On 9/20/16, 11:50 AM, "Donald Szeto" <don...@apache.org> wrote:

>Hi all,
>I am preparing my first Apache release and am wondering if I need to check
>licenses of all transitive deps if the release contains:
>- a single source tarball;
>- a few binary JAR artifacts on Nexus that contain no transitive deps in
>either binary or source form.

An official Apache release only contains source.  It cannot contained
compiled binaries.

Official Apache releases may be accompanied by a "convenience binary
package" that contains the result of running the build contained in the
source script.  It could bundle third-party jars.

The LICENSE file in the source package may be different from the LICENSE
in the "convenience binary" if the convenience binary contains a bundled
third-party jar.  The LICENSE files must reflect the contents of its
containing package.

>Would it be sufficient to make sure the licenses of all sources comply
>Apache policy in this case? Do I need to check transitive deps in this

You must chase down transitive deps in the package.  If the source package
doesn't contain any non-ASF code then there isn't anything to chase for
the source package.  If the binary does contain third-party jars, then you
have to chase transitive deps on those jars.


[1] http://www.apache.org/dev/licensing-howto.html
[2] http://www.apache.org/dev/release.html#what

Reply via email to