Thorsten Glaser created MJAVADOC-669:
----------------------------------------
Summary: Generated sources JARs contain jQuery and other
MIT-licenced works without reproducing a copy of the MIT licence, same for
GPL-licenced works
Key: MJAVADOC-669
URL: https://issues.apache.org/jira/browse/MJAVADOC-669
Project: Maven Javadoc Plugin
Issue Type: Bug
Components: javadoc
Affects Versions: 3.2.0
Reporter: Thorsten Glaser
A sources JAR generated by the Maven Javadoc Plugin 3.2.0 contains multiple
components under the MIT licence:
* jQuery 3.5.1
** {{jquery/external/jquery/jquery.js}}
** {{jquery/jquery-3.5.1.js}} (duplicate of the above, blowing up the PKZIP
archive size of the JAR, why is it included like this?)
* JSZip 3.2.1
** {{jquery/jszip/dist/jszip.js}}
** {{jquery/jszip-utils/dist/jszip-utils-ie.js}}
** {{jquery/jszip-utils/dist/jszip-utils.js}}
* jQuery UI 1.12.1
** {{jquery/jquery-ui.css}}
** {{jquery/jquery-ui.js}}
** {{jquery/jquery-ui.structure.css}}
* and their respective minified versions
It also contains {{script.js}} and {{search.js}} which are
GPLv2-with-Classpath-exception-licenced and refer to “as provided by Oracle in
the LICENSE file that accompanied this code” but no such file accompanies said
code.
There are also multiple static {{resources}} and {{jquery/images}} whose
licence is not documented.
The MIT licence specifically *requires* that “The […] copyright notice and this
permission notice [the licence body] shall be included in all copies or
substantial portions of the Software.” The distribution PKZIP archives (JAR
files) created by the Maven Javadoc Plugin violate this licence, making them
not redistributable.
Similarly, the GPLv2 used by the Oracle-provided files *requires* that
redistributors “give any other recipients of the Program a copy of this License
along with the Program.” The “if not, write to the Free Software Foundation”
comment is specifically *not sufficient* for this and only provided as fallback
should distributors violate this clause, as Maven Javadoc Plugin-generated
PKZIP archives do. To be effective, the Classpath exception must also be
provided.
h2. Suggested fix
Include the following new files:
* {{jquery/LICENCE}} containing the MIT licence and all respective copyright
notices for the various jQuery-related projects (including those _they_
include, i.e. Sizzle, widget.js, position.js, keycode.js, unique-id.js,
widgets/autocomplete.js, widgets/menu.js, pako, and possibly others)
* {{js/LICENSE}} (creating a new subdirectory) containing the Classpath
exception as provided by Oracle
* {{COPYING}} or {{js/COPYING}} (this being the customary name for this file)
containing the verbatim text of the GNU GPL version 2
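An added example, not part of the issue report or of the Maven Javadoc Plugin: a Python audit that opens a JAR and flags the conditions described above (jQuery-family files without {{jquery/LICENCE}}, {{script.js}}/{{search.js}} without the Classpath exception and GPLv2 text, and byte-identical duplicates under {{jquery/}}). The licence-file names are the ones proposed under "Suggested fix", and the sample JAR is constructed in memory with stub contents.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# File names come from the issue text; the licence-file names are the ones
# its "Suggested fix" proposes, so they are assumptions about a fixed JAR.
GPL_SCRIPTS = {"script.js", "search.js"}
MIT_NOTICE = {"jquery/LICENCE"}
CLASSPATH_NOTICE = {"js/LICENSE"}
GPL_TEXT = {"COPYING", "js/COPYING"}


def audit_jar(jar):
    """Return findings for one JAR given as a path or file-like object."""
    findings, digests = [], defaultdict(list)
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith("jquery/") and name.endswith((".js", ".css")):
                digests[hashlib.sha256(zf.read(name)).hexdigest()].append(name)
    if digests and not names & MIT_NOTICE:
        findings.append("MIT-licensed files under jquery/ without jquery/LICENCE")
    if names & GPL_SCRIPTS:
        if not names & CLASSPATH_NOTICE:
            findings.append("GPL scripts without js/LICENSE (Classpath exception)")
        if not names & GPL_TEXT:
            findings.append("GPL scripts without COPYING (GPLv2 text)")
    for paths in digests.values():
        if len(paths) > 1:
            findings.append("duplicate content: " + ", ".join(paths))
    return findings


def build_sample_jar(fixed):
    """Constructed in-memory JAR mimicking the layout the issue describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jquery/external/jquery/jquery.js", "/* jQuery stub */")
        zf.writestr("jquery/jquery-3.5.1.js", "/* jQuery stub */")
        zf.writestr("jquery/jquery-ui.css", "/* jQuery UI stub */")
        zf.writestr("script.js", "/* GPLv2 + Classpath header stub */")
        zf.writestr("search.js", "/* GPLv2 + Classpath header stub */")
        if fixed:
            for name in ("jquery/LICENCE", "js/LICENSE", "COPYING"):
                zf.writestr(name, "placeholder licence text")
    buf.seek(0)
    return buf
```

The audit checks only that the files are present; it does not verify that their text is the actual MIT, Classpath exception or GPLv2 wording.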