sijie commented on issue #888: Rework of binary distribution licenses
URL: https://github.com/apache/bookkeeper/pull/888#issuecomment-352880237

First, I think it is a good idea to have a check script to do the things. I am not against it. My main concern is about the approach: how we maintain the source-of-truth of notice files and how this script does the verification.

Basically, you maintain some notice/license files as the source-of-truth, and have a script verifying the LICENSE file against the _maintained_ notice/license files. How do you guarantee the notice/license files can always be correct? That introduces more complexity than maintaining a LICENSE file.

When I say "look for better solutions", I am not saying "doing it manually". There can always be better solutions. I am not sure how feasible it is, just thinking here: you can get artifactory (version, name) from pom files or the assembled package, and fetch their licenses/notices from their websites and verify the LICENSE against their notices.

At a minimum, I don't think we should be maintaining any LICENSE and NOTICE files from dependencies, and we shouldn't use our maintained versions as the source-of-truth for verification.
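As an added illustration (not code from the pull request or from the commenter), the following Python sketch shows the first half of the idea raised in the comment: take the (name, version) list from the assembled package itself and compare it with what LICENSE declares, with no hand-maintained per-dependency files in between. The `lib/` layout, the jar names and the LICENSE excerpt are constructed sample data, and fetching upstream license texts is left out so the example runs offline.

```python
import re

# Assumed naming convention: <artifactId>-<version>.jar, version starts with a digit.
JAR_NAME = re.compile(r"(?P<name>.+?)-(?P<version>\d[\w.]*)\.jar")
# Assumed LICENSE convention: bundled jars are referenced as lib/<file>.jar.
JAR_REF = re.compile(r"lib/(\S+?\.jar)")

def parse_jar(filename):
    """Split a jar file name into (artifact name, version); fail closed if unparseable."""
    m = JAR_NAME.fullmatch(filename)
    if m is None:
        raise ValueError(f"cannot derive name/version from {filename!r}")
    return m.group("name"), m.group("version")

def check_license(bundled_jars, license_text):
    """Compare jars shipped in the package with jars declared in LICENSE."""
    bundled = dict(parse_jar(j) for j in bundled_jars)
    declared = dict(parse_jar(j) for j in set(JAR_REF.findall(license_text)))
    return {
        # Shipped but never mentioned in LICENSE.
        "undeclared": sorted(n for n in bundled if n not in declared),
        # Mentioned in LICENSE but no longer shipped.
        "stale": sorted(n for n in declared if n not in bundled),
        # Same artifact, LICENSE names a different version: (declared, bundled).
        "version_mismatch": {n: (declared[n], v) for n, v in bundled.items()
                             if n in declared and declared[n] != v},
    }

# Constructed sample: contents of lib/ in an assembled binary package.
SAMPLE_JARS = [
    "guava-20.0.jar",
    "netty-all-4.1.12.Final.jar",
    "commons-lang3-3.6.jar",
    "slf4j-api-1.7.25.jar",
]

# Constructed sample: excerpt of a binary-distribution LICENSE file.
SAMPLE_LICENSE = """\
This product bundles the following under the Apache License 2.0:
- lib/guava-20.0.jar
- lib/netty-all-4.1.12.Final.jar
- lib/commons-lang3-3.3.2.jar
- lib/jline-0.9.94.jar
"""

if __name__ == "__main__":
    report = check_license(SAMPLE_JARS, SAMPLE_LICENSE)
    for kind, items in report.items():
        print(kind, items)
    raise SystemExit(1 if any(report.values()) else 0)
```

A non-zero exit status lets a release build fail when the package and LICENSE drift apart.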
