On 2 June 2016 at 19:50, Gale Naylor <[email protected]> wrote:
> I'm so sorry - I've been replying to the VOTE thread.
>
> I'll copy my comments here:
>
> ------------------------------------------
> UP-FRONT CHECKS
> ------------------------------------------
> The MD5 checksums in the [VOTE] email are the same as the SHA1 checksums.
> I'm using the downloaded MD5 and SHA-1.

Yes, I copy-pasted wrong! :(

db4309131f4330832736586f6357d691 apache-taverna-commandline-3.1.0-incubating-source-release.zip
03c62e8d0d8a8862638655a3591597ba apache-taverna-common-activities-2.1.0-incubating-source-release.zip
8113656bf4ac8ed4e5ed88cb1b0da15d apache-taverna-engine-3.1.0-incubating-source-release.zip

(Perhaps we need a vote-email script!)

> -------------------
> GNU License?
>
> The list of # Already used licenses in project : includes
>
> # - GNU Lesser General Public License, Version 2.1
> Isn't this a category-x license? (It doesn't show up in the
> "Please fill in the missing licenses" list at the bottom of the file.)

I assume you mean
apache-taverna-engine-3.1.0-incubating/src/license/THIRD-PARTY.properties
which is used if you run manually:

mvn license:aggregate-add-third-party

http://www.mojohaus.org/license-maven-plugin/aggregate-add-third-party-mojo.html

which will generate target/generated-sources/license/THIRD-PARTY.txt
based on the <dependencies> and transitive dependencies.

Usually the plugin picks up license info from the POM <licenses>
section, but some projects don't provide that, in which case the
properties file can fill in the blanks.

The "Already used" section is written by the plugin if you use
-Dlicense.useMissingFile=true

But all the LGPL licenses in the report are dual-licensed also as
Apache license:

stain@biggiebuntu:~/rc/dist/test/apache-taverna-engine-3.1.0-incubating$ grep GNU target/generated-sources/license/THIRD-PARTY.txt
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.2.2 - http://wiki.fasterxml.com/JacksonHome)
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.3.0 - http://wiki.fasterxml.com/JacksonHome)
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) Jackson-annotations (com.fasterxml.jackson.core:jackson-annotations:2.3.3 - http://wiki.fasterxml.com/JacksonHome)
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.2.2 - http://wiki.fasterxml.com/JacksonHome)
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) Jackson-core (com.fasterxml.jackson.core:jackson-core:2.3.3 - http://wiki.fasterxml.com/JacksonHome)
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.2.2 - http://wiki.fasterxml.com/JacksonHome)
(GNU Lesser General Public License, Version 2.1) (The Apache Software License, Version 2.0) jackson-databind (com.fasterxml.jackson.core:jackson-databind:2.3.3 - http://wiki.fasterxml.com/JacksonHome)

> -------------------
> Missing license information:
>
> # http://x-stream.github.io/license.html - this link says BSD (but not
> which type);
> should this copyright be included in our Notice file?

Not in our NOTICE file yet, as we don't bundle the x-stream library,
we just depend on it.

But we would need to include that (and much more) in the NOTICE of the
ZIP-file from taverna-commandline-product when/if we decide to
distribute that as a binary release.

> org.aopalliance--com.springsource.org.aopalliance--1.0.0 - no license
> listed

Should be clean:

http://aopalliance.sourceforge.net/
> LICENCE: all the source code provided by AOP Alliance is Public Domain.

(Oh my, that dependency is more than 12 years old..!)

> # https://github.com/hunterhacker/jdom/blob/jdom-1.1/core/LICENSE.txt -
> this link has a copyright;
> include in Notice file? What do we use for "type" of license? "Copyright?"
> Or is this also a "JDOM License" like
> org.jdom--com.springsource.org.jdom--1.1.0?

I think we can just call it the "JDOM license". Same as above, no need
for NOTICE as we don't bundle the JAR.

> # http://www.xmlpull.org/ - no license listed
> Aren't the following licenses listed under category-b, binary release only?

But we only have <dependency> on them, they are not distributed by ASF
(you won't find these dependencies in our source archive), so that is
OK.

> 1) University of Manchester copyright in taverna-provenanceconnector
> files (see previous email).

Bah! Well spotted! Danger of just disabling a Maven module!

That is however an (apparent) violation as it claims to be under
incompatible LGPL license -- that code was however covered by the
software grant and should have ASF headers.

I think we might have to pull the RC for this (we could get it through
the incubator if it was the first release, but this is our third!).

> 2) taverna-execution-hadoop Crossproduct.java file contains copyright
> by Adam Pingel and no ASF license.
>
> I know this copyright is included in the top level NOTICE
> file, but doesn't it have to be removed from the Java file?

Strictly speaking we don't need to include that text in the NOTICE if
it is also in the file header, however we need it in the NOTICE so
that it also comes along in JARs in Maven Central.

I don't think we can move this away from the file header, as then
downstream consumers who decide to copy that file might then easily
violate:

> Redistributions of source code must retain the above copyright
> notice, this list of conditions and the following disclaimer.

> 1) Two README files without license headers:
> /taverna-engine-rc2/taverna-prov/README.md
> /taverna-engine-rc2/taverna-reference-types/README.md

I think it should be added - but personally I wouldn't block the
release for that alone.

> 2) One JSON file without license header
> /taverna-engine-rc2/taverna-run-impl/src/test/resources/workflowrun.json

It's tricky to add to JSON as it has no comment headers, but it's
possible to add something like this:

"http://purl.org/dc/terms/rights": "Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the 'License'); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.",
"http://purl.org/dc/terms/license": {"@id": "http://www.apache.org/licenses/LICENSE-2.0"},

> 3) Miscellaneous text and html files don't have a license header.
> (Also spring.handlers and spring.schemas.)
> Are these not considered "code?"

Not having checked deeper, but I think the spring.* files can't have
license headers. (They don't even have a newline!)

The spring-files are very small and not copyrightable (does not
achieve Work height) - so it's not a big issue they are missing
headers.

The HTML files should have license headers. Also I think it's cleaner
to use package-info.java with regular Javadoc instead of package.html

> Examples:
> taverna-activity-archetype...goal.txt,
> taverna-credential-manager...text.html,
> taverna-prov...3a/3a82e39d-a537-40cf-91a0-2c89d4a2e62b.txt
> taverna-prov...greeting.txt
> taverna-prov...mimetype
> taverna-workflowmodel-impl...package.html
> taverna-reference-impl...spring.handlers (and spring.schemas)

Most of these are test resources which must match 1:1 - documented in
the RAT exclusions of pom.xml:

<exclude>**/*.txt</exclude> <!-- workflow values -->
<exclude>**/src/main/resources/archetype-resources/</exclude> <!-- Don't want our archetype to generate ASF headers -->
<exclude>**/META-INF/spring.*</exclude> <!-- Miniscule spring marker files -->
<exclude>**/workflowrun.json</exclude> <!-- example workflow run report -->

> 4) Files in services subdirectories also do not have license headers. Are
> they exempt?
>
> Examples:
> taverna-credential-manager...services/
> org.apache.taverna.security.credentialmanager.CredentialProviderSPI
> taverna-dataflow-activity.../services/
> net.sf.taverna.t2.workflowmodel.health.HealthChecker

They are also very small (just listing classnames) and so would not be
copyrightable. However they would support a ## style copyright header
which we can add.

Thanks for a thorough check!

--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons
http://orcid.org/0000-0001-9842-9718
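
The mix-up discussed at the top of this message (SHA-1 values pasted where the MD5 values belong) can be caught mechanically before a [VOTE] mail is sent. The following is an added example, not part of the original message or of the Taverna project's tooling; the function names and the sample archive are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX_LEN = {"md5": 32, "sha1": 40}  # hex digits produced by each algorithm

def digest(path, algo):
    """Hash a file in chunks so large release archives are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def vote_block(paths, algo):
    """Render the 'digest  filename' lines to paste into the vote mail."""
    return "\n".join(f"{digest(p, algo)}  {Path(p).name}" for p in paths)

def check_block(text, algo, paths):
    """Return a list of problems found in a checksum block labelled as `algo`."""
    listed = {}
    for line in text.strip().splitlines():
        value, name = line.split()  # assumes file names without spaces
        listed[name] = value.lower()
    problems = []
    for p in paths:
        name, got = Path(p).name, listed.get(Path(p).name)
        if got is None:
            problems.append(f"{name}: missing from {algo} block")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], got):
            problems.append(f"{name}: not a {algo} digest ({len(got)} hex chars)")
        elif got != digest(p, algo):
            problems.append(f"{name}: {algo} does not match the file")
    return problems

def demo():
    """Constructed stand-in archive; reproduces SHA-1 lines pasted as MD5."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "example-source-release.zip"  # hypothetical file name
        f.write_bytes(b"constructed sample archive bytes")
        good = check_block(vote_block([f], "md5"), "md5", [f])
        bad = check_block(vote_block([f], "sha1"), "md5", [f])
    return good, bad

if __name__ == "__main__":
    print(demo())
```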
