It is true, we need not list the dependencies under ASL2. I originally added them as a convenience list of bundled dependencies of the source release.
I think it is nice to keep them, if not resulting in excessive overhead for maintenance.

On Mon, Jun 15, 2015 at 7:22 PM, Ted Dunning <ted.dunn...@gmail.com> wrote:

> Here are some cogent comments from Marvin Humphrey.
>
> On Mon, Jun 15, 2015 at 6:04 PM, Marvin Humphrey <mar...@rectangular.com> wrote:
>
> > Hi Ted,
> >
> > The discussion seems to be about the convenience binary, not the official source release, so ASF policy differs. The party who supplies a convenience binary bears responsibility for its licensing info. The ASF's chief concern with regards to licensing info of a convenience binary is that it be legally correct, allowing us and anyone downstream to redistribute. Beyond that, we might not be as finicky as we are about licensing info in the official source release.
> >
> > That said, applying the Licensing HowTo to a convenience binary is not a bad plan -- it should result in correct licensing info.
> >
> > Bottom line: in all cases, LICENSE and NOTICE must reflect the bundled bits.
> >
> > It is true that the ASF does not require the enumeration of dependencies which are under the ALv2 in LICENSE. Think of LICENSE as surfacing all the licenses for all code bundled in the artifact. It would be a problem if bundled bits under BSD3 were not mentioned in the LICENSE of a convenience binary as required by BSD3's second clause -- and each BSD3 license differs slightly because it is a template with a copyright notice plugged in. In contrast, a single copy of the ALv2 applies to all ALv2-licensed code.
> >
> > *However*, you still have to keep NOTICE up-to-date for all ALv2 dependencies that supply one. In practice, this means that you will end up enumerating ASF-sourced ALv2 dependencies (and possibly others) in NOTICE.
> >
> > With regards to shading/Guava/ASM, I don't fully understand what Till is proposing so I'm reluctant to comment specifically. But the bottom line is still the bottom line: LICENSE and NOTICE must reflect the bundled bits.
> >
> > Hope this helps,
> >
> > Marvin
> >
> > On Fri, Jun 12, 2015 at 9:45 AM, Ted Dunning <ted.dunn...@gmail.com> wrote:
> > > Marvin,
> > >
> > > Can you comment on this question that the flink guys have?
> > >
> > > ---------- Forwarded message ----------
> > > From: Till Rohrmann <trohrm...@apache.org>
> > > Date: Fri, Jun 12, 2015 at 9:33 AM
> > > Subject: Listing Apache-2.0 dependencies in LICENSE file
> > > To: "dev@flink.apache.org" <dev@flink.apache.org>
> > >
> > > Hi guys,
> > >
> > > I just updated our LICENSE of the binary distribution and noticed that we also list dependencies which are licensed under Apache-2.0. As far as I understand the ASF guidelines [1], this is not strictly necessary. Since it is a lot of work to keep the list up to date, I was wondering whether we want to remove Apache-2.0 dependencies from this list or not. I would be in favour of this if it does not contradict an ASF policy which I miss.
> > >
> > > This might even have another advantage. Currently, we're shading in many modules the Guava and ASM dependency away. Thus their binary data is contained in nearly every jar we publish on maven. If we wanted to be consistent with our license policy then we would have to add in each of these jars a LICENSE/NOTICE file which lists these two dependencies, IMO.
> > >
> > > Cheers,
> > > Till
> > >
> > > [1] http://www.apache.org/dev/licensing-howto.html#mod-notice
>
> On Mon, Jun 15, 2015 at 1:37 AM, Till Rohrmann <trohrm...@apache.org> wrote:
>
> > Hi Henry,
> >
> > there are actually two licensing questions and one update for the current release going on but all of them are orthogonal and therefore I would like to keep them separate.
> >
> > The PR [1] which you referred to are the necessary updates for the source and binary distribution of the upcoming release. There it's important that maybe another pair of eyes takes a look at it.
> >
> > Then we have the question whether we have to include a LICENSE and NOTICE file in our jars because they contain shaded dependencies.
> >
> > And last but not least, the question of this thread is whether we want to keep the list of Apache-2.0 dependencies in our LICENSE files or not. Thus, let's first discuss and then maybe decide later on this issue here in this thread.
> >
> > Cheers,
> > Till
> >
> > On Sun, Jun 14, 2015 at 8:03 PM Henry Saputra <henry.sapu...@gmail.com> wrote:
> >
> > > Hi Till,
> > >
> > > There are several discussions about LICENSE for dependencies happening at the same time so I would like to make sure we merge them into a decision in dev@ list.
> > >
> > > Is this related to PR https://github.com/apache/flink/pull/830 for updating LICENSE and NOTICE of Flink dependencies?
> > >
> > > - Henry
> > >
> > > On Sun, Jun 14, 2015 at 6:28 AM, Maximilian Michels <m...@apache.org> wrote:
> > > > Hi Till,
> > > >
> > > > That's correct, it is not necessary to include Apache 2.0-licensed projects in the LICENSE file, unless they contain non-Apache 2.0-licensed code. We should definitely remove those entries from the LICENSE file.
> > > >
> > > > Best,
> > > > Max
> > > >
> > > > On Sat, Jun 13, 2015 at 4:51 PM, Aljoscha Krettek <aljos...@apache.org> wrote:
> > > >
> > > >> If it is not against the Apache Guidelines I would vote for removing them. I'm always in favour of keeping things simple.
> > > >>
> > > >> On Fri, 12 Jun 2015 at 18:34 Till Rohrmann <trohrm...@apache.org> wrote:
> > > >>
> > > >> > Hi guys,
> > > >> >
> > > >> > I just updated our LICENSE of the binary distribution and noticed that we also list dependencies which are licensed under Apache-2.0. As far as I understand the ASF guidelines [1], this is not strictly necessary. Since it is a lot of work to keep the list up to date, I was wondering whether we want to remove Apache-2.0 dependencies from this list or not. I would be in favour of this if it does not contradict an ASF policy which I miss.
> > > >> >
> > > >> > This might even have another advantage. Currently, we're shading in many modules the Guava and ASM dependency away. Thus their binary data is contained in nearly every jar we publish on maven. If we wanted to be consistent with our license policy then we would have to add in each of these jars a LICENSE/NOTICE file which lists these two dependencies, IMO.
> > > >> >
> > > >> > Cheers,
> > > >> > Till
> > > >> >
> > > >> > [1] http://www.apache.org/dev/licensing-howto.html#mod-notice