After reading your notes and reviewing the links, I’m not sure I’m that far off from being “good enough”. My goal is to make the fewest and easiest changes possible to get us into compliance, so I opted for copying entire NOTICE files instead of picking apart pieces of it, leveraging the build script code that appends the .bin file, and not fixing anything that I didn’t think was truly broken.
More comments in-line.

On 1/2/15, 1:40 PM, "Justin Mclean" <jus...@classsoftware.com> wrote:

>Hi,
>
>This is for discussion before I make any changes to the current files
>after a first pass. They still need a bit of work IMO.
>
>I assume LICENSE.bin is appended to LICENSE as part of the build process,
>this does mean that if you look at the LICENSE.bin in svn it's not
>correct. Would it be better to not assemble it but have it contain the
>full LICENSE? Same for NOTICE.bin.

In looking around, AOO seems to have it in pieces. Other projects have the full AL in the various versions. I chose pieces so that if we add a license or notice to the source package, it automatically gets propagated to the binary. I’ll go with whatever the majority wants to do.

>
>LICENSE
>1. Could use short form of BSD [1]

Funny, you argued against using a pointer for Squiggly. IMO, not an error, no need to change it. The more we change, the more energy gets spent.

>
>NOTICE
>1. Year is wrong, recommend it's a range btw [2]

Well, now that it is 2015, a full scrub for 2014 needs to happen.

>2. There's probably no need for the copyright notice from Robert Penner.
>The code is BSD licensed, and in that case it shouldn't be added to
>notice.[1][3] The only reason it could possibly be there was if copyright
>notices were removed from source files.

I will have to check next time I’m back in the office. I know that his work got flagged when we were scrubbing the Adobe code for donation to Apache but my records for that are on a different computer. I can’t see his copyright in the Adobe source for 4.6, but his AS1 examples do have a copyright, so at some point it got moved.

>3. There is no need for the Xerces Patch developed at Apache lines [4]

The instructions at [4] say “It is not necessary”, but don’t prohibit it.

>
>LICENSE.bin
>1. No need for lib/external/commons-logging.jar as it's Apache 2.0
>licensed [5]
>2. Could use the short form of the BSD license for
>lib/external/java-cc.jar
>3. No need for lib/external/xercesImpl.jar as it's Apache 2.0. [5]
>4. No need for lib/external/xalan.jar as it's Apache 2.0. [5]
>5. No need for lib/external/xml-apis-ext.jar as it's Apache 2.0. [5]

When concatenated to LICENSE, these items are added to the SUBCOMPONENTS section. We mention other AL2.0 subcomponents in LICENSE already.

>6. Need to add W3C see [6]

I puzzled over this for a while and still am not sure of the answer. Both Batik and Xerces seem to use W3C code, but don’t mention/point to W3C directly in the LICENSE. Batik doesn’t mention it at all and Xerces has these separate license files like you show in [6] but no pointer. Rat also doesn’t flag W3C files it finds in the scan. I’m wondering if W3C code has some special status that it doesn’t have to be pointed to from LICENSE.

>
>NOTICE.bin
>1. No need for the xalan copyright notice [3]
>2. No need to list Apache under "This product includes software developed
>by the following:" [4]

Looks to be an error in their NOTICE file.

>3. No need for W3C under "This product includes software developed by the
>following:" as it is a compatible license. (Should be in LICENSE not
>NOTICE).

Again an error in their NOTICE file.

>4. The referenced xxxx.README.txt files are missing. We probably need
>to add these.

I don’t think it is our problem to resolve issues in Xalan’s NOTICE. The README files don’t seem to be in the binary package we use.

>5. No need for the XML commons resolver copyright or this software
>developed at lines [3][4]
>6. Missing some notices from xerces (there are several NOTICE files)

I think I got them all. Which ones did I miss?

>7. Missing required notices from XML commons extensions
>8. Missing required notices from XML commons

Which files are you referring to here?

>
>Re the Saxon and the CERN issue it may not be an issue as according to
>this [7]. The CERN code in question is a generic sorter [8]. I can't see
>why the CERN license in question wouldn't be compatible with Apache. I'll
>add this to the JIRA.

I agree that Apache Legal should rule that Saxon is ok. But they haven’t yet and until they do, separating it out is our only option, IMO.

-Alex

>
>1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
>2. http://www.apache.org/dev/licensing-howto.html#simple
>3. http://www.apache.org/dev/licensing-howto.html#mod-notice
>4. http://www.apache.org/dev/licensing-howto.html#bundle-asf-product
>5. http://www.apache.org/dev/licensing-howto.html#alv2-dep
>6. https://svn.apache.org/repos/asf/xerces/java/trunk/LICENSE.DOM-software.html
>7. http://www.saxonica.com/documentation9.5/conditions/
>8. http://www.saxonica.com/documentation9.5/conditions/third-party-components.html