Thanks for the help. Since the bookkeeper-all package contains jars whose licenses are unclear, I would like to cancel this vote thread and will remove bookkeeper-all in the new vote thread. The new thread will keep the same rc number.

On Tue, Dec 19, 2017 at 8:25 AM, Sijie Guo <guosi...@gmail.com> wrote:

> On Mon, Dec 18, 2017 at 3:32 PM, Ivan Kelly <iv...@apache.org> wrote:
>
> > > > The pom says ASL, but the pom points to a site where you can get the
> > > > original source. It can only be downloaded from a zip from there. The
> > > > zip, which is the only source for this that I could find, is BSD 3
> > > > clause.
> > >
> > > We do not bundle the source. We bundle the published jar, which is under
> > > ASLv2 in maven central.
> >
> > Maven central is not a source of truth. It must be maven central
> > because findbugs wanted to use it as a dependency, so it published the
> > jar, even though in the findbugs distribution they don't have the
> > source. They do have the jar though, and they do get the license right
> > in their source distribution. They overlooked it when they put it in
> > maven central, and as such violated the 3 clause BSD license.
> >
> > The license covers binary and source form, so we should adhere to the
> > original license, which is 3 clause BSD.
>
> I don't think we should be in the business of checking whether it violates
> the 3 clause BSD license or not.
> The dependency that we pulled in is a bundled binary, for which we should use
> the LICENSE that they associated
> with the bundled jar that the author pushed to maven central. If it
> violates the BSD license, the author of this jar should address it.
> However, I am not a lawyer, so I can't judge what is right and what is
> wrong.
>
> > > > So where is the source? This one I assume is ASL, but the source is
> > > > not available anywhere.
> > >
> > > There is no public source about this. We have to use the license in maven
> > > as the source-of-truth.
> >
> > By not publishing the NOTICE file from apache thrift, twitter is in
> > violation of the ASL (clause 4(d)).
>
> Same as above.
>
> You seem to have strong opinions about these two *problematic*
> dependencies. And these dependencies were introduced by twitter stats
> providers for bookkeeper-all packages.
> In order not to block release 4.6.0, I would suggest removing the
> bookkeeper-all package from release 4.6.0. If people need the bookkeeper-all
> package, they can compile from the src package.
> We can resume the discussion of the bookkeeper-all package when licensing
> concerns are removed.
>
> > -Ivan