Billie,

Can you tell me specifically what you noticed in the Kafka bundle?  It
seems like we should be totally safe when depending on another Apache
Software Foundation project.  However, perhaps that is a dangerous
assumption.

I looked up Kafka's NOTICE and LICENSE file and it appears to be the stock
one.  However, I then looked up the Scala dependency which comes in from
using their client and it looks like a typical 3-clause BSD license which
should be called out in the overall license.  Will look further but would
like to know what you found as well.

Thanks
Joe

On Thu, Jan 29, 2015 at 10:23 AM, Joe Witt <joe.w...@gmail.com> wrote:

> Billie
>
> My concern with the dependencies file is the false sense of security it
> can sometimes give.  These are dependencies for which Maven can find the
> license information.  If it can't it isn't something that could be clearly
> called out/articulated.  This is particularly true with a case like bundled
> javascript dependencies.  I realize moving towards all externalized
> dependencies is ideal but it is also not fail-proof.  Point taken though
> that they offer some utility in validating.
>
> Will take a look at the Kafka licensing case.  Adding that to [
> https://issues.apache.org/jira/browse/NIFI-291] now.
>
> I went through every artifact personally including
> nars/wars/javascript/etc... from raw source and the binary builds.  Kafka
> though was indeed added after that.  Ideal case is the dev that adds it
> takes care of rolling up as needed into overall LICENSE/NOTICE.  Then it is
> on the R in RTC.  Then it is on the RM.  Then voters.  So that went right
> past all phases.  Independent of the outstanding questions about binary
> convenience packages, does whatever specific license is missing from the
> kafka bundle preclude us from providing a binary convenience package for
> 0.0.1?
>
> Thanks
> Joe
>
> On Thu, Jan 29, 2015 at 10:10 AM, Billie Rinaldi <bil...@apache.org>
> wrote:
>
>> On Thu, Jan 29, 2015 at 7:45 PM, Joe Witt <joe.w...@gmail.com> wrote:
>> > Will investigate how to have the build process for the convenience
>> > binaries not add the auto-generated dependencies file and for it to use
>> > our license rather than the stock one.
>>
>> I actually like the dependencies file.  It makes it easier to check over
>> the license.
>> Beware that the license does not currently cover all of the dependencies
>> bundled in the nars/wars.  (As the license for the source package, it
>> doesn't have to.)  The one I noticed was nifi-kafka-nar, but there could
>> be others.
>>
>
>
