You are right that if you are not redistributing third-party dependencies yourself (e.g. part of source code or embedded within ZIP/JAR files) - then you should not be propagating their NOTICE/LICENSE details.
However you still need to check that the dependencies your code relies on is acceptable according to https://www.apache.org/legal/resolved ..that is - any downstream user should be able to take all the JARs you depend on and assume they are compatible with the Apache license 2.0 (following their attribution requirements). So for instance if you have dependencies that are licensed as GPL, LGPL or Amazon Software License, then those would not be compatible. The exception is if those are OPTIONAL dependencies you would not normally use - see https://www.apache.org/legal/resolved#optional for how to deal with those. As predictionio is using SBT, I had a look at using this plugin https://github.com/jrudolph/sbt-dependency-graph which gave a very nice report (eventually): https://paste.apache.org/nL50 it's quite a long list.. obviously you should fix your own metadata so predictionio does not become one of the "unknown licenses". :) You can assume that all the org.apache ones commons-* are also Apache license. You then need to check each of the 'No license specified' ones like Jetty and Jettison Perhaps track this in a wiki page or see if you can tweak the config for the plugin to map the unknown dependencies. I can see a couple of GPL dependencies in there (mysql) which are red flags, e.g. mysql-connector-java, stax-api (dual licensed?) but otherwise it looks not bad. (quite a long list though! :) BTW, your LICENSE.txt is looking good. Some comments: 1) https://github.com/apache/incubator-predictionio/blob/develop/LICENSE.txt#L214 This reference to Apache Spark can now be removed, as Apache projects don't need to attribute each-other (we are all ASF). (You can do so by a regular comment within the file if you like). You should check Apache Spark's NOTICE if there are any other attributions you should propagate (in which case they should be in NOTICE rather than LICENSE) 2) No hunt-around required > The PredictionIO project contains subcomponents with separate copyright > notices > and license terms. Your use of the source code for these subcomponents is > subject to the terms and conditions of the following licenses. Users should not be required to hunt around in your source-tree for other licenses - so all of these needs to be referenced, including for instance ./docs/manual/bower_components/jcarousel/LICENSE ./docs/manual/bower_components/jquery/MIT-LICENSE.txt ./tools/src/main/resources/assets/bootstrap-3.2.0-dist/ (including the glyphicons-halflings font) It's usually enough to just list them in the top level LICENSE.txt with license name, which files they cover, and refer to the deeper license files which you generally already seem to have in the source tree. 3) CC No-Commercial > For documentation in docs/manual/: > This work is licensed under a Creative Commons > Attribution-NonCommercial-ShareAlike 3.0 Unported License. > http://creativecommons.org/licenses/by-nc-sa/3.0/ This is a big no-no I'm afraid.. (Category X). Apache projects must be usable and redistributable also for commercial use. Was the documentation under docs/ all part of the Software Grant to ASF, so that it can be relicensed as Apache License? (Check any outside contributions to them as those would have to sign ICLAs and agree to the relicensing) I also see there are several pictures/binaries which you may need to clarify, e.g. docs/manual/bower_components/jcarousel/examples/_shared/img/img3_thumb.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=1, copyright=Marc Wiegelmann], baseline, precision 8, 75x75, frames 3 But this should become clear if checking for the license headers of all the source files.. for instance with Apache Rat or a more crude grep: grep -c -r "Licensed to the Apache" . | grep :0$ | grep -v target Sorry for the long email - don't be discouraged - PredictionIO looks quite good license wise :) On 20 September 2016 at 20:02, Christopher <ctubb...@apache.org> wrote: > As I understand things, the licensing information you provide in your > artifacts should reflect everything contained within that artifact. You do > not need to provide license/notice information for dependencies which are > not bundled in your artifact. > > On Tue, Sep 20, 2016 at 3:01 PM Donald Szeto <don...@apache.org> wrote: > >> Sorry. I should have mentioned that I am preparing a release for >> PredictionIO. >> >> Regards, >> Donald >> >> On Tuesday, September 20, 2016, Donald Szeto <don...@apache.org> wrote: >> >> > Hi all, >> > >> > I am preparing my first Apache release and am wondering if I need to >> check >> > licenses of all transitive deps if the release contains: >> > >> > - a single source tarball; >> > - a few binary JAR artifacts on Nexus that contain no transitive deps in >> > either binary or source form. >> > >> > Would it be sufficient to make sure the licenses of all sources comply >> > with Apache policy in this case? Do I need to check transitive deps in >> this >> > case? >> > >> > Thanks! >> > >> > Regards, >> > Donald >> > >> -- Stian Soiland-Reyes http://orcid.org/0000-0001-9842-9718 --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
