On Mon, Jan 23, 2012 at 2:27 PM, Bertrand Delacretaz <bdelacre...@apache.org > wrote:
> On Mon, Jan 23, 2012 at 12:12 PM, Reto Bachmann-Gmür <r...@apache.org> > wrote: > > On Mon, Jan 23, 2012 at 11:32 AM, ant elder <antel...@apache.org> wrote: > >> ...As one example, the binary release clerezza-tdb-distribution.zip > >> contains a big jar platform.launcher.tdb-0.5-incubating.jar which > >> embeds other jars, for example it contains > >> servlet-api-3.0.20100224.jar, which is EPL licensed so that needs to > >> be mentioned in clerezza-tdb-distribution.zip. > >> > > Is there a way to systematically find out the license of such transitive > > maven dependencies? The jar you mention contains no license or notice > file, > > it contains a maven pom file without licensing information... > > I'm afraid the only way to find out about such a license is to hunt > that project's website. > > The techniques mentioned on my blog at [1] should list all the > dependencies of a Maven project, and after you remove all the known > good ones (org.apache.* etc.) you're left with a list of dependencies > that need to be checked. Thanks for the hint. We have to do this for the tdb launcher as well as for the storageless parent as the tdb launcher includes all of the storageless launcher without its dependencies resulting as tdb launcher dependencies (the scope 'provided' prevents transitivity) > The cleanest way to handle that for Clerezza > might be to add a note to the LICENSE file that lists which other > licenses besides Apache are included, and points to a text file with > licensing information for those additional dependencies. Putting some > simple structure in that file might help automating (at least > partially) that check for future releases. > I prefer having different files for the different licenses so that two LICENSE*-files always have the same content. Reto
