JinwooHwang opened a new pull request, #7961: URL: https://github.com/apache/geode/pull/7961
## Overview

This pull request comprehensively updates the Apache Geode LICENSE file to accurately reflect the current state of third-party dependencies. The changes include removing the CDDL dependency list, adding a new EPL 2.0 license section for Jakarta EE components, and updating dependency versions across multiple license sections to match the actual dependencies used in the project.

## Related Issue

- **JIRA**: GEODE-10511
- **Branch**: `feature/GEODE-10511`

## Problem Statement

The LICENSE file was outdated and contained several inaccuracies:

1. **CDDL Dependencies Section**: Listed legacy Java EE dependencies (javax.*) and old Jakarta versions that are no longer used in the project. The project has migrated to Jakarta EE 10 with different dependencies and licenses.
2. **Missing EPL 2.0 Section**: No dedicated section existed for Eclipse Public License 2.0 dependencies, even though multiple Jakarta EE components use this license.
3. **Outdated Versions**: Dependency versions listed across multiple license sections (BSD, EDL, MIT) did not match the actual versions used in the project's build configuration.
4. **Incorrect License Attribution**: The CDDL section incorrectly implied that current Jakarta EE components use CDDL, when they actually use EPL 2.0 with GPL-2.0 and Classpath Exception.

## Changes Made

### 1. Removed Outdated CDDL Dependencies

Removed the following legacy Java EE dependencies from the CDDL section:

- javax.activation v1.2.0
- javax.mail v1.6.2
- javax.resource v1.7.1
- javax.servlet v3.1.0
- javax.transaction v1.3
- jaxb v2.3.2

### 2. Added New EPL 2.0 License Section

Created a new section documenting components under EPL 2.0 with GPL-2.0 and Classpath Exception:

```
---------------------------------------------------------------------------
The EPL 2.0 License (https://www.eclipse.org/legal/epl-2.0/)
---------------------------------------------------------------------------

Apache Geode bundles the following files under the Eclipse Public License 2.0 with the Secondary License of GPL-2.0 with Classpath Exception:

  - jakarta.annotation v2.1.1 (https://github.com/jakartaee/common-annotations-api)
  - jakarta.el v5.0.0 (https://github.com/jakartaee/expression-language)
  - jakarta.interceptor v2.1.0 (https://github.com/jakartaee/interceptors)
  - jakarta.mail v2.1.2 (https://github.com/jakartaee/mail-api)
  - jakarta.resource v2.1.0 (https://github.com/jakartaee/connectors)
  - jakarta.servlet v6.0.0 (https://github.com/jakartaee/servlet)
  - jakarta.transaction v2.0.1 (https://github.com/jakartaee/transactions)

For the full EPL 2.0 license text, see: https://www.eclipse.org/legal/epl-2.0/
```

### 3. Updated EDL 1.0 Section

Updated the Eclipse Distribution License (EDL 1.0) section with current JAXB versions:

**Removed:**

- istack-commons-runtime v4.0.1
- jakarta.activation v1.2.1
- jakarta.validation v2.0.2
- jakarta.xml.bind v2.3.2

**Added:**

- istack-commons-runtime v4.1.1
- jakarta.xml.bind v4.0.2
- jaxb-core v4.0.2
- jaxb-runtime v4.0.2
- txw2 v4.0.2

### 4. Updated BSD 3-Clause Section

Updated component versions in the BSD 3-Clause section:

**Added:**

- angus-activation v2.0.0 (https://github.com/eclipse-ee4j/angus-activation)
- jakarta.activation v2.1.3 (https://github.com/jakartaee/jaf-api)

**Updated:**

- ASM v9.1 → v9.8

### 5. Updated MIT License Section

Updated SLF4J version:

- SLF4J API v1.7.36 → v2.0.17

## Verification

### License Verification Process

All Jakarta EE component licenses were verified through:

1. **Maven Central Repository**: Checked license declarations on https://mvnrepository.com/
2. **Official GitHub Repositories**: Verified LICENSE.md files in Jakarta EE project repositories
3. **Eclipse Foundation Documentation**: Confirmed license terms at https://www.eclipse.org/legal/epl-2.0/

### Specific Verifications

- **jakarta.servlet v6.0.0**: Verified at https://github.com/jakartaee/servlet (EPL 2.0 + GPL-2.0 with Classpath Exception)
- **jakarta.transaction v2.0.1**: Verified at https://github.com/jakartaee/transactions (EPL 2.0 + GPL-2.0 with Classpath Exception)
- All other Jakarta EE components: Verified through their respective GitHub repositories under jakartaee organization

### Build Dependency Verification

Confirmed actual dependency versions used in the project:

- Checked `build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy`
- Verified that listed versions match those declared in the project's build configuration

## Impact

### Legal Compliance

- Ensures accurate license attribution for all bundled dependencies
- Properly documents EPL 2.0 with Secondary License terms
- Removes references to legacy dependencies no longer in use

### Documentation

- LICENSE file now accurately reflects the Jakarta EE 10 migration
- Provides correct license information for downstream users and distributions
- Maintains compliance with Apache Software Foundation requirements

### No Functional Changes

- This is a documentation-only change
- No code modifications
- No impact on build process or runtime behavior

## Testing

### Validation Steps Completed

1. Verified all Jakarta EE component licenses through official sources
2. Confirmed dependency versions match project build configuration
3. Reviewed diff to ensure no unintended changes
4. Validated LICENSE file formatting and structure

### Expected Results

- LICENSE file accurately documents all third-party dependencies
- All Jakarta EE components properly listed under EPL 2.0 section
- CDDL section retained for historical reference (license text preserved)
- No build or runtime impacts

## Files Changed

- `geode-assembly/src/main/dist/LICENSE` (43 insertions, 16 deletions)

## Checklist

- [x] Verified license information with official sources
- [x] Updated dependency versions to match current project configuration
- [x] Removed obsolete dependency references
- [x] Added new license section for EPL 2.0
- [x] Maintained proper LICENSE file formatting
- [x] No functional code changes
- [x] Changes committed and pushed to feature branch

## Additional Notes

### Why Keep CDDL Section?

The CDDL 1.1 license section (including full license text) has been retained even though no current dependencies use it. This is intentional for:

1. **Historical Reference**: Documents license terms that were used in previous versions
2. **Legal Compliance**: Ensures proper attribution for historical distributions
3. **Conservative Approach**: Avoids potential legal issues from removing license text prematurely

### Jakarta EE License Structure

Jakarta EE components use a dual-license structure:

- **Primary License**: Eclipse Public License 2.0 (EPL 2.0)
- **Secondary License**: GPL-2.0 with Classpath Exception

This allows users to choose between EPL 2.0 or GPL-2.0 with Classpath Exception, providing maximum flexibility for different use cases.

## Reviewer Notes

### Key Review Points

1. **License Accuracy**: Verify that all Jakarta EE components are correctly listed under EPL 2.0
2. **Version Correctness**: Confirm listed versions match those in `DependencyConstraints.groovy`
3. **Format Consistency**: Check that formatting follows existing LICENSE file conventions
4. **Completeness**: Ensure no dependencies were accidentally omitted

### References for Review

- Jakarta EE Projects: https://github.com/jakartaee
- EPL 2.0 License Text: https://www.eclipse.org/legal/epl-2.0/
- Maven Central (for license verification): https://mvnrepository.com/

---

### For all changes, please confirm:

- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [x] Has your PR been rebased against the latest commit within the target branch (typically `develop`)?
- [x] Is your initial contribution a single, squashed commit?
- [x] Does `gradlew build` run cleanly?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
