protected]> wrote:
> > >>
> > >> > Thanks Lenni for your feedback! Added some data points (links) to the
> > >> > doc.
> > >> >
> > >> > For the external dependencies, here is the list I got using "mvn clean
> > >> > dependency:list -DexcludeTransitive=true" and doing some cleaning up for
> > >> > duplicates:
> > >> >
> > >> > ant-contrib
> > >> > cglib
> > >> > com.google.guava
> > >> > com.jolbox
> > >> > commons-cli
> > >> > commons-lang
> > >> > commons-logging
> > >> > io.dropwizard.metrics
> > >> > javax.jdo
> > >> > joda-time
> > >> > junit
> > >> > log4j
> > >> > org.apache.commons
> > >> > org.apache.curator
> > >> > org.apache.derby
> > >> > org.apache.hadoop
> > >> > org.apache.hive.hcatalog
> > >> > org.apache.hive
> > >> > org.apache.pig
> > >> > org.apache.sentry
> > >> > org.apache.shiro
> > >> > org.apache.solr
> > >> > org.apache.sqoop
> > >> > org.apache.thrift
> > >> > org.apache.zookeeper
> > >> > org.datanucleus
> > >> > org.easymock
> > >> > org.easytesting
> > >> > org.eclipse.jetty
> > >> > org.hamcrest
> > >> > org.mockito
> > >> > org.objenesis
> > >> > org.slf4j
> > >> >
> > >> > I do not see anything except for junit in our proposal document. I
> > >> > think we should document these dependencies and their licenses somewhere?
> > >> >
> > >> > Thanks!
> > >> >
> > >> > On Wed, Jan 20, 2016 at 4:41 PM, Lenni Kuff <[email protected]> wrote:
> > >> >
> > >> > > Hi Sravya,
> > >> > > Thanks for putting together this document, it's very useful. With respect
> > >> > > to your comments:
> > >> > >
> > >> > > 1) Dependencies - Not sure if there is a better way, but you can run
> > >> > > something like:
> > >> > >     > mvn clean dependency:list -DexcludeTransitive=true
> > >> > > to get a listing of all the current dependencies specified in the
> > >> > > project.
> > >> > >
> > >> > >
> > >> > > 2) Only comments in the doc are to point out links to back up your point
> > >> > > where relevant.
> > >> > >
> > >> > > Thanks,
> > >> > > Lenni
> > >> > >
> > >> > > On Wed, Jan 20, 2016 at 2:53 PM, Sravya Tirukkovalur <[email protected]> wrote:
> > >> > >
> > >> > > > Hello all,
> > >> > > >
> > >> > > > Bumping up this thread after the holiday season. Please take a look and
> > >> > > > provide feedback.
> > >> > > >
> > >> > > > Also I updated the doc to capture the vote for Committer == PPMC.
> > >> > > >
> > >> > > > I still have one outstanding question:
> > >> > > > - How do projects usually keep track of list of external dependencies for
> > >> > > > license checking? Is it just reading through the maven pom file? Or is
> > >> > > > there a standard way?
> > >> > > >
> > >> > > > I think I figured the answer for this question - What is the source of
> > >> > > > truth for ICLAs? How do we double check all new committers have ICLAs
> > >> > > > filed?
> > >> > > > - Members with ICLAs filed and in Sentry group should appear here:
> > >> > > > http://people.apache.org/committers-by-project.html#sentry
> > >> > > >
> > >> > > > On Fri, Nov 27, 2015 at 10:25 PM, Sravya Tirukkovalur <[email protected]> wrote:
> > >> > > >
> > >> > > > > Hi folks,
> > >> > > > >
> > >> > > > > Here is the initial draft of Sentry maturity assessment:
> > >> > > > >
> > >> > > > > https://cwiki.apache.org/confluence/display/SENTRY/Sentry+maturity+assessment
> > >> > > > >
> > >> > > > > Mentors & community members: Your feedback is valuable here. Looking
> > >> > > > > forward to constructive criticism if any, which can help the Sentry
> > >> > > > > community and its graduation.
> > >> > > > >
> > >> > > > > Also, I had a couple quick questions while drafting this.
> > >> > > > > 1. How do projects usually keep track of list of external dependencies? Is
> > >> > > > > it just reading through the maven pom file? Or is there a standard way?
> > >> > > > > 2. What is the source of truth for ICLAs? How do we double check all new
> > >> > > > > committers have ICLAs filed apart from reading through the private mail
> > >> > > > > archives?
> > >> > > > >
> > >> > > > > Regards,
> > >> > > > > --
> > >> > > > > Sravya Tirukkovalur
> > >> > > >
> > >> > > > --
> > >> > > > Sravya Tirukkovalur
> > >> >
> > >> > --
> > >> > Sravya Tirukkovalur
> > >
> > > --
> > > Sravya Tirukkovalur
> >
> > --
> > Sravya Tirukkovalur

--
Sravya Tirukkovalur
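The thread raises two mechanical questions that lend themselves to a small script: which direct dependencies a pom declares (the thread answers that with `mvn clean dependency:list -DexcludeTransitive=true`) and whether the libraries everyone agrees are test-only (Easymock, Mockito, Hamcrest, Junit) are actually marked `<scope>test</scope>`, since an unscoped test library ends up on the compile and runtime classpath of the release. The following is an added example, not code from the Sentry project or from anyone in this thread. It reads a pom directly with the standard library, so it works offline without Maven; the pom it parses is constructed for illustration (versions included), and the license table is an assumption taken only from the labels the thread lists, with everything else reported as UNKNOWN for manual review.

```python
"""Inventory direct Maven dependencies from a pom.xml and flag test-only
libraries that are not test-scoped.

Added example, not part of the Sentry project. The pom below is constructed
for illustration; the license table is an assumption taken from the thread.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Libraries the thread identifies as test-only, with the license labels it
# uses. Assumption: any dependency from these groupIds is test-only.
TEST_ONLY_LICENSES = {
    "org.easymock": "MIT",
    "org.mockito": "MIT",
    "org.hamcrest": "BSD",
    "junit": "Eclipse",
}

# Constructed sample pom (artifact versions are made up): junit is correctly
# test-scoped, mockito is missing its scope and so defaults to compile.
SAMPLE_POM = f"""<?xml version="1.0"?>
<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>1.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>1.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-all</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>
"""


def direct_dependencies(pom_xml):
    """Return (groupId, artifactId, scope) for each direct dependency.
    Maven's default scope is 'compile' when <scope> is absent, which is
    exactly the case the mis-scoping check needs to notice."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        scope = dep.findtext("m:scope", default="compile", namespaces=ns).strip()
        deps.append((group, artifact, scope))
    return deps


def mis_scoped_test_libraries(pom_xml):
    """Direct dependencies from known test-only groupIds whose scope is not
    'test'; these would be pulled onto the compile/runtime classpath."""
    return [
        (g, a, s)
        for g, a, s in direct_dependencies(pom_xml)
        if g in TEST_ONLY_LICENSES and s != "test"
    ]


def license_inventory(pom_xml):
    """Map 'groupId:artifactId' to the license label from the table, or
    'UNKNOWN' so the report shows what still needs a manual look-up."""
    return {
        f"{g}:{a}": TEST_ONLY_LICENSES.get(g, "UNKNOWN")
        for g, a, _ in direct_dependencies(pom_xml)
    }


if __name__ == "__main__":
    for g, a, s in direct_dependencies(SAMPLE_POM):
        print(f"{g}:{a} scope={s} license={TEST_ONLY_LICENSES.get(g, 'UNKNOWN')}")
    for g, a, s in mis_scoped_test_libraries(SAMPLE_POM):
        print(f"WARNING: test-only library {g}:{a} has scope '{s}', expected 'test'")
```

On a real tree you would feed it each module's pom.xml in turn (or the effective pom from `mvn help:effective-pom`, which resolves parent-managed scopes that a single file does not show) and grow the license table as you confirm entries, so that the UNKNOWN rows shrink to zero before a release vote.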
