On 9/20/16, 11:50 AM, "Donald Szeto" <don...@apache.org> wrote:
>I am preparing my first Apache release and am wondering if I need to check
>licenses of all transitive deps if the release contains:
>- a single source tarball;
>- a few binary JAR artifacts on Nexus that contain no transitive deps in
>either binary or source form.

An official Apache release only contains source. It cannot contain
Official Apache releases may be accompanied by a "convenience binary
package" that contains the result of running the build contained in the
source script. It could bundle third-party jars.
The LICENSE file in the source package may be different from the LICENSE
in the "convenience binary" if the convenience binary contains a bundled
third-party jar. The LICENSE files must reflect the contents of its

>Would it be sufficient to make sure the licenses of all sources comply with
>Apache policy in this case? Do I need to check transitive deps in this

You must chase down transitive deps in the package. If the source package
doesn't contain any non-ASF code then there isn't anything to chase for
the source package. If the binary does contain third-party jars, then you
have to chase transitive deps on those jars.