+1, lets not second guess the intention of a third party project. Lets simply ensure *our* projects do what is required.
If anyone here is concerned about the third party being unaware of the results of their distribution practices then that part of this discussion should move to the third party project. Sent from my Windows Phone ________________________________ From: Roman Shaposhnik<mailto:r...@apache.org> Sent: 10/11/2014 12:09 PM To: general@incubator.apache.org<mailto:general@incubator.apache.org> Subject: Re: Bloated NOTICE files are evil On Sat, Oct 11, 2014 at 11:47 AM, Sean Owen <sro...@gmail.com> wrote: >> You are confusing different distributions. Netty provides a source >> distribution which does include a NOTICE file. Netty also provides binary >> (jar) distributions. These do not include a NOTICE file. > > I think this is a fair question. Did the Netty project intend the > NOTICE file to pertain only to the source distribution? from its > contents, it pertains to the binary distro too, since the binary form > contains the elements referenced in the NOTICE. This one really strikes me as an academic exercise. I am not sure second guessing a motivation of a non-ASF project would be fruitful for our discussion. The situation is *really* simple: 1. it seems that for the stuff in Netty's binary distro Drill is doing the right thing with its binary distro 2. it seems that for the stuff in Netty's source distro Drill is doing the right thing with its source distro Is there anything else I am missing? > I supposed I'd expect erring a bit on the side of the intent and > spirit from the ASF in interpreting these things, but hey, let's stick > to technicalities. Just taking the first example -- Netty contains > among other things a modified version of Webbit, a BSD-licensed > library. Drill is distributes this code. Where is this in LICENSE? > It's not even in NOTICE which would be "close" and reference its own > LICENSE, but you don't distribute the NOTICE even. This is the problem > with trying to cut it so fine. I find it unfair to put this burden on Drill. If you really want to help Netty with the spirit of the law -- why don't you talk to the Netty developers and straighten these issues with them first? > It's such a rabbit hole to be sure, and the little downside to being > blessed with freely accessing so many others' projects. I struggled > for a while on Spark with this and still probably don't have it all > right. I mean, shouldn't someone take a look at the many other > dependencies? this is just one I ran into as a spectator. Why the > hostility? just stick to the discussion of the license please. I haven't notice any hostility, really (perhaps participating in some of the more boisterous ASF communities equipped me with thicker skin). That said, I do suggest we stay on topic and not try to boil the ocean here. We are in charge of our own software -- we should do the right thing with it. With projects outside of ASF we can only do so much. On a related note: with every legal council I ever work with, one of the first conversations I have is around the fact that you never ever trust somebody else's legal judgement. Which means that regardless of what the LICENSE or NOTICE say you are on the hook to 'trust by verify'. Hence BlackDuck and Palamida scans. When you distribute something as a commercial vendor it is your responsibility to make sure you are not exposing yourself. Why am I telling you this? The reason is simple: cost. It costs a LOT to make sure that the exposure is not there. If you think that a project run by volunteers can achieve the 100% of cleanless for every single dependency (direct or transitive) you're simply kidding yourself. Once again, what we need to focus on is what we directly control. Not more, not less. Thanks, Roman. --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
