Here is a link to the third-party audit report from Jenkins. https://builds.apache.org/job/streams-project-site/site/aggregate-third-party-report.html
I’ve begun looking into excluding / eliminating the 5 cat-x transitive dependencies.

On Mar 31, 2018 at 4:08 PM, Steve Blackmon <sblack...@apache.org> wrote:

I've opened a pull request that adds license-maven-plugin including a maven site report.

https://github.com/apache/streams/pull/429

Once this merges (+1 please?) a new page will appear on the website with a full transitive dependency inventory - and it should say there are just over 550 dependencies, none of which have unidentified licenses.

Also used the CLI tool license:aggregate-add-third-party from the plugin to produce some files which I then edited into the attached draft NOTICE file.

This process identified 5 dependencies, none important, that are category X. They should be straightforward to exclude / remove.

I'd appreciate the PMC's feedback on the attached file, whether the format is acceptable, any other critical content that may be missing, and whether any dependencies may be problematic in addition to the five already identified.

Per my understanding, with this accounting done, we need to gather the license links and text into the NOTICE file, and once that's done we're permitted to perform a release that includes a binary based on the new 'streams-dist' module.

Steve Blackmon
sblack...@apache.org