Hi, On Fri, May 18, 2012 at 9:41 PM, Carol Frampton <cfram...@adobe.com> wrote: ... > 1. If we incorporate code into our project that is from another Apache > project covered by an Apache v2 license do we still call out that we've taken > the code or does the Apache license at the top of the LICENSE file cover all > Apache code, not just Flex code? ... > 2. Same question, but we're incorporating code covered by an Apache 1.1 > license. ...
By "incorporate code", do you mean forking another Apache project in Flex? If yes, Flex should IMO change package names of those project's classes to avoid confusion. Best is of course to contribute any required patches to those projects and work with them to have releases of that, but if that's really not possible and the forked code will be released by Flex, Flex must make it clear that the code is not the original. Best way to do that is probably to change the package names, something like o.a.flex.forks.batik for batik code for example. > 3. Many of the jars we use have their own LICENSE and NOTICE files. Right > now they are all in the lib directory right next to their jar. I've seen > other projects put them all in a legal, LICENSE or NOTICE directory. What is > the proper way to organize these and how do you refer to them in the Apache > Flex LICENSE file? ... Jar files are binary dependencies, we don't release them, so they don't need to be mentioned in the LICENSE or NOTICE file. OTOH, it's good to make it clear what the license of required dependencies are - Stanbol for example does a nice thing with a DEPENDENCIES-BY-LICENSE file that's generated with the license-maven-plugin, dunno if there's an equivalent for an ant build. You can see how that's setup at http://svn.apache.org/repos/asf/incubator/stanbol/branches/0.9.0-incubating/parent/pom.xml and the result in the Stanbol release at http://apache.org/dist/incubator/stanbol/ > ...4. If we include a jar that includes other stuff and has NOTICES and > LICENSES from its dependencies to we pull them all up into our LICENSE? I've > seen lots of questions about this and I still don't understand what the right > way to do this is. ... We don't include jars - an Apache release consists of source code only. If Flex wants to provide a convenience package of binary dependencies, that's possible but does not have much to do with the actual release process. >From the release point of view, what's required is that: -The LICENSE and NOTICE files match the source code that's being released -All required dependencies have compatible licenses as per http://apache.org/legal/resolved.html -Users can easily find out what those compatible licenses are The idea with not including binaries is that you can't realistically trust a binary that you didn't build yourself. It's not common in the Java world to build all your dependencies from trusted source, but that's really what people should do if they want to be sure what they're running. > ...If you know of any projects that you think are good examples I would be > happy to take a look. Last time I tried to look > for examples I didn't find a consistent way of doing things so I couldn't > tell what was the preferred way. The best example is probably http://svn.apache.org/repos/asf/httpd/httpd/trunk -Bertrand
