You are right that if you are not redistributing third-party
dependencies yourself (e.g. part of source code or embedded within
ZIP/JAR files) - then you should not be propagating their
However you still need to check that the dependencies your code relies
on is acceptable according to
..that is - any downstream user should be able to take all the JARs
you depend on and assume they are compatible with the Apache license
2.0 (following their attribution requirements).
So for instance if you have dependencies that are licensed as GPL,
LGPL or Amazon Software License, then those would not be compatible.
The exception is if those are OPTIONAL dependencies you would not
normally use - see https://www.apache.org/legal/resolved#optional for
how to deal with those.
As predictionio is using SBT, I had a look at using this plugin
which gave a very nice report (eventually):
it's quite a long list.. obviously you should fix your own metadata so
predictionio does not become one of the "unknown licenses". :)
You can assume that all the org.apache ones commons-* are also Apache license.
You then need to check each of the 'No license specified' ones like
Jetty and Jettison
Perhaps track this in a wiki page or see if you can tweak the config
for the plugin to map the unknown dependencies.
I can see a couple of GPL dependencies in there (mysql) which are red
flags, e.g. mysql-connector-java, stax-api (dual licensed?) but
otherwise it looks not bad. (quite a long list though! :)
BTW, your LICENSE.txt is looking good. Some comments:
This reference to Apache Spark can now be removed, as Apache projects
don't need to attribute each-other (we are all ASF). (You can do so by
a regular comment within the file if you like). You should check
Apache Spark's NOTICE if there are any other attributions you should
propagate (in which case they should be in NOTICE rather than LICENSE)
2) No hunt-around required
> The PredictionIO project contains subcomponents with separate copyright
> and license terms. Your use of the source code for these subcomponents is
> subject to the terms and conditions of the following licenses.
Users should not be required to hunt around in your source-tree for
other licenses - so all of these needs to be referenced, including for
the glyphicons-halflings font)
It's usually enough to just list them in the top level LICENSE.txt
with license name, which files they cover, and refer to the deeper
license files which you generally already seem to have in the source
3) CC No-Commercial
> For documentation in docs/manual/:
> This work is licensed under a Creative Commons
> Attribution-NonCommercial-ShareAlike 3.0 Unported License.
This is a big no-no I'm afraid.. (Category X). Apache projects must
be usable and redistributable also for commercial use.
Was the documentation under docs/ all part of the Software Grant to
ASF, so that it can be relicensed as Apache License? (Check any
outside contributions to them as those would have to sign ICLAs and
agree to the relicensing)
I also see there are several pictures/binaries which you may need to
JPEG image data, Exif standard: [TIFF image
data, little-endian, direntries=1, copyright=Marc Wiegelmann],
baseline, precision 8, 75x75, frames 3
But this should become clear if checking for the license headers of
all the source files.. for instance with Apache Rat or a more crude
grep -c -r "Licensed to the Apache" . | grep :0$ | grep -v target
Sorry for the long email - don't be discouraged - PredictionIO looks
quite good license wise :)
On 20 September 2016 at 20:02, Christopher <ctubb...@apache.org> wrote:
> As I understand things, the licensing information you provide in your
> artifacts should reflect everything contained within that artifact. You do
> not need to provide license/notice information for dependencies which are
> not bundled in your artifact.
> On Tue, Sep 20, 2016 at 3:01 PM Donald Szeto <don...@apache.org> wrote:
>> Sorry. I should have mentioned that I am preparing a release for
>> On Tuesday, September 20, 2016, Donald Szeto <don...@apache.org> wrote:
>> > Hi all,
>> > I am preparing my first Apache release and am wondering if I need to
>> > licenses of all transitive deps if the release contains:
>> > - a single source tarball;
>> > - a few binary JAR artifacts on Nexus that contain no transitive deps in
>> > either binary or source form.
>> > Would it be sufficient to make sure the licenses of all sources comply
>> > with Apache policy in this case? Do I need to check transitive deps in
>> > case?
>> > Thanks!
>> > Regards,
>> > Donald
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org