On Jun 22, 2012, at 6:16 PM, Chris Douglas wrote:

> Kevan-

Hi Chris,
Thanks for elaborating.

> Please appreciate that there is universal agreement that (1) listing
> and maintaining all transitive dependencies and licenses is a sound
> service

It's more than "sound". We are required to meet the terms and conditions of the source/binary artifacts. IIRC, Marvin stated this pretty well...

> and (2) listing all dependencies distributed with source code
> carry legal requirements w.r.t. the LICENSE and NOTICE files. We
> disagree only on (3) the scope of legally required attribution extends
> to the transitive closure of dependencies.

I wasn't aware of a disagreement on transitive closure. I thought your position was that "source-only" releases did not need to document their build-time/distribution licensing.

I'll attempt to elaborate, the case for Kafka:

1) Kafka source contains some ALv2 and non-AL v2 licensed stuff (let's avoid the question of binary vs. source)
2) Kafka source declares some dependencies on binary artifacts
3) These direct dependencies have additional transitive dependencies (in this case, declared via pom.xml, the precise mechanics don't matter)…

Kafka's LICENSE/NOTICE files document the licensing of the source code. Many projects document their source and binary dependencies in the LICENSE/NOTICE files in the root directory of their source. Some projects have separate source and binary licenses. There may be some room for interpretation, here, along with some old-school/new-school thinking.

Some transitive dependencies are compile/test-time only. We don't care about these. We care about the run-time dependencies. Moreover we only care about the run-time dependencies that we bundle.

If Kafka only produced individual jar files (and not a runtime environment), things would be different. If you only produced jar files, you would need license/notice files in your source and to produce jar files with license/notice files in the META-INF directory. These jar files may have run-time dependencies and these dependencies may be encoded in some meta-data (e.g. pom.xml). We don't care about these dependencies. The META-INF/LICENSE (NOTICE) need only document the licensing of the source that produced the contents of the jar file.

In the jar-only case, you aren't bundling the dependencies of your jars. Someone else will be. And IMO, they would be responsible for the licensing of whatever bundling they create. Just because a pom.xml file declares transitive dependencies, doesn't mean that the bundler has to use these dependencies. The bundler may replace with their own preferred artifacts with their own licensing (an behavior, of course).

If Kafka was a jar-only project, we'd be basically done (though I've noted that you aren't producing jar files with META-INF/LICENSE and NOTICE). That's a "new" requirement, I wouldn't necessarily demand that in a 0.7.1 release. But would look for it in the future.

Kafka is more than a jar-only project. Kafka is designed to create a messaging server. Kafka builds kafka source into jar files, packages dependencies (direct/transitive), contains shell scripts to launch a Kafka messaging server, etc… If you or anyone else on the project disagrees with this, then let's discuss...

So, Kafka is required to create the LICENSE/NOTICE files for the Kafka messaging server that your project is constructing. The LICENSE/NOTICE files must describe all artifacts contained within the Kafka messaging server. Direct or transitive dependencies don't matter. What matters is the contents of the Kafka messaging server.

> Now, a group of us believe that we investigated this thoroughly in the
> Kafka 0.7.0 release and- based on its approval- we are exercising the
> same procedure to release 0.7.1. If you believe this is mistaken, you
> can either go to the trouble to obtain clarification from board@,
> legal@, or find a reference that supports your position. Presented
> with that evidence, I would reverse my vote. Alternatively, if you
> believe the work is important enough regardless of policy, then do it.
> The project would be grateful to receive that contribution. -C

Thanks. Though I'm interested in the Kafka project from several technical aspects, I just don't have time to participate. Plus, I'm also interested in seeing the project undertake their ASF responsibilities. So, here's my attempt at documenting what's required of the project…

Apache releases are described here: http://www.apache.org/dev/release.html#what

All PMCs must approve their releases as described here: http://www.apache.org/dev/release.html#approving-a-release

As described in the above -- "Before voting +1 PMC members are required to download the signed source code package, compile it as provided, and test the resulting executable on their own platform, along with also verifying that the package contains the required contents."

Required contents is documented here: http://www.apache.org/dev/release.html#what-must-every-release-contain

"Every ASF release must comply with ASF licensing policy. This requirement is of utmost importance and an audit should be performed before any full release is created. In particular, every artifact distributed must contain appropriate LICENSE and NOTICE files. More information can be found in the foundation website and in the release licensing FAQ."

IMO, the requirements are clear. Let me know if you are unconvinced, and I'll pursue clarification. An explanation of your position (or summary of your prior investigation) would be helpful.

--kevan