On Jan 10, 2008 5:47 PM, simon <[EMAIL PROTECTED]> wrote:
>
> On Thu, 2008-01-10 at 17:08 +0000, Niall Pemberton wrote:
> > On Jan 10, 2008 3:41 PM, sebb <[EMAIL PROTECTED]> wrote:
> > > On 10/01/2008, Jochen Wiedmann <[EMAIL PROTECTED]> wrote:
> > > > I forgot to note: The distribution is available on
> > > >
> > > > http://people.apache.org/~jochen/commons-fileupload/dist
> > >
> > > -1:
> > > The NOTICE files in the jars are non-standard. They also refer to
> > > Commons-IO which is not part of the jar. The NOTICE file is *only* for
> > > items that are included in the distribution, not external
> > > dependencies.
> >
> > Is this true? I realize the following document has still (after 18
> > months) not yet been made official ASF policy, but in the absence of
> > any other then there are two sections which seem relevant:
> > - System Requirements
> > - Optional Add-ons
> > http://people.apache.org/~rubys/3party.html#options-systemrequirements
> >
> > If for example we have a component which can use 3rd Party work that
> > comes under the "excluded licenses" (from memory I think VFS did this)
> > then we have an obligation to inform the users of this and the NOTICE
> > file seems an appropriate place to do this. Having the dependencies
> > and their licenses listed seems like a *good thing* to me for users to
> > be confident of all the licensing implications of using a distro.
> >
> > Anyway if there's contention on the format of the NOTICE in this
> > release then we should ask on legal-discuss to see if we can get an
> > answer whether it's valid or not. I will try to do this later but I'm
> > going out soon - so hopefully someone else will beat me to it.
>
> Yes, we really do need a real legal opinion on this, to clear things up
> one way or the other.

See http://apache.markmail.org/message/zsgfkulbut3bowqu

> However I shudder to think about the overhead if we *must* include in
> the NOTICE information about every dependency. Or even if we must
> double-check that the information pulled in by maven-remote-resources is
> correct.
>
> When the message is posted to legal-discuss, please clearly point out
> that we are talking here about two different scenarios:
> (a) what goes in a single jar, and
> (b) what goes in a .tgz download bundle.
> And also point out that the dependencies *are* explicitly spelled out in
> the pom, and that a readable form of this is present in the maven
> reports. Yay maven.

OK I only just re-read this after I posted on legal-discuss - but I
framed the question as I thought appropriate.

Niall

> But until there is an official legal statement on this, I really do have
> to vote -1 on releasing with any auto-generated NOTICE.txt file. I just
> don't feel confident that the alternative is legally sensible.
>
> Related questions:
> (1) A maven module (commons-foo) includes stuff from two different
> copyright holders, licensed under BSD licenses. Can the maven pom define
> this information? I believe there is only one <license> field. Or is the
> fallback here to use a manual NOTICE file?
> (2) If commons-bar then depends on commons-foo, what should be in the
> NOTICE file?
>
> Regards,
>
> Simon