Pil0tXia commented on code in PR #4831: URL: https://github.com/apache/eventmesh/pull/4831#discussion_r1570432347
##########
tools/dist-license/licenses/java/AL 2.0.txt:
##########
@@ -0,0 +1 @@
+https://www.apache.org/licenses/LICENSE-2.0.html

Review Comment:

> Logback is available under EPL 1.0 and LGPL 2.1. The first one is a [category B](https://www.apache.org/legal/resolved#weak-copyleft-licenses) license and Apache projects can include it in **binary** form. The second one is a [category X](https://www.apache.org/legal/resolved#category-x) license and can **not** be included in Apache distributions.

There is an `AND`/`OR` SPDX expression between multiple licenses. An artifact with "category B license OR category X license" is acceptable, but one with "category B license AND category X license" is not. I have configured this in https://github.com/apache/eventmesh/pull/4827. Since the current version of dependency-review-action only supports the `AND` expression and treats `OR` as `AND`, I have configured some exemptions for now.

> I am not sure if a hyperlink to the license is enough.

This is caused by `amqp-client` misconfiguring the license name, which you can see in the [Maven repository](https://mvnrepository.com/artifact/com.rabbitmq/amqp-client/5.16.0). For artifacts that do not strictly adhere to the SPDX identifier, the script can only output content according to the information given by the artifact. There should be no need for manual maintenance either.
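Review bot: the new file `tools/dist-license/licenses/java/AL 2.0.txt` contains only the line `+https://www.apache.org/licenses/LICENSE-2.0.html` rather than the license text, and its name `AL 2.0` (with a space) is not the SPDX identifier `Apache-2.0`, so a reader of the distribution cannot see the terms offline and tooling that matches on SPDX identifiers, such as the dependency-review-action discussed in the comment, cannot resolve it. Since the thread traces the odd name to how `amqp-client` declares its license, suggest having the generator normalise known aliases (e.g. `AL 2.0`) to `Apache-2.0` and emit the full license text for that identifier instead of writing through whatever the artifact metadata says.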
--
This is an automated message from the Apache Git Service.
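The `OR`-versus-`AND` rule from the comment above, as an added example that is not part of the PR or the eventmesh project: a small evaluator for SPDX license expressions against ASF categories, with a `treat_or_as_and` switch that reproduces the tooling limitation described in the thread so the artifacts that would need an exemption can be listed. The `CATEGORY` table is a constructed sample covering only the licenses named in the discussion.

```python
import re
# Constructed sample of the ASF categories named in the thread; the
# authoritative table is https://www.apache.org/legal/resolved
CATEGORY = {"Apache-2.0": "A", "EPL-1.0": "B", "LGPL-2.1-only": "X"}

def acceptable(expr, binary=True, treat_or_as_and=False):
    """True if the SPDX expression may ship in an ASF distribution.

    OR: one acceptable branch suffices. AND: every branch must be acceptable.
    Category B counts only for binary distributions; X and unknown names fail.
    treat_or_as_and=True reproduces the tooling limitation in the thread.
    Assumption: WITH exceptions and the '+' suffix are not handled.
    """
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0
    def leaf(tok):
        cat = CATEGORY.get(tok)  # None for a non-SPDX name such as "AL"
        return cat == "A" or (cat == "B" and binary)
    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            right = parse_and()
            result = (result and right) if treat_or_as_and else (result or right)
        return result
    def parse_and():
        nonlocal pos
        result = primary()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            result = primary() and result
        return result
    def primary():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression %r" % expr)
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return value
        return leaf(tok)
    value = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token %r in %r" % (tokens[pos], expr))
    return value
```

A name that is not a single SPDX identifier (such as the `AL 2.0` written by the script) raises instead of silently passing, which is the failure mode the thread is about.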