[ https://issues.apache.org/jira/browse/WOOKIE-250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13125169#comment-13125169 ]

Scott Wilson commented on WOOKIE-250:
-------------------------------------

OK, I'll get started on this now.
                
> Improve license files
> ---------------------
>
>                 Key: WOOKIE-250
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-250
>             Project: Wookie
>          Issue Type: Improvement
>          Components: Project Administration
>    Affects Versions: 0.9.1
>         Environment: n/a
>            Reporter: Paul Sharples
>            Assignee: Scott Wilson
>             Fix For: 0.9.1
>
>
> Ate made some suggestions we might make to our license files when he reviewed 
> the 0.9.0 release on the wookie-dev list. Creating an issue for it here so 
> it's more visible for 0.9.1.
> * wookie.war has DISCLAIMER/LICENSE/NOTICE/RUNTIME_LICENSE files in root 
> folder:
> Having these files in the war root means these will be accessible as web 
> resources... While still pretty harmless in this case/release, it's a bad 
> practice and could actually pose a security issue as everyone can thereby 
> find/read which runtime artifacts (including their version) are in use.
> The expected/advised location for these files would be under /META-INF.
> * NOTICE/LICENSE/RUNTIME_LICENSE files in general:
> The current ASF policy is that these files only need/should attribute 
> whatever is actually packaged (note: this equally concerns the svn tree, 
> which in itself can and should be regarded as a "distribution"). Anything not 
> "packaged" need (should) not be attributed. These files serve a legal purpose 
> only, and anything not needed and/or redundant will only make it more 
> difficult to maintain and validate properly.
> Dependencies not packaged/distributed, but for instance needed (only) for 
> building, are not required to be attributed in these files. If there are 
> specific (build/runtime) requirements users should be aware of then those 
> should be mentioned and explained in additional README, BUILD_NOTES, etc. 
> files, only.
> * License attribution to other ASF projects packaged sources/artifacts:
> From a legal POV, this is not needed: the basic (required) NOTICE and LICENSE 
> attribution that the distribution includes ASF-produced software under the 
> ASL 2.0 license already covers all legal requirements.
> While mentioning each and every other ASF project source/artifact in the 
> LICENSE files is not harmful in any way, it is a lot of extra and unneeded 
> effort not easy to maintain properly.
> For example, the LICENSE file does mention the
> shindig-common-1.1-BETA5-incubating.jar (which is *not* packaged in the 
> source distribution, more about that below), but does not mention
> shindig/dist/shindig-features-1.1-BETA5-incubating.jar which *is* packaged in 
> the source distribution. However neither is really problematic as it isn't needed
> anyway.
> Another example is some extra jackrabbit jars which are not mentioned in 
> either the LICENSE or RUNTIME_LICENSE file but are packaged with the binary 
> distributions.
> And while commons-io and commons-email are mentioned in the LICENSE file (but 
> not packaged in the source distribution), they are not mentioned in the 
> RUNTIME_LICENSE file while they *are* packaged in the binary distributions.
> * RUNTIME_LICENSE file:
> - The RUNTIME_LICENSE file is used/intended to cover the requirements for 
> (both) the binary distributions, wookie war/standalone.
> However, as a single file it covers both distributions while the war 
> distribution does not package several artifacts (and thus licenses) contained 
> in the standalone distribution (Eclipse, Jetty, Servlet/JSP etc.).
> From a legal POV, this is not "wrong", but AFAIK not ideal either.
> To "solve" this however would require maintaining two separate 
> RUNTIME_LICENSE files which isn't ideal either. I have no strong opinion on 
> this but it might be considered to split these files up if it does not cause too 
> much of a burden to maintain.
> - More/most serious is the omission of the 3rd party license attributions for 
> many (all?) of the packaged Widgets in the RUNTIME_LICENSE file. While these 
> are distributed as "source", they are (thereby) packaged in the binary 
> distributions and as such *should* be attributed in the RUNTIME_LICENSE file. 
> However, as these 3rd party licenses are properly mentioned in the LICENSE 
> file which also is packaged in the binary distribution, legally everything 
> probably is still OK, even if somewhat confusing.
> - My suggestion for future releases however is to consider packaging only a 
> single LICENSE file within a release artifact/distribution and thus 
> maintain separate LICENSE files for source and binary distributions 
> (optionally even two for the latter). And the same holds for the NOTICE file 
> which currently also covers everything for both source and binary 
> distributions.
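The first review point above, that legal files sitting in the WAR root are served as web resources while files under /META-INF are not, can be checked mechanically before a release. The following script is an added example and not code from the Wookie project; the set of file names and the sample WAR layouts are constructed from the review text, and the "before" and "after" layouts are assumptions standing in for the 0.9.0 and corrected packaging.

```python
"""Check a WAR for legal files packaged where a servlet container serves them
as web resources (the archive root) rather than under META-INF or WEB-INF."""
import io
import zipfile

# File names the WOOKIE-250 review lists; assumed list, adapt per project.
LEGAL_FILES = {"DISCLAIMER", "LICENSE", "NOTICE", "RUNTIME_LICENSE"}
# Entries under these prefixes are not served as web resources.
SAFE_PREFIXES = ("META-INF/", "WEB-INF/")


def exposed_legal_files(war_bytes):
    """Return sorted entry names of legal files that a web client could fetch."""
    exposed = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.endswith("/"):          # skip directory entries
                continue
            base = name.rsplit("/", 1)[-1]  # bare file name
            if base in LEGAL_FILES and not name.startswith(SAFE_PREFIXES):
                exposed.append(name)
    return sorted(exposed)


def build_sample_war(layout):
    """Constructed sample WAR: layout maps entry name -> content string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name, content in layout.items():
            war.writestr(name, content)
    return buf.getvalue()


# Constructed layouts: legal files in the root (as reviewed) and under META-INF.
ROOT_LAYOUT = build_sample_war({
    "LICENSE": "...", "NOTICE": "...", "DISCLAIMER": "...",
    "RUNTIME_LICENSE": "...", "WEB-INF/web.xml": "<web-app/>", "index.jsp": "",
})
METAINF_LAYOUT = build_sample_war({
    "META-INF/LICENSE": "...", "META-INF/NOTICE": "...",
    "META-INF/DISCLAIMER": "...", "META-INF/RUNTIME_LICENSE": "...",
    "WEB-INF/web.xml": "<web-app/>", "index.jsp": "",
})

if __name__ == "__main__":
    print("root layout exposes:", exposed_legal_files(ROOT_LAYOUT))
    print("META-INF layout exposes:", exposed_legal_files(METAINF_LAYOUT))
```

To run it against a real artifact, pass the bytes of wookie.war to `exposed_legal_files`; an empty list means every legal file is outside the served paths.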

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira