>> The pom says ASL, but the pom points to a site where you can get the >> original source. It can only be downloaded from a zip from there. The >> zip, which is the only source for this that I could find, is BSD 3 >> clause. >> > > We do not bundle the source. We bundle the published jar, which is under > ASLv2 in maven central. Maven central is not a source of truth. It must be maven central because findbugs wanted to use it as a dependency, so it published the jar, even though in the findbugs distribution they don't have the source. They do have the jar though, and they do get the license right in their source distribution. They overlooked it when they put it in maven central, and as such violated the 3 clause BSD license.
The license covers binary and source form, so we should adhere to the original license, which is 3 clause BSD. >> So where is the source? This one I assume is a ASL, but the source is >> not available anywhere. >> > > There is no public source about this. We have to use the license in maven > as the source-of-truth. By not publishing the NOTICE file from apache thrift, twitter is in violation of the ASL (clause 4(d)). -Ivan
