Thanks for taking this on Alex, it's a terrific bit of work. I've looked it all over and added my approval, but I won't merge anything now, as I expect others will want to look at it too.
Best,
Geoff

On Tue, 2 Jun 2020 at 10:48, Alex Heneveld <a...@cloudsoft.io> wrote:
>
> Hi team-
>
> I've taken a deeper look at the license/notice issues raised by Justin and I think I have resolved them in PR [1] (and various PRs it references). A summary is below. Justin, thank you for spotting these bugs.
>
> If anyone has comments please reply here or on the issue [1].
>
> Regarding the use of Category-X [2] licenses:
>
> * net.java.dev.jna - this is dual-licensed under LGPL and ASL; the NOTICE incorrectly stated it was being used under the former; it now correctly states it is being used under the latter
>
> * com.google.code.findbugs.annotations - Apache Brooklyn does not use nor depend on this LGPL project. It is a compile-time-only dependency of libraries we use, but not accurately reported in those libraries as compile-time-only dependencies and so was picked up as a transient dependency of Apache Brooklyn. Our Maven POMs now explicitly exclude this so it is no longer treated as a dependency, not included in our binary dist, and not noted in NOTICE.
>
> * With the above two fixes there are no longer any Category-X [2] licenses in our source or binary builds.
>
>
> Regarding the information included in our NOTICE files:
>
> * Our source dist and JAR NOTICE files (in the root of projects, in JARs and in the source dist artifact) previously for convenience reported the binary dependencies pulled in. These were clearly labelled as such but nevertheless contrary to the philosophy that NOTICE files should contain only what is legally required. These NOTICES have been fixed so that they only list third-party artifacts actually included in our source. Consequently they are much, much smaller.
>
> * Our binary dist NOTICE files (in binary TGZs, RPMs, WARs and all other binary artifacts) list all runtime dependencies included in the binary dist where a custom notice, attribution, and/or license for that dependency is appropriate. Where there is doubt about any such obligation we have erred on the side of inclusion.
>
> * A non-statutory DEPENDENCIES file is now included alongside the source dist NOTICE files advising what binary dependencies will be included in the built artifact. This file contains what was formerly in the source dist NOTICE files. This makes it easy for users to analyse the full set of dependencies of Apache Brooklyn without conferring the undue legal burden entailed by including this information in any of the statutory NOTICE files.
>
>
> There are some additional changes:
>
> * Some libraries have been updated or added recently and use the new licenses EPL v2 and EDL v1 which were not previously recognised
>
> * Some dependencies were overlooked in some reports where the "karaf" project did not depend on the bundles it incorporates; this is remedied, and the license/notice generation only applies to that relevant project (and license-gen runs faster by only running on that project)
>
> * Some icons had been added from Apache projects and elsewhere, with no NOTICE; this is remedied
>
> I believe with [1] all LICENSE and NOTICE files will now be current, correct, and compliant with Apache policy.
>
> Best
> Alex
>
>
> [1] https://github.com/apache/brooklyn-dist/pull/164
>
> [2] https://www.apache.org/legal/resolved.html#category-x
>
>
> On 18/05/2020 10:18, Aled Sage wrote:
> > Hi Justin,
> >
> > Thanks for spotting this and reaching out.
> >
> > Looking at the license/notice generation, I think there are two things that went wrong for the 1.0 release:
> >
> > 1. The maven license plugin [1] picked the wrong license for dependencies when there were multiple to choose from (i.e. LGPL vs Apache 2.0 in [2]).
> >
> > 2. We're trying to include far too much stuff in NOTICE. Quoting the really useful link you shared [3]:
> >
> > "Do not add anything to NOTICE which is not legally required."
> >
> > ---
> >
> > We should review point 1 above to confirm there really are no licenses that are forbidden in Apache projects. And we should review point 2 to change the way we generate NOTICE files so it doesn't include everything.
> >
> > Aled
> >
> > [1] https://github.com/ahgittin/license-audit-maven-plugin
> >
> > [2] https://github.com/java-native-access/jna/blob/master/pom-jna.xml
> >
> > [3] http://www.apache.org/dev/licensing-howto.html
> >
> > [4] https://www.apache.org/legal/resolved.html#category-x
> >
> >
> > On 17/05/2020 10:20, Justin Mclean wrote:
> >> Hi,
> >>
> >> I was reviewing your board report and mailing list and took a look at your release. The current LICENSE and NOTICE are not in line with ASF policy. For instance, your license contains licenses that can't be used in a source release. I think what you have misunderstood is that you're listing the licenses of all dependencies rather than just what is bundled in the release. Your notice file also doesn't need to list dependencies but just required notices, content from other ALv2 notice files and relocated copyright notices. This is a good guide [1] if you need help on fixing this, please reach out.
> >>
> >> Thanks,
> >> Justin
> >>
> >> 1. http://www.apache.org/dev/licensing-howto.html
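Two of the problems in the thread above are mechanical enough to check in code: Aled's point 1 (a dual-licensed artifact such as jna being recorded under its LGPL option rather than its Apache 2.0 option) and Alex's fix for the findbugs annotations artifact (dropping it via a POM exclusion so it never appears in the shipped dependency set). The following is an added example, not code from Apache Brooklyn or the license-audit plugin. It assumes a small, constructed license-to-category table, Maven-style `groupId:artifactId` coordinates, and LGPL version numbers in the sample data that are constructed for illustration, not taken from the thread. It applies the general rule (prefer the best ASF category among the options an artifact declares, and refuse to report "unknown" as acceptable) rather than just the two cases named.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lookup table: license identifier -> ASF category.
# Category A is freely includable, B is includable with conditions,
# X may not be included in an ASF release at all.
CATEGORY: Dict[str, str] = {
    "Apache-2.0": "A",
    "EDL-1.0": "A",
    "EPL-2.0": "B",
    "LGPL-2.1": "X",
    "LGPL-3.0": "X",
}
# Lower rank is better; used to pick among a dual-licensed artifact's options.
RANK = {"A": 0, "B": 1, "X": 2}


@dataclass(frozen=True)
class Dependency:
    coordinates: str            # assumed groupId:artifactId form
    licenses: Tuple[str, ...]   # every license the upstream POM declares


def choose_license(licenses) -> Tuple[Optional[str], str]:
    """Pick the license a downstream project should consume an artifact under:
    the option in the best ASF category. Identifiers the table does not know
    are reported as 'unknown' rather than silently treated as acceptable."""
    known = [lic for lic in licenses if lic in CATEGORY]
    if not known:
        return None, "unknown"
    best = min(known, key=lambda lic: RANK[CATEGORY[lic]])
    return best, CATEGORY[best]


def audit(deps: List[Dependency], exclusions=frozenset()) -> Dict[str, list]:
    """Audit the dependency set that will actually ship.

    `exclusions` models the POM <exclusions> described in the thread: excluded
    coordinates never reach the report, so they contribute no license and no
    NOTICE entry. The result lists the chosen license per shipped dependency
    and separates Category-X and unknown findings for follow-up."""
    report: Dict[str, list] = {"chosen": {}, "category_x": [], "unknown": [], "excluded": []}
    for dep in deps:
        if dep.coordinates in exclusions:
            report["excluded"].append(dep.coordinates)
            continue
        lic, cat = choose_license(dep.licenses)
        if cat == "unknown":
            report["unknown"].append(dep.coordinates)
        elif cat == "X":
            report["category_x"].append(dep.coordinates)
        else:
            report["chosen"][dep.coordinates] = lic
    return report


# Constructed sample modelled on the thread: a dual-licensed artifact, an
# LGPL-only transitive artifact, and two hypothetical extras.
SAMPLE_DEPS = [
    Dependency("net.java.dev.jna:jna", ("LGPL-2.1", "Apache-2.0")),
    Dependency("com.google.code.findbugs:annotations", ("LGPL-3.0",)),
    Dependency("org.example:eclipse-thing", ("EPL-2.0",)),   # hypothetical
    Dependency("org.example:mystery", ("Custom-License",)),  # hypothetical
]


def summarize(report: Dict[str, list]) -> str:
    """One-line human summary, handy for a CI log."""
    return (f"shipped={len(report['chosen'])} category_x={report['category_x']} "
            f"unknown={report['unknown']} excluded={report['excluded']}")


if __name__ == "__main__":
    print("before exclusion:", summarize(audit(SAMPLE_DEPS)))
    print("after exclusion: ", summarize(
        audit(SAMPLE_DEPS, exclusions={"com.google.code.findbugs:annotations"})))
```

Run as-is, the first audit flags the findbugs artifact as Category X and records jna under Apache-2.0; the second, with the exclusion applied, reports no Category-X findings. The "unknown" bucket is deliberate: a generator that maps unrecognised identifiers to "fine" is how new licenses such as EPL v2 and EDL v1 slip through unreviewed.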