[https://issues.apache.org/jira/browse/SOLR-15465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17360658#comment-17360658]
Jan Høydahl commented on SOLR-15465:
------------------------------------
I see the benefit of checking in the sha1 sums so you get alerted if a jar
changes.
I also agree it is good to know the license of all our dependencies. But we are
legally allowed to USE more licenses in the DEV/test workflow than we are
allowed to re-distribute, so treating them specially is logical.
When someone downloads our release tar and looks in the licenses folder, there
are 593 files, of which 48 are related to non-shipped jars. The intention of a
licenses/ folder is for end users to be able to know what they will be running
(and potentially re-distributing). Thus the content of the licenses/ folder
should match the shipped files as closely as possible. Some ASF projects even
have different LICENSE/NOTICE files in source and binary distributions since
source distros don't ship the jars, but I'm not proposing that right now.
A practical approach, to keep the benefit of tracking jar sha's, and be
internally aware of dependency licenses, is for the build to generate another
folder "test-licenses" which is not packaged up in the release. The folder
could either have the same structure and files, and we could accept empty files
like "byte-buddy-LICENSE-ASL.txt", or some different structure to record the
license of each test-dependency.
> Do not require LICENSE and NOTICE files for test-dependencies
> -------------------------------------------------------------
>
> Key: SOLR-15465
> URL: https://issues.apache.org/jira/browse/SOLR-15465
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Build
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
>
> Our current build (and the ant build before it) checks that every single jar,
> even test dependencies, has a .sha1 file in the licenses/ folder along with a
> LICENSE file and optionally a NOTICE file.
> However, according to [https://infra.apache.org/licensing-howto.html] we only
> need to supply LICENSE/NOTICE files for bits we ship, either as copy/pasted
> source code in the source dist or jar deps in the binary dist.
> Thus, I think we can stop shipping those LICENSE/NOTICE files for deps that
> we never distribute. Perhaps the sha1 files should remain for extra
> validation of binaries pulled from mvn, I don't know.
> [~dsmiley] [~dweiss]
> This probably goes for the Lucene build too.
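The check described in the issue (every jar must have a pinned .sha1 plus a LICENSE and optional NOTICE in licenses/) and the comment's two proposals (keep the checksum pinning, and keep licence metadata for test-only jars in a separate test-licenses/ folder that is not packaged) can be sketched as a small verifier. The script below is an added example, not Solr's or Lucene's build code; the directory layout (lib/, test-lib/, licenses/, test-licenses/), the `<name>-<version>.jar` naming rule and the sample jar contents are all constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical layout assumed by this example (modelled on the comment, not
# Solr's actual build):
#   lib/<name>-<version>.jar            jars shipped in the binary release
#   test-lib/<name>-<version>.jar       test-only jars, never distributed
#   licenses/<jar>.sha1                 pinned checksum for each shipped jar
#   licenses/<name>-LICENSE-<tag>.txt   licence text (required, may be empty)
#   licenses/<name>-NOTICE.txt          notice text (optional)
#   test-licenses/...                   same structure for test jars, not packaged
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)\.jar$")


def sha1_of(path: Path) -> str:
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def artifact_name(jar: Path) -> str:
    """'byte-buddy-1.10.jar' -> 'byte-buddy'; falls back to the stem if no version is found."""
    match = JAR_RE.match(jar.name)
    return match.group("name") if match else jar.stem


def check_jars(jar_dir: Path, license_dir: Path) -> list[str]:
    """Verify each jar in jar_dir against its pinned .sha1 and LICENSE file.

    Returns human-readable problems; an empty list means the folder is consistent.
    A tampered or swapped jar shows up as a sha1 mismatch, a jar with no pinned
    checksum as 'missing ...sha1'. An empty LICENSE file is accepted, as the
    comment suggests for test-only dependencies.
    """
    problems: list[str] = []
    for jar in sorted(jar_dir.glob("*.jar")):
        sha_file = license_dir / f"{jar.name}.sha1"
        if not sha_file.is_file():
            problems.append(f"{jar.name}: missing {sha_file.name}")
        else:
            # .sha1 files hold the hex digest, possibly followed by a filename
            expected = sha_file.read_text().split()[0].lower()
            actual = sha1_of(jar)
            if expected != actual:
                problems.append(f"{jar.name}: sha1 mismatch (expected {expected}, got {actual})")
        name = artifact_name(jar)
        if not any(license_dir.glob(f"{name}-LICENSE-*.txt")):
            problems.append(f"{jar.name}: missing {name}-LICENSE-*.txt")
    return problems


def stale_license_entries(jar_dir: Path, license_dir: Path) -> list[str]:
    """Entries in license_dir that belong to no jar in jar_dir.

    This is the mismatch the comment describes: licence metadata shipped for
    jars the release never actually contains.
    """
    jar_files = {jar.name for jar in jar_dir.glob("*.jar")}
    names = {artifact_name(jar) for jar in jar_dir.glob("*.jar")}
    stale = []
    for entry in sorted(license_dir.iterdir()):
        if entry.suffix == ".sha1":
            if entry.name[: -len(".sha1")] not in jar_files:
                stale.append(entry.name)
        elif re.sub(r"-(LICENSE-.*|NOTICE)\.txt$", "", entry.name) not in names:
            stale.append(entry.name)
    return stale


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree: one good shipped jar, one tampered jar with no
    licence, a leftover licence entry for an unshipped jar, and one test-only jar."""
    for d in ("lib", "test-lib", "licenses", "test-licenses"):
        (root / d).mkdir()
    good = root / "lib" / "foo-1.2.3.jar"
    good.write_bytes(b"PK\x03\x04 constructed jar contents")
    (root / "licenses" / "foo-1.2.3.jar.sha1").write_text(sha1_of(good) + "\n")
    (root / "licenses" / "foo-LICENSE-ASL.txt").write_text("Apache License 2.0\n")
    (root / "licenses" / "foo-NOTICE.txt").write_text("constructed notice\n")
    tampered = root / "lib" / "bar-2.0.jar"
    tampered.write_bytes(b"PK\x03\x04 content differs from the pinned checksum")
    (root / "licenses" / "bar-2.0.jar.sha1").write_text("0" * 40 + "\n")  # stale pin, no LICENSE
    (root / "licenses" / "old-dep-0.9.jar.sha1").write_text("1" * 40 + "\n")  # jar not shipped
    (root / "licenses" / "old-dep-LICENSE-MIT.txt").write_text("MIT\n")
    test_jar = root / "test-lib" / "byte-buddy-1.10.jar"
    test_jar.write_bytes(b"PK\x03\x04 constructed test-only jar")
    (root / "test-licenses" / "byte-buddy-1.10.jar.sha1").write_text(sha1_of(test_jar) + "\n")
    (root / "test-licenses" / "byte-buddy-LICENSE-ASL.txt").write_text("")  # empty placeholder


def run_demo() -> dict[str, list[str]]:
    """Run all three checks over the constructed tree and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return {
            "shipped": check_jars(root / "lib", root / "licenses"),
            "stale": stale_license_entries(root / "lib", root / "licenses"),
            "test": check_jars(root / "test-lib", root / "test-licenses"),
        }


if __name__ == "__main__":
    for section, issues in run_demo().items():
        print(section, issues or "OK")
```

Run it as-is to see the three findings: the tampered shipped jar fails both the checksum and the LICENSE check, the `old-dep` entries are reported as stale because no shipped jar matches them, and the test-only jar passes with its empty LICENSE placeholder. In a real build the `stale` list is what you would want to be empty before packaging licenses/, while test-licenses/ is checked but never copied into the release.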
--
This message was sent by Atlassian Jira
(v8.3.4#803005)