On Wed, Dec 3, 2025 at 3:27 PM PJ Fanning <[email protected]> wrote:

> I think we're still missing NOTICE details for Apache licensed 3rd party
> libs in the bin tar.gz.
>
> For instance, scala-xml has this NOTICE file:
> https://github.com/scala/scala-xml/blob/main/NOTICE
>
> We don't seem to have this in the bin tar.gz.
>
> This is just one example. I think most of the Scala libs have NOTICE files
> and there is a good chance that other ASL jars have them too.
>
> The Pekko NOTICE files are worth checking too because they document some
> third party source in their jars.
> For the pekko-actor jar, you have:
> https://github.com/apache/pekko/blob/main/legal/pekko-actor-jar-notice.txt
>
>
Hi PJ, sorry for the late reply...

After looking into this further, I’ve identified a few key issues with how
our licenses and notices are being handled:
- Missing license/notices: The distribution isn't currently displaying all
required license and notice files in its root.
- Split sources: A large portion of these are currently linked in
etc/legal/LICENSE_extras and NOTICE_extras and then appended to the main
distribution files.
- Jar-level license/notices: The remaining files are being concatenated
into the META-INF folder of the Toree assembly jar, which sits in the lib/
directory of the bin.tar.gz.

```
LICENSE_commons-exec-1.3.txt
LICENSE_coursier-util_2.12-2.0.0
LICENSE_jackson-annotations-2.14.2
LICENSE_jackson-core-2.14.2
LICENSE_jackson-databind-2.14.2
LICENSE_jackson-datatype-jsr310-2.9.8
LICENSE_joda-time-2.10.1.txt
LICENSE_pekko-actor_2.12-1.1.5
LICENSE_pekko-slf4j_2.12-1.1.5
LICENSE_slf4j-api-2.0.16.txt
license_spring-core-5.2.2.RELEASE.txt
license_spring-jcl-5.2.2.RELEASE.txt
...
NOTICE_commons-exec-1.3.txt
NOTICE_jackson-annotations-2.14.2
NOTICE_jackson-core-2.14.2
NOTICE_jackson-databind-2.14.2
NOTICE_joda-time-2.10.1.txt
NOTICE_pekko-actor_2.12-1.1.5
NOTICE_pekko-slf4j_2.12-1.1.5
notice_spring-core-5.2.2.RELEASE.txt
notice_spring-jcl-5.2.2.RELEASE.txt
```

Before we make further changes, I’d like to align on a strategy for how
these should appear in our distributions. Specifically:
- Top-level visibility: Is it mandatory to include all these details in
the top-level LICENSE and NOTICE files?
- Current assembly approach: Is our existing method—where the assembly
plugin concatenates these into the META-INF folder of the assembly
jar—sufficient for compliance?

I’ve already addressed a few missing items in PR #239
<https://github.com/apache/incubator-toree/pull/239>, but I want to ensure
we have a consistent approach moving forward.

-- 
Luciano Resende
http://twitter.com/lresende1975
http://lresende.blogspot.com/
