Usually the 3rd party license and notices (if applicable) are bundled but I'm not against providing links. I would suggest that if we already bundle some licenses and notices to keep those bundled. The missing ones - maybe links are ok. It's certainly better than not having any indication of their licensing.
On Thu, 29 Jan 2026 at 12:15, PJ Fanning <[email protected]> wrote: > > The issue under discussion is a fat jar - one bundles Toree classes > with lots of classes from 3rd party libs. > That jar must contain the details of all the licenses and notices from > the 3rd party classes - and also include our Apache license and > notice. > > On Thu, 29 Jan 2026 at 05:31, Luciano Resende <[email protected]> wrote: > > > > On Wed, Dec 3, 2025 at 3:27 PM PJ Fanning <[email protected]> wrote: > > > > > I think we're still missing NOTICE details for Apache licensed 3rd party > > > libs in the bin tar.gz. > > > > > > For instance, scala-xml has this NOTICE file: > > > https://github.com/scala/scala-xml/blob/main/NOTICE > > > > > > We don't seem to have this in the bin tar.gz. > > > > > > This is just one example. I think most of the Scala libs have NOTICE files > > > and there is a good chance that other ASL jars have them too. > > > > > > The Pekko NOTICE files are worth checking too because the document some > > > third party source in their jars. > > > For the pekko-actor jar, you have: > > > https://github.com/apache/pekko/blob/main/legal/pekko-actor-jar-notice.txt > > > > > > > > Hi PJ, sorry for the late reply... > > > > After looking into this further, I’ve identified a few key issues with how > > our licenses and notices are being handled: > > - Missing license/notices: The distribution isn't currently displaying all > > required license and notice files in its root. > > - Split sources: A large portion of these are currently linked in > > etc/legal/LICENSE_extras and NOTICE_extras and then appended to the main > > distribution files. > > - Jar-level license/notices: The remaining files are being concatenated > > into the META-INF folder of the Toree assembly jar, which sits in the lib/ > > directory of the bin.tar.gz. > > > > ``` > > LICENSE_commons-exec-1.3.txt > > LICENSE_coursier-util_2.12-2.0.0 > > LICENSE_jackson-annotations-2.14.2 > > LICENSE_jackson-core-2.14.2 > > LICENSE_jackson-databind-2.14.2 > > LICENSE_jackson-datatype-jsr310-2.9.8 > > LICENSE_joda-time-2.10.1.txt > > LICENSE_pekko-actor_2.12-1.1.5 > > LICENSE_pekko-slf4j_2.12-1.1.5 > > LICENSE_slf4j-api-2.0.16.txt > > license_spring-core-5.2.2.RELEASE.txt > > license_spring-jcl-5.2.2.RELEASE.txt > > ... > > NOTICE_commons-exec-1.3.txt > > NOTICE_jackson-annotations-2.14.2 > > NOTICE_jackson-core-2.14.2 > > NOTICE_jackson-databind-2.14.2 > > NOTICE_joda-time-2.10.1.txt > > NOTICE_pekko-actor_2.12-1.1.5 > > NOTICE_pekko-slf4j_2.12-1.1.5 > > notice_spring-core-5.2.2.RELEASE.txt > > notice_spring-jcl-5.2.2.RELEASE.txt > > ``` > > > > Before we make further changes, I’d like to align on a strategy for how > > these should appear in our distributions. Specifically: > > - Top-level visibility: Is it mandatory to include all these details in > > the top-level LICENSE and NOTICE files? > > - Current assembly approach: Is our existing method—where the assembly > > plugin concatenates these into the META-INF folder of the assembly > > jar—sufficient for compliance? > > > > I’ve already addressed a few missing items in PR #239 > > <https://github.com/apache/incubator-toree/pull/239>, but I want to ensure > > we have a consistent approach moving forward. > > > > -- > > Luciano Resende > > http://twitter.com/lresende1975 > > http://lresende.blogspot.com/
