[ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125098#comment-13125098 ]
Scott Wilson commented on WOOKIE-250:
-------------------------------------
Just had a quick look over what gets packaged in the releases:
Src version:
- the various libraries used in widgets, connector and features such as JQuery,
FlexiFrame etc
- source code for UrlEncodedQueryString.java
WAR version packages src plus:
activation-1.1.jar
ant-1.7.0.jar
ant-launcher-1.7.0.jar
commons-beanutils-1.7.0.jar
commons-beanutils-core-1.7.0.jar
commons-codec-1.5.jar
commons-collections-3.2.jar
commons-compress-1.0.jar
commons-configuration-1.4.jar
commons-digester-1.8.jar
commons-email-1.1.jar
commons-fileupload-1.2.1.jar
commons-httpclient-3.0.1.jar
commons-io-1.4.jar
commons-lang-2.4.jar
commons-logging-1.1.1.jar
commons-logging-api-1.0.4.jar
commons-pool-1.3.jar
dom4j-1.6.1.jar
dwr-2.0.5.jar
google-collections-1.0-rc2.jar
htmlcleaner-2.2.jar
icu4j-4.6.1.jar
jdom-1.1.jar
json-20080701.jar
junit-3.8.1.jar
log4j-1.2.14.jar
mail-1.4.jar
openjpa-all-2.0.0.jar
shindig-common-2.0.0.jar
slf4j-api-1.5.2.jar
slf4j-log4j12-1.5.2.jar
wookie-java-connector-0.9.1-incubating-SNAPSHOT.jar
wookie-parser-0.9.1-incubating-SNAPSHOT.jar
xml-apis-1.0.b2.jar
Standalone: Same as WAR plus:
ant-1.6.5.jar
commons-dbcp-1.2.2.jar
core-3.1.1.jar
derby-10.4.2.0.jar
geronimo-spec-jta-1.0.1B-rc4.jar
jetty-6.1.3.jar
jetty-naming-6.1.3.jar
jetty-plus-6.1.3.jar
jetty-util-6.1.3.jar
jsp-2.1-6.1.3.jar
jsp-api-2.1-6.1.3.jar
servlet-api-2.5-6.1.3.jar
======
If we remove the ASF project jars we just get:
WAR version packages src plus:
activation-1.1.jar
dom4j-1.6.1.jar
dwr-2.0.5.jar
google-collections-1.0-rc2.jar
htmlcleaner-2.2.jar
icu4j-4.6.1.jar
jdom-1.1.jar
json-20080701.jar
junit-3.8.1.jar
log4j-1.2.14.jar
mail-1.4.jar
slf4j-api-1.5.2.jar
slf4j-log4j12-1.5.2.jar
xml-apis-1.0.b2.jar
Standalone: Same as WAR plus:
core-3.1.1.jar
derby-10.4.2.0.jar
geronimo-spec-jta-1.0.1B-rc4.jar
jetty-6.1.3.jar
jetty-naming-6.1.3.jar
jetty-plus-6.1.3.jar
jetty-util-6.1.3.jar
jsp-2.1-6.1.3.jar
jsp-api-2.1-6.1.3.jar
servlet-api-2.5-6.1.3.jar
> Improve license files
> ---------------------
>
> Key: WOOKIE-250
> URL: https://issues.apache.org/jira/browse/WOOKIE-250
> Project: Wookie
> Issue Type: Improvement
> Components: Project Administration
> Affects Versions: 0.9.1
> Environment: n/a
> Reporter: Paul Sharples
> Assignee: Paul Sharples
> Fix For: 0.9.1
>
>
> Ate made some suggestions we might make to our license files when he reviewed
> the 0.9.0 release on the wookie-dev list. Creating an issue for it here so
> it's more visible for 0.9.1
> * wookie.war has DISCLAIMER/LICENSE/NOTICE/RUNTIME_LICENSE files in root
> folder:
> Having these files in the war root means these will be accessible as web
> resources... While still pretty harmless in this case/release, it's a bad
> practice and could actually pose a security issue as everyone can thereby
> find/read which runtime artifacts (including their version) are in use.
> The expected/advised location for these files would be under /META-INF.
> * NOTICE/LICENSE/RUNTIME_LICENSE files in general:
> The current ASF policy is that these files only need/should attribute
> whatever is actually packaged (note: this equally concerns the svn tree,
> which in itself can and should be regarded as a "distribution"). Anything not
> "packaged" need (should) not be attributed. These files serve a legal purpose
> only, and anything not needed and/or redundant will only make it more
> difficult to maintain and validate properly.
> Dependencies not packaged/distributed, but for instance needed (only) for
> building are not required to be attributed in these files. If there are
> specific (build/runtime) requirements users should be aware of then those
> should be mentioned and explained in additional README, BUILD_NOTES, etc.
> files, only.
> * License attribution to other ASF projects packaged sources/artifacts:
> From a legal POV, this is not needed: the basic (required) NOTICE and LICENSE
> attribution that the distribution includes ASF produced software under the
> ASL 2.0 license already covers all legal requirements.
> While mentioning each and every other ASF project source/artifact in the
> LICENSE files is not harmful in any way, it is a lot of extra and unneeded
> effort not easy to maintain properly.
> For example, the LICENSE file does mention the
> shindig-common-1.1-BETA5-incubating.jar (which is *not* packaged in the
> source distribution, more about that below), but does not mention
> shindig/dist/shindig-features-1.1-BETA5-incubating.jar which *is* packaged in
> the source distribution. However neither is really problematic as it isn't needed
> anyway
> Another example is some extra jackrabbit jars which are not mentioned in
> either the LICENSE or RUNTIME_LICENSE file but are packaged with the binary
> distributions.
> And while commons-io and commons-email are mentioned in the LICENSE file (but
> not packaged in the source distribution), they are not mentioned in the
> RUNTIME_LICENSE file while they *are* packaged in the binary distributions.
> * RUNTIME_LICENSE file:
> - The RUNTIME_LICENSE file is used/intended to cover the requirements for
> (both) the binary distributions, wookie war/standalone.
> However, as a single file it covers both distributions while the war
> distribution does not package several artifacts (and thus licenses) contained
> in the standalone distribution (Eclipse, Jetty, Servlet/JSP etc.)
> From a legal POV, this is not "wrong", but AFAIK not ideal either.
> To "solve" this however would require maintaining two separate
> RUNTIME_LICENSE files which isn't ideal either. I have no strong opinion on
> this but it might be considered to split these files up if causing not too
> much of a burden to maintain.
> - More/most serious is the omission of the 3rd party license attributions for
> many (all?) of the packaged Widgets in the RUNTIME_LICENSE file. While these
> are distributed as "source", they are (thereby) packaged in the binary
> distributions and as such *should* be attributed in the RUNTIME_LICENSE file.
> However, as these 3rd party licenses are properly mentioned in the LICENSE
> file which also is packaged in the binary distribution, legally everything
> probably is still OK, even if somewhat confusing.
> - My suggestion for future releases however is to consider packaging only a
> single LICENSE file within a release artifact/distribution and thus
> maintain separate LICENSE files for source and binary distributions
> (optionally even two for the latter). And the same holds for the NOTICE file
> which currently also covers everything for both source and binary
> distributions.
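
A check for the first point in the quoted issue description (legal files in the WAR root are served as web resources and reveal which runtime artifact versions are in use), as an added example that is not part of the original message or of Wookie's own code. The function names and the sample WAR are constructed for illustration; the check goes slightly beyond the root folder by flagging such files anywhere outside META-INF/ and WEB-INF/, the two directories a servlet container does not serve.

```python
import io
import re
import zipfile

# File names the issue lists as sitting in the WAR root.
LEGAL_NAMES = {"DISCLAIMER", "LICENSE", "NOTICE", "RUNTIME_LICENSE"}
# Servlet containers do not serve anything below these directories.
PROTECTED_PREFIXES = ("META-INF/", "WEB-INF/")
# Versioned jar names such as dwr-2.0.5.jar or geronimo-spec-jta-1.0.1B-rc4.jar.
JAR_VERSION = re.compile(r"[\w.-]+-\d[\w.-]*\.jar")


def audit_war(war_bytes):
    """Return (legal files a client could fetch, jar versions they reveal)."""
    exposed, leaked = [], set()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.endswith("/") or name.startswith(PROTECTED_PREFIXES):
                continue
            # Match LICENSE, LICENSE.txt, docs/NOTICE and similar.
            stem = name.rsplit("/", 1)[-1].split(".")[0].upper()
            if stem in LEGAL_NAMES:
                exposed.append(name)
                text = war.read(name).decode("utf-8", errors="replace")
                leaked.update(JAR_VERSION.findall(text))
    return sorted(exposed), sorted(leaked)


def build_sample_war(legal_dir):
    """Constructed sample WAR; legal_dir is '' (root) or 'META-INF/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("index.html", "<html></html>")
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/dwr-2.0.5.jar", b"")
        war.writestr(legal_dir + "NOTICE", "Apache Wookie")
        war.writestr(legal_dir + "RUNTIME_LICENSE",
                     "dwr-2.0.5.jar: Apache License 2.0\n"
                     "jetty-6.1.3.jar: Apache License 2.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for layout in ("", "META-INF/"):
        files, versions = audit_war(build_sample_war(layout))
        print(repr(layout), "exposed:", files, "versions revealed:", versions)
```

Run against a release WAR as a build step, a non-empty first list means the packaging still places legal files where any client can request them.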