Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2084
I ran the `mvn dependency:tree` on current `master` and compared to the
output above. There are only 2 differences aside from the version upgrades:
1. `aopalliance:aopalliance:1.0` moves from
`org.springframework:spring-aop:jar:4.2.4.RELEASE` to
`org.springframework.security:spring-security-core:jar:4.2.3.RELEASE` but has
the same version and license as currently exists.
2. `ring-cors:ring-cors:0.1.5` is a new transitive dependency brought in by
`org.apache.storm:storm-core:jar:1.1.1` after it was upgraded from `1.0.1`.
`ring-cors` uses the [EPL 1.0](https://eclipse.org/org/documents/epl-v10.php),
which is considered [Category B by
Apache](https://www.apache.org/legal/resolved.html#category-b). I believe this
is acceptable from the statement:
> For small amounts of source that is directly consumed by the ASF product
> at runtime in source form, and for which that source is unmodified and unlikely
> to be changed anyway (say, by virtue of being specified by a standard),
> inclusion of appropriately labeled source is also permitted.
There is no existing `LICENSE` or `NOTICE` file in the `nifi-external` or
`nifi-external/nifi-storm-spout` modules, which is where this code is brought
in. @joewitt, please advise on proper license/notice model to follow/copy
here.