Hi all, as far as I've understood we are quite in an impasse here: is there any quick way out?
I've performed some more analysis and I've come to the following findings:

1. XPP3 is pulled in by XStream (syncope-core and syncope-console WAR files)

[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile

and by ApacheDS (syncope-build-tools WAR file)

[INFO] +- org.apache.directory.server:apacheds-all:jar:1.5.7:compile
[INFO] |  +- org.apache.directory.shared:shared-ldif:jar:0.9.19:compile
[INFO] |  \- org.apache.directory.shared:shared-dsml-parser:jar:0.9.19:compile
[INFO] |     \- xpp3:xpp3:jar:1.1.4c:compile

XStream says that other XML parsers can be used
(http://xstream.codehaus.org/download.html#optional-deps), I don't know
about ApacheDS - but guess Emmanuel does.

2. The following are all the transitive dependencies currently not
mentioned in L&N files:

org.livetribe:livetribe-jsr223:jar:2.0.6
org.mybatis:mybatis:jar:3.0.6
xmlpull:xmlpull:jar:1.1.3.1
xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c
aopalliance:aopalliance:jar:1.0
asm:asm:jar:3.3.1
antlr:antlr:jar:2.7.7
dom4j:dom4j:jar:1.6.1
joda-time:joda-time:jar:2.0

Can we find a simple and shared way to assess what is the legal, correct
and complete content of Syncope L&N files?
Is there any other ASF project distributing WAR files we can check?

If not: what if we just include in L&N files all the deps reported above? Is
this harmful in any way?

Please help: we'd really like to cut our first release...

Best regards.

On 15/05/2012 11:36, Christian Grobmeier wrote:
>> The point is that we don't vote binaries, we vote sources. Generated
>> binaries are just by-products of the build.
>>
>> That we distribute binaries is just for convenience.
> which does not change anything imho
>
>> Now, I do think that we should include into the N&L files the licenses for
>> 3rd parties we *directly* include, but not those that are transitively
>> included. I may be wrong though. I understand your position, too.
>>
>> It may be worthwhile to ask beside this thread what is the correct way to
>> refer those transitive dependencies...
> +1
>
> Did not know there were other positions actually.
>
>>> http://incubator.apache.org/guides/releasemanagement.html#best-practice-license
>>> "All the licenses on all the files to be included within a package
>>> should be included in the LICENSE document. "
>> But as soon as we include the deps' licenses we include, even if they
>> themselves include some 3rd party licenses, my understanding is that they
>> already have done the job...
> If they did it. I have not opened all the files to be honest, but
> is this something we can rely on (that they have done their job
> properly)?
>
>>> It says to me, it does not matter who depends on what, it does only
>>> matter what's inside your war.
>>>
>>> Btw, I am still unsure which license XPP has. This is worse, because:
>>> http://www.apache.org/dev/release.html#distribute-other-artifacts
>>> "Again, these artifacts may be distributed only if they contain
>>> LICENSE and NOTICE files"
>>
>> See on
>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/,
>> unzip the
>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/xpp3-1.1.4c_src.tgz
>> tarball and check the included license.
> Thanks! I opened the jar from the Syncope war, there was no info included.
>
> Is that compatible? "Indiana University Extreme! Lab Software License"
> I think it's fine, but I am not very good with that boring stuff:
> http://apache.org/legal/3party.html
>
> Btw, this phrase is interesting:
> "Redistributions in binary form must reproduce the above copyright notice"
>
> This includes the provided war file. There is no copyright notice of
> XPP and my guess is the license holders are not interested if we are
> having it as transitive lib or not.

-- 
Francesco Chicchiriccò
Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/