Hi again, after a little research:
> org.livetribe:livetribe-jsr223:jar:2.0.6 ASL2.0 license, see its parent: <http://search.maven.org/remotecontent?filepath=org/livetribe/livetribe/1.2/livetribe-1.2.pom> > org.mybatis:mybatis:jar:3.0.6 ASL2.0 <http://search.maven.org/#artifactdetails%7Corg.mybatis%7Cmybatis-parent%7C15%7Cpom> > xmlpull:xmlpull:jar:1.1.3.1 Public domain <http://search.maven.org/#artifactdetails%7Cxmlpull%7Cxmlpull%7C1.1.3.1%7Cjar> > xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c already discussed > aopalliance:aopalliance:jar:1.0 public domain <http://search.maven.org/#artifactdetails%7Caopalliance%7Caopalliance%7C1.0%7Cjar> > asm:asm:jar:3.3.1 BSD <http://search.maven.org/#artifactdetails%7Casm%7Casm-parent%7C3.3.1%7Cpom> category A <http://www.apache.org/legal/resolved.html#category-a> > antlr:antlr:jar:2.7.7 BSD <http://www.antlr.org/license.html> category A <http://www.apache.org/legal/resolved.html#category-a> > dom4j:dom4j:jar:1.6.1 BSD variant <http://search.maven.org/#artifactdetails%7Casm%7Casm-parent%7C3.3.1%7Cpom> Category A as shown as <http://www.apache.org/legal/resolved.html#category-a> > joda-time:joda-time:jar:2.0 ASL2.0 So, at that point, we should just complete the legal files and I consider the dependency inclusion issue as resolved. Best, -Simo http://people.apache.org/~simonetripodi/ http://simonetripodi.livejournal.com/ http://twitter.com/simonetripodi http://www.99soft.org/ On Wed, May 16, 2012 at 9:45 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote: > Hi all, > as far as I've understood we are quite in an impasse here: is there any > quick way out? > > I've performed some more analysis and I've come to the following findings: > > 1. XPP3 is pulled in by XStream (syncope-core and syncope-console WAR files) > > [INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.2:compile > [INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile > > and by ApacheDS (syncope-build-tools WAR file) > > [INFO] +- org.apache.directory.server:apacheds-all:jar:1.5.7:compile > [INFO] | +- org.apache.directory.shared:shared-ldif:jar:0.9.19:compile > [INFO] | \- > org.apache.directory.shared:shared-dsml-parser:jar:0.9.19:compile > [INFO] | \- xpp3:xpp3:jar:1.1.4c:compile > > XStream says that other XML parsers can be used ( > http://xstream.codehaus.org/download.html#optional-deps), I don't know > about ApacheDS - but guess Emmanuel does. > > 2. The following are all the transitive dependencies currently not > mentioned in L&N files: > > org.livetribe:livetribe-jsr223:jar:2.0.6 > org.mybatis:mybatis:jar:3.0.6 > xmlpull:xmlpull:jar:1.1.3.1 > xpp3:xpp3_min:jar:1.1.4c / xpp3:xpp3:jar:1.1.4c > aopalliance:aopalliance:jar:1.0 > asm:asm:jar:3.3.1 > antlr:antlr:jar:2.7.7 > dom4j:dom4j:jar:1.6.1 > joda-time:joda-time:jar:2.0 > > > Can we found a simple and shared way to assess what is the legal, > correct and complete, content of Syncope L&N files? > Is there any other ASF project distributing WAR files we can check? > > If not: what if just include in L&N files all the deps reported above? > Is this harmful in any way? > > Please help: we'd really like to cut out first release... > > Best regards. > > On 15/05/2012 11:36, Christian Grobmeier wrote: >>> The point is that we don't vote binaries, we vote sources. Generated >>> binaries are just by-products of the build. >>> >>> That we distribute binaries is just for convenience. >> which does not change anything imho >> >>> Now, I do think that we should include into the N&L files the licenses for >>> 3rd parties we *directly* include, but not those that are transivitely >>> included. I may be wrong though. I understand your position, too. >>> >>> It may be worthful to ask beside this thread what is the correct way to >>> refer those transitive dependencies... >> +1 >> >> Did not know there were other positions actually. >> >>>> http://incubator.apache.org/guides/releasemanagement.html#best-practice-license >>>> "All the licenses on all the files to be included within a package >>>> should be included in the LICENSE document. " >>> But as soon as we include the deps' licenses we include, even if they >>> themselves include some 3rd party licenses, my understanding is that they >>> already have done the job... >> If they did it it. I have not opened all the files to be honest, but >> is this something we can rely on (that they have done their job >> proberly)? >> >>>> It says to me, it does not matter who depends on what, it does only >>>> matter whats inside your war. >>>> >>>> Btw, I am still unsure which license XPP has. This is worse, because: >>>> http://www.apache.org/dev/release.html#distribute-other-artifacts >>>> "Again, these artifacts may be distributed only if they contain >>>> LICENSE and NOTICE files" >>> >>> See on >>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/, >>> unzip the >>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/distributions/xpp3-1.1.4c_src.tgz >>> tarball and check the included license. >> Thanks! I opened the jar from the Syncope war, there was no info included. >> >> Is that compatible? "Indiana University Extreme! Lab Software License" >> I think its fine, but I am not very good with that boring stuff: >> http://apache.org/legal/3party.html >> >> Btw, this phrase is interesting: >> "Redistributions in binary form must reproduce the above copyright notice" >> >> This includes the provided war file. There is no copyright notice of >> XPP and my guess is the license holders are not interested if we are >> having it as transitive lib or not. > -- > Francesco Chicchiriccò > > Apache Cocoon PMC and Apache Syncope PPMC Member > http://people.apache.org/~ilgrosso/ > --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
