On Mon, Dec 18, 2017 at 3:32 PM, Ivan Kelly <iv...@apache.org> wrote:

> >> The pom says ASL, but the pom points to a site where you can get the
> >> original source. It can only be downloaded from a zip from there. The
> >> zip, which is the only source for this that I could find, is BSD 3
> >> clause.
> >>
> >
> > We do not bundle the source. We bundle the published jar, which is under
> > ASLv2 in maven central.
> Maven central is not a source of truth. It must be maven central
> because findbugs wanted to use it as a dependency, so it published the
> jar, even though in the findbugs distribution they don't have the
> source. They do have the jar though, and they do get the license right
> in their source distribution. They overlooked it when they put it in
> maven central, and as such violated the 3 clause BSD license.
>
> The license covers binary and source form, so we should adhere to the
> original license, which is 3 clause BSD.


I don't think we should be in the business of checking whether it violates
the 3 clause BSD license or not.
The dependency that we pulled in is a bundled binary, for which we should use
the LICENSE that they associated with the bundled jar that the author pushed
to maven central. If it violates the BSD license, the author of this jar
should address it.
However, I am not a lawyer, so I can't judge what is right and what is
wrong.


>
> >> So where is the source? This one I assume is a ASL, but the source is
> >> not available anywhere.
> >>
> >
> > There is no public source about this. We have to use the license in maven
> > as the source-of-truth.
> By not publishing the NOTICE file from apache thrift, twitter is in
> violation of the ASL (clause 4(d)).


Same as above.

You seem to have strong opinions about these two *problematic*
dependencies. And these dependencies were introduced by twitter stats
providers for bookkeeper-all packages.
In order not to block release 4.6.0, I would suggest removing the
bookkeeper-all package from release 4.6.0. If people need the bookkeeper-all
package, they can compile it from the src package.
We can resume the discussion of the bookkeeper-all package when the licensing
concerns are removed.




>
> -Ivan
>
