On 5/16/12 9:45 AM, Francesco Chicchiriccò wrote:
Hi all,
Hi Francesco
as far as I've understood we are quite in an impasse here: is there any
quick way out?
Thinking twice about the third party components, I came to the conclusion that we should include the license of those requiring that it should be done, even if we have some transitive dependencies.

The reason is that if a direct 3rd party does not have a N&L containing transitive 3rd party, then those direct 3rd party are faulty. But because they are faulty does not mean we should also be (transitively) faulty !

That also means some of the ASF projects (including ApacheDS I'm working on !) have to double check their N&L files, something I'll do asap.

I'll be a bit busy the next 4 days, but I'll try to get a clear decision about this problem before next week, as it may impact many other projects.

Thanks !

I've performed some more analysis and I've come to the following findings:

1. XPP3 is pulled in by XStream (syncope-core and syncope-console WAR files)

[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile

and by ApacheDS (syncope-build-tools WAR file)

[INFO] +- org.apache.directory.server:apacheds-all:jar:1.5.7:compile
[INFO] |  +- org.apache.directory.shared:shared-ldif:jar:0.9.19:compile
[INFO] |  \- org.apache.directory.shared:shared-dsml-parser:jar:0.9.19:compile
[INFO] |     \- xpp3:xpp3:jar:1.1.4c:compile

XStream says that other XML parsers can be used (
http://xstream.codehaus.org/download.html#optional-deps), I don't know
about ApacheDS - but guess Emmanuel does.

2. The following are all the transitive dependencies currently not
mentioned in L&N files:

org.livetribe:livetribe-jsr223:jar:2.0.6
org.mybatis:mybatis:jar:3.0.6
xmlpull:xmlpull:jar:1.1.3.1
xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c
aopalliance:aopalliance:jar:1.0
asm:asm:jar:3.3.1
antlr:antlr:jar:2.7.7
dom4j:dom4j:jar:1.6.1
joda-time:joda-time:jar:2.0


Can we find a simple and shared way to assess what is the legal,
correct and complete, content of Syncope L&N files?
Is there any other ASF project distributing WAR files we can check?

If not: what if we just include in L&N files all the deps reported above?
Is this harmful in any way?

Please help: we'd really like to cut out first release...

Best regards.

On 15/05/2012 11:36, Christian Grobmeier wrote:
The point is that we don't vote binaries, we vote sources. Generated
binaries are just by-products of the build.

That we distribute binaries is just for convenience.
which does not change anything imho

Now, I do think that we should include into the N&L files the licenses for
3rd parties we *directly* include, but not those that are transitively
included. I may be wrong though. I understand your position, too.

It may be worthwhile to ask beside this thread what is the correct way to
refer to those transitive dependencies...
+1

Did not know there were other positions actually.

http://incubator.apache.org/guides/releasemanagement.html#best-practice-license
"All the licenses on all the files to be included within a package
should be included in the LICENSE document. "
But as soon as we include the deps' licenses we include, even if they
themselves include some 3rd party licenses, my understanding is that they
already have done the job...
If they did it. I have not opened all the files to be honest, but
is this something we can rely on (that they have done their job
properly)?

It says to me, it does not matter who depends on what, it does only
matter what's inside your war.

Btw, I am still unsure which license XPP has. This is worse, because:
http://www.apache.org/dev/release.html#distribute-other-artifacts
"Again, these artifacts may be distributed only if they contain
LICENSE and NOTICE files"
See on
http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/,
unzip the
http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/xpp3-1.1.4c_src.tgz
tarball and check the included license.
Thanks! I opened the jar from the Syncope war, there was no info included.

Is that compatible? "Indiana University Extreme! Lab Software License"
I think it's fine, but I am not very good with that boring stuff:
http://apache.org/legal/3party.html

Btw, this phrase is interesting:
"Redistributions in binary form must reproduce the above copyright notice"

This includes the provided war file. There is no copyright notice of
XPP and my guess is the license holders are not interested if we are
having it as transitive lib or not.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

