We recently did an exercise whereby, for some projects for which we distribute binaries that include "dependencies", we looked inside the dependency Jars being distributed to see if there were any unusual license and notice (and other) files, and we found several; we then manually merged these into the binary distribution's License and Notice files.
We even found one where there was a "crypto notice" - which of course required that we add a crypto notice (and update the apache.org/licenses/exports page).

Some kind of tooling that helps with this process would be a nice addition - basically it has to open up dependent Jars that ship with a distribution and see if it finds anything "interesting" there. It would also be nice if it mostly automatically merged the Licenses and Notices while eliminating duplicates.

-Marshall
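Added example, not part of the original message or of any Apache project's tooling: a Python scan of the kind described above, which opens each dependency jar, collects license and notice style entries, merges identical texts and flags any that mention cryptography for manual review. The filename patterns, the keyword heuristic and the in-memory sample jars are assumptions constructed for illustration.

```python
import hashlib, io, re, zipfile

# Assumed filename patterns for "interesting" entries; extend for your projects.
INTERESTING = re.compile(r"(^|/)(LICEN[CS]E|NOTICE|COPYING|CRYPTO|EXPORT)[^/]*$", re.I)
# Assumed keyword heuristic for texts that may need a crypto/export notice.
CRYPTO_HINT = re.compile(r"cryptograph|encryption|export control", re.I)

def scan_jar(jar_name, jar_bytes):
    """Yield (source, text) for each legal-looking entry inside one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.endswith(".class") or not INTERESTING.search(name):
                continue
            yield f"{jar_name}!/{name}", zf.read(info).decode("utf-8", "replace")

def merge(jars):
    """Map of jar name -> bytes in; list of unique texts with their sources out."""
    merged = {}
    for jar_name in sorted(jars):
        for source, text in scan_jar(jar_name, jars[jar_name]):
            # Hash whitespace-normalized text so reflowed or CRLF copies collapse.
            key = hashlib.sha256(" ".join(text.split()).encode()).hexdigest()
            rec = merged.setdefault(key, {"text": text, "sources": [], "crypto": False})
            rec["sources"].append(source)
            rec["crypto"] = rec["crypto"] or bool(CRYPTO_HINT.search(text))
    return list(merged.values())

def make_jar(entries):
    """Build a jar in memory (used only for the constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample jars, not real dependencies.
SAMPLE_JARS = {
    "lib/alpha-1.0.jar": make_jar({
        "META-INF/LICENSE.txt": "Example License A\nPermission granted.\n",
        "META-INF/NOTICE": "Alpha\nCopyright Example Org\n",
        "org/ex/LicenseCheck.class": "stub"}),
    "lib/beta-2.1.jar": make_jar({
        "META-INF/LICENSE": "Example License A\r\n  Permission granted.\r\n",
        "META-INF/CRYPTO-NOTICE.txt": "This distribution includes cryptographic software.\n"}),
}

if __name__ == "__main__":
    for rec in merge(SAMPLE_JARS):
        flag = " [CRYPTO: review]" if rec["crypto"] else ""
        print(f"{len(rec['sources'])} source(s){flag}: {', '.join(rec['sources'])}")
```

Deduplication here is exact after whitespace normalization, so licenses that differ only in a copyright line stay separate and still need a human merge.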
