[ https://issues.apache.org/jira/browse/MNG-6771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16960439#comment-16960439 ]
Enrico Olivelli commented on MNG-6771:
--------------------------------------

Thank you [~vladimirsitnikov] for reporting these problems.

Preliminary thoughts from me:

This is the guide I am following: http://www.apache.org/dev/licensing-howto.html

The first fact I see, in addition to [~vladimirsitnikov] and [~hboutemy] comments, is that we should also cite other ASLv2 artifacts of products not from the ASF, for instance Plexus.

I am working in this direction:
- understand our dependencies from a LICENSE point of view
- have LICENSE files consistent with the "lib" and "boot" directories
- add LICENSE references for all non-ASF products, see http://www.apache.org/dev/licensing-howto.html#alv2-dep
- set up some automatic check of the contents (I am picking up the work we did in the BookKeeper project), which I will adapt to whatever decision we make about the expected contents
- fix erroneous LICENSE attributions and links
- verify the NOTICE file and fix it, adding missing parts

*Hidden third party code*

For ASM, as it is included from a non-Maven dependency, I think that it is not our problem; it is a problem of the owner of Sisu, which is actually re-distributing the file. Yes, we are also re-distributing it, but I don't know to what extent we should dig into the bits of third-party libs.

For JSoup we must fix the problem, as it is in Wagon, which is a direct part of the Apache Maven project.

*Automatic download*

We are downloading links to other licenses directly from the poms, so as long as they (the maintainers of the third-party libs) provide invalid links, any link we provide could break at any point in time, even if I find valid links that work today. So I don't think it is worth overriding links taken from other sources.

The same discussion should also apply to the "license" we find in public poms: if the owner published such a license to Maven Central, then the artifact is released under that license, even if the website says differently.
By the way, this is only to share my current thoughts; I really have to dig into every single dependency and see the problems as [~vladimirsitnikov] already did.

> Fix license issues on binary distribution
> -----------------------------------------
>
> Key: MNG-6771
> URL: https://issues.apache.org/jira/browse/MNG-6771
> Project: Maven
> Issue Type: Bug
> Components: General
> Affects Versions: 3.6.2
> Reporter: Vladimir Sitnikov
> Assignee: Enrico Olivelli
> Priority: Major
> Labels: licenses
>
> Please feel free to adjust the priority, however
> [http://www.apache.org/legal/release-policy.html#licensing] says that license
> clearance is a must, thus I report this as a Blocker.
> {quote}Every ASF release MUST comply with ASF licensing policy. This
> requirement is of utmost importance
> {quote}
> I downloaded apache-maven-3.6.2-bin.zip, and I see the following issues with
> it (note: there might be more):
>
> h2. 1) jcl-over-slf4j:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - JCL 1.2 implemented over SLF4J
> ([http://www.slf4j.org|http://www.slf4j.org/])
> org.slf4j:jcl-over-slf4j:jar:1.7.25
> License: MIT License (MIT)
> [http://www.opensource.org/licenses/mit-license.php]
> (lib/jcl-over-slf4j.license){quote}
> The license for the artifact is most likely Apache 2.0 rather than MIT:
> [https://github.com/qos-ch/slf4j/tree/master/jcl-over-slf4j]
>
> h2. 2) slf4j-api:1.7.25
> in apache-maven-3.6.2/LICENSE:
> {quote} - SLF4J API Module ([http://www.slf4j.org|http://www.slf4j.org/])
> org.slf4j:slf4j-api:jar:1.7.25
> License: MIT License (MIT)
> [http://www.opensource.org/licenses/mit-license.php]
> (lib/slf4j-api.license){quote}
> Maven does not comply with the SLF4J license.
> Here's the license for SLF4J: [https://www.slf4j.org/license.html]
> It requires including the slf4j copyright notice; however, Maven fails to do
> that.
>
> h2. 3) MIT license
> [http://www.opensource.org/licenses/mit-license.php] must not be used as it
> almost never points to a true license. It is extremely unlucky that someone
> would copyright their work as "Copyright (c) <year> <copyright holders>"
>
> h2. 4) org.eclipse.sisu.inject:0.3.3
> in apache-maven-3.6.2/LICENSE:
> {quote} - org.eclipse.sisu.inject
> ([http://www.eclipse.org/sisu/org.eclipse.sisu.inject/])
> org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
> License: Eclipse Public License, Version 1.0 (EPL-1.0)
> [http://www.eclipse.org/legal/epl-v10.html]
> (lib/org.eclipse.sisu.inject.license){quote}
> The link to eclipse.org/sisu responds with 404.
> sisu might have its own copyright notices that should be retained; however,
> Maven re-distributes none of them (org.eclipse.sisu.inject.site-0.3.3.zip has
> a notice.html file which is not present in the Maven re-distribution).
>
> h2. 5) ASM in org.eclipse.sisu.inject-0.3.3.jar
> lib/org.eclipse.sisu.inject-0.3.3.jar bundles ASM. ASM is MIT licensed, thus
> every re-distribution MUST retain the ASM copyright notice.
> Maven re-distributes ASM and fails to comply with the ASM license.
>
> h2. 6) jsoup in wagon-http-3.3.3-shaded.jar
> lib/wagon-http-3.3.3-shaded.jar bundles jsoup ([https://jsoup.org/license]),
> which is MIT-licensed. Maven fails to comply with the jsoup license.
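The two mechanical parts of the thread, "have LICENSE files consistent with the lib directory" and finding third-party code hidden inside a shaded jar (points 5 and 6 of the report), can be scripted. The following is an added example written for this page; it is not code from the Maven or BookKeeper projects. The LICENSE entry layout it parses, the package-prefix table used to recognise bundled ASM and jsoup classes, the jar naming rule (artifact-version[-classifier].jar), and the miniature distribution it builds in a temp directory are all assumptions constructed for the illustration.

```python
"""Cross-check a Maven-style binary distribution's LICENSE file against the jars
shipped in lib/, and scan those jars for bundled (shaded) third-party packages
whose own notices must ship too. Added example, not Maven or BookKeeper code;
the entry format, the package table and the sample data are assumptions."""
import os
import re
import tempfile
import zipfile

# Assumed class-path prefixes identifying third-party code hidden inside a jar.
BUNDLED_PACKAGES = {"org/objectweb/asm/": "ASM", "org/jsoup/": "jsoup"}
# "groupId:artifactId:type:version" line inside a LICENSE entry.
COORD_RE = re.compile(r"^\s*([\w.\-]+):([\w.\-]+):([\w\-]+):([\w.\-]+)\s*$", re.M)
# "(lib/<artifact>.license)" reference inside a LICENSE entry.
LICENSE_REF_RE = re.compile(r"\((lib/[^)\s]+\.license)\)")
# lib/<artifact>-<version>[-<classifier>].jar; the version must start with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*?)(?:-(?P<classifier>[A-Za-z]+))?\.jar$")

# Constructed LICENSE text in the style of the Maven distribution (sample data).
SAMPLE_LICENSE = """\
- SLF4J API Module (http://www.slf4j.org)
  org.slf4j:slf4j-api:jar:1.7.25
  License: MIT License (MIT) (lib/slf4j-api.license)
- org.eclipse.sisu.inject (http://www.eclipse.org/sisu/)
  org.eclipse.sisu:org.eclipse.sisu.inject:eclipse-plugin:0.3.3
  License: Eclipse Public License, Version 1.0 (EPL-1.0) (lib/org.eclipse.sisu.inject.license)
- Apache Maven Wagon HTTP Provider (http://maven.apache.org/wagon/)
  org.apache.maven.wagon:wagon-http:jar:3.3.3
  License: Apache License, Version 2.0 (lib/wagon-http.license)
- Commons CLI (http://commons.apache.org/cli/)
  commons-cli:commons-cli:jar:1.4
  License: Apache License, Version 2.0 (lib/commons-cli.license)
"""


def parse_license_file(text):
    """Map artifactId -> {version, license_ref} for every "- " entry in LICENSE."""
    entries = {}
    for block in re.split(r"^\s*-\s+", text, flags=re.M)[1:]:
        coord = COORD_RE.search(block)
        ref = LICENSE_REF_RE.search(block)
        if coord:
            entries[coord.group(2)] = {"version": coord.group(4),
                                       "license_ref": ref.group(1) if ref else None}
    return entries


def scan_jar_for_bundled_code(jar_path):
    """Third-party projects whose package prefixes appear among the jar's entries."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
    return {project for prefix, project in BUNDLED_PACKAGES.items()
            if any(n.startswith(prefix) for n in names)}


def check_distribution(root):
    """Return the list of findings for the distribution unpacked at `root`."""
    findings = []
    with open(os.path.join(root, "LICENSE"), encoding="utf-8") as f:
        entries = parse_license_file(f.read())
    lib_dir = os.path.join(root, "lib")
    seen = set()
    for jar in sorted(n for n in os.listdir(lib_dir) if n.endswith(".jar")):
        m = JAR_RE.match(jar)
        if not m:
            findings.append(f"lib/{jar}: cannot parse artifact and version from file name")
            continue
        artifact, version = m.group("artifact"), m.group("version")
        seen.add(artifact)
        entry = entries.get(artifact)
        if entry is None:
            findings.append(f"lib/{jar}: not listed in LICENSE")
        elif entry["version"] != version:
            findings.append(f"lib/{jar}: LICENSE lists version {entry['version']}")
        elif entry["license_ref"] is None:
            findings.append(f"lib/{jar}: LICENSE entry has no license file reference")
        elif not os.path.isfile(os.path.join(root, entry["license_ref"])):
            findings.append(f"lib/{jar}: referenced {entry['license_ref']} is missing")
        for project in sorted(scan_jar_for_bundled_code(os.path.join(lib_dir, jar))):
            findings.append(f"lib/{jar}: bundles {project} classes; its notice must ship too")
    for artifact in sorted(set(entries) - seen):
        findings.append(f"LICENSE lists {artifact} but no such jar is in lib/")
    return findings


def build_sample_distribution(root):
    """Write a constructed mini distribution; empty entries stand in for classes."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    jars = {  # jar file name -> class entries placed inside it (sample data)
        "slf4j-api-1.7.25.jar": ["org/slf4j/Logger.class"],
        "org.eclipse.sisu.inject-0.3.3.jar": ["org/eclipse/sisu/Nullable.class", "org/objectweb/asm/ClassReader.class"],
        "wagon-http-3.3.3-shaded.jar": ["org/apache/maven/wagon/http/HttpWagon.class", "org/jsoup/Jsoup.class"],
        "plexus-utils-3.2.1.jar": ["org/codehaus/plexus/util/IOUtil.class"],
    }
    for name, classes in jars.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            for cls in classes:
                zf.writestr(cls, b"")
    with open(os.path.join(root, "LICENSE"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_LICENSE)
    for lic in ("slf4j-api.license", "org.eclipse.sisu.inject.license"):  # wagon-http.license left out
        with open(os.path.join(lib, lic), "w", encoding="utf-8") as f:
            f.write("placeholder license text\n")


def run_sample():
    """Build the sample in a temp dir and return the checker's findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_distribution(root)
        return check_distribution(root)
```

Run against a real unpacked apache-maven-*-bin.zip, `check_distribution("apache-maven-3.6.2")` reports jars that LICENSE does not mention, LICENSE entries whose version or `.license` file does not match what is in lib/, entries with no jar behind them, and jars that carry ASM or jsoup packages. The package-prefix table is the part that needs maintaining: a shaded dependency only shows up if its package root is listed, so it is worth seeding it from the `<relocation>` patterns of the shade plugin configuration of each bundled artifact rather than from memory.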