OK, let me see if I can pull all three responses into one. On 12/20/14, 5:58 PM, "Justin Mclean" <jus...@classsoftware.com> wrote:
>Hi, > >Also on this subject I've no idea why we are prompting for SWFObject when >it is MIT licensed, as MIT is an compatible licence. The same should >apply to any Category A licenses (ie Apache 1.1, BSD and W3C). > >The installer probably needs some changes from this as it is installing >from the binary release not the source release. I’m ok with pulling out SWFObject when we go tweak the install script unless someone has a good reason it should stay in there. >>It looks like we have not handled Saxon correctly since forever. >>The install scripts need to prompt for it. >Not sure we actually do need to prompt as per [1] you only need to >prompt to download the source not the binary. The week copy left >aspects of the licence only apply if you include the source. >The same probably applies to osmf. >"Software under the following licenses may be included in binary >form within an Apache product if the inclusion is appropriately labeled" >"By attaching a prominent label to the distribution and requiring >an explicit action by the user to get the reciprocally-licensed >source, users are less likely to be unaware of restrictions >significantly different from those of the Apache License. >Please include the URL to the product's homepage in the prominent label." My temptation is to fix this by making Saxon a download behind a prompt just like OSMF. That avoids us having to figure out what “prominent label” means. I’d rather not see our packages labelled “apache-flex-sdk-4.14.0-with-MPL-saxon”. The source package’s modules/download.xml would also get a prompt before downloading Saxon. Another option is to make the asdoc compiler “optional”. It seems to the only piece that uses Saxon. And yet another option is to download all of these jars in the install. It would probably be the fewest changes to the repo to make it work as then we wouldn’t need to muck with LICENSE and NOTICE as much, but then there are more downloads that could fail during the install. >Here what I just checked: > >commons-collections.jar Apache 1.1 >commons-discovery.jar Apache 1.1 >commons-logging.jar Apache 2.0 has NOTICE no with no downstream effects >javacc.jar version 5 BSD copyright Sun >saxon9.jar MPL (Michael Kay) and multiple NOTICES that effect downstream >xalan.jar Apache 2.0 and NOTICE that effects downstream >xercesImpl.jar Apache 2.0 and NOTICE that effects downstream >xercesPatch.jar Apache 2.0 and NOTICE that effects downstream >xml-apis-ext.jar Apache 2.0 and WC3 and NOTICE file that effects >downstream >xml-apis.jar Apache 2.0 and WC3 and NOTICE file that effects downstream >velocity-dep-1.4-flex.jar Apache 2.0 and NOTICE file that effects >downstream* >batik-all-flex.jar Apache 2.0 and NOTICE file that effects downstream > >Are there any other jars or 3rd party files included in the binary >that are not in the source distribution? Not to my knowledge. >* NOTICE file may not be correct as velocity original NOTICE file has no >downstream effects. Not sure I understood what you mean by that. >So looks like for the binary license we would need to add >pointers to the following licenses: >- Apache 1.1 >- BSD >- W3C >- MPL From the above list, do we need to add W3C if all jars that have W3C also have AL licenses? >And add multiple pointers to NOTICE. Most of the existing LICENSE and >NOTICE files are in /lib/external with the exception of Velocity and >Batik. Yep >We may have a possible issue with saxon in particular this >lib/external/saxon9-NOTICES/GPL+CLASSPATH.txt? >Do we know what this refers to? At a guess (and hopefully) >it may not apply as it's only in the .NET version of saxon >which I assume we're not using. [1] >I've not looked at transitive dependencies which are likely >to also have some effect on our NOTICE file. OK, let us know what you find. >I also noticed that most of the flex jars have a LICENSE and >NOTICE that is probably incorrect for the jar itself e.g. >compc.jar or flex-compiler-oem.jar as t contains the full >Flex LICENSE and NOTICE file not just what is in the jar Probably worth fixing this now as well. -Alex
