Just using this thread to come back to the NOTICE discussion. This came also up with the latest Python release, and I spent quite a bit of time on it.
If it's "used" section is not strictly required in NOTICE from a legal > perspective, the embedded dependencies should be mentioned (either > under the Apache license as soon as they are not a ASF project), > that's the "are not satisfied by either the text of LICENSE or the > presence of licensing information embedded within the bundled > dependency" part of the policy. The source of truth that I follow is the ASF how-to-guide <https://infra.apache.org/licensing-howto.html>. By embedded, I mean distributed in the source distribution but also in > binary distributions (as soon as we publish/distribute it). The term in the how-to guide is bundling. For me, this means that when code is packaged in a Java fat jar, and redistributed under the name of Iceberg. For instance, here https://github.com/apache/karaf/blob/main/NOTICE > you can see the included software (used software is not strictly > required). I think this conflicts with the guide as it states: Do not add anything to NOTICE which is not legally required. This will add a burden to anyone who wants to redistribute Iceberg because they have to check the notices that are not legally required to bubble up in their notice. Not required notices are mentioned in the LICENSE <https://github.com/apache/iceberg/blob/main/LICENSE> file where attribution to the original author is given. This is how I interpret the legalese from the how-to guide after going through it for PyIceberg. I think we should follow the guide, and this also avoids having to keep the NOTICE file up to date. Kind regards, Fokko Op di 20 feb 2024 om 11:06 schreef Ajantha Bhat <ajanthab...@gmail.com>: > Thanks Eduard, > > I will share a new RC info with the fix. > > - Ajantha > > On Tue, Feb 20, 2024 at 12:17 PM Jean-Baptiste Onofré <j...@nanthrax.net> > wrote: > >> Hi Ryan, >> >> If it's "used" section is not strictly required in NOTICE from a legal >> perspective, the embedded dependencies should be mentioned (either >> under the Apache license as soon as they are not a ASF project), >> that's the "are not satisfied by either the text of LICENSE or the >> presence of licensing information embedded within the bundled >> dependency" part of the policy. >> >> By embedded, I mean distributed in the source distribution but also in >> binary distributions (as soon as we publish/distribute it). >> >> For instance, here https://github.com/apache/karaf/blob/main/NOTICE >> you can see the included software (used software is not strictly >> required). >> >> Regards >> JB >> >> On Mon, Feb 19, 2024 at 5:52 PM Ryan Blue <b...@tabular.io> wrote: >> > >> > JB, >> > >> > Can you help me understand your rationale for updating NOTICE? We are >> strict about what goes into the NOTICE file to comply with ASF guidance: >> > >> > The NOTICE file is reserved for a certain subset of legally required >> notifications which are not satisfied by either the text of LICENSE or the >> presence of licensing information embedded within the bundled dependency. >> > … >> > It is important to keep NOTICE as brief and simple as possible, as each >> addition places a burden on downstream consumers. >> > >> > Do not add anything to NOTICE which is not legally required. >> > >> > It sounds like the content you’re talking about would be better located >> in the README instead. >> > >> > Ryan >> > >> > >> > On Mon, Feb 19, 2024 at 2:27 AM Jean-Baptiste Onofré <j...@nanthrax.net> >> wrote: >> >> >> >> +1 (non binding) >> >> >> >> I checked: >> >> - checksum and signature are correct >> >> - ASF headers are OK >> >> - no binary found in the source distribution >> >> - build is OK from the source distribution >> >> >> >> To be improved for next releases (not blocker at all): >> >> - NOTICE file should mention dependencies and tools used (not >> >> necessary included). I'm thinking about openapi, palantir plugins, aws >> >> sdk, jackson, ... I will do a PR about that. >> >> - doap.rdf file can be updated as part of the RC >> >> >> >> Thanks ! >> >> Regards >> >> JB >> >> >> >> On Mon, Feb 19, 2024 at 11:02 AM Ajantha Bhat <ajanthab...@gmail.com> >> wrote: >> >> > >> >> > Hi Everyone, >> >> > >> >> > I propose that we release the following RC as the official Apache >> Iceberg 1.5.0 release. >> >> > >> >> > The commit ID is bff665278245128a71982ba5ac5981a9e71c4509 >> >> > * This corresponds to the tag: apache-iceberg-1.5.0-rc0 >> >> > * https://github.com/apache/iceberg/commits/apache-iceberg-1.5.0-rc0 >> >> > * >> https://github.com/apache/iceberg/tree/bff665278245128a71982ba5ac5981a9e71c4509 >> >> > >> >> > The release tarball, signature, and checksums are here: >> >> > * >> https://dist.apache.org/repos/dist/dev/iceberg/apache-iceberg-1.5.0-rc0 >> >> > >> >> > You can find the KEYS file here: >> >> > * https://dist.apache.org/repos/dist/dev/iceberg/KEYS >> >> > >> >> > Convenience binary artifacts are staged on Nexus. The Maven >> repository URL is: >> >> > * >> https://repository.apache.org/content/repositories/orgapacheiceberg-1150/ >> >> > >> >> > Please download, verify, and test. >> >> > >> >> > Please vote in the next 72 hours. >> >> > >> >> > [ ] +1 Release this as Apache Iceberg 1.5.0 >> >> > [ ] +0 >> >> > [ ] -1 Do not release this because... >> >> > >> >> > Only PMC members have binding votes, but other community members are >> encouraged to cast >> >> > non-binding votes. This vote will pass if there are 3 binding +1 >> votes and more binding >> >> > +1 votes than -1 votes. >> >> > >> >> > Special thanks to Eduard for helping out on publishing the release >> artifacts. >> >> > >> >> > - Ajantha >> > >> > >> > >> > -- >> > Ryan Blue >> > Tabular >> >
