On Thu, 2008-01-10 at 17:08 +0000, Niall Pemberton wrote:
> On Jan 10, 2008 3:41 PM, sebb <[EMAIL PROTECTED]> wrote:
> > On 10/01/2008, Jochen Wiedmann <[EMAIL PROTECTED]> wrote:
> > > I forgot to note: The distribution is available on
> > >
> > > http://people.apache.org/~jochen/commons-fileupload/dist
> >
> > -1:
> > The NOTICE files in the jars are non-standard. They also refer to
> > Commons-IO which is not part of the jar. The NOTICE file is *only* for
> > items that are included in the distribution, not external
> > dependencies.
>
> Is this true? I realize the following document has still (after 18
> months) not yet been made official ASF policy, but in the absence of
> any other then there are two sections which seem relevant:
> - System Requirements
> - Optional Add-ons
> http://people.apache.org/~rubys/3party.html#options-systemrequirements
>
> If for example we have a component which can use 3rd Party work that
> comes under the "excluded licenses" (from memory I think VFS did this)
> then we have an obligation to inform the users of this and the NOTICE
> file seems an appropriate place to do this. Having the dependencies
> and their licenses listed seems like a *good thing* to me for users to
> be confident of all the licensing implications of using a distro.
> Anyway if there's contention on the format of the NOTICE in this
> release then we should ask on legal-discuss to see if we can get an
> answer whether it's valid or not. I will try to do this later but I'm
> going out soon - so hopefully someone else will beat me to it.

Yes, we really do need a real legal opinion on this, to clear things up
one way or the other.

However I shudder to think about the overhead if we *must* include in
the NOTICE information about every dependency. Or even if we must
double-check that the information pulled in by maven-remote-resources
is correct.

When the message is posted to legal-discuss, please clearly point out
that we are talking here about two different scenarios:
(a) what goes in a single jar, and
(b) what goes in a .tgz download bundle.

And also point out that the dependencies *are* explicitly spelled out
in the pom, and that a readable form of this is present in the maven
reports. Yay maven.

But until there is an official legal statement on this, I really do
have to vote -1 on releasing with any auto-generated NOTICE.txt file. I
just don't feel confident that the alternative is legally sensible.

Related questions:

(1) A maven module (commons-foo) includes stuff from two different
copyright holders, licensed under BSD licenses. Can the maven pom
define this information? I believe there is only one <license> field.
Or is the fallback here to use a manual NOTICE file?

(2) If commons-bar then depends on commons-foo, what should be in the
NOTICE file?

Regards,

Simon