Thanks for clarifying Taylor. If I understand it correctly, the L & N for source should only contain licenses for source we include. So the L & N files we have now are probably fine for this, as they contain licensing for the Javascript we have in UI, and I don't believe we include other kinds of external source in the source dist. I'll do a quick check that all the JS we have is covered.
For the binary distribution, we should have a L & N that is the L & N for the source, plus any licenses for binaries we include (e.g. everything in the /lib directory). We should update the L & N in storm-dist/binary, and I'd also like to move them to the project root, e.g. as "LICENSE-binary". I think they're a little well hidden right now. I get the impression that the binary license should not include licenses for e.g. dependencies downloaded when a topology uses `storm-hbase`, as those binaries aren't part of the distribution. Is this right? Do those kinds of dependencies still need to have their licenses listed somewhere (e.g. in the autogenerated dependency-licenses file), or is this not necessary? Den tir. 26. mar. 2019 kl. 00.45 skrev P. Taylor Goetz <ptgo...@gmail.com>: > L & N files usually differ between source and binary distributions. > Usually due to shading, contents of lib directory, etc. Source > distributions are simpler, since they can’t contain any binaries. For a > binary distribution, the L & N files need to reflect everything in the > binary dependencies. > > I think it’s important that we review licensing issues, so I’ll cancel > this RC. > > Kudos to Stig for paying attention to license hygiene! > > -Taylor > > > On Mar 25, 2019, at 1:21 PM, Stig Rohde Døssing <stigdoess...@gmail.com> > wrote: > > > > Maybe something like this? https://github.com/apache/storm/pull/2980 > > > > Den man. 25. mar. 2019 kl. 14.12 skrev Stig Rohde Døssing < > > stigdoess...@gmail.com>: > > > >> The ASF guideline says the file "should identify the third-party > product, > >> its licensing, and a url to the its homepage". If we can get away with > >> including the license name and not the license text, I think > >> THIRD-PARTY.txt contains what we need. E.g. Spark also only lists the > >> license names, and not the texts. > >> > >> We can clean up the output a bit more, e.g. collapse all the Apache > >> licenses together under one header, I just didn't bother because I > didn't > >> expect the file to be user facing. > >> > >> Den man. 25. mar. 2019 kl. 13.47 skrev Jungtaek Lim <kabh...@gmail.com > >: > >> > >>> According to how other projects are doing right now, looks like we are > >>> not doing. > >>> > >>> https://github.com/apache/flink/blob/master/NOTICE-binary > >>> https://github.com/apache/spark/blob/master/LICENSE-binary > >>> https://github.com/apache/kafka/blob/trunk/LICENSE > >>> > >>> If I understand correct, aether in storm-submit-tool is also EPL v1.0. > >>> > >>> Btw, I just ran the command "mvn generate-resources > >>> -Dlicense.skipAggregateAddThirdParty=false" and see the output: the > format > >>> of output looks good though the output is a bit verbose. (Attached the > >>> output file.) > >>> > >>> Would it be OK to include the file without cleaning up? > >>> > >>> 2019년 3월 25일 (월) 오후 8:19, Stig Rohde Døssing <stigdoess...@gmail.com > >님이 > >>> 작성: > >>> > >>>> 0 > >>>> > >>>> Built and ran tests from source zip. > >>>> Ran ExclamationTopology on local install set up from binary zip. > >>>> Verified no unexpected error logs. > >>>> Ran integration test locally. > >>>> Clicked around in UI for a bit, checked that logviewer works. > >>>> Ran the license check plugin, and verified that all dependency > licenses > >>>> are > >>>> either category A or B. > >>>> > >>>> We have some category B dependencies, e.g. JAXB and Jersey under CDDL. > >>>> > https://apache.org/legal/resolved.html#appropriately-labelled-condition > >>>> mentions that we should list category B dependencies somewhere > visible to > >>>> users. Do we do this currently? > >>>> > >>>> Den fre. 22. mar. 2019 kl. 21.23 skrev P. Taylor Goetz < > >>>> ptgo...@gmail.com>: > >>>> > >>>>> This is a call to vote on releasing Apache Storm 2.0.0 (rc5) > >>>>> > >>>>> Full list of changes in this release: > >>>>> > >>>>> > >>>>> > >>>> > https://dist.apache.org/repos/dist/dev/storm/apache-storm-2.0.0-rc5/RELEASE_NOTES.html > >>>>> > >>>>> The tag/commit to be voted upon is v2.0.0: > >>>>> > >>>>> > >>>>> > >>>> > https://git-wip-us.apache.org/repos/asf?p=storm.git;a=tree;h=7e0a711e4ed5315f04f9f726caff61e0f169e320;hb=b5823809bd4b438e789a36f163f318d4b161ad13 > >>>>> > >>>>> The source archive being voted upon can be found here: > >>>>> > >>>>> > >>>>> > >>>> > https://dist.apache.org/repos/dist/dev/storm/apache-storm-2.0.0-rc5/apache-storm-2.0.0-src.tar.gz > >>>>> > >>>>> Other release files, signatures and digests can be found here: > >>>>> > >>>>> https://dist.apache.org/repos/dist/dev/storm/apache-storm-2.0.0-rc5/ > >>>>> > >>>>> The release artifacts are signed with the following key: > >>>>> > >>>>> > >>>>> > >>>> > https://git-wip-us.apache.org/repos/asf?p=storm.git;a=blob_plain;f=KEYS;hb=22b832708295fa2c15c4f3c70ac0d2bc6fded4bd > >>>>> > >>>>> The Nexus staging repository for this release is: > >>>>> > >>>>> > https://repository.apache.org/content/repositories/orgapachestorm-1076 > >>>>> > >>>>> Please vote on releasing this package as Apache Storm 2.0.0. > >>>>> > >>>>> When voting, please list the actions taken to verify the release. > >>>>> > >>>>> This vote will be open for at least 72 hours. > >>>>> > >>>>> [ ] +1 Release this package as Apache Storm 2.0.0 > >>>>> [ ] 0 No opinion > >>>>> [ ] -1 Do not release this package because... > >>>>> > >>>>> Thanks to everyone who contributed to this release. > >>>>> > >>>>> -Taylor > >>>> > >>> > >