Vladimir Sitnikov created MNG-6771:
--------------------------------------

             Summary: Please fix license issues
                 Key: MNG-6771
                 URL: https://issues.apache.org/jira/browse/MNG-6771
             Project: Maven
          Issue Type: Bug
          Components: core
    Affects Versions: 3.6.2
            Reporter: Vladimir Sitnikov


Please feel free to adjust the priority, however 
[http://www.apache.org/legal/release-policy.html#licensing] says that license 
clearance is a must, thus I report this as a Blocker.
{quote}Every ASF release MUST comply with ASF licensing policy. This 
requirement is of utmost importance
{quote}
I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with it 
(note: there might be more):

1) apache-maven-3.6.2/LICENSE:
{quote} - JCL 1.2 implemented over SLF4J 
([http://www.slf4j.org|http://www.slf4j.org/]) 
org.slf4j:jcl-over-slf4j:jar:1.7.25
 License: MIT License (MIT) 
[http://www.opensource.org/licenses/mit-license.php] 
(lib/jcl-over-slf4j.license){quote}
The license for the artifact is most likely Apache 2.0 rather than MIT: 
[https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]

2) apache-maven-3.6.2/LICENSE:
{quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/]) 
org.slf4j:slf4j-api:jar:1.7.25
 License: MIT License (MIT) 
[http://www.opensource.org/licenses/mit-license.php] 
(lib/slf4j-api.license){quote}
Maven does not comply with the SLF4J license.
 Here's the license for SLF4J: [https://www.slf4j.org/license.html]
 It requires including the SLF4J copyright notice; however, Maven fails to do that.

3) [http://www.opensource.org/licenses/mit-license.php] must not be used as it 
almost never points to a true license. It is extremely unlikely that someone 
would copyright their work as "Copyright (c) <year> <copyright holders>"

4) apache-maven-3.6.2/LICENSE:
{quote} - org.eclipse.sisu.inject 
([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/]) 
org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
 License: Eclipse Public License, Version 1.0 (EPL-1.0) 
[http://www.eclipse.org/legal/epl-v10.html] 
(lib/org.eclipse.sisu.inject.license){quote}
The link to eclipse.org/sisu responds with 404.

sisu might have their own copyright notices that should be retained, however 
Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has 
notice.html file which is not present in Maven re-distribution)

5) lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus 
every re-distribution MUST retain ASM copyright notice.
 Maven re-distributes ASM and fails to comply with ASM license.

6) lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license]) 
which is MIT-licensed. Maven fails to comply with jsoup license.


