On 05/06/2017 09:53 PM, Emmanuel Lécharny wrote: > but I can't cas a +1 : the N&L are lacking some required external > licenses (MIT for mockito, qos.ch for slf4j, BSD for harmcrest, ASM is > BSD, and bytebuddy depends on it, Junit is ECL, Netty has a NOTICE file > just must be included - see > https://github.com/netty/netty/blob/4.1/NOTICE.txt- , and has *many* > dependencies on other products, that must be listed if used -see > https://github.com/netty/netty/tree/4.1/license-)
I don't think we have to list all those licenses. As far as I see for Kerby we only distribute the source (which is ASLv2 only) and the JARs. We don't distribute any artifact that bundles any third-party dependency. [1] clearly states: "Dependencies which are not included in the distribution MUST NOT be added to LICENSE and NOTICE. As far as LICENSE and NOTICE are concerned, only bundled bits matter." But maybe I'm wrong and Maven dependencies count as "bundled"? Kind Regards, Stefan [1] https://www.apache.org/dev/licensing-howto.html#bundled-vs-non-bundled
